Cyber Incident Victim: Toronto-Dominion Bank
Date: Feb 2023
Location: Canada
Summary
Toronto-Dominion Bank experienced a cyberattack claimed by a pro-Russian hacking group identifying as the "We Are Russian Hackers Community," marking the first such incident against a Canadian financial institution since the onset of the Ukraine conflict. The hacktivists, operating in support of Russia, reportedly executed a DDoS attack that disrupted the bank’s mobile and tablet website services for several hours, though desktop access remained functional. The group publicly asserted responsibility via Telegram, aligning the targeting with Russia’s cyber campaign against nations it perceives as adversarial. Despite repeated media inquiries, the bank did not publicly acknowledge or detail the incident. Security analysts characterized the attack as part of broader, unpredictable hacktivist activities aimed at high-profile entities.
Description
On February 26, 2023, Toronto-Dominion Bank (TD Bank) experienced a Distributed Denial of Service (DDoS) attack that disrupted its mobile website for approximately seven hours. The pro-Russian hacker group "We Are Russian Hackers Community" claimed responsibility for the attack through a Telegram post written in Russian, identifying TD Bank as "one of Canada’s largest banks" and framing the action as support for Russia in cyberspace. Between 7:30 AM and 2:30 PM, users attempting to access TD's mobile website encountered a "503 - service unavailable" error message, rendering digital banking services inaccessible on smartphones and tablets while the desktop version remained operational. Cybersecurity monitoring group Cyberknow later confirmed this as a deliberate DDoS attack involving traffic flooding to overwhelm the mobile platform. This marked the first publicly acknowledged cyberattack by Russian-aligned actors against a Canadian financial institution since Russia’s invasion of Ukraine began.

The incident followed Canada's February 24 announcement of strengthened cybersecurity aid to Ukraine, a timing noted by researchers as consistent with hacktivist motivations. Cyberknow characterized the attackers as targeting nations perceived as "russophobic," identifying Canada as a secondary priority compared to primary targets like the U.S. and Germany. TD Bank did not acknowledge or respond to repeated media inquiries over the following week, providing no official confirmation, explanation, or recovery details. Cybersecurity analysts Alexis Rapin and Steve Waterhouse emphasized the operational reality of the disruption and its alignment with unpredictable hacktivist tactics seeking visibility. Waterhouse noted unresolved questions regarding TD's specific selection as a target, while Cyberknow contextualized the attack within broader pro-Russian cyber campaigns, having previously warned of 98 such groups actively targeting Western entities. Concurrently, Czech bank ČSOB sustained similar disruptions on March 3, suggesting coordinated regional targeting of financial infrastructure.
