Cyber Incident Victim: Central Bank of Russia

Date: Dec 2016

Location: Russia

Summary

Hackers targeted the Central Bank of Russia using spoofed customer credentials in an attempted theft of $45 million from multiple accounts, successfully stealing $19 million after the institution blocked approximately $26 million by freezing fraudulent accounts. The incident coincided with a broader foreign plot to destabilize the country's banking system through coordinated cyberattacks on financial institutions and a social media disinformation campaign aimed at undermining public trust. Russian officials linked the operation to servers hosted by a Ukraine-based company in the Netherlands, though the hosting provider denied evidence of malicious activity.

Description

In early December 2016, the Central Bank of Russia disclosed a cybersecurity incident involving unauthorized attempts to transfer approximately $45 million from customer accounts earlier that year. Attackers used spoofed credentials impersonating a legitimate bank client to initiate fraudulent transactions across multiple accounts. The bank successfully intercepted approximately $26 million of the targeted funds by freezing newly created accounts established by the hackers during the operation. Despite these containment efforts, $19 million remained unrecovered, constituting one of the larger publicly disclosed bank thefts at the time. The incident occurred against a backdrop of financial strain on Russian banks due to Western economic sanctions. Media reports conflicted regarding the attack's validity, with Russian state news agency TASS disputing CNN's original reporting on the heist while the Central Bank maintained its account of events.

Separately, Russian government officials announced on December 2, 2016, the discovery of a coordinated foreign plot to destabilize the national banking system through cyberattacks scheduled for December 5. The planned operation involved direct technical assaults on financial institutions combined with a social media disinformation campaign designed to undermine public trust in banking infrastructure. Authorities suggested parallels between the intended fake news dissemination and election interference tactics observed during the 2016 U.S. presidential campaign. Investigators traced command-and-control infrastructure to servers hosted by BlazingFast, a Ukraine-based company operating in the Netherlands. BlazingFast's director publicly contested the allegations, stating that no evidence of malicious activity had been found on the company's systems and denying any customer wrongdoing. The Central Bank's incident response demonstrated the capacity to partially mitigate financial losses through rapid account freezing, though the full scope of compromised systems remained undisclosed.
