Cyber Incident Victim: Sberbank
Date: May 2022
Location: Russia
Summary
Sberbank, Russia's largest financial institution, faced persistent and large-scale distributed denial-of-service (DDoS) attacks linked to geopolitical tensions following the invasion of Ukraine. Pro-Ukraine hackers targeted the bank's online services using botnets comprising over 27,000 compromised devices across multiple countries, generating malicious traffic through methods such as code injections in advertising scripts, weaponized Docker containers, and malicious browser extensions. The attacks peaked at unprecedented volumes, disrupting operations and prompting continuous 24/7 defensive efforts by the bank's security team. These incidents caused significant service interruptions, with simultaneous multi-vector assaults exploiting compromised streaming platforms to amplify traffic toward the institution's infrastructure. The campaign reflected broader cyber conflict patterns amid ongoing geopolitical hostilities.
Description
Sberbank, Russia's largest financial institution and third-largest in Europe with assets exceeding $570 billion, began experiencing sustained distributed denial-of-service (DDoS) attacks following Russia's invasion of Ukraine in February 2022. The bank, among the first entities sanctioned after the invasion, reported unprecedented cyberattack volumes targeting its online services over subsequent months. By May 2022, Sergei Lebed, Sberbank's cybersecurity vice president, disclosed that attackers had deployed multiple technical vectors including malicious Chrome extensions, compromised advertising scripts with injected code, and weaponized Docker containers housing DDoS tools. These attacks peaked on May 6, 2022, when the bank mitigated its largest recorded DDoS incident reaching 450GB/sec intensity. Analysis revealed this specific attack originated from a 27,000-device botnet spanning the United States, United Kingdom, Japan, and Taiwan, designed to overwhelm infrastructure and disrupt customer access to banking services.

The operational impact included continuous assault waves, with Sberbank detecting over 100,000 distinct internet users participating in attacks during the preceding months. March 2022 alone saw 46 simultaneous DDoS campaigns targeting different bank services. Attackers exploited compromised online streaming platforms and movie theater websites, injecting scripts that forced visitors' browsers to generate excessive requests to Sberbank domains. The bank's Security Operations Center maintained 24/7 threat monitoring and response throughout the crisis, though Lebed noted that many Russian companies lacked equivalent defensive capabilities. The attacks persisted without abatement as of May 2022, correlating with ongoing geopolitical tensions. Industry observations indicated a trend toward fewer but more powerful attacks, exemplified by a contemporaneous 1.1 Tbps DDoS incident against a U.S. provider, suggesting escalating threat actor capabilities compared to previous years.
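The injected-script traffic described above leaves a recognisable footprint in the target's web server logs: many distinct client addresses, a narrow set of request paths, and a Referer header pointing at the same unrelated third-party site. The following Python snippet is an added example, not code from Sberbank or any cited source; it runs a simple per-Referer shape check over constructed combined-format log lines (hostnames and addresses are hypothetical).

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample access log in Apache/Nginx combined format; hosts and IPs are hypothetical.
SAMPLE_LOG = """\
203.0.113.10 - - [06/May/2022:10:00:01 +0300] "GET /online/login HTTP/1.1" 200 512 "https://stream.example/watch?v=1" "Mozilla/5.0"
203.0.113.11 - - [06/May/2022:10:00:01 +0300] "GET /online/login HTTP/1.1" 200 512 "https://stream.example/watch?v=7" "Mozilla/5.0"
198.51.100.7 - - [06/May/2022:10:00:02 +0300] "GET /online/login HTTP/1.1" 200 512 "https://stream.example/watch?v=2" "Mozilla/5.0"
198.51.100.8 - - [06/May/2022:10:00:02 +0300] "GET /online/login HTTP/1.1" 200 512 "https://stream.example/watch?v=9" "Mozilla/5.0"
192.0.2.44 - - [06/May/2022:10:00:03 +0300] "GET /online/login HTTP/1.1" 200 512 "https://stream.example/watch?v=3" "Mozilla/5.0"
192.0.2.99 - - [06/May/2022:10:00:03 +0300] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.50 - - [06/May/2022:10:00:04 +0300] "GET /cards HTTP/1.1" 200 4096 "https://www.example.org/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def parse_line(line):
    """Return ip, path and Referer host for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ref = m.group("referer")
    host = urlparse(ref).hostname if ref and ref != "-" else None  # "-" means no Referer sent
    return {"ip": m.group("ip"), "path": m.group("path"), "referer_host": host}

def referer_stats(lines):
    """Aggregate per Referer host: request count, distinct client IPs and distinct paths."""
    stats = defaultdict(lambda: {"requests": 0, "ips": set(), "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["referer_host"] is None:
            continue  # skip unparsable lines and direct (no-Referer) requests
        s = stats[rec["referer_host"]]
        s["requests"] += 1
        s["ips"].add(rec["ip"])
        s["paths"].add(rec["path"])
    return stats

def flag_suspect_referers(lines, min_requests=5, min_distinct_ips=3, max_distinct_paths=2):
    """Referer hosts sending many requests from many clients to very few paths: the shape an injected script produces."""
    stats = referer_stats(lines)
    return sorted(h for h, s in stats.items()
                  if s["requests"] >= min_requests and len(s["ips"]) >= min_distinct_ips
                  and len(s["paths"]) <= max_distinct_paths)
```

A flagged host is a lead for rate-limiting or challenging requests carrying that Referer and for notifying the third-party site's operator, not proof of intent on the part of its visitors.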
