Cyber Incident Victim: Warsaw Stock Exchange
Date: Oct 2014
Location: Poland
Summary
The Warsaw Stock Exchange experienced unauthorized access to its systems, resulting in website unavailability during trading hours. Attackers claimed responsibility, alleging retaliation against military actions in their homeland, with unconfirmed potential links to ISIS. Compromised data included approximately 30,000 investor credentials, network infrastructure details, and private email contents containing sensitive customer information. While archived simulation data was breached, the exchange confirmed transactional systems remained secure due to physical separation from affected servers. Hackers maintained control over multiple subdomains post-incident, though operational trading platforms were unaffected.
Description
On October 23, 2014, the Warsaw Stock Exchange (WSE) website became inaccessible to brokers and investors between 2:00 PM and 4:00 PM Warsaw time during trading hours. A Pastebin post attributed to an individual using the name JAN_URBANOWICZ claimed responsibility for the attack, declaring it the "beginning of the FIGHT against those who’re bombing our Homeland" and concluding with "Allahu Akbar." The post asserted the theft of approximately 30,000 investor and broker login credentials. Polish cybersecurity site niebezpiecznik.pl reported confirmation from WSE via email that hackers exfiltrated roughly 30 MB of investor data, including IP addresses and network infrastructure maps, confirming unauthorized access to the exchange’s intranet. Attackers further leveraged stolen credentials to breach private email accounts associated with the exchange, extracting customer data described as including "intimate pictures." The Pastebin statement’s reference to retaliating against "bombing" operations aligned with Poland’s military commitments in Afghanistan, Iraq, and its political support for U.S.-led strikes against ISIS, though no investigating authority confirmed ISIS involvement.

WSE issued a press statement characterizing the breach as involving "unsolicited entities" accessing archived data used for trade simulation features, emphasizing no impact on the security or functionality of live transaction systems. Spokesperson Maciej Wewiór clarified that transaction system data resided in segregated infrastructure, preventing concurrent compromise. The exchange identified four specific domains—https://utp.gpw.pl/, https://gpwcatalyst.pl/, https://newconnect.pl/, and https://gpwtrader.pl/—as remaining under attacker control post-incident. While WSE sought to reassure stakeholders by distinguishing between compromised archival materials and operational systems, the breach exposed sensitive investor information, internal network schematics, and private communications, raising concerns over data security protocols. No additional technical details regarding attack vectors, remediation timelines for the compromised servers, or law enforcement findings were disclosed in the available reporting.
