Cyber Incident Victim: First Ukrainian International Bank
Date: Jun 2023
Location: Ukraine
Summary
First Ukrainian International Bank (PUMB) was targeted by the pro-Russian hacktivist group NoName057(16) in a DDoS campaign against the Ukrainian financial sector. The attack disrupted the bank's online infrastructure, specifically aiming at its authorization services, login portals, and customer service systems. This incident was part of a broader offensive against nearly a dozen major banks, which the group claimed was a response to Ukrainian political discussions about moving towards a cashless society.
Description
On or around June 27, 2023, the pro-Russian hacktivist group known as NoName057(16) initiated a distributed denial-of-service (DDoS) campaign targeting the Ukrainian financial sector. The group announced the start of this campaign on their encrypted Telegram channel, stating, "We will start today's journey with an attack on the financial sector of Ukraine." This incident was part of a broader, sustained offensive that had been ongoing for four days prior to the announcement, during which nearly a dozen major Ukrainian banks were hit daily. The primary objective of the campaign, as stated by the threat actors, was to disrupt Ukraine’s online banking internet infrastructure.

The First Ukrainian International Bank (PUMB) was named as one of the primary targets, alongside other major Ukrainian commercial banks including the State Savings Bank of Ukraine (Oshchadbank), Credit Agricole Bank, and Universal Bank. Additional financial institutions claimed as targets by NoName during this campaign included Ukrsibbank, Tascombank, MTB Bank, Pravex Bank, Piraeus Bank, Credit Dnepr Bank, and the Clearing House. The group employed its signature DDoS attack method, which functions by overloading targeted websites with a flood of traffic requests, rendering them inaccessible and causing them to crash.
Beyond simply targeting the main public-facing websites of these banks, the attackers specifically focused on critical online banking components to maximize disruption. The gang claimed to have attacked authorization services, login portals for customer access, customer service systems, and loan processing services. The group boasted about the effectiveness of their attacks, claiming to have knocked several bank websites completely offline and to have "killed" the authorization service for internet banking at Credit Agricole Bank. The impact of these attacks would have prevented customers from accessing their accounts online, conducting transactions, or utilizing essential banking services, thereby causing significant operational disruption.
The motivation for this specific campaign, as provided by NoName on their Telegram channel, was linked to a recent political announcement within Ukraine. The group cited statements by Rostyslav Shurma, the Deputy Head of the Office of the President of Ukraine, regarding ambitions to move toward a cashless society. NoName mocked this ambition, writing, "According to the Deputy Head of the Office of the President of Ukraine Rostyslav Shurma, the country wants to ban cash payments, which will make it possible to overcome at least 95% of corruption." The group used this announcement as a pretext for their attacks, framing them as an effort to help the "Bandera junta" reject their banking infrastructure. "Bandera junta" is a pejorative term used by Russian sympathizers to describe the Ukrainian government, referencing historical Ukrainian nationalist Stepan Bandera.
In a notable deviation from their primary focus on Ukraine, NoName briefly expanded their targets on June 28th in a show of solidarity with another hacktivist group, Anonymous Sudan. This group had been conducting its own campaigns, primarily against Sweden, following the public burning of a Quran in Stockholm. After a second Quran burning occurred on the first day of Eid al-Adha, NoName publicly expressed outrage and launched DDoS attacks against two Swedish entities: the website of the national railway carrier SJ AB and the website of the Swedish Financial Supervisory Authority, Finansinspektionen (FI). The group justified these attacks by stating, "Considering that the Swedish authorities also help Ukrainian terrorists, we could not pass by." This marked a rare instance of a Russian-affiliated group incorporating Islamic affairs into its motivational doctrine, a tactic more commonly associated with groups like Anonymous Sudan, which many security analysts believe to be operated by or aligned with Russian interests.
The incident involving PUMB and the other Ukrainian banks is consistent with NoName's established modus operandi and broader strategic goals. The group first emerged around the time of the full-scale Russian invasion of Ukraine and has since primarily focused on targeting NATO member nations and other allies that provide support to Ukraine. In the months leading up to this incident, the group had claimed attacks on critical infrastructure in Poland, Denmark, and Lithuania, as well as against the French parliament. Throughout June 2023, the group executed nearly a dozen attacks on Switzerland’s financial and aviation sectors. Just days before the bank attacks, on June 16th, NoName claimed responsibility for hacking some of the largest European ports in Italy, Germany, Spain, and Bulgaria.
The group's operational capabilities are enhanced by its recruitment and incentivization of volunteer hackers. Earlier, in January 2023, NoName was discovered advertising cryptocurrency payouts to individuals in exchange for their participation in the group’s DDoS campaigns. This crowdsourced approach allows the group to amplify the scale and persistence of its attacks. This model had proven effective previously; around the same time as the cryptocurrency recruitment drive, the group successfully took down at least half a dozen websites belonging to candidates in the 2023 Czech presidential election, creating significant chaos in the days immediately preceding the election.
The immediate consequence of the DDoS attacks on PUMB and the other financial institutions was the temporary unavailability of critical online services, leading to operational disruption and potential financial losses. Customers would have been unable to perform routine banking activities, and the banks' reputations would have been impacted by the public nature of the attacks and the subsequent claims made by the threat actors. The incident also highlighted the persistent vulnerability of critical national infrastructure, particularly the financial sector, to relatively simple but high-volume DDoS attacks orchestrated by politically motivated hacktivist groups. The public Telegram posts by NoName served both as a claim of responsibility and as a tool for psychological impact and propaganda, aiming to demoralize the targeted nation and its population while justifying the group's actions to its followers. The specific technical response actions taken by PUMB or the other banks to mitigate the DDoS attacks, such as engaging with DDoS mitigation services or Internet Service Providers (ISPs) to filter malicious traffic, are not detailed in the available information. Similarly, the exact duration of the downtime for each bank's services and the full extent of the financial impact remain unspecified in the source material.
