Cyber Incident Victim: VTB Bank
Date: Dec 2016
Location: Russia
Summary
A Russian state-owned bank experienced a distributed denial-of-service (DDoS) attack targeting its internet infrastructure, though no system breach occurred and operations continued normally without client disruptions. The incident coincided with warnings from national security authorities about thwarted foreign cyberattacks allegedly planned via servers in the Netherlands operated by a Ukrainian hosting provider, which denied involvement and stated no evidence supported the claims. This followed a separate breach at the country’s central bank involving stolen funds, where authorities asserted they prevented a larger theft by detecting the intrusion early.
Description
On December 6, 2016, Russia’s state-owned VTB Bank reported a distributed denial-of-service (DDoS) attack targeting its internet sites. The bank issued a public statement confirming the incident but emphasized that its IT infrastructure remained operational throughout the attack, with no service disruptions for clients. VTB explicitly stated no data breach occurred and systems returned to normal functionality following the mitigation efforts. The bank did not attribute the attack to any specific threat actor or provide technical details about the scale, duration, or methods of the DDoS campaign. This incident occurred against the backdrop of heightened tensions in Russia’s financial sector, as the Federal Security Service (FSS) had recently disclosed intelligence about a separate, thwarted cyberattack plot against Russian banking infrastructure. The FSS alleged foreign intelligence services planned to use servers based in the Netherlands and operated by Ukrainian hosting provider BlazingFast to execute attacks, though BlazingFast denied any involvement, stating it found no evidence of malicious activity on its networks and had received no communication from Russian authorities.

The VTB attack followed a separate high-profile breach of Russia’s central bank just weeks earlier, where attackers successfully stole $31 million. FSS officials claimed the central bank attackers had intended to steal more funds but were detected and blocked. While the article noted temporal proximity between these incidents, no confirmed link was established between the VTB DDoS, the central bank theft, or the alleged foreign intelligence operation described by the FSS. VTB’s public communications focused exclusively on confirming the DDoS incident’s containment and lack of operational impact, without referencing other events. The absence of attributed responsibility or detailed forensic findings in public statements left the threat actor’s identity and motivations unconfirmed. BlazingFast’s rebuttal of the FSS’s earlier allegations further complicated the context, as the hosting provider challenged the validity of the intelligence claims while asserting its systems showed no signs of compromise.
