Cyber Incident Victim: Moscow Exchange
Date: Feb 2022
Location: Russia
Summary
The Moscow Exchange website was rendered inaccessible following a distributed denial-of-service (DDoS) attack claimed by the Ukraine IT Army, a hacker collective endorsed by Ukrainian officials, which reported disabling the site within minutes. Concurrently, Russia’s largest lender, Sberbank, experienced similar disruptions. The FSB security service was also targeted, as were multiple Russian media outlets, including TASS and Forbes Russia, whose sites were defaced with anti-war messages. These incidents occurred amid a broader surge in cyberattacks against Russian infrastructure, including government and financial entities, as part of retaliatory efforts following Russia’s invasion of Ukraine. Hacktivist groups like Anonymous and Belarusian Cyber-Partisans also disrupted Belarusian railway systems in solidarity with Ukraine.
Description
On February 28, 2022, the Moscow Exchange (moex.com) website became inaccessible early in the morning Moscow time. The outage coincided with a call to action by the Ukraine IT Army, a crowdsourced hacking collective endorsed by Ukrainian officials, which had instructed its members via Telegram to target the exchange. The group claimed responsibility for the disruption, asserting on Telegram that it took only five minutes to disable the site. Ukraine’s Deputy Prime Minister Mykhailo Fedorov, who had announced the formation of the IT Army days earlier, publicly celebrated the incident on Facebook, declaring, "The mission has been accomplished! Thank you!" The Moscow Exchange remained closed that day, as confirmed by Russia’s central bank, amid financial turmoil triggered by international sanctions that drove the ruble to a historic low against the dollar. Concurrently, London-listed shares of Sberbank, Russia’s largest lender, plummeted 70% during a broader selloff of Russian equities. NetBlocks, an internet monitoring organization, verified the Moscow Exchange website’s downtime but could not independently confirm the cause or full scope of the disruption. The Moscow Exchange did not publicly comment on the incident at the time.

The same day, the Ukraine IT Army expanded its operations, targeting Sberbank’s website in a coordinated effort. Fedorov claimed on Facebook that "Sberbank fell!" and NetBlocks later confirmed the site’s inaccessibility during the afternoon Moscow time. The IT Army also directed attacks against the website of Russia’s Federal Security Service (FSB). These incidents occurred amid a surge in distributed denial-of-service (DDoS) attacks against Russian entities, including state media outlets RT and TASS, both of which experienced prolonged outages. Cloudflare reported a "marked increase" in DDoS traffic originating from Ukraine, with most attacks targeting Russian (.ru) domains while Ukrainian (.ua) domains remained relatively unaffected. Separately, Belarusian railway systems were disrupted by the Belarusian Cyber-Partisans, who claimed to have paralyzed infrastructure in Minsk and Orsha in protest of Belarus’s support for Russia’s invasion. Over the preceding 24 hours, defacement attacks replaced the homepages of Forbes Russia and TASS with anti-war messages attributed to the Anonymous hacker collective. The Russian government did not issue detailed public statements regarding the cyberattacks, and Sberbank similarly did not respond to requests for comment on the disruptions to its services.
