Cyber Incident Victim: Central Bank of Russia

Date: Nov 2022

Location: Russia

Summary

Ukrainian hacktivists affiliated with the IT Army claimed responsibility for breaching Russia's central bank, allegedly exfiltrating and publicly releasing 27,000 internal documents totaling 2.6 GB. The leaked materials reportedly included operational details, security policies, employee personal data, and strategic plans to transition to domestic technology amid international sanctions. The bank denied a breach, asserting the documents were already publicly available. The same group previously disrupted services at Gazprombank through a DDoS attack that temporarily halted customer transactions and mobile banking. Russian financial institutions face heightened cyberattack risks due to sanctions-driven departures of global cybersecurity firms, with hacktivists explicitly aiming to impede payment processing and undermine confidence in the banking sector.

Description

On November 7, 2022, Ukrainian hacktivists affiliated with the IT Army—a volunteer cyber collective formed after Russia’s invasion of Ukraine—claimed responsibility for breaching the Central Bank of Russia and leaking 27,000 internal documents totaling 2.6 GB. The leaked files, released publicly on Telegram, purportedly contained operational details of the bank, security policies, and personal data of current and former employees. The group questioned the bank’s ability to safeguard the Russian financial system, stating, "If Russia’s Central Bank cannot protect its own data, how can it guarantee the stability of the ruble?" The Central Bank of Russia denied the breach, asserting through state media that all leaked documents were already publicly accessible. This followed a similar claim by the Anonymous hacktivist group in March 2022, which allegedly leaked 35,000 documents from the same institution.

Analysis of the leaked files revealed documents spanning nearly two decades, including strategic plans for the bank’s operations over the subsequent two years. Specific records detailed efforts to replace imported software with domestic technology to maintain payment system functionality amid sanctions-driven departures of international tech firms like Cisco and Oracle. The leak also reportedly included personal data of Russian military personnel, such as phone numbers and bank account details. Concurrently, the IT Army referenced prior cyber operations against Russian financial institutions, including a September 2022 DDoS attack on Gazprombank—Russia’s third-largest bank—which disrupted website access and transactional services for four hours. The group claimed to have developed specialized tools to bypass Russian DDoS protections, with Gazprombank’s vice president acknowledging the attack’s sophistication and its collateral impact on national internet infrastructure. Russian media reported heightened demand for cybersecurity services across the banking sector following these incidents, exacerbated by the absence of global cybersecurity vendors. The IT Army reiterated its objective to impede payment processing, delay financial obligations, and erode trust in Russian banking systems.
