Armenia's Central Bank Exposed: Internal Network, Project Tracker, and Anonymous Access
Key Finding: The Central Bank of Armenia (CBA) -- the institution managing $3.5 billion in reserves and overseeing the entire banking system -- left its internal project management system (Jira) exposed to the public internet with anonymous access enabled. Wayback Machine cached the exposure on February 13, 2026. The same infrastructure leaked an internal IP address through a Citrix NetScaler misconfiguration, revealing the bank's network topology.
Why This Matters
The Central Bank of Armenia is not just any government agency. It is the institution that:
- Manages approximately $3.5 billion in foreign reserves
- Regulates and supervises every bank operating in Armenia
- Controls monetary policy that affects 3 million citizens
- Processes interbank settlements for the entire financial system
- Issues regulatory decisions that move currency markets
When an institution of this importance leaves its internal systems exposed, the consequences extend far beyond a single organization. Any unauthorized access to CBA infrastructure could compromise the financial stability of the entire country.
Finding 1: Jira Project Tracker -- Open to the World
On February 13, 2026, the Wayback Machine cached a snapshot of jira.cba.am -- the Central Bank's internal Atlassian Jira instance. Jira is a project management and issue tracking system widely used by software teams to manage development work, track bugs, and coordinate projects.
What makes this exposure critical is a specific configuration flag found in the cached page:
com.atlassian.jira.leaked.all.anonymous.access: true
In plain terms: anonymous access was enabled. This means anyone on the internet -- without any username or password -- could potentially browse the Central Bank's internal project boards, issue tickets, and development discussions.
The cached instance was running Jira version 9.4.9. This version, while not the oldest, has known security advisories. More importantly, the mere fact that it was publicly accessible represents a fundamental security failure for a financial regulator.
What Could Be Exposed Through Jira
A Jira instance with anonymous access enabled at a central bank could expose:
- Project names and descriptions -- revealing what systems the bank is building or modifying
- Issue tickets with internal discussions -- staff conversations about bugs, features, and system architecture
- Employee names and email addresses -- from ticket assignees and reporters
- Deployment schedules -- when systems are being updated (ideal timing for attacks)
- Internal system names and architecture -- a roadmap for deeper penetration
- Security vulnerabilities being tracked -- if bug reports include security issues, attackers get free intelligence
Finding 2: Internal IP Leak via Citrix NetScaler
Analysis of the CBA's web infrastructure revealed that a Citrix NetScaler JavaScript file exposed an internal IP address:
Internal IP: 192.168.93.214Source: Citrix NetScaler client-side JavaScript
For non-technical readers: 192.168.x.x addresses are "private" -- they are used only inside an organization's internal network and should never be visible from the outside. This leak tells an attacker:
- The internal network range the CBA uses (192.168.93.x)
- That the CBA uses Citrix NetScaler for remote access -- a product with a history of critical vulnerabilities (CVE-2023-4966 "Citrix Bleed" being the most notorious)
- A specific internal host address that can be targeted if an attacker gains network access
This is the digital equivalent of a bank accidentally printing its vault combination on the outside of the building.
Finding 3: Full Atlassian Stack Exposed
The investigation revealed that the CBA does not just run Jira. It operates a full Atlassian development stack, each component publicly discoverable:
| System | Purpose | Risk Level | What It Could Expose |
|---|---|---|---|
Jira 9.4.9jira.cba.am |
Project management and issue tracking | CRITICAL | Internal projects, staff names, development plans, potentially security bug reports |
Bamboo CI/CDbamboo.cba.am |
Continuous integration and deployment automation | CRITICAL | Build configurations, deployment credentials, source code paths, server addresses |
FishEyefisheye.cba.am |
Source code review and repository browser | CRITICAL | Actual source code of banking applications, commit history, developer identities |
| eazyBI | Business intelligence and reporting plugin for Jira | HIGH | Aggregated project data, custom reports, potentially financial metrics |
McAfee Secure Web Mailsecurewebmail.cba.am |
Encrypted email gateway | HIGH | Confirms email encryption infrastructure -- useful for targeted phishing |
| Citrix NetScaler | Remote access / VPN gateway | CRITICAL | Remote access point -- if compromised, provides internal network entry |
Together, these systems form the complete software development lifecycle of the Central Bank. An attacker with access to this stack would have visibility into what the CBA is building, how it is built, the actual source code, and how it gets deployed to production.
Finding 4: securewebmail.cba.am -- McAfee Secure Web Mail
The discovery of securewebmail.cba.am running McAfee Secure Web Mail confirms that the CBA handles sensitive communications requiring encryption. While the existence of encrypted email is positive, its public discoverability gives attackers specific targets for phishing campaigns. An attacker could craft emails that mimic the CBA's secure mail system to trick employees into revealing credentials.
The Bigger Picture: Armenia's Cyber Catastrophe
This CBA exposure is not an isolated incident. It is part of a systemic failure across Armenian state institutions that OWL has documented in our Armenia Cyber Catastrophe investigation:
| Institution | Compromised Accounts | Weak Passwords | Last Known Breach |
|---|---|---|---|
| gov.am (Government) | 279 | 77% | March 4, 2026 |
| mfa.am (Foreign Ministry) | 12 | 65% | March 9, 2026 |
| parliament.am | 13 | 100% | May 2024 |
| cba.am (Central Bank) | 13 | 69% | January 6, 2026 |
| sns.am (NSS -- National Security) | 10 | 100% | November 1, 2025 |
| police.am | 5 | 67% | September 2023 |
| armlex.am (Judicial) | 8 | 82% | June 2024 |
| TOTAL | 351+ | Catastrophic | Active |
The CBA specifically has 13 compromised accounts with 69% weak passwords, with the most recent credential theft dated January 6, 2026 -- just weeks before the Jira exposure was cached. This means the Central Bank was simultaneously leaking credentials through malware AND leaving its development infrastructure open to the internet.
Attack Scenario: From Exposure to Financial Catastrophe
Here is how a sophisticated attacker could chain these findings:
- Reconnaissance: Browse jira.cba.am anonymously to map internal projects, identify staff, learn system architecture
- Credential Access: Use the 13 already-compromised CBA credentials (available on dark web markets) to attempt login to Jira, Bamboo, FishEye
- Network Entry: Target the Citrix NetScaler gateway using known CVEs or stolen credentials to get internal network access
- Lateral Movement: Use the leaked internal IP (192.168.93.214) as a starting point to map and traverse the internal network
- Source Code Access: FishEye provides direct access to banking application source code -- find vulnerabilities in payment systems
- Supply Chain Attack: Bamboo CI/CD pipeline compromise could inject malicious code into production banking systems
- Financial Impact: Manipulate interbank settlements, drain reserves, or disrupt the entire Armenian financial system
This is not theoretical. Every component in this chain has been documented as exposed.
How to Verify
All findings in this investigation are based on publicly available, passive sources. No active scanning or unauthorized access was performed. Anyone can verify:
- Wayback Machine: Search for
jira.cba.amat web.archive.org. The February 13, 2026 snapshot contains the Jira instance with the anonymous access flag. - Certificate Transparency Logs: Search crt.sh/?q=cba.am to see all SSL certificates issued for CBA subdomains, confirming the existence of jira.cba.am, bamboo.cba.am, fisheye.cba.am, and securewebmail.cba.am.
- DNS Records: Standard DNS lookups for the subdomains listed above will confirm their existence (or recent removal).
Methodology Note
OWL conducts passive OSINT research only. We do not perform active scanning, penetration testing, or unauthorized access. All data in this article comes from: Wayback Machine cached pages, Certificate Transparency logs (crt.sh), publicly available breach databases, and CyberHUB-AM published reports. We have not accessed any CBA systems.
Recommendations
For the Central Bank of Armenia:
- Immediately restrict Jira, Bamboo, and FishEye to internal-only access (VPN/firewall). These should never be reachable from the public internet.
- Audit all Citrix NetScaler configurations and ensure patches for CVE-2023-4966 (Citrix Bleed) and related vulnerabilities are applied.
- Rotate all credentials for the Atlassian stack -- assume they are compromised.
- Review Jira audit logs for any anonymous access that occurred while the system was exposed.
- Conduct a security audit of the entire development pipeline before any further deployments.
- Mandate strong passwords and multi-factor authentication across all systems. The 69% weak password rate is unacceptable for a financial regulator.
Timeline
| Date | Event |
|---|---|
| Jan 6, 2026 | Most recent CBA credential theft detected (stealer malware) |
| Feb 13, 2026 | Wayback Machine caches jira.cba.am with anonymous access enabled |
| Apr 11, 2026 | OWL publishes this investigation |