Cyber Incident Victim: The City Bank
Date:
May 2016
Location:
Bangladesh
Summary
The City Bank, a financial institution in Bangladesh, was one of several banks breached in May 2016 by the Turkish hacker group Bozkurtlar (Grey Wolves). The group leaked 11.2 MB of data taken from the bank, including customer transaction records, login credentials, and contact information. The breach was part of a broader campaign against banks in several countries; analysis of the dumps pointed to SQL injection against the banks' internet-facing applications, with the automated SQL injection tool Havij in use across the attacks. The leaks coincided with SWIFT's disclosure of attacks on its customers' messaging systems, in which malware was used to tamper with the local SWIFT database and conceal fraudulent transfers, but no direct link between those SWIFT compromises and The City Bank breach has been established.
Description
In May 2016, the Turkish hacker group Bozkurtlar (Grey Wolves) claimed responsibility for breaching multiple international banks, including The City Bank. The group leaked 11.2 MB of data from The City Bank in its first wave of attacks, which also hit Dutch-Bangla Bank, Trust Bank, Business Universal Development Bank, and Sanima Bank. The leaked data included customer transaction records, login credentials, and contact information. A subsequent breach targeted Commercial Bank of Ceylon, exposing 6.97 GB of PHP source files, financial reports, and server backups. BankInfoSecurity analyzed the leaks and noted the use of Havij, an automated SQL injection tool, across all of the attacks. Qatar National Bank had acknowledged an earlier breach attributed to similar methods, while InvestBank disputed the authenticity of the data leaked in its name.

The incidents fit a pattern of SQL injection against bank web applications, used to pull records out of the backing databases. Bozkurtlar's activity coincided with SWIFT's confirmation of separate attacks on financial institutions' messaging systems worldwide, but no connection between the two campaigns was established. The City Bank breach was part of a data exfiltration effort rather than an attempt to move funds, unlike the Bangladesh Bank SWIFT heist. Analysis of the dumps indicated that the attackers reached internal systems and extracted structured financial data and administrative files. The scale of the Commercial Bank of Ceylon leak, which included server backups, suggested access well beyond a single database: a backup typically carries source code, configuration, and credentials for other systems, so its loss undermines the integrity of the wider infrastructure, not just the records it holds. Neither The City Bank nor most of the other affected institutions publicly confirmed remediation steps, although SWIFT separately required its messaging customers to apply software updates following its own incident disclosures.
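The description above names the technique (SQL injection, run with the Havij tool) but not what it looks like on the target side. The following is an added example, not code from the original page or from any of the banks or analysts it cites. It shows the two things a practitioner would want: a login query built by string concatenation beside its parameterized replacement, run against an in-memory SQLite database, and a small detector that scans web-server access log lines for SQL injection indicators, including the hex literal 0x31303235363130303836 and the "Havij" User-Agent string that public IDS rules associate with the tool. The user table, the log lines, and the flagged indicators are all constructed here for illustration; none of them come from the incident.

```python
import re
import sqlite3
from urllib.parse import unquote_plus


def make_db():
    """Constructed sample user table (not data from the incident)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "admin", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Query assembled from user input: the attacker controls SQL structure.
    A username of "admin' -- " comments out the password check entirely."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterized query: input is bound as data, never parsed as SQL."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Hex literal that decodes to the ASCII string "1025610086"; public IDS
# signatures flag it as a marker injected by Havij. Checked first so a
# request carrying it is attributed to the tool rather than to generic SQLi.
HAVIJ_MARKER = "0x31303235363130303836"

SQLI_PATTERNS = [
    ("havij-marker", re.compile(re.escape(HAVIJ_MARKER), re.I)),
    ("havij-ua", re.compile(r"havij", re.I)),
    ("union-select", re.compile(r"union\s+(all\s+)?select", re.I)),
    ("tautology", re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+", re.I)),
]

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed access log lines for the example (not from the breach).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2016:03:14:07 +0600] "GET /account.php?id=5 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2016:03:14:09 +0600] "GET /account.php?id=5%27%20and%201%3D1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2016:03:14:11 +0600] "GET /account.php?id=5%20union%20select%200x31303235363130303836,2,3 HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/May/2016:03:15:00 +0600] "GET /index.php HTTP/1.1" 200 2048 "-" "Havij"',
]


def scan_access_log(lines):
    """Return (client_ip, indicator, decoded_path) for each line that matches
    an injection indicator in the URL-decoded path or the User-Agent."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = unquote_plus(m.group("path"))  # decode %27, %20, %3D, ...
        ua = m.group("ua")
        for name, pattern in SQLI_PATTERNS:
            if pattern.search(path) or pattern.search(ua):
                hits.append((m.group("ip"), name, path))
                break  # one verdict per request, most specific first
    return hits


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login bypassed:", login_vulnerable(db, "admin' -- ", "wrong"))
    print("parameterized login bypassed:", login_safe(db, "admin' -- ", "wrong"))
    for ip, indicator, path in scan_access_log(SAMPLE_LOG):
        print(f"{ip}  {indicator:14s}  {path}")
```

The detector is deliberately narrow: it decodes the request path once and matches a few high-confidence indicators, so it is suitable for a quick sweep of historical logs rather than as a replacement for a web application firewall. Adding a comment-terminator pattern (`--`, `#`, `/*`) would catch the login bypass shown in `login_vulnerable` but also a lot of legitimate traffic, which is why it is left out here.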
