Cyber Incident Victim: Crédit Agricole
Date: Jun 2023
Location: Ukraine
Summary
A pro-Russian hacktivist group known as NoName conducted a DDoS campaign targeting the Ukrainian financial sector, with Credit Agricole Bank among the major institutions impacted. The attack was aimed at disrupting the bank's online infrastructure, specifically targeting its authorization service, login portals, and customer service systems to render them inaccessible. The group cited a Ukrainian political announcement regarding moving to a cashless society as motivation for the campaign.
Description
On June 27, 2023, the pro-Russian hacktivist group NoName057(16) announced a new campaign targeting the Ukrainian financial sector. The group posted on its encrypted Telegram channel, stating, "We will start today's journey with an attack on the financial sector of Ukraine." This announcement marked the beginning of a sustained distributed denial-of-service (DDoS) campaign against nearly a dozen major Ukrainian banks. The threat actors had initiated this activity four days prior to the article's publication date of June 28, meaning the attacks began around June 24. The campaign involved daily attacks on these financial institutions.

The list of targeted banks included four of Ukraine's largest commercial banks: First Ukrainian International Bank (PUMB), State Savings Bank of Ukraine (Oshchadbank), Credit Agricole Bank, and Universal Bank. Other financial entities claimed as victims by the group during this campaign included Ukrsibbank, Tascombank, MTB Bank, Pravex Bank, Piraeus Bank, Credit Dnepr Bank, and the Clearing House. The group's stated objective was to disrupt Ukraine’s online banking internet infrastructure. The attackers employed their signature DDoS method, which functions by overloading a website with traffic requests to cause it to crash and become unavailable.
The group provided specific details regarding the systems they targeted within the financial infrastructure. Beyond aiming to knock bank websites completely offline, NoName057(16) specifically went after authorization services, login portals, customer service systems, and loan processing services. In a Telegram post, the group explicitly mentioned helping the "Bandera junta" to reject their banking internet infrastructure and kill the authorization service for the internet banking of Credit Agricole Bank. The term "Bandera junta" is a pejorative used by Russian sympathizers to describe Ukrainians who support sovereignty from Russia.
The hacking group cited a specific motivational trigger for this campaign. They claimed it was spurred by a recent announcement from Ukrainian politicians about ambitions to become the "first country in the world to completely abolish cash." The group quoted Deputy Head of the Office of the President of Ukraine Rostyslav Shurma, who stated that banning cash payments could help overcome at least 95% of corruption. NoName057(16) mocked this concept, expressing certainty that Ukraine would not give up the money of its "Western masters" and stating that these funds were not endless. Their attacks were framed as a direct response to this political announcement.
In a related but separate action on June 28, the group momentarily shifted its focus from Ukraine. NoName057(16) picked up on a post by another hacktivist group, Anonymous Sudan, which had been targeting Sweden since a Quran burning incident in Stockholm in January. In an apparent gesture of solidarity, NoName cited a second Quran burning permitted by Swedish police on the first day of Eid al-Adha as its reason for attacking two Swedish targets: the website of the Swedish railway carrier SJ AB and the website of the Swedish Financial Supervisory Authority, Finansinspektionen (FI). The group also linked its actions to Sweden's support for Ukraine, stating, "Considering that the Swedish authorities also help Ukrainian terrorists, we could not pass by and killed the website of the financial supervision of Sweden." This marked the first observed instance of a Russian-affiliated group incorporating Islamic affairs into its motivational doctrine.
The group NoName057(16) first emerged around the time of the Russian invasion of Ukraine. Since its inception, the gang has primarily focused on NATO member nations allied with Ukraine. Its activities have recently included targeting critical infrastructure in Poland, Denmark, and Lithuania, attacking the French parliament, and executing nearly a dozen attacks on Switzerland’s financial and aviation sectors in the month preceding this incident. Some of the largest European ports in Italy, Germany, Spain, and Bulgaria were also hacked by the group on June 16. The group's operational model was previously discovered to include advertising cryptocurrency payouts to volunteer hackers in exchange for their participation in the group’s DDoS attacks. Around January 2023, the group successfully took down at least half a dozen websites belonging to candidates in the Czech presidential election, causing disruption just days before the elections were scheduled to begin.

The impact of the late June attacks on the Ukrainian banks involved website downtime and the disruption of critical online banking services for customers, though specific duration details were not provided in the source material. The article did not detail any specific response or containment actions taken by the victim banks or Ukrainian authorities in reaction to these attacks.
