Article updated: this article was originally published in September 2025. It was substantially revised in March 2026 to reflect the current geopolitical environment, updated threat actor activity, and evolving resilience obligations for financial institutions.


Cyber Operations in Open Conflict


The character of conflict has changed.

Missiles still fly. Airspace still closes. Diplomacy still strains. But increasingly, the first signs of escalation are not visible in the sky — they are visible in network telemetry, payment queues, and anomalous authentication logs.

Periods of military tension involving multiple state actors across the Middle East, Eastern Europe and the Asia-Pacific have coincided with measurable increases in cyber activity targeting financial systems, energy infrastructure, and telecommunications providers. These digital campaigns are not rhetorical gestures. They are structured instruments of statecraft.

Financial infrastructure has become strategic terrain.


Financial Systems as Strategic Targets

Modern economies are interdependent. Payment rails, correspondent banking networks, securities settlement platforms, and real-time liquidity channels operate across jurisdictions. When geopolitical tensions rise, these systems become attractive pressure points — not because they are undefended, but because attacking them is low-cost, deniable, and disproportionately disruptive.

The 2016 breach of Bangladesh Bank, executed through the SWIFT ecosystem, remains a defining case study. Attackers attempted to move nearly $1 billion, ultimately extracting $101 million. The incident was not merely financial theft. It exposed structural weaknesses in global trust architecture — and demonstrated that a single access point in an interconnected settlement network could generate systemic shock far beyond the targeted institution. [1]

In today's environment, the scale and sophistication of state-aligned groups have expanded significantly. Threat actors publicly tracked as APT33 and APT34 — historically associated with Iranian state interests — have demonstrated sustained operational focus on financial, energy, and industrial sectors. Groups associated with North Korean and Russian intelligence ecosystems have targeted SWIFT endpoints, cryptocurrency exchanges, and defence-adjacent supply chains. [2]

The objective is rarely random disruption. It is calibrated signalling.


From Espionage to Economic Signalling

State-sponsored cyber activity in conflict environments generally falls into three operational categories. Understanding which category you are facing matters — because your response, your board escalation threshold, and your regulator's expectations will differ materially across each.

1. Intelligence Collection

Long-term network persistence to monitor capital flows, sanctions compliance patterns, counterparty exposure, and supply-chain dependencies. This category is the hardest to detect and the most strategically dangerous. Attackers are not trying to break anything. They are reading your mail.

2. Operational Disruption

Distributed denial-of-service campaigns, data integrity attacks, or payment platform interruptions designed to stress institutional resilience without triggering uncontrollable escalation. The goal is degradation, not destruction — enough pain to signal capability and intent, not enough to compel a kinetic response.

3. Strategic Deterrence

Demonstrating capability without fully deploying it. The legacy of Stuxnet — a joint US-Israeli operation that physically destroyed Iranian uranium centrifuges through software — permanently altered the escalation calculus of every capable state actor. The lesson taken: cyber tools can produce physical consequences, and the threshold is lower than anyone assumed. [3]

Incident tracking by the Carnegie Endowment for International Peace shows that financial-sector cyber events cluster measurably during periods of geopolitical crisis. This pattern is structural, not incidental. Practitioners should treat geopolitical threat intelligence as an input to cyber risk posture — not a separate domain. [4]


Regional Hubs: Interconnected Exposure

Regional financial centres — Dubai, Doha, Riyadh, Manama, Singapore — function as liquidity bridges between East and West. Their infrastructure underpins trade settlement, energy transactions, and cross-border capital allocation. Their neutrality does not eliminate their exposure. In tightly coupled systems, neutrality sometimes increases it.

When a regional banking system experiences disruption, the effects propagate:

  • Payment latency creates liquidity stress in correspondent banks.
  • Settlement failures trigger margin calls and collateral obligations.
  • Confidence shocks — even temporary ones — generate capital movement that amplifies volatility.
  • Regulatory scrutiny follows, compressing operational bandwidth precisely when it is most needed.

The IMF has repeatedly flagged the systemic implications of cyberattacks on financial infrastructure. In conflict-adjacent environments, those systemic risks do not simply increase linearly — they compound. [1]

On the record

"The question is not whether cyber operations will occur during periods of geopolitical strain. They will. The real question is whether governance, resilience engineering, and cross-border collaboration will mature quickly enough to absorb systemic shock without cascading failure."


Operational Resilience as Strategic Defence

Cybersecurity in financial services is no longer purely technical compliance. It is institutional defence posture. The gap between those two framings — compliance checkbox versus strategic capability — is where most institutions currently sit, and where the most consequential failures will occur.

A credible resilience framework across this threat environment requires:

Threat Intelligence Fusion

Real-time collaboration among financial institutions, regulators, and national cyber agencies. Contextual intelligence — geopolitical, economic, technological — must actively inform defensive prioritisation. Cyber threat teams that operate without access to geopolitical analysis are navigating with half a map.

Zero-Trust Architecture

Perimeter assumptions fail systematically in state-sponsored campaigns. Identity-centric controls, strict privilege management, microsegmentation, and continuous validation are not aspirational — they are the current operational baseline for any institution handling cross-border payments or sensitive government-adjacent data.

Payment Network Hardening

Post-2016 reforms improved SWIFT security governance materially. Concentration risk remains. Continuous red-team simulation across cross-border rails — including correspondent relationships and third-party payment processors — is essential. If you have not tested your payment network under adversarial conditions recently, you have not tested it.

Crisis Scenario Design

Institutions should build and regularly run scenarios combining:

  • Simultaneous DDoS and insider credential compromise
  • Supply-chain infiltration through a tier-two technology vendor
  • Sanctions-triggered cyber retaliation against correspondent partners
  • Data integrity attacks on ledger systems without visible ransomware

Resilience is measured not by prevention alone but by recovery time, confidence restoration, and the quality of regulator communication during an active incident.

Workforce Conditioning

The most sophisticated campaigns still enter through the most ordinary doors: credential harvesting, spear-phishing, and social engineering of individuals with privileged access. Technical controls without behavioural conditioning are an incomplete system.


Escalation Without Visibility

What makes cyber operations uniquely challenging in conflict environments is the absence of the visibility cues that normally trigger institutional response. Unlike a conventional attack, cyber escalation may manifest first as:

  • Data corruption that surfaces only during reconciliation cycles
  • Payment anomalies that resemble operational error rather than hostile interference
  • Firmware manipulation in industrial control systems adjacent to financial infrastructure
  • Temporary market volatility triggered by coordinated misinformation

The absence of visible damage does not imply the absence of impact. It may simply mean the dwell time is not yet over.
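The reconciliation cycle is where a silent integrity attack of the kind listed above first becomes observable, so it is worth showing what a concrete check looks like. The Python below is an added illustration, not code from the original article or from any institution it discusses: it chains SHA-256 hashes over a transfer journal so that an edited or deleted entry is detected without needing to know who edited it, and it reconciles the balances the journal implies against a posted balance table so that a balance altered with no matching journal entry surfaces as a break. The journal entries, account names, opening balances and posted balances are constructed sample data; the function names are this example's own.

```python
import hashlib
import json
from decimal import Decimal

# Constructed sample data: an append-only transfer journal and the opening
# balances it is applied to. Account names and amounts are illustrative only.
OPENING = {"NOSTRO-A": "1000000.00", "CLIENT-1": "0.00",
           "CLIENT-2": "0.00", "CLIENT-3": "0.00"}
JOURNAL = [
    {"id": 1, "from": "NOSTRO-A", "to": "CLIENT-1", "amount": "250000.00"},
    {"id": 2, "from": "CLIENT-1", "to": "CLIENT-2", "amount": "12500.50"},
    {"id": 3, "from": "NOSTRO-A", "to": "CLIENT-3", "amount": "99000.00"},
]
# Balance table as the core system posted it (constructed): one correct copy,
# and one where CLIENT-3 was raised with no corresponding journal entry.
POSTED_OK = {"NOSTRO-A": "651000.00", "CLIENT-1": "237499.50",
             "CLIENT-2": "12500.50", "CLIENT-3": "99000.00"}
POSTED_TAMPERED = dict(POSTED_OK, **{"CLIENT-3": "99900.00"})

GENESIS = "0" * 64  # hash the first journal entry is chained to


def entry_hash(entry, prev_hash):
    """Hash an entry together with its predecessor's hash (canonical JSON)."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def build_chain(journal):
    """Hash chain computed at write time and stored separately from the journal."""
    chain, prev = [], GENESIS
    for entry in journal:
        prev = entry_hash(entry, prev)
        chain.append(prev)
    return chain


def verify_chain(journal, chain):
    """Return the index of the first entry that no longer matches the stored
    chain (an edit, insertion or deletion), or None if the journal is intact."""
    prev = GENESIS
    for i, entry in enumerate(journal):
        prev = entry_hash(entry, prev)
        if i >= len(chain) or chain[i] != prev:
            return i
    if len(chain) > len(journal):
        return len(journal)  # entries were removed from the tail
    return None


def expected_balances(opening, journal):
    """Replay the journal over the opening balances using exact decimals."""
    balances = {acct: Decimal(v) for acct, v in opening.items()}
    for entry in journal:
        amount = Decimal(entry["amount"])
        balances[entry["from"]] = balances.get(entry["from"], Decimal(0)) - amount
        balances[entry["to"]] = balances.get(entry["to"], Decimal(0)) + amount
    return balances


def reconcile(opening, journal, posted):
    """Compare journal-implied balances with the posted balance table.
    Returns {account: (expected, posted)} for every account that breaks;
    an empty dict means the two views agree."""
    expected = expected_balances(opening, journal)
    breaks = {}
    for acct in set(expected) | set(posted):
        exp = expected.get(acct, Decimal(0))
        post = Decimal(posted.get(acct, "0"))
        if exp != post:
            breaks[acct] = (exp, post)
    return breaks


def run_demo():
    """Exercise both checks and return a compact summary of what they found."""
    chain = build_chain(JOURNAL)
    edited = [dict(e) for e in JOURNAL]
    edited[1]["amount"] = "125000.50"  # silent in-place edit of entry id 2
    return {
        "clean_journal_first_bad_index": verify_chain(JOURNAL, chain),
        "edited_journal_first_bad_index": verify_chain(edited, chain),
        "clean_breaks": {k: str(v[1]) for k, v in reconcile(OPENING, JOURNAL, POSTED_OK).items()},
        "tampered_breaks": {k: (str(v[0]), str(v[1]))
                            for k, v in reconcile(OPENING, JOURNAL, POSTED_TAMPERED).items()},
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two points of design matter for the failure mode described above. The chain is stored apart from the journal it protects, so an actor who can rewrite ledger rows still has to rewrite a second store to stay invisible; and the reconciliation replays every transfer rather than comparing totals, so an adjustment that nets to zero across accounts still shows up as a break on each account it touched. Neither check needs attribution to fire, which is the property the next paragraph argues for.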

Attribution can be contested indefinitely. Escalation thresholds remain undefined in international law. Responses are asymmetric by design. These are not arguments for passivity — they are arguments for building internal detection and response capability that does not depend on definitive attribution to trigger action.


The Governance Imperative

For individuals, the consequences of cyber conflict typically appear as transaction delays, market fluctuations, or temporary service outages. Inconvenient. Recoverable. For institutions, the stakes are structurally different: trust, solvency perception, regulatory standing, and the integrity of the systems on which clients depend.

Boards and executive committees should be integrating cyber conflict scenarios into capital adequacy discussions, stress testing exercises, and recovery planning — not treating them as a technical annex to the CISO's quarterly report. The regulators — DORA in Europe, FFIEC CAT in the US, and emerging frameworks across the Gulf and APAC — are converging on exactly this expectation.

Operational resilience frameworks must evolve from compliance checklists to strategic doctrine. The institutions that survive the next wave of geopolitically motivated cyber activity will not be those with the most sophisticated tools. They will be those where governance, culture, and technical capability function as a coherent system.

Trust is the currency beneath currency.


Editorial Note

This article was originally published in September 2025 under the title State-Sponsored Cyber Espionage. It has been substantially revised and retitled in March 2026 to reflect the current geopolitical environment, including heightened tensions across multiple theatres, updated threat actor activity patterns, and evolving resilience obligations under frameworks including DORA and FFIEC CAT. The original URL and canonical link have been preserved. The core thesis — that financial infrastructure is strategic terrain — is unchanged. The urgency has increased.

Behind every data point in this analysis are people — families fractured, livelihoods upended, futures interrupted. My thoughts are with all those who have lost someone, and with those still waiting for the noise to stop. Conflicts of this kind do not resolve on spreadsheets. I hope for an early, just, and lasting peace.

The analysis presented is geopolitically neutral. No attribution, endorsement, or political position regarding any state actor or conflict is expressed or implied. The purpose is practitioner-relevant risk intelligence, not commentary.

References
  1. IMF — The Global Cyber Threat to Financial Systems, Maurer & Nelson, Finance & Development, 2021. imf.org
  2. CISA — Advisories and operational guidance on state-sponsored threat actor activity. cisa.gov
  3. Kim Zetter — Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, Crown, 2014. The definitive account of how cyber tools crossed the physical-consequences threshold.
  4. Carnegie Endowment for International Peace — Financial Cyber Incidents Timeline. carnegieendowment.org

Collaboration welcome: corrections, counterexamples, and build ideas — grcguy@rtapulse.com.

