
Cyber Incident Victim: Universal Bank

Date: Jun 2023

Location: Ukraine

Summary

The pro-Russian hacktivist group NoName057(16) conducted a DDoS campaign against the Ukrainian financial sector, targeting Universal Bank among other major institutions. The attacks aimed to disrupt online banking infrastructure: taking down bank websites and flooding authorization services, login portals, and loan processing systems. The group said it was motivated by statements from Ukrainian officials about moving towards a cashless society.


Description

On or around June 27, 2023, the pro-Russian hacktivist group NoName057(16) initiated a distributed denial-of-service (DDoS) campaign targeting the Ukrainian financial sector. The group announced the start of the campaign on its Telegram channel, stating, "We will start today's journey with an attack on the financial sector of Ukraine." The attack was part of a broader, sustained effort: the group had been targeting nearly a dozen major Ukrainian banks daily for the four days before the source report. The campaign specifically aimed to disrupt Ukraine's online banking infrastructure. The list of targeted financial institutions included some of the nation's largest commercial banks: First Ukrainian International Bank (PUMB), State Savings Bank of Ukraine (Oshchadbank), Credit Agricole Bank, and Universal Bank. Additional Ukrainian banks claimed as victims by the group during this period included Ukrsibbank, Tascombank, MTB Bank, Pravex Bank, Piraeus Bank, Credit Dnepr Bank, and the Clearing House.


The attackers employed their signature DDoS method, which overloads a website with a flood of requests until it exhausts its capacity to serve legitimate users and becomes unavailable. Beyond the banks' main websites, the group's offensive focused on specific critical services to maximize disruption: online authorization systems, customer login portals, customer service platforms, and loan processing services. The group claimed success in these efforts, stating it had knocked several bank websites completely offline and had "killed" the authorization service for internet banking at Credit Agricole Bank. The intended impact was to impair the day-to-day financial operations of the country and its citizens.
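The pattern described above, a request flood concentrated on authorization, login and loan endpoints rather than on the whole site, is what a detection rule on the victim's edge should key on. The following is an added example, not code from the incident report or from the group's tooling: a sliding-window rate detector run over a constructed access-log excerpt. The endpoint paths (`/api/auth/login`, `/loans/apply`), the IP addresses (RFC 5737 documentation ranges), the timestamps and the 10-requests-per-10-seconds threshold are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format as written by nginx/Apache. Field layout is standard;
# the sample lines fed to it further down are constructed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The service categories the incident description names (authorization, login,
# loan processing). Concrete path prefixes are hypothetical.
PROTECTED_PREFIXES = ("/api/auth/", "/login", "/loans/")


def parse_line(line):
    """Parse one combined-format log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_flood(lines, window_seconds=10, threshold=10):
    """Return {ip: peak_count} for sources that send more than `threshold`
    requests to protected endpoints inside any `window_seconds` sliding window.
    Lines are expected in chronological order, as an access log is written."""
    windows = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(PROTECTED_PREFIXES):
            continue  # unparseable, or static content we do not rate-limit here
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop requests that have aged out of the window
        if len(q) > threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def sample_log():
    """Constructed access-log excerpt: two sources hammering login and loan
    endpoints, with ordinary customer traffic interleaved. Not real data."""
    lines = []

    def entry(ip, sec, path, status=200, method="POST"):
        ts = f"27/Jun/2023:09:00:{sec:02d} +0300"
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

    # Legitimate customers: a handful of logins spread across the minute.
    for sec, ip in ((1, "203.0.113.10"), (17, "203.0.113.11"),
                    (38, "203.0.113.10"), (55, "203.0.113.12")):
        lines.append(entry(ip, sec, "/api/auth/login"))
    # Flood sources: 15 login attempts in ~5 s and 12 loan requests in ~4 s,
    # answered with 503 once the backend saturates.
    for i in range(15):
        lines.append(entry("198.51.100.7", 20 + i // 3, "/api/auth/login", 503))
    for i in range(12):
        lines.append(entry("198.51.100.8", 40 + i // 3, "/loans/apply", 503))
    # Background fetches of static content: ignored by the detector.
    for sec in range(0, 60, 5):
        lines.append(entry("203.0.113.20", sec, "/static/app.js", method="GET"))
    # Restore chronological order (timestamps share date/hour/minute, so the
    # bracketed field sorts lexicographically).
    return sorted(lines, key=lambda l: l.split("[")[1][:26])


if __name__ == "__main__":
    for ip, peak in detect_flood(sample_log()).items():
        print(f"flood source {ip}: {peak} requests to protected endpoints in one window")
```

The per-source threshold catches the two bursting addresses while leaving repeat logins from a real customer alone. Its limit is the one this incident illustrates: an attack distributed across many volunteer machines can stay under any per-IP threshold, so the same window logic also needs to run on the aggregate rate per protected path, and sustained floods are ultimately absorbed upstream (CDN or scrubbing) rather than at the origin.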

The group itself gave the motivation for this campaign in its Telegram posts. It said the attacks were a response to recent statements by Ukrainian politicians about ambitions to become the "first country in the world to completely abolish cash." The group quoted Deputy Head of the Office of the President of Ukraine Rostyslav Shurma, who had suggested a ban on cash payments could help overcome corruption. NoName mocked this ambition, writing, "But we, unlike Shurma, are absolutely sure that Ukraine will never give up the money of its Western masters. But they are not endless…" The group used pejorative language, referring to the Ukrainian leadership as the "Bandera junta," a term used by Russians for Ukrainians who support sovereignty from the Kremlin. Its stated goal was to help this "junta" "reject" its online banking infrastructure.

In a notable deviation from their primary focus on Ukraine, the NoName group briefly expanded its targeting on June 28th. This shift was an apparent gesture of solidarity towards another hacktivist group, Anonymous Sudan, which had been conducting its own campaigns against Sweden. The motivation for Anonymous Sudan's attacks was linked to protests in Stockholm that involved the burning of a Quran. NoName cited a specific event, the burning of a Quran on the first day of Eid al-Adha, which Swedish police had permitted. The group posted, "🔻Swedish police allowed to burn the Koran in Stockholm on the first day of Eid al-Adha, we read in the news🤬." They also connected the attack to Sweden's support for Ukraine, stating, "Considering that the Swedish authorities also help Ukrainian terrorists, we could not pass by." As a result, NoName launched DDoS attacks against two Swedish targets: the website of the national railway carrier SJ AB and the website of the Swedish Financial Supervisory Authority, Finansinspektionen (FI). The group claimed to have "killed" the financial supervision website. This marked an unusual moment, as it was the first observed instance of a Russian-affiliated group incorporating Islamic affairs into its motivational doctrine.

The incident involving Universal Bank sits within the longer-term operations of the NoName group. The group first emerged around the time of the full-scale Russian invasion of Ukraine. Since then, its primary focus has been on NATO member nations allied with Ukraine. In the period leading up to and including June 2023, the group had recently targeted critical infrastructure in Poland, Denmark, and Lithuania. It had also attacked the French parliament and carried out nearly a dozen separate attacks on Switzerland's financial and aviation sectors within the same month. Just days before the bank attacks, on June 16th, the group had claimed responsibility for attacks on some of the largest European ports in Italy, Germany, Spain, and Bulgaria. The group's operational model also involves financial incentives: in January 2023, NoName was found advertising cryptocurrency payouts to volunteer hackers in exchange for participation in its DDoS attacks. That same month, the group demonstrated its capacity for significant disruption by taking down at least half a dozen websites belonging to candidates in the 2023 Czech presidential election, just days before voting was scheduled to begin. The attack on Universal Bank and its peers was therefore a single component in a widespread and ongoing campaign of disruptive cyber activity by a politically motivated threat actor.
