Mainframe Blog

Are Mainframes Your Weakest Link?

3 minute read
Christopher Perry


The information security market has grown tremendously over the past two decades as major cyber attacks have resulted in over ten billion dollars in damages1, revealed millions of personally identifiable information2, and new legislation begins fining companies for failure to take appropriate measures3. Yet, the vast majority of defensive systems are designed solely for distributed platforms and fully ignore the mainframes which run the vast majority of the world’s financial transactions and maintain the bank’s most sensitive data.

“But the mainframe is the most secure platform, it has never been hacked!”

I’ve heard this line repeatedly since I’ve entered the mainframe market. The mainframe has earned years of security through obscurity because the original hacker culture simply lacked access to the prohibitively expensive system to break and pen test. Today, the cost of access for nation state sponsored Advanced Persistent Threats (APTs), ubiquity of z/Linux, and access to a virtualized z/OS platform have lowered the barrier to entry for malicious actors and necessitate companies begin protecting the backbone of the IT infrastructure.

Two companies learned this lesson the hard way when a small group of hackers, led by the Pirate Bay co-founder Gottfrid Svartholm Warg, broke into their IBM mainframes and made transfers of up to $858,500.4 Both the Swedish Nordea Bank and Logica, a Swedish IT firm that provides tax services to the Swedish government were compromised by the four suspects who leveraged two 0Day exploits that they developed themselves using a z/OS virtual machine. Both Windows and Unix operating systems have heavily paid teams of researchers looking for vulnerabilities in their operating systems which increases the overall security posture as bugs are found and patched.

How many researchers are currently attacking the z/OS operating system?

What does that say for the likelihood that further bugs exist that have yet to be discovered?

One of these researchers, Phil Young, gave a tremendous talk on this hacking operation and explained that the hackers were quickly able to:

  • Escalate their privileges from a normal user to an administrator/super user with z/OS special and operations access
  • Modify the Authorized Program Facility (APF) to give themselves persistence to the machine
  • Upload programs and scripts both in REXX and C to extend their toolset
  • Read Personally Identifiable Information (PII) stored in their datasets and exfiltrate the files off the mainframe
  • Transfer money to external accounts

Within a few hours, the hackers had full control of the victim mainframe and all the data it controlled. At this point, the hackers had the full capability to encrypt and destroy the company’s most vital information which would have left a devastating impact on the company as they scrambled to recover their tape files. The only way to effectively manage and stop attacks like this is to use tools like BMC AMI Security to have real time notification and monitoring of mainframe events aggregated into the enterprise SIEM where security analysts can immediately spot unauthorized users escalating privileges, access to the mainframe’s most sensitive files, and modification of the APF.

Luckily, the aftermath only cost them around $700,000 to conduct their incident response and investigation as the hacker’s greed in transferring over $800,000 in raised enough audit red flags that the company could catch them before further damage could be done. The Companies were additionally lucky that they managed to avoid the ever-growing trend of compliance regulations like GDPR which would have levied significant fines for the loss of such sensitive user PII.

The time to prevent stories like this from being about your organization is now. Treat your mainframes like the crown jewels of your IT infrastructure that they are and include them in your security architecture like your distributed systems while training your security analysts on indicators of compromise before you are in the headlines.

For more information on how to protect your mainframe from malicious breaches, download 11 Guidelines for Minimizing Vulnerability for IBM z/OS while Improving Compliance today.

1 https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/

2 https://arstechnica.com/information-technology/2018/05/equifax-breach-exposed-millions-of-drivers-licenses-phone-numbers-emails/

3 https://blogs.dlapiper.com/privacymatters/germany-first-data-protection-authority-issues-gdpr-fine/

4 https://www.pcworld.com/article/2034733/pirate-bay-cofounder-charged-with-hacking-ibm-mainframes-stealing-money.html

11 Guidelines for Minimizing Vulnerability for IBM z/OS while Improving Compliance

Prevent mainframe data breaches with these 11 guidelines
Download the white paper ›

These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.

See an error or have a suggestion? Please let us know by emailing blogs@bmc.com.

BMC Bring the A-Game

From core to cloud to edge, BMC delivers the software and services that enable nearly 10,000 global customers, including 84% of the Forbes Global 100, to thrive in their ongoing evolution to an Autonomous Digital Enterprise.
Learn more about BMC ›

About the author

Christopher Perry

Christopher Perry is the Lead Product Manager for BMC AMI Security. Prior to BMC, he served in the US Army in several cyber security roles including Expeditionary Cyber Company Commander, Technical Advisor to the Commanding General of Army Cyber Command, and Cyber Training Officer. He is a graduate of United States Military Academy and holds several certifications including Offensive Security Certified Professional + Expert (OSCP / OSCE), Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), GIAC Penetration Tester (GPEN), GIAC Certified Intrusion Analyst (GCIA), and GIAC Certified Forensic Analyst (GCFA).