Incident & Breach Response , Managed Detection & Response (MDR) , Security Operations

Reports: Hackers Steal $31 Million from Russia's Central Bank

Federal Security Service Claims to Have 'Neutralized' Other Banking Attacks
Reports: Hackers Steal $31 Million from Russia's Central Bank

(This story has been updated.)

See Also: User Entity & Behavior Analytics 101: Strategies to Detect Unusual Security Behaviors

Hackers apparently stole 2 billion rubles (US $31 million) from accounts that banks keep at Russia's central bank in a series of cyberattacks this year, according to several news reports. The news comes as the country's security service also claims to have fought off broader attacks against the financial services industry.

CNN reports that the central bank confirmed hackers tried to steal 5 billion rubles, but the central banking authority managed to stop them and redirect some of the funds. "We were lucky to return some of the money," a central bank spokesperson told CNN. The central bank did not say when the cyberheists occurred but said they took place over 2016, CNN reports.

Reuters reported that the bank released a report on Dec. 2 describing a cyberattack that involved "faking a client's credentials." Further details were not available.

The stolen money came from accounts held by banking clients at the central bank, The Wall Street Journal reported.

But Tass, the Russian news agency, claimed that the nation's central bank disclaimed the reports of money being stolen from correspondent accounts. "The reports about stolen two billion rubles from the Bank of Russia's correspondent accounts in a hacker attack are not true to life," TASS quotes the regulator's press service as saying. "[In] the review of financial stability, which was presented on Friday evening, the bank reported the losses commercial banks and their clients suffered in hacker attacks during the year 2016."

'Neutralizing' Other Attacks

Meanwhile, Russia's Federal Security Service says it has taken steps to "neutralize" attacks against its financial system. In a statement, the Federal Security Service said it had received information that large-scale cyberattacks were planned starting on Dec. 5.

The attacks, which allegedly were expected to strike several dozen Russian cities, would be accompanied by the mass sending of SMS messages and a social network and media campaign telegraphing a crisis in the Russian financial system, the Federal Security Service claimed.

The command-and-control server for the attacks is located in the Netherlands and is run by a Ukrainian hosting company called BlazingFast, the Federal Security Service also claimed. BlazingFast responded on Facebook that it had not been contacted by the Federal Security Service but would cooperate if its network was used for illegal activity.

"As soon as BlazingFast became aware of this report, we reviewed all our systems and network and we have not found any abnormal pattern changes that could lead to [Federal Security Service's] allegations," the company says.

SWIFT Related?

The apparent theft from Russia's central bank comes as cyberattackers have had success this year penetrating deeply into banks' networks. The most notable thefts have involved fraudulent money-moving requests being sent via SWIFT, the financial messaging system used by 11,000 banks for international and domestic transfers. SWIFT, which stands for the Society for Worldwide Interbank Financial Telecommunication, is based in Brussels.

The largest known theft to date involving fraudulent SWIFT messages targeted Bangladesh's central bank, which saw $81 million transferred from its account with the New York Federal Reserve to the Philippines. The attack used a combination of malicious software and deceptive tactics to exploit poor security controls. Hackers tried to transfer $951 million, but some transfers were blocked, one after someone noticed a spelling mistake (see Bangladesh Eyes Insider Angle for SWIFT Bank Attack).

In January 2015, $12.2 million was stolen from Banco del Austro in Ecuador after hackers accessed its systems and initiated SWIFT transfers. A Vietnamese bank, Tien Phong Commercial Joint Stock Bank, blocked an attempt to transfer $1.36 million from its accounts in late 2015 (see Another SWIFT Hack Stole $12 Million).

Banks have also seen sophisticated attacks, known as jackpotting, designed to reprogram ATMs to disgorge cash. Once in place, the malware allows hackers to trigger a withdrawal by inserting a special ATM card or sending a command via mobile phone (see 'Ripper' ATM Malware: Where Will Cybercriminals Strike Next?).

The Russian security company Group-IB says banks across Europe and Asia have been targeted lately in attacks that begin with spear-phishing emails. Those targeted email are crafted so that a victim will open a dangerous attachment or link that delivers malware (see Report: European Banks Struck by ATM Jackpotting Attacks).

Once inside a bank's systems, an ATM's software logic is changed. ATM vendors, including NCR and Diebold Nixdorf, have warned of these so-called logic attacks and advised banks on defenses.


The targeting of Russia is not surprising given the mix of opportunist cybercriminals, politically motivated hackers and possible state-level actors worried about President Vladimir Putin's muscle flexing.

In October, the U.S. blamed Russia for hacking the Democratic National Committee along with the email accounts of party officials. The emails ended up on WikiLeaks and other websites, fueling unending media attention and further skewing an already unconventional presidential campaign (see Microsoft Says Russian DNC Hackers Targeted Zero-Day Flaws).

U.S. Vice President Joe Biden obliquely warned soon after the charge that the U.S. had the capacity to send a "message" to Russia and would do so when the circumstances have the greatest impact, according to The New York Times..

It's not clear if the U.S. has acted yet. In January, the U.S. Treasury directly accused Putin of being corrupt, alleging that he has amassed a fortune that has been masked through longtime training and practices, according to the BBC. U.S. spy agencies could conceivably be tasked with using offensive cyberattacks to expose Putin's finances.

Russia has consistently denied the hacking accusations while casting itself as a victim. In July, the FSB said malicious software infected 20 organizations, with targets including public authorities, scientific and military institutions.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.