Cyber Incident Victim: VTB Bank

Date: Dec 2022

Location: Russia

Summary

A massive DDoS attack targeted Russia’s second-largest bank, causing the worst cyber incident in its history by disrupting online services and mobile applications while core banking operations remained functional. The attack, claimed by the pro-Ukraine 'IT Army of Ukraine' hacktivist group, originated primarily from foreign sources but included some Russian IP addresses, prompting law enforcement involvement. The bank confirmed customer data remained secure within its internal infrastructure despite the service outages, which were intended to inconvenience clients. The state-owned institution framed the incident as a politically motivated assault, linking it to foreign actors possibly using local proxies or collaborators. The group, backed by Ukraine’s government, had previously targeted other Russian entities.

Description

On December 1, 2022, Russia’s second-largest bank, VTB Bank, began experiencing disruptions to its online services following a distributed denial-of-service (DDoS) attack. Customer complaints about service accessibility first surfaced on social media, and the bank initially attempted to downplay them. By December 6, the attack had escalated to unprecedented levels, forcing VTB to publicly acknowledge it as the largest cyberattack in its history. The DDoS campaign targeted the bank’s public-facing infrastructure, including its website and mobile applications, rendering them inaccessible to customers. VTB confirmed that the attack originated primarily from foreign IP addresses, though some malicious traffic was traced to Russian IPs, suggesting the use of local proxies or domestic collaborators. The bank emphasized that its core banking systems remained operational throughout the incident and that customer data was unaffected because it is stored within secured internal perimeters. The service disruptions were intended to inconvenience customers rather than to compromise financial data or transactions.

The pro-Ukraine hacktivist group ‘IT Army of Ukraine’ claimed responsibility for the attack, having announced the campaign via Telegram in late November 2022. This group, formed with official Ukrainian government endorsement in February 2022, had previously disrupted Russian entities such as vodka distribution portals and Rostec, a major aerospace and defense conglomerate. VTB’s internal analysis concluded that the attack was deliberately planned to inflict operational disruption through a high volume of malicious requests. The bank reported the identified IP addresses, including domestic ones, to Russian law enforcement for criminal investigation. Because VTB is a state-owned institution with 61% ownership by the Russian government, the incident carried political implications, indirectly targeting state interests. VTB’s public admission of the attack on December 6 marked a shift from its earlier minimization of the disruptions, reflecting the severity of the sustained DDoS pressure on its digital infrastructure.
