Cyber Incident Victim: State Savings Bank of Ukraine
Date: Feb 2022
Location: Ukraine
Summary
A Ukrainian state-owned bank and military agencies were targeted by DDoS attacks, disrupting online banking services and preventing customer access to accounts while causing intermittent website outages. The incident coincided with disinformation campaigns, including fraudulent SMS messages falsely claiming ATM failures, which authorities identified as part of coordinated hybrid warfare efforts to sow panic and erode public trust. Ukrainian cybersecurity agencies attributed these attacks to threat actors linked to hostile foreign intelligence services, noting connections to known hacking groups that had previously targeted national infrastructure with phishing campaigns and botnet operations. Service interruptions extended to payment processing and mobile banking applications, with some institutions implementing geofencing measures to mitigate the attacks.
Description
On February 15, 2022, Ukrainian state-owned banks Oschadbank and Privatbank, alongside the Ukrainian Ministry of Defense and Armed Forces websites, experienced significant disruptions due to coordinated distributed denial-of-service (DDoS) attacks. The attacks began in the afternoon, with Ukraine’s State Service for Special Communication and Information Protection confirming a "powerful DDOS attack" targeting multiple Ukrainian information resources. The Ministry of Defense reported an excessive volume of requests per second, leading to its website being taken offline. Oschadbank and Privatbank suffered service interruptions, particularly affecting online banking access, though their websites remained partially accessible. Customers were unable to log into their accounts, and Privatbank users additionally reported payment processing failures, mobile app malfunctions, and display errors involving balances and transaction histories. Concurrently, bank customers received fraudulent text messages falsely claiming ATM outages, which Ukraine’s Cyberpolice identified as part of a coordinated information attack designed to spread misinformation. Privatbank implemented a geofencing measure via its web application firewall, blocking non-Ukrainian IP addresses and displaying a defensive message to thwart foreign traffic.

The incident occurred within a broader context of hybrid warfare activities against Ukraine, as described by the Security Service of Ukraine (SSU), which had previously warned of coordinated efforts to destabilize public confidence through cyber and psychological operations. The SSU reported dismantling bot farms involved in disseminating bomb threats and fabricated news to incite panic. Ukraine’s Computer Emergency Response Team linked the attacks to the Gamaredon hacking group, which Ukrainian authorities associate with Russia’s Federal Security Service (FSB). Microsoft had earlier documented Gamaredon’s persistent spear-phishing campaigns targeting Ukrainian entities since October 2021. While the DDoS attacks disrupted critical financial and military services, Ukrainian agencies emphasized operational continuity and publicly countered disinformation to mitigate public anxiety. No data breaches or permanent system compromises were reported in connection with the DDoS incidents affecting Oschadbank or the other entities.
