Date: Jan 2016

Location: Russia

Summary

Turkish hackers operating under the group name WKPF defaced the official website of Russia's Ekonombank, replacing its homepage with messages condemning Russia's actions following the downing of a Russian SU-24 jet by Turkish forces near Syria. The attackers, identifying themselves as Whiteweasel, Krypton, the pahtron, and Fresh, prompted the bank to take its site offline and redirect users to an online banking portal with a maintenance notice citing technical work. The defacement explicitly referenced geopolitical tensions stemming from the SU-24 jet incident, reflecting ongoing retaliation by pro-Turkish entities against Russian targets. The bank's website remained inaccessible through its primary domain following the compromise.


Description

On January 19, 2016, the official website of Russia’s Joint-Stock Commercial Bank for Reconstruction and Development "Ekonombank" (econombank.ru) was defaced by a Turkish hacker group identifying itself as WKPF. The attack occurred the prior Monday, replacing the bank’s homepage with anti-Russian messages referencing the November 2015 downing of a Russian SU-24 fighter jet by Turkish forces near the Syrian border. The hackers explicitly named four individuals involved in the operation using the aliases Whiteweasel, Krypton, the pahtron, and Fresh. The defacement page condemned Russia’s military actions in Syria and mocked the jet incident, leveraging the bank’s digital platform for geopolitical messaging. Evidence of the compromise, including a mirror of the defaced site, was publicly documented on Zone-H (mirror ID 25455477). The attackers’ statements to media outlet HackRead confirmed the operation’s retaliatory motive amid heightened Turkey-Russia tensions following the aerial incident.


The defacement rendered Ekonombank’s primary website inaccessible, forcing the institution to redirect users to an online banking portal with a notice citing “technical work” and apologizing for disruptions. At the time of reporting, the main site remained offline, indicating prolonged service disruption for customers seeking non-banking information. The incident coincided with a separate defacement of the website of the Russian embassy in Israel by pro-Turkish actors, suggesting coordinated efforts to target Russian entities. No data theft or financial system breaches were disclosed in available reports, with impact confined to reputational damage and temporary loss of web presence. Ekonombank did not release additional technical details regarding attack vectors, internal detection methods, or full restoration timelines beyond the redirect message. Turkish authorities had previously asserted the SU-24 violated their airspace, while Russia denied the claim and accused Turkey of colluding with extremist groups, a geopolitical context directly cited by the hackers as motivation for the cyber intrusion.
