
Sberbank (information security)

The article is devoted to Sberbank's fight against fraudsters and cybercriminals.



2020: The "most powerful" DDoS attack in the bank's history is recorded

Sberbank recorded "the most powerful" DDoS attack in its history. It was successfully repelled, Stanislav Kuznetsov, vice-chairman of the bank, said on January 21, 2020.

On January 2, 2020 Sberbank faced an unprecedented DDoS attack that was 30 times more powerful than the most powerful attack in the entire history of Sberbank. The attack was carried out using autonomous IoT devices, RIA Novosti quotes him as saying.


According to Kuznetsov, there are three times more autonomous Internet of Things devices than people on the planet, and by 2025 the difference will be fivefold.

It is noted that the attack had no consequences and was repelled automatically. Sberbank immediately reported the attack to law enforcement agencies and handed over all the necessary information.

Not every company in the Russian Federation, or even in the world, could repel such attacks, Kuznetsov claims. An increase in cyberattacks may become a trend in 2020, he believes.

Kuznetsov said that the number of hacker attacks on Sberbank grew by 15–20% in 2019; the bank records 280–300 attempted attacks on its systems per day. The purpose of many of them was to take control of the bank's systems.

According to the deputy chairman of Sberbank, the attack showed that cybercrime is moving to a new level and continues to gain momentum, while the use of 5G technology threatens a new level of risk in DDoS attacks.

"We detect and block all of them. In addition, it should be noted that mass malicious mailings are still popular: about 50% of the letters our employees receive are spam, including phishing attempts," he reported.

As the Sberbank representative recalled, the bank had earlier predicted that losses from cybercrime in 2019 could exceed 2.5 trillion rubles.

"On the whole, our forecast came true," Stanislav Kuznetsov emphasized.[1]


Charges are brought against hackers who stole more than 10 million rubles from ATMs of Sberbank and Vozrozhdeniye bank

On December 13, 2019 it became known that the Investigative Committee of Russia (SK) had charged two hackers with robbing banks by breaking into ATMs. In their "work" the criminals used specialized software that literally forced ATMs to dispense money.

The Investigative Committee does not disclose the geography of the group's activity or even the approximate time of its formation. It is known only that in 2018 the hackers robbed ATMs in different districts of the Moscow region. The total "earnings" exceeded 10 million rubles.

Both criminals were charged under points 3 and 4 of Article 154 of the Criminal Code of Russia (theft of money by an organized group on a large and especially large scale, and attempted theft). Violation of point 3 is punishable by a fine of 100 to 500 thousand rubles or in the amount of the convicted person's income for a period of up to three years. It may also carry forced labor for up to five years with restriction of freedom for up to one and a half years. The maximum punishment for this violation is imprisonment for up to six years together with a fine of 80 thousand rubles.

SK charged only two members of the hacker group with violating Article 154 of the Criminal Code of the Russian Federation; their total number was not known as of December 13, 2019. According to the agency, one of the hackers is being held by law enforcement agencies of another country for similar crimes.

The Investigative Committee does not name the country where the detention took place, nor how it managed to establish the connection between this criminal and those arrested for ATM robberies in the Moscow region, but it will seek his extradition for criminal prosecution in Russia.

According to SK, the hackers, whose names and ages the agency does not disclose, were extremely selective in their choice of ATMs. They broke only into ATMs of Sberbank and Vozrozhdeniye bank; the investigation does not report whether the criminals attempted to rob ATMs of other financial institutions.

It is also unknown what these restrictions were connected with; it is possible that the software they used could work only with ATMs of Vozrozhdeniye and Sberbank[2].

2.5 million complaints about telephone fraud in a year

In recent years social engineering has displaced all other types of cyberfraud. Sberbank alone received 2.5 million complaints about telephone fraud (calls made under the guise of a bank security service) in 2019. Compared with 2017 this is a 15-fold increase, and many cases simply remain unknown because clients did not report them to the bank. Fraudsters have already acquired personal consultants who analyze the banks' countermeasures. In 2019 Sberbank also counted the unique phone numbers from which the attackers call: there were 170 thousand of them.

Data of Sberbank clients are offered for sale. The database contains one million lines

On October 23, 2019 it became known about a data leak of Sberbank clients. On one of the shadow resources a seller is offering a database of borrowers with one million lines, accumulated since 2015. In addition to the standard information, buyers are offered a recording of the client's last conversation with the call center.

According to Kommersant, the sale announcement says that the database contains about one million lines with personal information (passport, registration, residential addresses, phone numbers, accounts, the remaining balance or debt) of Sberbank clients who have loans or credit cards.

A new batch of Sberbank client data appeared on the black market

According to the seller, the audio recordings of conversations with the call center are exported "from a workplace", i.e. in the daytime. However, the seller admitted that he acts as a reseller and sells one line for 30 rubles. The database contains data from 10 territorial Sberbank branches (there are 11 in total), Kommersant journalists found out.

It was noted that the information is sold in any volume, and the buyer can even name the criteria of interest by which the selection will be made. The seller also explained in a conversation with the newspaper that this database has been compiled since 2015 and is updated weekly.

The database may be real, and the information looks fairly fresh, says Ashot Oganesyan, founder and technical director of DeviceLock.

"Given that the seller announced the possibility of obtaining audio recordings of conversations, the data may have leaked from an external call center that handles work with debtors," Oganesyan believes.[3]

A source close to Sberbank told RBC that this is data from an old database and that unknown persons are conducting an information attack on the bank.

The Sberbank press service denied the information about a new leak of client data, TASS reports.

"We do not comment on information that falls into the category of rumors and conjecture," the press service said.

Sberbank found the person responsible for the leak of client data

On October 5, 2019 Sberbank published on its website a message about the completion of an internal investigation to identify the channel through which credit card account data of clients leaked; as a result, the person who stole the data was identified. It was a bank employee born in 1991, the head of a sector in one of Sberbank's business divisions, who had access to the databases in the course of his official duties. He tried to steal the account data for personal gain, Sberbank found.

Sberbank identified the employee who stole credit card account data of 200 clients.

Earlier it was reported that the criminal allegedly possessed a database of 60 million accounts. The attacker even showed a fragment of the database containing data on 200 clients of the Ural territorial bank of Sberbank. As a result, personal information of cardholders, such as the limits of issued credit cards, the date of the next payment and so on, appeared on the Internet.

Sberbank acknowledges the leak of data of at least 200 clients. In the statement of October 5, German Gref, president and chairman of the board of Sberbank, called the information about 60 million accounts "information noise", specifying that in total, as of October 2019, Sberbank has 18 million clients with credit cards.

According to the published information, the bank's security service conducted the internal investigation in cooperation with law enforcement agencies. The financial organization worked through several versions of the incident. An employee with special administrator rights could have gained access to the database. It was also not ruled out that a computer could have been physically disassembled and the hard drive with the data removed. In addition, the security service assumed that the employee could simply have photographed the monitor screen showing the information he needed.[4]

As a result, the necessary evidence of the crime was collected and documented. The employee who committed the crime has already confessed, and law enforcement officials are carrying out procedural actions with him.

Overall, as of October 5 there is no threat of a leak of client data (other than the credit card data of 200 bank clients, which was announced in the bank's press release of October 3), Sberbank assured. The credit institution also emphasized that at no point was there a threat to the safety of clients' funds.

"On my own behalf and on behalf of the entire Sberbank team, I want to once again offer deep apologies to our 200 clients for what happened and to all our clients for the anxiety caused. We have drawn serious conclusions and are radically strengthening control over bank employees' access to our systems in order to minimize the influence of the human factor. I want to thank all our clients for their faith and trust in us, as well as the bank's security service specialists, our subsidiary "Bizon" and law enforcement agencies for the precise and well-coordinated work that made it possible to solve the crime within a few hours," said German Gref, president and chairman of the board of Sberbank.

A database of Sberbank clients leaked onto the Internet

On October 3, 2019 it became known that a database of Sberbank clients containing information on several tens of millions of credit card holders had leaked onto the Internet. The sale announcement appeared on the Russian Internet in the last days of September 2019 and was discovered by Ashot Oganesyan, founder of the data protection company DeviceLock. According to the experts who studied the data, the leak is the largest in the Russian banking sector.

According to Kommersant, the theft could have occurred at the end of August 2019. The announcement was posted on one of the Russian-language forums blocked by Roskomnadzor. According to the person who published it, the database on offer contains data on 60 million clients. As a trial sample, the attacker offers a small fragment of this database: details of 200 bank clients from different cities served by the Ural territorial bank of Sberbank.

The database offered for sale contains detailed personal data of credit card holders, including full name, passport data, and all information on the client's credit cards and transactions on them, including the credit limit and the unused limit. The seller claims that the whole database consists of 11 parts, matching the number of Sberbank's territorial banks. The price is 5 rubles per line.

Compromised personal information of millions of Sberbank cardholders. Source: Telegram channel Bankst

Kommersant verified the authenticity of the information: correspondents asked the seller to find their data in the database, and he provided the requested information, which matched the real data.

Sberbank reported that it learned of a possible large data leak on the evening of October 2, 2019. It initiated an internal investigation, the results of which will be reported separately.

Specialists of the financial institution put forward the main version of the incident: they assume that the theft of client information was the result of a deliberate crime committed by one or several bank employees. Sberbank representatives claim that penetration into the database from outside is simply impossible because of its "isolation from the external network".

The bank also assured that the information stolen by unknown persons does not threaten the safety of clients' funds because it does not contain CVV codes. In addition, a card-not-present transaction at Sberbank requires confirmation with a one-time SMS password sent to the cardholder's phone.

According to DeviceLock head Ashot Oganesyan, specialists of his company analyzed about 240 records from the database and concluded that they are authentic. The experts noted that the data offered for sale may be a saved partial or complete copy of the database of Way4, the processing platform that Sberbank has used for nearly 10 years.

An unnamed Kommersant source close to the Central Bank is also confident that the database is authentic. The source called the file with 200 lines of data offered by the seller an "export from the database" of Sberbank. "The data may be from the data warehouse of all systems; all client information is stored there. A leak of the database from any of the partners seems improbable, judging by the set and amount of data," the newspaper's source noted.

Ashot Oganesyan said that such a large leak will affect the entire banking industry. According to him, the Central Bank of Russia, Roskomnadzor and possibly law enforcement agencies will investigate the incident. The involvement of foreign regulators is also not ruled out: for example, if the stolen database contains information about EU citizens, Sberbank will have to notify the European Commission of the incident under the General Data Protection Regulation (GDPR), the EU regulation that became effective in May 2018.

Roskomnadzor will check the information on a possible violation of the Russian law on personal data "within its competence". "Response measures will be taken once signs of violations are established," the agency reported.

According to CNews, as of October 2019 the authenticity of the data in the leaked database had already been confirmed by some bank employees whose email addresses and names were on the list. Confirmation also came from a representative of one of the third parties connected with the bank's information security.[5]

Ban on employees photographing computer screens

On June 24, 2019 it became known that large banks in Russia had prohibited employees from photographing computer screens with personal mobile phones. According to RBC, the restrictions were introduced at Sberbank, Unicredit, Otkrytiye bank and VTB.


90 DDoS attacks repelled in a year

In 2018 Sberbank repelled 90 DDoS attacks, 25 of which were high-power. The credit institution reported this on December 25 in the report "Bank trends — 2018".

It follows from the report that the number of DDoS attacks on Sberbank's systems grew one and a half times compared with 2017. Every week the bank receives on average 14.5 thousand emails with malicious attachments and has five phishing sites de-delegated (blocked). During 2018 Sberbank recorded on average one or two DDoS attacks a week. Such attacks are external impacts on an organization's systems that lead to overload. Ultimately they can bring the organization's IT infrastructure to a halt.

Data on cyberattacks on Sberbank

Despite such intensity of threats, Sberbank's banking systems and services were never put out of action by attackers, the report says.

It is also reported that about 5% of all cyberattacks in Russia target Sberbank's systems. The bank reached this conclusion on the basis of data for the first quarter of 2018.

According to Qrator Labs (a company specializing in countering DDoS attacks and ensuring the availability of Internet resources), the number of DDoS attacks on banks worldwide in 2018 grew 1.9 times compared with the previous year.

Cyberattacks on banks are becoming more frequent against the background of the growing popularity of mobile banking. By December 2018 the active audience of the "Sberbank Online" mobile application exceeded 40 million people. Over a year (from October 2017 to October 2018) the growth was 47%. These figures correspond to high rates for large foreign retail banks, Sberbank notes.

More than 60% of active users of digital channels (SMS, the website, the application), nearly 25 million people, mostly use only the smartphone application and hardly ever visit the traditional web version.

6 large cyberattacks in 2 days

According to a message of November 30, 2018, Sberbank underwent a series of six hacker attacks over the preceding two days. The DDoS attacks were carried out using spoofing from at least 100 servers in six countries. The bank's systems were not affected.

"What has been happening over the last several days has caused us some concern. Yesterday and the day before yesterday Sberbank's resources were attacked at least six times. The total duration of these DDoS attacks was at least 1.5 hours. One of the attacks lasted about 27 minutes. It was an attack of unprecedented duration, carried out using the latest technologies, using satellite technology and concealment of source addresses. By our estimates it was carried out very professionally; during this attack the attackers actively probed the level of our protection. These attacks did not affect the bank's resources. With high probability they were carried out from abroad. And from the materials we have, it is clear that the attacks came from more than 100 servers located in six countries. Sberbank's protection and technologies make it possible to repel attacks of this sort successfully. If such attacks had been carried out on the servers of another company, the consequences could have been considerable."
Stanislav Kuznetsov, the deputy chairman of Sberbank[6]

Sberbank saved 32 billion rubles of clients' funds from cyberfraudsters

On November 29, 2018 it became known that Sberbank had summed up the preliminary results of 2018 in the field of cybersecurity. According to the company, Sberbank saved 32 billion rubles of clients' funds from cyberfraudsters. As of November 2018 social engineering had become the most widespread type of cyberfraud: this method of gaining unauthorized access to information by exploiting human weaknesses accounted for more than 80% of the cases recorded by Sberbank in 2018. Of all social engineering cases as of November 2018, 86% were "self-transfers" of money made under the influence of fraudsters.

The most typical case of "self-transfers" as of November 2018 is fraud on free classified-ad sites. The client posts an ad on the site, a potential "buyer" calls, and during the call the client himself gives him the bank card details, often even providing SMS passwords so that the attacker can carry out any transactions in the client's name.

Since the beginning of 2018 Sberbank has saved 32 billion rubles of clients' funds from cyberfraudsters using a fraud monitoring system based on artificial intelligence. As of November 2018 the fraud monitoring system analyzes more than 150 million transactions a day and blocks suspicious ones.

Sberbank's cyber defense center processes more than 3 billion events daily, several thousand of which are related to malicious software. On average in 2018 Sberbank recorded 1-2 DDoS attacks on its systems every week. In total since the beginning of 2018 the bank has repelled 62 DDoS attacks, 25 of them high-power, which is 1.5 times more than the same indicator for 2017. The work of the cyber defense center resulted in the uninterrupted operation of banking systems and services under DDoS attacks and uninterrupted customer service.

On average, as of November 2018, Sberbank has about 5 phishing sites de-delegated per week, and per quarter the bank's security systems record about 190 thousand attempts to send emails containing malicious attachments and phishing to bank employees.[7]

"Cybercriminals more often break not an IT system but a person, so people need to know the rules of cybersecurity and follow them as a matter of habit."

Stanislav Kuznetsov, vice chairman of the board of Sberbank

Data of 420 thousand Sberbank employees appeared in open access

On October 29, 2018 it became known about a data leak of 421 thousand Sberbank staff. A 47 MB text file containing the employees' full names and their logins for signing in to the operating system (which often match their email addresses) appeared on a specialized forum.

The database, posted by an unknown user, is available free of charge, Kommersant reports. A Sberbank employee and a representative of a third party connected with the bank's information security confirmed the authenticity of the database to the newspaper.

The address directory of Sberbank staff was posted on the Internet

The database also contains data on staff of Sberbank subsidiaries, including foreign ones, and on some already dismissed employees. To confirm the authenticity of the data, the newspaper compared the email addresses of some non-public Sberbank managers with its own database. The database also includes three email addresses of the bank's president, German Gref. It is noted that the database is current as of August 1, 2018.

Sberbank assured that the data leak poses no threat to clients or automated systems, and that the address directory is available to all employees. The press service did not comment on the cause of the leak. According to the newspaper's sources, "malicious actions by a current or former employee are most probable".

German Gref is also aware of the problem, a Kommersant source at the bank said. According to the source, the president of Sberbank has already expressed displeasure. The newspaper's sources claim that the document was most likely published by a Sberbank employee, current or former.[8]

Leaks happen often: both companies and entire government agencies are subject to them, says Vladislav Tushkanov, web analyst at Kaspersky Lab.

"For a business this can mean reputational losses; leaks also pose a direct threat to those whose data end up in open access," he said in a conversation with RIA Novosti.[9]

Dr.Web: More than 78 million rubles of Sberbank clients' funds under threat

In April 2018 analysts of Doctor Web recorded the spread of the Android.BankBot.358.origin Trojan, which targets Sberbank clients. This malware steals bank card information, withdraws money from accounts, and also locks infected devices and demands a ransom. The damage that Android.BankBot.358.origin can cause exceeds 78 million rubles[10].

Android.BankBot.358.origin has been known to Doctor Web since the end of 2015. Virus analysts established that the new modifications of Android.BankBot.358.origin are designed to attack Russian clients of Sberbank and have already infected more than 60 thousand mobile devices. However, since the virus writers distribute many different versions of this malware, the number of victims may increase considerably. The total amount of funds that attackers are able to steal from the bank accounts of owners of infected devices exceeds 78 million rubles. In addition, cybercriminals can steal more than 2.7 million rubles from mobile phone accounts.

This banking Trojan spreads through fraudulent SMS messages, which can be sent both by the cybercriminals and by the malware itself. Most often the messages are sent in the name of a user of the service. In such an SMS the potential victim is invited to follow a link, supposedly to view a reply to their ad. For example, the text "Good afternoon, interested in an exchange?" is popular. In addition, owners of mobile devices sometimes receive fake notifications about loans, mobile transfers and money credited to a bank account.

After following the link in such a message, the victim lands on a website belonging to the attackers, from which the malware's apk file is downloaded to the mobile device. To be more convincing, the virus writers give Android.BankBot.358.origin the icon of the real Avito application, which increases the likelihood that the Trojan is installed after it is downloaded. Some modifications of the banker may spread under the guise of other programs, for example software for working with the Visa and Western Union payment systems.

The Sberbank press service quickly reacted to Doctor Web's report and sent a message to media editorial offices stating that the bank's specialists have long known of the described malware, and that the Sberbank Online application with its built-in antivirus is able to protect mobile devices from such attacks.


Sberbank's cybersecurity command center received a certificate of conformity to the international standard

On December 13, 2017 Sberbank became the first bank in Russia whose cybersecurity command center is certified by the British Standards Institute (BSI) for compliance with the international standard ISO/IEC 27001:2013.

Cybersecurity command center of Sberbank (2017)

The ISO/IEC 27001:2013 standard[11] defines requirements for establishing, implementing, maintaining and continually improving an organization's information security management system. It also includes requirements for the assessment and treatment of information security risks, adapted to the needs of the organization. The standard is developed by the International Organization for Standardization (ISO); the British Standards Institute (BSI) acts as one of the accredited certification bodies.

For more detail on the project, see: IBM will create Information Security Center for Sberbank.

Sberbank assembled an army of a thousand cybersecurity specialists and continues to "vacuum" the market

In 2017 Sberbank significantly increased the number of its information security (IS) specialists, and as of November about 1200 such employees work at the bank, Sergey Lebed, head of Sberbank's cybersecurity service, told TAdviser. Besides Moscow, the bank's cybersecurity service is present in five cities.

According to Sergey Lebed, the service is going to be expanded further. He preferred not to give exact figures on the existing and planned growth in cybersecurity staff, but indicated that turnover at Sberbank is approximately 100 specialists a year. Some people "grow" and move to other divisions, Lebed notes.

Sergey Lebed notes a staff shortage in the cybersecurity market

The head of Sberbank's cybersecurity service noted that the cybersecurity market has a serious personnel problem: a shortage of cybersecurity specialists. He sees its roots in the low level of professional training at Russian universities: "security people are not taught IT, and IT people are not taught security".

"In our understanding, a cybersecurity specialist is an expert in IT. And not only are there no experts graduating from university, but the security specialist is also very far from information technology. And this problem is a general one, for both Sberbank and other companies. It is a national problem, and something needs to be done about it, the education system needs to change," Lebed said.

He added that during a recent meeting with colleagues from Innopolis, who are also engaged in cybersecurity training, it emerged that they had purchased programs from international universities for "very big money".

"It is the right commercial move in terms of quick effect, but can we really not develop these courses ourselves, does a country that, by the world's account, has the best hackers really lack the competences for this?" the Sberbank representative asks.

Sergey Lebed named as one factor in the current situation the fact that good cybersecurity specialists seldom stay at universities as teachers because of low salaries.

Solar Security CEO Igor Lyapunov considers Sberbank a "vacuum cleaner" of cybersecurity personnel: many Solar Security employees regularly receive offers with salaries increased several times over. Given the existing shortage of cybersecurity staff on the market and the large number of open vacancies at Sberbank, such headhunting can aggravate the problem for other companies in the market.

Sergey Lebed explains that Sberbank works with universities on cybersecurity training: as of fall 2017 it has partnerships with 7 universities. But if universities do not supply enough personnel, the bank solves the problem "the commercial way". Sberbank needs ready personnel who are prepared to solve problems, the bank representative says. At the same time Sberbank is ready to train them and invest in them, but not for five years, Lebed noted.

Artificial intelligence helped Sberbank of the Russian Federation uncover a scheme for stealing money from ATMs

Specialists of Sberbank of the Russian Federation, by applying artificial intelligence in the fraud monitoring system, managed to identify a method attackers used to break into ATMs and to build protection against the hackers' actions. Stanislav Kuznetsov, vice chairman of the board of the financial institution, reported this in June 2017.

"We recorded it for the first time using artificial intelligence technology. The fraudster inserts a card and requests a certain amount, and the ATM begins to count the money. While it moves the money to the dispenser inside, the ATM should return the card. The fraudster holds the card, and it gets stuck in the reader. The money is already in the dispensing device, and in our ATMs it was previously possible to take this amount out. As a result the criminal had the money and also had the card in his hands," Kuznetsov explained.

In this case the ATM did not record the cash being dispensed, and no debit from the account took place.

No trace could be found of the attackers carrying out such thefts, which were recorded in Moscow and St. Petersburg. As Kuznetsov explained, the fraud monitoring software made it possible to see "deviations between the volume of cash loaded and the cash collected from the ATM, and to compare the difference with the transactions made on the device". According to him, the artificial intelligence technology in this system, which allows cardholder behavior to be analyzed most effectively, made it possible in March of this year to identify the theft technique and develop countermeasures. Based on the data, information on where and when these cards were used, at what addresses and so on became available to specialists.[12]

In July Sberbank is going to launch the fraud monitoring system on all self-service devices.
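The reconciliation Kuznetsov describes, comparing cash loaded against cash collected and against the transactions made on the device, can be sketched as follows. This is an added example, not Sberbank's system; the record layout, field names and sample figures are constructed, and dispense-only ATMs are assumed.

```python
from collections import defaultdict

# Constructed sample data, not from the article. Dispense-only ATMs assumed.
# One cash cycle per ATM: rubles loaded at replenishment, rubles found at collection.
CYCLES = {
    "ATM-001": {"loaded": 2_000_000, "collected": 1_400_000},
    "ATM-002": {"loaded": 1_500_000, "collected": 1_180_000},
}

# Constructed journal rows: (atm, session, requested, debited, card_return).
# card_return "timeout" = the card was not taken back in time at the return step.
JOURNAL = [
    ("ATM-001", "s1", 100_000, True, "taken"),
    ("ATM-001", "s2", 250_000, True, "taken"),
    ("ATM-001", "s3", 40_000, False, "timeout"),
    ("ATM-001", "s4", 150_000, True, "taken"),
    ("ATM-001", "s5", 60_000, False, "timeout"),
    ("ATM-001", "s6", 30_000, False, "taken"),  # declined request, card returned normally
    ("ATM-002", "s7", 200_000, True, "taken"),
    ("ATM-002", "s8", 120_000, True, "taken"),
]


def reconcile(cycles, journal, tolerance=0):
    """Return {atm: finding} for ATMs whose cash outflow exceeds journaled debits."""
    debited = defaultdict(int)
    undebited_timeouts = defaultdict(list)
    for atm, session, amount, was_debited, card_return in journal:
        if was_debited:
            debited[atm] += amount
        elif card_return == "timeout":
            # Cash was requested, no debit was booked, and the card stalled
            # at the return step: the pattern described in the article.
            undebited_timeouts[atm].append((session, amount))

    findings = {}
    for atm, cash in cycles.items():
        left_machine = cash["loaded"] - cash["collected"]
        shortfall = left_machine - debited[atm]
        if shortfall <= tolerance:
            continue
        suspects = undebited_timeouts[atm]
        findings[atm] = {
            "shortfall": shortfall,
            "suspect_sessions": [s for s, _ in suspects],
            # True when the suspect sessions account for the whole gap.
            "explained": sum(a for _, a in suspects) == shortfall,
        }
    return findings


if __name__ == "__main__":
    for atm, finding in reconcile(CYCLES, JOURNAL).items():
        print(atm, finding)
```

A gap that the suspect sessions do not fully explain still warrants review, since it may point to a counting error or a different loss path.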

Deputy chairman of Sberbank: The state took no interest in our weapon against WannaCry, while abroad we were applauded

Stanislav Kuznetsov, deputy chairman of the board of Sberbank, presenting the bank's cybersecurity team at the St. Petersburg International Economic Forum (SPIEF) in May 2017, criticized the state's reaction to the attack on Russian organizations by the WannaCry ransomware virus and the attitude of officials toward cybersecurity in general.

A large-scale cyberattack using the WannaCry virus took place earlier in May and affected more than 70 countries; in a number of them, computers of government departments and large companies were attacked. According to Kaspersky Lab, Russia suffered the most infections. The organizations whose computers were hit included Sberbank, MegaFon, the Ministry of Internal Affairs, the Ministry of Health, Russian Railways and the Ministry of Emergency Situations.

Stanislav Kuznetsov considers that the state did not pay enough attention to the problem of the WannaCry attack

Stanislav Kuznetsov said that Sberbank was among the first to see the situation, literally within minutes, and the bank's specialists instantly understood what the problem was. According to him, within several hours they created a utility that makes it possible to remotely detect the presence of this virus in any company and to stop its spread.

We offered help to all who were targeted, and helped the organizations free of charge. However, this utility did not attract the interest of state institutions, though abroad we were applauded because we made it, and quickly enough, - the deputy chairman of the board of Sberbank said.

Kuznetsov asks why there has been no discussion in Russia about what serious conclusions need to be drawn from this attack.

No government official brought us together, discussed this problem, understood what reasons led to it, or wished to look for ways out of this situation, - he complained.

According to Kuznetsov, cybersecurity risks are generally underestimated in Russia, while Russia is "target number one for all hackers".

Russian cybersecurity legislation should be changed, the deputy chairman of the board of Sberbank believes. He noted that a year ago at SPIEF there was a discussion that a package of legislative initiatives in this area needs to be adopted urgently, but since then there have been only small attempts to change something, and the laws have not been adopted. The bills introduced by the FSB and other departments amount to scraps against the background of what the country needs.

According to Stanislav Kuznetsov, state institutions are today incapable of managing billions of cyber risks on their own, and all large corporations from all industries need to be brought in for effective protection.


Sberbank repelled 74 DDoS attacks in 2016

Sberbank recorded 74 DDoS attacks on its systems in 2016. Stanislav Kuznetsov, deputy chairman of the board of Sberbank, reported this at the end of the year.

According to Kuznetsov, large attacks on the bank occur weekly or once every 10 days. In December hackers attacked Sberbank 6 times. The credit institution manages to prevent nearly 100% of skimming attempts (theft of card data by means of a special reader device).

At the same time, Kuznetsov emphasized that cybercriminals now rarely use skimming.

There are no new elements in the fraud; we continue to record particular risks for companies that do not deal with cybersecurity. We record attempts to withdraw several million rubles approximately weekly, - he said.

However, in December the bank did not record severe losses among Russian companies. The decrease in damage results, among other things, from better-coordinated work between law enforcement agencies and credit institutions.

Sberbank stopped cyberfraud attempts worth over 8.6 billion rubles

In the first 9 months of 2016 Sberbank prevented fraud against its clients (individuals and legal entities) in remote banking channels and at retail outlets amounting to more than 8.6 billion rubles, the bank reported in October. In the same period of 2015, fraud amounting to 4.8 billion rubles was prevented.

Damage from fraud in the "Sberbank Online" mobile application fell more than sevenfold, and in the Mobile Bank system twofold, Sberbank says.

Sberbank did not tell TAdviser how much money cyberfraudsters managed to steal from customer accounts in 2015 and in the first 9 months of 2016.

Stanislav Kuznetsov, vice chairman of the board of Sberbank, notes that the amount of damage prevented increased 1.8 times compared with the same period of 2015, despite the increased activity of criminals. According to him, this became possible thanks to the implementation this year of the "latest security technologies", which allow Sberbank to prevent cyberfraud more effectively.

In April 2016 Sberbank reported completing the first stage of construction of its Information Security Center (Security Operational Center, SoC), within which a centralized SIEM system for collecting and correlating security events was implemented. It made it possible to review up to 1 million suspicious events per day in the operation of the organization's systems. Before the SoC was created, the bank managed to study only 100-200 incidents a day.

As of the middle of 2016, according to Stanislav Kuznetsov, "several hundred" employees are involved in information security at Sberbank.

Creation of a cyber defense center, entry into the cybersecurity services market

On October 13, 2016 Sberbank and the Russian representative office of Microsoft announced an agreement to create a cyber defense center, through which the bank intends to provide businesses with a range of information security services [1].

Partnership agreement in the field of information security with the country's leading universities

On July 15, 2016 Sberbank signed an agreement on strategic partnership in the field of information security with MSU, Bauman MSTU, the Higher School of Economics National Research University, MIPT, MEPhI and the Moscow University of the Ministry of Internal Affairs.

The agreement provides for specialized training of specialists for subsequent work at Sberbank, as well as joint studies and educational and research projects.

"Development of information security systems is one of the most important areas of work of Sberbank, – the vice chairman of the board of Sberbank Stanislav Kuznetsov emphasized. – Strategic partnership with the leading Russian universities will further strengthen our positions in this area. Besides, we will help universities to create relevant training programs on information security, and students to work on in-demand applied subjects".

Sberbank created a special subsidiary and a laboratory to strengthen cybersecurity

In June 2016 Sberbank described the current results of its work to raise the level of information security (IS) in the organization. Stanislav Kuznetsov, vice-president of the board of Sberbank, noted that the number of cyberattacks and the damage from them are growing in Russia and worldwide. In 2015 Sberbank carried out an in-depth analysis of the cybersecurity situation, which showed that the bank needs to completely change the landscape and configuration of its forces and resources in order to counter the existing volume of threats, he noted.

According to Kuznetsov, on the basis of this analysis and forecasts Sberbank developed and approved a cybersecurity concept last year. In 2015 the bank also completed the first stage of creating a unified operational Information Security Center (Security Operation Center, SOC). Within it, a management system for all cybersecurity incidents (SIEM) was deployed. Each day Sberbank records up to 1 million events that may carry cybersecurity risks. In the SOC all risks are quickly analyzed and prevented.

In the dispatch center of the MegadPC of Sberbank, Stanislav Kuznetsov showed the work of some systems of the bank's unified SOC in real time. Sberbank prefers not to say where the SOC is located
Sberbank's cybersecurity system counts in real time the amount of embezzlement from customer accounts prevented during the day. By 1 p.m. on May 10, for example, more than 27 million rubles could have been stolen but were not

For security reasons, the deputy chairman of the organization's board preferred not to disclose exactly where Sberbank's SOC is located. Sberbank is also not forthcoming about the solutions used in it. At the same time, Stanislav Kuznetsov told TAdviser that Sberbank plans to implement the second stage of its SOC work by the end of 2016. The project is called SOC 2.0.

SOC 2.0 is a new level of information security risk management and elimination of critical risks that Sberbank identifies in the operation of any of the bank's systems, including those used by clients, - Stanislav Kuznetsov said.

He added that the project involves implementing a number of new systems that will identify and eliminate these risks. They will use developments in Big Data technologies and, possibly, elements of artificial intelligence.

According to the deputy chairman of the board of Sberbank, in 2015 the bank spent a total of about 1.5 billion rubles on information security activities. He preferred not to say yet how much will be spent for the same purposes in 2016. As of mid-year, according to Stanislav Kuznetsov, "several hundred" Sberbank employees work in cybersecurity.

As part of developing its cybersecurity efforts, in 2016 the bank founded the subsidiary Safe Information Area (short name: Bison), which will work in the field of cybersecurity. In particular, it will analyze the global cyberthreat situation, test all Sberbank systems for vulnerabilities, and carry out examinations related to cyber risks. This company also supports the work of the SOC, Stanislav Kuznetsov added.

The cybersecurity laboratory created at SberTech in 2016 became one more element in Sberbank's chain of cyber defense. The deputy chairman of the board of Sberbank explained to TAdviser that it will develop prototypes of cybersecurity solutions for subsequent use in the bank: "it will take some ideas and bring them to prototype level". Afterwards, either SberTech or third-party contractors will build production solutions based on some of these prototypes and implement them.

In the spring of 2016 Sberbank also sent a group of experts to the USA to study the best foreign practices for countering cyberthreats in financial institutions. For this purpose they visited CitiBank and also met representatives of global IT vendors such as IBM, Microsoft, Dell and others.

IBM selected as developer of Sberbank's cybersecurity center

At the end of December 2015 Sberbank announced[13] the selection of suppliers of consulting services for the development of its unified operational cybersecurity center (Security Operation Center, SOC). The maximum price of the contract is 60.9 million rubles. IBM became the winning bidder.

2014: Sberbank prevented the theft of 2.9 billion rubles from customer accounts

In its annual report materials published in May 2015, Sberbank described the results of its information security and anti-fraud work for the previous year.

According to the bank, in 2014 it stopped 71 attempts to embezzle funds from legal entities and over 87 thousand attempts to embezzle funds from individuals. The amount of damage prevented was more than 2.9 billion rubles. Fraud attempts at retail outlets that accept bank cards through Sberbank payment terminals, amounting to about 0.8 billion rubles, were also detected and prevented. Sberbank did not provide data on the volume of thefts from successfully completed fraudulent operations.

In 2014 Sberbank installed more than 13 thousand sets of active anti-skimming equipment on self-service devices

The bank notes that, in cooperation with law enforcement agencies, the activity of several cybercriminal groups carrying out mass attacks on the bank's clients was stopped last year; those responsible were detained and held accountable.[14] One such episode was announced[15] in March 2014: with the assistance of Kaspersky Lab and Sberbank, a group of attackers who both organized thefts of money from banks and carried out cyberattacks on regulatory authorities was detained. According to Sberbank, the theft of "tens of millions of rubles" from its clients' accounts was prevented at that time.

In 2014 Sberbank also carried out planned work on the technical protection of self-service devices against skimming: the bank installed more than 13 thousand sets of active anti-skimming equipment and developed a procedure for interaction between its divisions when verifying reports of suspected skimming.

"As a result, we prevented 702 cases of skimming and seized 142 sets of skimming equipment, and the amount of damage from skimming that we prevented was about 4.7 billion rubles", - Sberbank notes.

To increase the security of the bank's information systems and protect clients' personal data, in 2014 a system to prevent leaks of confidential information to the outside (a DLP system) was implemented, and a certification audit of Sberbank's main processing center for compliance with the international payment card industry security standard PCI DSS (Payment Card Industry Data Security Standard) was conducted. This standard is intended to secure the processing, storage and transmission of payment cardholder data in the information systems of companies working with international payment systems such as Visa, MasterCard and others.

An audit under the same standard was also passed by the Yandex.Money division, which became part of Sberbank in 2013. In addition, in 2014 Yandex.Money refined its anti-phishing procedure and implemented round-the-clock video surveillance at its offices, the bank's reporting materials say.

2013: Sberbank prevented 5.6 billion rubles of damage from skimming transactions

In its corporate social responsibility report for 2013, published in June, Sberbank described the results of its information security and anti-fraud work for the previous year.

The document says that in 2013, in cooperation with law enforcement agencies, members of two criminal groups that infected users' computers with malware were detained, including the developer of the Carberp banking trojan.

Also last year, the first mass attacks by "modern mobile viruses" on clients using the "Sberbank Onl@yn" mobile application were detected and prevented, as were DDoS attacks on infrastructure by radical international hacker groups.

In 2013, fraud attempts amounting to more than 1 billion rubles were detected and prevented at retail outlets that accept bank cards through Sberbank payment terminals, and damage of about 5.6 billion rubles from skimming transactions was prevented, according to the bank's report.

Also in 2013 there was fraud involving 5,000-ruble notes: through them, several million counterfeit rubles entered Sberbank's system. In response to the fraudulent activity, security measures were strengthened: in particular, the bank's ATMs were refitted with advanced bill acceptors.

The report notes that four cases of disclosure of clients' personal data were recorded at Sberbank last year.

"All of these cases were local in nature and affected a very small number of clients. Nevertheless, we decided to improve our personal data processing policy, involving employees from different departments in its development and including in it a number of additional protection procedures, - the Sberbank report says. - Also, since 2013 regular inspections of premises have been carried out in territorial banks and additional measures have been taken to protect physical media".

In 2013 the information systems of the Sberbank group's subsidiary banks underwent compulsory inspection procedures. In particular, we certified information systems for compliance with information security requirements, and certificates of compliance were obtained for 20 informatization facilities.
