Ukrainian hackers paralyse Russian banks in largest DDOS attack

Russian banking system attacked
Images source: © Getty Images | Contributor
Robert Kędzierski

24 June 2024 10:27

The Ukrainian hacker group IT Army claims to have conducted a large-scale cyber-attack on the Russian payment system Mir and the largest banks on 20 June. According to experts, it was one of the most severe attacks on the financial sector in years, although customer losses were limited.

On 20 June, the Russian payment system Mir and the services of the largest banks, including VTB, Alfa Bank, Gazprombank, and Sberbank, were paralysed for several hours due to a hacker attack. The Ukrainian volunteer cyber group IT Army claimed responsibility for the action. The attack, carried out using the DDoS (distributed denial-of-service) method, was repelled after paralysing the banking system for several hours.

IT Army stated on the messaging platform Telegram that it had kept the promise it made the day before. The group called its attack "probably the largest DDoS attack in history." According to the Ukrainian hackers, the action completely cut off the Mir system and affected many smaller banking services besides the main institutions. It was another high-profile attack by the IT Army; previously, the group disrupted the public transport payment system in Moscow and Kazan.

The most serious incident in years

Experts cited by the Kyiv Post confirm that the attack was the most serious of its kind since September 2021, when card payments and transfers were disrupted for three hours. At that time, the target of the attack was Orange Business Services, through which a significant volume of large bank transactions passed. Kommersant's sources claim that the previous attack was noticeably stronger, covering online payments and transactions in shops and ATMs.

Independent Russian-language media report that the day before hitting the Mir system, the same hacker group unsuccessfully attempted to attack several large Russian banks. A newspaper source speculates that the perpetrators may have been "training" on the banks before attacking a more critical target. Kommersant's sources say that the hackers used so-called carpet attacks, which hit all the resources of a given institution simultaneously, leading to infrastructure overload and loss of network connectivity. This type of attack is harder to repel than a classic DDoS.

One of Kommersant's informants criticises the response of NSPK (the National Payment Card System) to the attack as insufficiently efficient. In his opinion, NSPK should have instantly activated backup servers when the payment gateway servers were hit, but it did not.

A source claims that the hackers were very well-versed in the workings of the Russian payment system and knew how to bypass the security measures. "Some monitoring systems of NSPK did not work. Backup capacities were not connected. It was chaos combined with a well-prepared attack," the newspaper's source summarised.

Russian authorities: the incident caused no damage

NSPK stated in a communication that it is prepared for similar situations and has sufficient means to monitor and prevent attacks. It gave assurances that the incident had affected a small number of services and that its effects were short-lived.

Cybersecurity experts emphasise that although customers did not suffer severe losses, additional protection measures will be needed to avoid similar problems. They assess the attack as successful mainly in causing temporary destabilisation rather than specific damage.
