Cyber Incident Victim: UniCredit SpA

Date: Jul 2015

Location: Ukraine

Summary

The Ukrainian website of UniCredit, a major European banking institution, was compromised and used to redirect visitors to the RIG exploit kit. Malware was distributed intermittently, with redirection logic controlling infection timing. The same attacker group likely targeted the prominent Ukrainian news platform RBC.ua days earlier, using identical methods against visitors of both high-traffic sites.

Description

In July 2015, cybersecurity researchers at Cyphort Labs identified a malware infection on the Ukrainian website of UniCredit Bank (unicredit.ua). The compromise involved the RIG exploit kit, a tool designed to redirect visitors to malicious sites hosting exploit code. UniCredit Group, a major European commercial bank operating across 17 countries with 149,000 employees and €950 billion in assets, saw its Ukrainian subsidiary's website targeted in this attack. The compromised unicredit.ua domain ranked as Ukraine's 704th most popular website according to Alexa traffic metrics. The exploit exhibited selective activation, with redirection to malware-laden sites not occurring during every site visit, suggesting the attackers implemented logic to control infection timing or target specific user sessions. This discovery was publicly reported on July 16, 2015, though the initial compromise timeline remains unspecified beyond the detection date.

The incident formed part of a broader campaign targeting prominent Ukrainian online properties. Two days prior to the UniCredit disclosure, on July 13, 2015 at 09:31 UTC, the same threat actors compromised RBC.ua – the digital platform of RosBusinessConsulting (RBC), a major media group listed on the Russian stock exchange as RBCM. RBC employed over 1,500 staff and reported $81 million in annual revenue. Technical analysis indicated strong similarities between the attacks on both unicredit.ua and rbc.ua, including the deployment methodology of the RIG exploit kit. The coordinated timing and matching attack patterns led researchers to attribute both compromises to the same threat group, though no specific actor identification or motivation was disclosed in the findings. Both incidents involved high-traffic Ukrainian domains serving as infection vectors through drive-by download techniques.
