The financial sector amid cybercrime, espionage, and the hybrid threat linked to ongoing conflicts
Threat Discovery is an editorial space dedicated to in-depth analysis in cyber threat intelligence at the global level.
The information reported is the outcome of the collection and analysis work carried out by Telsy's Threat Intelligence & Response specialists for the TS-Intelligence platform.
ENISA Report on Threats to the Financial Sector
With the entry into force of the DORA regulation (Digital Operational Resilience Act) in European legislation, financial entities and their critical ICT third-party providers are now subject to stricter obligations regarding ICT risk management, incident reporting, resilience testing, and operational continuity.
According to data presented this year in the ENISA Threat Landscape: Finance Sector—covering the period from January 2023 to June 2024—the main threat in Europe has been hacktivist-driven DDoS attacks (58%), followed by data breaches and leaks. The primary attack tactic was social engineering, particularly in the forms of phishing, smishing, and vishing. Ransomware attacks mainly targeted service providers (29%) and insurance organizations (17%), with impacts including financial losses (38%), data exposure (35%), and operational disruptions (20%).
Non-ransomware attacks primarily involved trojans and spyware. Fraud accounted for 6% of total incidents, mainly affecting individuals (40%) and credit institutions (35%).
“Tactical” and “Strategic” State-Sponsored Campaigns
In addition to facing criminal offensives, financial institutions and operators must pay increasing attention to threats posed by state-sponsored campaigns.
In recent years, North Korea has carried out extensive and effective operations to finance the regime. The cryptocurrency sector has been its primary target, culminating in the February 2025 attack by the Lazarus Group on the Bybit exchange. The theft of roughly $1.5 billion in Ethereum resulted from a combination of social engineering and a software supply-chain compromise of the third-party wallet interface used to approve transfers, which was manipulated so that the signers authorized a transaction different from the one displayed to them.
Moreover, attention must be paid to cyberespionage from China, aimed at strengthening its global commercial dominance, and to campaigns tied to the two main active war theaters, Ukraine and the Middle East. While Pyongyang stands out for its tactical cunning and significant financial gains, campaigns led by China, Russia, Ukraine, Israel, and Iran combine intelligence collection, psychological operations, and hybrid objectives.
China Spied on the U.S. Treasury Department
In late December 2024, the U.S. Department of the Treasury disclosed that it had been targeted in an espionage campaign in which the attacker abused a compromised API key for BeyondTrust's Remote Support SaaS product to access Treasury workstations. The attack, attributed to the Chinese group Silk Typhoon (Hafnium), affected the Office of Foreign Assets Control (OFAC), the Office of the Secretary of the Treasury, and, reportedly, the Office of Financial Research and the Committee on Foreign Investment in the United States (CFIUS).
Attribution occurred as the Biden Administration, nearing the end of its term, issued an executive order to strengthen U.S. cybersecurity. Analysts hypothesize that the attacker sought to gather intelligence on Chinese individuals and organizations potentially subject to U.S. sanctions.
Israel Hits Iranian Bank and Crypto Exchange
Between June 17 and 18, 2025, the group Predatory Sparrow claimed responsibility on X and Telegram for attacks against Bank Sepah—linked to the Islamic Revolutionary Guard Corps (IRGC) and the military—and the Nobitex cryptocurrency exchange. The operation appears to be a pure act of sabotage.
The hacktivists, believed to be closely aligned with the Israeli government, accused Bank Sepah and Nobitex of helping Iran evade international sanctions and of funding terrorism and Iran's nuclear weapons program.
Pro-Russian DDoS and Cross Attacks Between Moscow and Kyiv
The war in Ukraine has frequently manifested in threats against the USA and NATO countries, which account for the majority of the hacktivist DDoS attacks (55% of such incidents) reported by ENISA.
For example, in February 2024, during one of the many waves of attacks claimed by pro-Russian collectives against Italy, dozens of financial targets were affected. On Telegram, groups like NoName057(16), People Cyber Army, 22C, and CyberDragon published lists of targets including the websites of the Guardia di Finanza, the Revenue Agency, the Electronic Invoicing PA portal, the Electronic Identity Card service, CONSOB, the Bank of Italy and several commercial banks, ANAC, the National Council for Economics and Labour, and the Ministry of Foreign Affairs and International Cooperation.
Since the start of Russia's full-scale invasion of Ukraine, Moscow and Kyiv have repeatedly attacked each other's financial infrastructure to undermine economic activity and operational continuity.
In December 2023, a large-scale destructive attack hit the telecom operator Kyivstar and, as a consequence, PrivatBank, Ukraine's largest state-owned bank: POS terminals, ATMs, and self-service terminals (TSO) that relied on Kyivstar SIMs for connectivity were temporarily out of service. The KillNet hacktivist group and Solntsepek (presumably linked to Sandworm) each independently claimed responsibility. Solntsepek stated it had destroyed over 10,000 computers and 4,000 servers, including enterprise cloud storage and backup systems.
In February 2025, Ukrainian Cyber Alliance hacktivists claimed an attack against CarMoney, a Russian microfinance company allegedly linked to President Putin’s ex-wife. The attackers reported destroying the entire infrastructure and exfiltrating several terabytes of data, including information on FSB’s 16th Center, associated with the APT group Energetic Bear.
In the same period, the FSB’s National Coordination Center for Cyber Incidents reported a breach at LANIT, Russia’s largest system integrator and an IT services provider for major entities including the Ministry of Defense and Rostec, the state-owned tech company.
TS-Intelligence
This report has been made thanks to TS-Intelligence, a proprietary, flexible, and customizable solution that provides organizations with a detailed risk landscape.
It is delivered as a web platform with a full API, so that it can be integrated into an organization's defensive systems and infrastructure to strengthen protection against complex cyber threats.
Continuous research and analysis of threat actors and emerging networked threats, in both the APT and cybercrime domains, produces an exclusive information flow that is made available to organizations in real time and processed into technical, strategic, and executive reports.
Learn more about our Intelligence services.