Cyber Incident Victim: Sberbank

Date: May 2017

Location: Russia

Summary

A ransomware attack compromised systems at several Russian financial institutions, including Sberbank, through isolated infections. The central bank confirmed the incidents, noting that impacts were swiftly contained, though specific consequences were not detailed. While Sberbank reported its systems were not infected despite being targeted, other lenders experienced malware exposure primarily affecting non-critical infrastructure or employee workstations. Security researchers pointed to embedded devices running outdated operating systems as particularly vulnerable. The central bank announced enhanced monitoring and transparency measures for future cyber threats. Despite global disruption from the attack, most international banking systems outside Russia showed minimal verified compromise, with some unconfirmed reports of ransom demands on ATMs in Asia. Russian authorities emphasized ongoing efforts to combat cybercrime amid heightened scrutiny of the country's digital security landscape.

Description

The WannaCry ransomware attack impacted Russian financial institutions in May 2017, with the Central Bank of Russia confirming on May 12 that isolated compromises had occurred within the banking sector. This marked a shift from the central bank’s initial May 10-11 statements claiming Russian banks had successfully repelled the global cyber extortion campaign. While the central bank did not disclose specific technical details about the compromises, it characterized them as limited in scope and stated that consequences were "dealt with quickly." The institution announced plans to publish regular updates about cyber attacks and security reinforcement measures on its website, while reissuing security recommendations to banks. Russia emerged as one of the most severely affected countries during the global WannaCry outbreak, which exploited vulnerabilities in outdated Windows operating systems to encrypt files and demand ransom payments in Bitcoin.

Sberbank, Russia’s largest bank, reported experiencing a virus attack during the initial wave of WannaCry infections late the previous week but maintained its systems were not compromised. The bank declined to comment on the central bank’s May 12 disclosure. Security researchers identified attacks against VTB Bank, though the extent of any system damage remained unclear. VTB confirmed normal operations across its retail and corporate banking systems, asserting its infrastructure lacked the vulnerabilities exploited by WannaCry. Kaspersky Lab researchers noted "a couple" of unnamed Russian banks encountered the malware, typically affecting employee workstations or non-critical systems rather than core banking infrastructure. They highlighted embedded systems running outdated operating systems as particularly vulnerable targets. The incident occurred amid heightened scrutiny of Russia’s relationship to cybercrime following U.S. allegations of state-sponsored hacking during the 2016 presidential election. The central bank’s disclosure represented an effort to demonstrate transparency about domestic cybercrime impacts while reinforcing the narrative that Russia itself frequently suffers such attacks.
