
Cyber Incident Victim: The City Bank

Date: May 2016

Location: Bangladesh

Summary

A Turkish hacker group known as Bozkurtlar (Grey Wolves) breached multiple international financial institutions, including The City Bank, leaking sensitive customer data such as transactions, credentials, and contact information. The attackers reportedly exploited SQL injection vulnerabilities using the Havij tool, exfiltrating data sets ranging from 11.2 MB to 6.97 GB across the affected banks; the leaks also included server backups and financial reports. Prior incidents involving the same group targeted Qatar National Bank and InvestBank, with some victims disputing the leaked data as recycled from earlier breaches.


Description

In May 2016, the Turkish hacker group Bozkurtlar, also known as the Grey Wolves, conducted a series of cyberattacks targeting multiple international financial institutions. The group initially gained attention for breaching Qatar National Bank and UAE-based InvestBank, with Qatar confirming the incident while InvestBank disputed the novelty of its leaked data, attributing it to recycled information from a prior compromise. Between May 14 and May 16, 2016, Bozkurtlar expanded their operations by leaking datasets from six additional banks. The first batch included Dutch Bangla Bank (312 KB), The City Bank (11.2 MB), Trust Bank (96 KB), Business Universal Development Bank (251 MB), and Sanima Bank (47 MB). A subsequent breach involved Commercial Bank of Ceylon, with 6.97 GB of data exposed. The compromised materials from these institutions included customer transaction records, login credentials, contact information, PHP application files, internal financial reports, and server backup archives. Analysis by BankInfoSecurity indicated the attackers likely exploited SQL injection vulnerabilities across all incidents, potentially leveraging a tool called Havij to automate these attacks.


The breaches exposed highly sensitive financial and personal data, escalating risks of fraud, identity theft, and corporate espionage. For The City Bank, the 11.2 MB data dump contained customer transactions and credentials, directly compromising account security. Commercial Bank of Ceylon's breach was notably severe due to the volume of exfiltrated data (6.97 GB), which included server backups capable of revealing broader infrastructure weaknesses. While Qatar National Bank acknowledged its breach, other affected entities like InvestBank attempted to downplay the incidents by attributing leaks to historical compromises. The scale of the Commercial Bank of Ceylon breach prompted BankInfoSecurity to highlight its operational significance, noting that the inclusion of financial reports and backups could facilitate further attacks or financial manipulation. The available reports did not detail any specific containment measures or remediation actions by the impacted banks.
