The main articles are:
- Information security in banks
- Distributed Denial-of-Service, DDoS
- DDoS attacks in Russia
- Protection against DDoS attacks
2024
Sberbank recorded the largest cyber attack in its history - it lasted 13 hours
Sberbank was subjected to the largest DDoS attack in its history. The duration of the attack was more than 13 hours. This was announced in September 2024 by the Deputy Chairman of the Board of Sberbank Stanislav Kuznetsov, specifying that a record cyber attack was recorded in July 2024. Read more here.
Russian banking sector subjected to massive DDoS attack
On July 23-24, 2024, the Russian banking sector was subjected to a massive DDoS attack initiated from abroad. Failures occurred in the work of mobile applications and some services of VTB, Rosbank, Alfa-Bank, Gazprombank and other credit institutions.
According to Interfax, Raiffeisen Bank customers complained about problems with the availability of services. The organization's site either loaded with errors or did not open at all. In addition, users could not log into the mobile application. The bank confirmed the failures.
"Our services may be unstable right now. We are working hard to fix everything as soon as possible and will definitely report the recovery. We apologize for the inconvenience caused," said a message on the Telegram channel of Raiffeisen Bank.
Various failures were also observed at Gazprombank, Rosselkhozbank and Rosbank. VTB said that due to a DDoS attack planned from abroad, some customers faced "point restrictions on the operation of banking applications" due to the high load of the Internet provider infrastructure. The situation was also commented on by representatives of Alfa-Bank: they said that due to technical work, some users may temporarily experience difficulties with logging into the mobile application and Alfa-Online.
Daniil Shcherbakov, Deputy General Director of Servicepipe, notes that the attacks of "politically motivated hackers" that were observed on July 23, 2024, and the DDoS attacks carried out the next day are very similar. The attackers acted according to the traditional scheme: they scanned the victims' infrastructure, found potentially vulnerable places and then organized an attack. Banks, together with Internet providers, are taking measures to reduce the impact of attacks on work.[1]
2023
"Sberbank" survived the most powerful DDoS attack in history
On November 7, 2023, the head of Sberbank, German Gref, announced the largest DDoS attack on a credit institution. According to the press service of Sberbank, hackers tried to disable the bank's IT infrastructure, sending 1 million requests per second. Read more here.
3-day DDoS attack on Uralsib
On March 17, 2023, Uralsib announced a protracted cyber attack on the bank's IT infrastructure, which forced the credit institution to turn off several services. Read more here.
2022
The number of DDoS attacks on financial organizations in Russia has grown 4 times
In 2022, the number of DDoS attacks on financial institutions in Russia almost quadrupled compared to 2021. This was announced in mid-February 2023 by the Deputy Chairman of the Central Bank Philip Gabunia. According to him, the number of cyber threats against financial institutions increased by 2%.
On February 16, 2023, Danila Jezhin, product director of Servicepipe, a company that develops solutions for protection against cyber attacks, noted in a conversation with RIA Novosti that the average duration of DDoS attacks on Russian banks increased 6 times over the year and amounted to just over three hours, while the longest attack in 2022 lasted 87 hours.
According to the expert, attacks on applications pose a particular danger to banks: their share from the end of February 2022 to February 2023 increased to 60% from 40%. The average load on banking applications at the time of attacks increased to more than 300 thousand requests, while the normal load on banking resources does not exceed 5 thousand requests, depending on the size of the credit institution.
In October 2022, Deputy Chairman of the Central Bank German Zubarev called the situation in the field of cybersecurity of financial organizations "consistently tense." He then spoke about a doubling of the number of DDoS attacks in the third quarter of 2022 compared to the same period in 2021. Attacks using malicious software grew by about a quarter, Zubarev noted.
He drew attention to the peculiarities of DDoS attacks - they have become more intense, but easier from the point of view of the organization. At the same time, the number of targeted attacks that are organized by professional hacker groups has increased, the deputy chairman of the Central Bank pointed out. Such attacks are distinguished by "sophistication," duration and complexity of detection, he said. In these cases, the Central Bank also recorded the use of phishing and attempts to find an employee-violator in the organization on which the attack is planned.
Sberbank in 2022 repelled a little less than 500 large and very complex DDoS attacks. Stanislav Kuznetsov, deputy chairman of the board of the credit institution, announced this on February 16, 2023.[2]
VTB is experiencing the largest DDoS attack in its history
On December 6, 2022, VTB representatives informed TAdviser that the bank's technological infrastructure was under "an unprecedented cyber attack from abroad." According to them, it became the largest not only in 2022, but also for the entire time of the bank. Read more here.
Sberbank repelled a DDoS attack in which 100 thousand hackers participated
On October 25, 2022, Sberbank spoke about the largest cyber attack in the history of a credit institution. It lasted more than a day.
"We withstood the largest attack, which took place on October 7, when, according to a prepared plan with very long preparation, a special operation was planned, a special DDoS attack, in which at least 104 thousand hackers participated, which was carried out from an infrastructure located in foreign countries, numbering at least 30 thousand devices," Stanislav Kuznetsov, deputy chairman of the board of Sberbank, said in an interview with the Russia 24 TV channel (quoted by RIA Novosti).
Stanislav Kuznetsov said that Sberbank withstood about 450 DDoS attacks during the third quarter of 2022, which exceeds the total number of cyber attacks on the systems of the bank and its subsidiaries over the past five years. In general, according to Sberbank, from the beginning of 2022 to October, the number of cyber attacks on Russian companies increased 15 times. According to Kuznetsov, the main goal of such cyber attacks is to destabilize and disable the country's critical infrastructure in all areas.
Sberbank previously reported that on May 6, 2022, it repelled one of the most powerful cyber attacks (then it did not affect the availability of the bank's resources). In the summer, the credit institution recorded a decrease in the number of DDoS attacks.
On October 25, 2022, Vladimir Shin, Deputy Head of the Department of International Information Security of the Russian MFA, spoke of offensive cyber operations by the USA against Russia, primarily with the help of the IT Army of Ukraine. Kuznetsov also said in an interview that "large-scale cyber warfare" is being waged against Russia from the territory of this country, and the actions of hackers are supported by the Ukrainian government.[3]
Sberbank repelled the most powerful DDoS attack in its history
On May 19, 2022, Sberbank announced DDoS attacks of unprecedented power and new tactics of cybercriminals.
On May 6, 2022, Sberbank repelled the most powerful DDoS attack in its history. Read more here.
The Ministry of Digital Development helps banks in the fight against DDoS attacks after the start of Russia's special operation in Ukraine through filtering foreign traffic
On March 17, 2022, it became known about the decision of the Ministry of Digital Development of the Russian Federation to help Russian banks in the fight against DDoS attacks that are carried out from abroad after the start of Russia's special operation in Ukraine.
As RBC writes with reference to the letter that the Central Bank of the Russian Federation sent to credit institutions, if banks are interested in assistance from the Ministry of Digital Development, they can send to the financial regulator a list of information systems potentially susceptible to the threat of DDoS attacks, and other information.
According to a representative of the Ministry of Digital Development, the department organizes the filtering of foreign traffic using technical means of countering threats and conducts interdepartmental coordination in the new conditions. The Central Bank said that the regulator is taking measures to additionally support banks in countering cyber attacks in order to prevent a violation of the availability of their resources.
Qrator Labs CEO Alexander Lyamin considers the Ministry of Digital Development's initiative appropriate for many banks, since, according to the expert, it will reduce the power of foreign attacks. DDoS attacks are, by definition, distributed in nature: their traffic comes from various countries of the world, including from Russian addresses, so the method of filtering traffic by geolocation is inaccurate and ineffective, since Russian addresses can be blocked together with foreign IP addresses, Lyamin believes.
According to cybersecurity experts cited by the publication, by mid-March 2022, the banking sector was experiencing a fourfold increase in attacks relative to February 2022. So, for the whole of February, about 100 DDoS attacks were recorded on banks, since the beginning of March - already about 400, said Yegor Valov, head of WAF and Anti-DDoS at Rostelecom-Solar.[4]
2021
The finsector was most affected by DDoS attacks in Russia
On January 26, 2022, Stormwall, a company specializing in information security, published a study listing the industries in Russia that faced the most DDoS attacks. The most affected in 2021:
- financial sector (43%);
- retail (31%);
- the gaming industry (18%);
- telecom (4%);
- education sector (3%);
- the rest (1%).
Read more here.
VTB survived the largest DDoS attack
On October 1, 2021, VTB announced that it had repelled the largest cyber attacks in its history. The bank's specialists noted a sharp increase in the number of DDoS attacks in September. Read more here.
Attackers began to use the TCP SYN/ACK Amplification vector to attack financial institutions
Cybercriminals resumed large-scale DDoS attacks on the Russian financial sector after a week of calm. Orange Business Service announced this on September 29, 2021. At the same time, the number of attacked organizations increased. Attackers use vectors and techniques that were not previously used; the nominal power of the attacks has decreased, but their complexity has increased. Read more here.
Hackers target Russian financial sector
Since the beginning of August 2021, the Russian financial market has been subjected to constant large-scale DDoS attacks. This became known on September 13, 2021. At the same time, attackers continue to systematically increase the number and intensity of attacks, and use not only well-known attack types but also the most recent ones. Read more here.
"The most powerful attack in the world on the financial sector" recorded in the Russian Federation
At the end of August 2021, Sberbank repelled "the world's most powerful attack on the financial sector." This was reported by Kommersant with reference to the deputy chairman of the board of the credit institution Stanislav Kuznetsov.
"Such attacks were made on other financial structures of Russia. Some of them... had some kind of loss in their performance," said the top manager of Sberbank, adding that the attack was carried out from the territory of foreign countries, including through several thousand hacked webcams.
Kuznetsov explained that at its peak, the power of the attack was enough to take the information systems of many Russian companies out of service for some time, and that Sberbank coped with it thanks to a well-equipped network protection system.
According to the publication "Kommersant," the peak of the attack fell on the period from 13 to 16 August. Its capacity at its peak exceeded 50 Gbps. The newspaper, citing its sources, writes that at least 12 large Russian banks, as well as processing companies and Internet providers, were attacked. Several interlocutors of the newspaper clarified that the requests came from the United States, Latin America and Asia.
According to one Kommersant source, the attack was aimed primarily at 3D-Secure servers. Some of the providers suffered from it, but thanks to backup channels, banks did not stop services.
The Central Bank confirmed the fact of the attack:
"In the period from August 13 to 16, a distributed attack of the DDoS type was recorded on a number of large financial organizations. The attack was detected by the FinCERT system at an early stage, constant communication with market participants was carried out."
From the report of FinCERT of the Bank of Russia, issued in 2021, it follows that the most powerful attack identified in 2019-2020 was carried out with an intensity of 49 Gbps, which is 2 Gbps higher than the 2018 record.[5]
2016
Rostelecom repelled DDoS attacks on the largest banks and financial organizations in Russia
Rostelecom repelled DDoS attacks on the 5 largest banks and financial organizations in Russia in December 2016. The repelled attacks had a similar signature: the type was TCP SYN Flood. Peak power was 3.2 million packets per second. At the same time, the longest attack lasted more than 2 hours. All repelled attacks were recorded on December 5, 2016.
"An analysis of attack sources conducted by Rostelecom specialists revealed that some of the traffic was generated from users' home routers, which are usually classified as IoT devices. A distinctive feature of the attacks was that they were organized using devices that support the CWMP management protocol (TR-069). A few weeks ago, a serious vulnerability was identified in the implementation of this protocol on devices from a number of manufacturers, allowing attackers to form a botnet in order to organize DDoS attacks. In particular, at the beginning of last week, the largest German operator Deutsche Telekom, as well as the Irish provider Eircom, suffered attacks on users' home devices," said Muslim Mejlumov, director of the Cybersecurity Center of PJSC Rostelecom.
The organization of DDoS attacks using botnets from the IoT segment is becoming more widespread, and the number of devices participating in these attacks exceeds hundreds of thousands. There are already examples when the peak attack power using this technology exceeded 1 Tbit/s.
Rostelecom offers its customers the Traffic Monitoring and Protection against DDoS Attacks service, which allows you to cope with DDoS attacks on any information resource as soon as possible. Each client is given access to his personal account, where he can receive all the necessary information on the detected anomalies and observe the progress of repelling the attack. The service "Protection against DDoS attacks" is additional to the Internet access service and allows Rostelecom corporate users to receive comprehensive communication services and security guarantees under one agreement. The service is provided 24 hours a day 365 days a year. Rostelecom used protection against DDoS attacks when implementing large-scale national projects: organizing a video surveillance system for the presidential elections in 2012, conducting annual "direct lines" with the President, as well as supporting the Winter Olympic Games in Sochi.
Central Bank: Five large Russian banks were subjected to DDoS attack
On November 10, 2016, the Central Bank of the Russian Federation announced that five Russian banks were subjected to a hacker attack[6]. Representatives of three of them confirmed this information. The power of the attacks ranged from "weak" to "powerful," they said; interaction with customers was not affected.
Under attack were Sberbank, Alfa-Bank, Opening, BM-Bank and Rosbank. According to Kaspersky Lab, the DDoS attacks (they generate traffic overloading the system) began at 16:00; each lasted at least an hour, and the longest almost 12 hours. Some banks were subjected to a series of two to four attacks that occurred at short intervals. The attackers used a botnet (a network of infected devices), which, according to experts, included 24 thousand machines from the "Internet of Things" (infected hosts in this case could be, for example, Internet-connected TVs or video surveillance cameras).
The first to report the attack on Russian banks was the American edition of Motherboard, the scientific division of Vice. On November 8, Motherboard spoke about correspondence with a hacker under the nickname vimproduct. He said that he takes responsibility for the attack on VTB, Rosbank, Alfa-Bank and the Moscow Exchange (the latter noted the increased load on the site, but explained this by the presidential elections in the United States)[7].
"Vimproduct sent us links to fully operational sites one by one, after moments they stopped responding," Motherboard said in a note. The publication also gives a screenshot of the website of Alfa-Bank, which gives an internal error. The attacker explained the attack by saying that "his customers were unhappy with Russia's interference in the American elections," and also noted that he attacked the website of the Ministry of Economic Development of the Russian Federation several times, but to no avail.
DDoS attacks on large Russian banks
On November 9, 2016, Sberbank repelled a powerful DDoS attack. RIA Novosti was told about this in the press service of the bank. Experts say that not only Sberbank was attacked.
"The attacks were organized from botnets, including tens of thousands of machines geographically distributed across several dozen countries," Sberbank said.
DDoS attacks on Sberbank's IT systems were carried out during the day, while the power of cyber attacks increased: the first attack was recorded in the morning, the next attack in the evening already consisted of several stages, each of which was twice as strong as the previous one.
Sberbank information security specialists were able to quickly identify and localize the attack. There were no failures in the work for the bank's customers.
"The bank's protection systems worked reliably, the attack was promptly detected and localized by the cyber defense units of Sberbank," assured the largest credit institution in Russia.
In addition to Sberbank, several more large Russian banks survived powerful DDoS attacks, RIA Novosti was told in Kaspersky Lab. According to the agency, the attacks were aimed at the five largest banks in the top 10. The fact of the attack was confirmed by Alfa Bank.
The company told RIA Novosti that the attack was "quite short-term and weak." The incident did not affect the operation of the bank's business systems in any way, representatives of the credit institution assured. What other banks were attacked is not specified.
The average duration of each DDoS attack on Russian banks was about an hour, the longest lasted almost 12 hours. Some banks, according to Kaspersky Lab, have been attacked by cybercriminals several times - in a series of two to four attacks with a small interval. What other credit organizations were attacked is not specified.[8]
24% of Russian banks are subjected to DDoS attacks
In June 2016, Qrator Labs and Wallarm Onsec published the results of a study of the information security situation in the financial sector. The survey showed that almost a quarter of Russian banks face DDoS attacks.
150 representatives (heads of IT departments, their deputies, as well as heads of departments responsible for information security issues) of more than 130 banks and 12 payment systems were interviewed to compile the report.
According to the results of the study, 24% of Russian banks in 2015 survived DDoS attacks. Another 21% and 17% of institutions faced phishing and hacking, respectively. 34% of respondents had no information security problems.
Attempts to hack applications were recorded by 17% of respondents, so companies are paying more and more attention to protecting their perimeter. More than 80% of companies regularly conduct security audits.
Experts note that despite the difficult situation in the economy, banks are trying to maintain information security expenses at a high level. About a third of respondents increased their information security budget in 2015 and another 44% retained it in the same volume.
Most survey participants (69%) consider the operator's DDoS protection solution to be the most effective countermeasure. However, Qrator and Wallarm experts warn that this method is outdated. Only 9% of respondents consider cloud solutions effective.
The study also showed that the industry understands the main risks and consequences of information security incidents: 61% of respondents say that security problems can lead to the revocation of a bank license.
Information security is an important priority for financial sector organizations. The severity of cyber threats is sufficiently recognized here, which indicates the achievement of a certain maturity in information security issues, the researchers said.
Notes
- ↑ VTB reported a massive DDoS attack from abroad on Russian banks
- ↑ The number of DDoS attacks on financial organizations in Russia in 2022 quadrupled
- ↑ Sberbank repelled the largest cyber attack in its history, https://ria.ru/20221025/kiberataka-1826587143.html
- ↑ The Ministry of Digital Development offered banks assistance in protecting against DDoS attacks from abroad
- ↑ The Internet of Things came for money. Russian banks repelled the largest DDoS attack
- ↑ The Central Bank confirmed reports of DDoS attacks on large Russian banks
- ↑ Five large Russian banks were subjected to a DDoS attack. The main thing
- ↑ Sberbank repelled a powerful DDoS attack