Cyber Incident Victim: Deutsche Bahn AG
Date: Nov 2022
Location: Germany
Summary
An initial access broker claimed to have compromised Deutsche Bank's network, offering access for sale at approximately $156,274 (7.5 Bitcoin). The threat actor alleged control over roughly 21,000 machines—primarily Windows systems protected by Symantec EDR—along with domain administrator privileges, internal communication channels, and file servers containing 16 terabytes of data including employee shared folders and financial databases. The broker advertised VPN and VDI access alongside domain password dumps, while emphasizing proof-of-funds requirements for potential buyers. Security researchers noted similarities to prior incidents involving the same actor, including a recent breach targeting an Australian health insurer.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On November 11, 2022, security researcher Dominic Alvieri reported that an initial access broker (IAB) publicly claimed to have compromised Deutsche Bank's corporate network. The announcement appeared on Telegram, where the threat actor advertised unauthorized access to approximately 21,000 machines within the bank's infrastructure, predominantly Windows systems protected by Symantec endpoint detection and response (EDR) solutions. The IAB asserted administrative control over the domain, including Domain Administrator (DA) privileges, and detailed access to internal communication channels, file servers containing over 16 terabytes of data, and specialized banking databases such as Flexcube. Network filtering configurations for TCP, UDP, HTTP, and HTTPS protocols were also allegedly compromised. The broker offered Virtual Desktop Infrastructure (VDI) and VPN access alongside domain password dumps in exchange for 7.5 Bitcoin (approximately $156,274 at the time), while stipulating proof of financial capacity from potential buyers to avoid "time wasters."

The threat actor's advertisement emphasized access to employee chat services and individual user share folders across the network. File servers reportedly contained extensive internal data repositories, though specific document types or customer information weren't enumerated. Alvieri observed similarities between this offering and a prior IAB listing for Australian health insurer Medibank's systems, suggesting potential connections between the campaigns. The broker noted receiving numerous inquiries about the Deutsche Bank access, indicating significant criminal interest. No corroborating evidence of data exfiltration or operational disruption was disclosed in the available report, nor were containment measures or official responses from Deutsche Bank documented in the source material. The incident represented a high-value corporate network compromise claim typical of initial access brokerage operations targeting financial sector entities.
