Cyber Incident Victim: CDEK
Date: May 2024
Location: Russia
Summary
A major Russian delivery service experienced a multi-day operational disruption following a ransomware attack by the hacker group Head Mare, which encrypted servers and destroyed backups. The company initially attributed the outage to technical failures but later faced internal and governmental acknowledgments of a cyberattack, leading to suspended parcel shipments, website and mobile app malfunctions, and widespread customer delivery delays—some causing significant financial losses. The attackers, who criticized the firm's security measures and service quality, have previously targeted other Russian entities. The company worked to restore operations while assuring customers of parcel safety.
Description
On April 28-29, 2024, CDEK Express, one of Russia’s largest delivery companies, experienced a severe service disruption lasting at least three days. The company initially attributed the outage to a "massive technical failure" affecting its website, mobile application functionality, and parcel processing systems. CDEK suspended shipments to prevent errors during manual operations, assuring customers their parcels remained secure. By May 1, CDEK’s communications director stated significant restoration progress had been made but confirmed operations were not fully restored, with a target resumption date of May 29. Customers across Russia reported delivery delays, including a Novosibirsk resident whose package intended for children remained undelivered five days after its expected arrival and another individual facing a 40,000-ruble ($450) financial loss due to the delay.

The hacker group Head Mare claimed responsibility for the incident on May 1 via X (formerly Twitter), alleging they encrypted CDEK’s servers with ransomware and destroyed backup copies of corporate systems. They criticized CDEK’s system administrators as "too weak" and declared the company’s security policies ineffective. An anonymous CDEK employee told Vedomosti the disruption resulted from a ransomware attack, while the head of the Russian State Duma’s information policy committee publicly confirmed a cyberattack caused the outage. Head Mare, active since December 2023, has previously targeted Russian internet providers, government agencies, and industrial firms but provided no motive beyond calling CDEK "one of the worst delivery services in Russia." Independent outlet Meduza noted CDEK’s prior use by Russian soldiers to send packages from the Ukrainian border early in the invasion. CDEK operates over 4,300 pickup points across 31 countries, with a 2021 valuation of $200 million. The company maintained public assurances about parcel safety and backup recovery plans but did not formally acknowledge the cyberattack.
