Two Ukrainian hacktivist groups are claiming to have broken into Russia's largest private bank, Alfa-Bank.
In a blog post last week, the hackers from groups called KibOrg and NLB shared screenshots of what appears to be an internal database belonging to Alfa-Bank, as well as personal details of several Russian individuals as "confirmation" of the breach. Within the database, the hackers say there are over 30 million records including names, birthdates, account numbers and phone numbers of Russian customers.
Adding some legitimacy to those claims, a Ukrainian intelligence official who requested anonymity to discuss the sensitive operation confirmed to NPR that Ukraine's top counterintelligence agency, the SBU, helped the hacktivists breach Alfa-Bank.
The official did not share additional details about how the SBU participated or any further plans for sharing the stolen data. Ukrainian journalists including from cybersecurity website The Record previously reported on the connection to the SBU.
While the hacktivists did not immediately respond to a request to discuss the breach, they wrote in the blog post — posted on their own site — that they would be sharing the data obtained from Alfa-Bank with investigative journalists.
Alfa-Bank has not publicly responded to the news of the hack.
Hacking has become a tool for Ukraine's resistance.
Alfa-Bank is known for catering to Russia's upper echelon. The U.S. government sanctioned the bank and many of its board members following Russia's full-scale invasion of Ukraine in February of 2022.
In a press release about some of those sanctions in August, Deputy Secretary of the Treasury Wally Adeyemo said that "wealthy Russian elites should disabuse themselves of the notion that they can operate business as usual while the Kremlin wages war against the Ukrainian people."
Beyond western sanctions, hacktivism and volunteer cyber operations have become important tools for Ukraine in its resistance to Russia's invasion.
While the IT Army is one of the most well-known groups, officially endorsed by Ukraine's Ministry of Digital Transformation in the early days of the war, there are many other volunteer groups launching operations ranging from mildly disruptive denial of service attacks to large-scale breaches and data dumps.
Many experts expected skilled Russian hackers to launch highly destructive and disruptive attacks on Kyiv as they have in the past, knocking out the power grid or wiping out communications. However, those expectations have not been met. Russian hackers have managed to repeatedly target and disrupt the power grid, utilities, communications providers and news outlets, among others, since the invasion. However, the impacts haven't been long lasting or permanently damaging, according to a range of Ukrainian cybersecurity officials and executives. Independent experts from cybersecurity companies, many of whom have donated their services to Ukraine, have bolstered those claims.
However, since the early days of the war, skilled Ukrainian hackers and cybersecurity experts have become hacktivists, as well as official and unofficial advisers to Ukrainian government agencies.
Those agencies have officially acknowledged their importance. During an exclusive interview with NPR in August, the head of the SBU's Cyber Division Illia Vitiuk said that it is part of his job to both monitor and to some extent "direct" or "give advice" to hacktivists supporting its work against Russian spies. "This is like our cyber territorial defense," continued Vitiuk. He says part of the reason his service works so closely with private citizens is to make sure they use their powers for good. "It's very important that after the war ... these people work for the benefit of our country."
Ukrainian hacktivists have notched several wins in recent weeks beyond the apparent Alfa-Bank breach.
Most recently, the Ukrainian Cyber Alliance broke into servers of a major ransomware gang with ties to Russia called Trigona. Cybersecurity experts told NPR the breach appeared legitimate, and the group's website was taken down. A representative of the Ukrainian Cyber Alliance who goes by @vx_her1t told NPR the group is still going through the stolen data and will release "anything of value" after their review.