Full Report
The Central Bank of Libya announced on Tuesday that it detected a cyber incident affecting some of its systems and technology services. The bank said the breach was discovered immediately, with emergency response protocols and business continuity plans activated according to approved standards. Necessary measures were taken to contain the incident and isolate the affected systems. In a statement, the bank said technical teams, in cooperation with relevant authorities and international cybersecurity firms, are conducting a detailed investigation and technical analysis to determine the nature, scope, and possible impact of the incident. Efforts are also underway to restore affected systems and ensure the continuity of essential business and services. The bank noted that investigations into such technical incidents require sufficient time to gather and analyze evidence before definitive conclusions can be reached. It pointed out that many financial and government institutions worldwide have faced similar attacks, which required varying periods to complete technical assessments and corrective actions.
Analysis Summary
# Incident Report: Cyber Incident Affecting the Central Bank of Libya (CBL)
## Executive Summary
On June 9, 2026, the Central Bank of Libya detected a cyber incident targeting several technology systems and services. The bank immediately activated emergency protocols, isolating affected systems to contain the breach and prevent lateral movement. Current assessments indicate no impact on customer accounts or balances, though technical investigations into the scope of data exposure are ongoing.
## Incident Details
- **Discovery Date:** Tuesday, June 9, 2026
- **Incident Date:** June 9, 2026 (Detection reported as immediate)
- **Affected Organization:** Central Bank of Libya (CBL)
- **Sector:** Financial / Banking
- **Geography:** Tripoli, Libya
## Timeline of Events
### Initial Access
- **Date/Time:** Undisclosed (Prior to or on June 9, 2026)
- **Vector:** Unknown/Under Investigation
- **Details:** The bank has not yet disclosed the specific entry point for the threat actors.
### Lateral Movement
- **Details:** Information unavailable; however, the bank moved to "isolate systems," suggesting an effort to halt potential lateral progression toward core financial databases.
### Data Exfiltration/Impact
- **Details:** No evidence of financial theft or impact on customer balances has been found to date. The primary impact was limited to "a small number" of technology systems and services.
### Detection & Response
- **Discovery:** Detected by internal monitoring on June 9, 2026.
- **Response actions taken:** Activated business continuity plans, isolated affected systems, and engaged international cybersecurity firms for forensic analysis.
## Attack Methodology
*Note: As this is an ongoing investigation, specific TTPs (Tactics, Techniques, and Procedures) have not been fully disclosed.*
- **Initial Access:** Under investigation.
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Not disclosed.
- **Discovery:** Not disclosed.
- **Lateral Movement:** Attempted; addressed via system isolation.
- **Collection:** Technical verification is ongoing to determine if any information was collected.
- **Exfiltration:** No confirmed data exfiltration at this time.
- **Impact:** Service disruption to a subset of internal systems; essential services (LYPAY and cards) remained operational.
## Impact Assessment
- **Financial:** No known impact on customer accounts or balances.
- **Data Breach:** Under investigation; technical teams are verifying data integrity.
- **Operational:** Limited disruption; several internal systems were taken offline for isolation and recovery.
- **Reputational:** High-profile target; however, the bank proactively issued a statement to mitigate public concern.
## Indicators of Compromise
- **Network indicators:** None disclosed in the initial report.
- **File indicators:** None disclosed in the initial report.
- **Behavioral indicators:** Abnormal activity in technology services/systems triggered immediate detection.
## Response Actions
- **Containment measures:** Isolation of affected systems and technology services.
- **Eradication steps:** Technical investigation in cooperation with international cybersecurity firms and relevant national authorities.
- **Recovery actions:** Gradual restoration of affected systems; maintenance of uptime for LYPAY and banking card platforms to ensure business continuity.
## Lessons Learned
- **Key takeaways:** Early detection and the immediate activation of an approved business continuity plan were critical in preventing the breach from reaching core financial ledgers.
- **What could have been done better:** While the response was rapid, the incident underscores the ongoing risk to central financial institutions in the region, necessitating constant review of edge security and system interdependencies.
## Recommendations
- **Prevention measures:**
  - Conduct a full forensic review of the entry point once the international investigation is complete.
  - Implement enhanced Zero Trust architecture to further segment technology services from core banking databases.
  - Conduct regular stress tests of the business continuity plan to ensure essential platforms (like LYPAY) remain resilient during active incidents.