Russian state-owned Sberbank hit by 1 million RPS DDoS attack

Russian financial organization Sberbank states in a press release that two weeks ago it faced the most powerful distributed denial of service (DDoS) attack in recent history.

Sberbank is a majority state-owned banking and financial services company and the largest institute in Russia, holding about a third of all assets in the country.

Following Russia’s invasion of Ukraine, the bank faced international blockades and sanctions and was the target of west-aligned hacktivists multiple times.

Russian outlet Interfax reports that the attack reached one million requests per second (RPS), which the organization said was roughly four times the size of the most powerful DDoS Sberbank had experienced up until then.

“We noticed that these are some new hackers. Their fingerprint is not known to us. That is, some new, very qualified criminals appeared on the market who began to systematically attack the largest Russian resources,” stated the head of Sberbank (machine translated).

While one million RPS is clearly significant, it does not compare to record-breaking DDoS attacks that use the new ‘HTTP/2 Rapid Reset’ technique to generate an impact a hundred times bigger than what Sbersbank experienced.

In late August, Amazon detected a DDoS attack that peaked at 155 million RPS. Cloudflare mitigated a 201 million RPS one, while Google dealt with a DDoS attack that peaked at 398 million requests per second.

Previous attacks

In May 2022, Sberbank announced it was targeted by unprecedented hacker attacks, including massive DDoS waves aimed at its online customer services.

The bank said it managed to repel a DDoS attack that measured at 450GB/sec, which was generated by a botnet of 27,000 compromised devices.

A more recent blow sufferend by Russia’s financial system concerns the National Payment Card System (NSPK), the Mir card operator, whose website became unavailable on October 30, 2023, and was later defaced to post messages about a client-impacting data breach.

NSPK told the press that the attackers couldn’t have stolen any sensitive customer data as the website does not store such information and assured them that the cyberattack hadn’t impacted the payments system.

TheRecord later reported that hacktivists from the ‘DumpForums’ group and the Ukrainian Cyber Alliance had taken responsibility for the attack, also claiming to have stolen 31 GB of data.