
Cyber Incident Victim: State Savings Bank of Ukraine

Date: Jun 2023

Location: Ukraine

Summary

A pro-Russian hacktivist group known as NoName057(16) targeted the State Savings Bank of Ukraine and other major financial institutions with distributed denial-of-service (DDoS) attacks. The campaign aimed to disrupt the nation's online banking infrastructure by knocking websites offline and specifically targeting authorization services, login portals, and loan processing systems. The group claimed the attacks were a response to Ukrainian political discussions about potentially moving toward a cashless society.


Description

On or around June 27, 2023, the pro-Russian hacktivist group known as NoName057(16) initiated a distributed denial-of-service (DDoS) campaign targeting the Ukrainian financial sector. The group announced the start of this campaign on their encrypted Telegram channel, stating, "We will start today's journey with an attack on the financial sector of Ukraine." This incident was part of a broader, sustained offensive by the group that had begun four days prior to this announcement, during which nearly a dozen major Ukrainian banks were hit daily with DDoS attacks. The specific targets named by the group included four of Ukraine's largest commercial banks: First Ukrainian International Bank (PUMB), State Savings Bank of Ukraine (Oshchadbank), Credit Agricole Bank, and Universal Bank. The campaign's stated objective was to disrupt Ukraine’s online banking internet infrastructure.


The group claimed success in knocking several bank websites completely offline. Beyond targeting the main public-facing websites, the attackers specifically focused on critical online banking components, including authorization services, login portals, customer service systems, and loan processing services. This precision targeting aimed to cause maximum disruption to customer access and essential financial operations. The list of affected institutions extended beyond the initial four, also encompassing Ukrsibbank, Tascombank, MTB Bank, Pravex Bank, Piraeus Bank, Credit Dnepr Bank, and the Clearing House. The attacks employed the group's signature DDoS method, which functions by overwhelming targeted web properties with a flood of traffic requests, rendering them inaccessible to legitimate users.

NoName057(16) provided a motivational rationale for this campaign on their Telegram channel, linking it to a recent announcement by Ukrainian politicians regarding a potential move towards a cashless society. The group quoted Deputy Head of the Office of the President of Ukraine Rostyslav Shurma, who stated the country wanted to ban cash payments to overcome corruption. Mocking this ambition, the group wrote, "But we, unlike Shurma, are absolutely sure that Ukraine will never give up the money of its Western masters. But they are not endless…" In the same post, they used the pejorative term "Bandera junta" to describe the Ukrainian government, a phrase referencing World War II-era Ukrainian nationalism. They stated their actions were meant to help Ukraine "reject" its banking internet infrastructure, specifically citing the successful targeting of the authorization service for Credit Agricole Bank's internet banking platform.

In a related but distinct development on June 28, the group temporarily diverged from its focus on Ukraine to conduct attacks against two Swedish targets: the website of the Swedish railway carrier SJ AB and the website of the Swedish Financial Supervisory Authority, Finansinspektionen (FI). NoName cited a Quran burning incident permitted by Swedish police in Stockholm on the first day of Eid al-Adha as the motivation for these attacks. The group also referenced Sweden's support for Ukraine as a contributing factor, stating, "Considering that the Swedish authorities also help Ukrainian terrorists, we could not pass by." This action was presented as a gesture of solidarity towards another hacktivist group, Anonymous Sudan, which had been targeting Sweden. This marked a notable expansion of NoName's typical motivational doctrine, as it was the first time a Russian-affiliated group had publicly linked Islamic affairs to its operations.

The incident involving Oshchadbank and the other financial institutions is consistent with NoName's established modus operandi and broader campaign history. The group first emerged around the time of the full-scale Russian invasion of Ukraine. Since then, its primary focus has been on NATO member nations allied with Ukraine. In the months leading up to this incident, the group had targeted critical infrastructure in Poland, Denmark, and Lithuania, attacked the French parliament, and executed nearly a dozen attacks on Switzerland’s financial and aviation sectors. Just days before the bank attacks, on June 16, the group had claimed responsibility for hacking some of the largest European ports in Italy, Germany, Spain, and Bulgaria. The group's operations are characterized by relentless DDoS campaigns aimed at causing widespread disruption and garnering attention through public claims on Telegram.

A significant aspect of NoName's operational model involves recruiting volunteer hackers to amplify its attack capabilities. Earlier in January 2023, the group was discovered advertising cryptocurrency payouts in exchange for participation in its DDoS attacks. This crowdsourced approach allows the group to scale its operations and maintain persistent pressure on its targets. The effectiveness of this model was demonstrated around the same time in January when the group successfully took down at least half a dozen websites belonging to candidates in the 2023 Czech presidential election, creating significant chaos just days before the election was scheduled to begin. The attacks on Ukrainian banks followed this same pattern of employing volunteer-driven DDoS to achieve disruptive effects.

The immediate impact of the incident was the temporary unavailability of critical online banking services for customers of Oshchadbank and the other targeted financial institutions. The successful targeting of authorization services and login portals would have prevented customers from accessing their accounts online, while the disruption to customer service systems would have hindered their ability to seek assistance. Attacks on loan processing services would have delayed or halted important financial transactions for both individuals and businesses. The overall effect was a degradation of trust in the reliability of digital financial infrastructure during a period of conflict. The group's claims of knocking websites completely offline indicate successful interruptions to public access and information dissemination for these banks.

The incident did not occur in isolation but was part of a multi-day offensive against Ukraine's financial sector, indicating a sustained effort to cause prolonged disruption. The group's announcement that it had been attacking banks daily for four days prior to June 27 suggests a pre-meditated and coordinated campaign rather than a one-off event. The selection of targets included a wide range of banks, from large state-owned institutions like Oshchadbank to smaller commercial banks, aiming for a broad impact across the entire Ukrainian banking ecosystem. The inclusion of the Clearing House, a key financial intermediary, indicates an attempt to disrupt interbank operations and settlement processes, potentially amplifying the consequences of the attacks.

NoName's public statements on Telegram served both as a claim of responsibility and a tool for psychological impact, using mocking and politically charged language to demoralize its targets and justify its actions to its followers. The reference to the cashless society proposal was used to frame the attacks as a form of political commentary or retaliation. The subsequent, unexpected shift to target Sweden demonstrated the group's flexibility and its willingness to exploit current global events to expand its targeting and forge alliances with other groups, such as Anonymous Sudan, which many security analysts believe to be Russian-affiliated. This incident underscored the blurred lines between hacktivism and state-sponsored activity within the cyber domain, particularly in the context of the ongoing conflict in Ukraine. The primary consequence was a demonstration of the vulnerability of critical financial infrastructure to relatively unsophisticated but voluminous DDoS attacks, causing tangible disruption to economic activity and daily life.
