Cyber Incident Victim: Roseltorg

Date: Jan 2025

Location: Russia

Summary

Russia's largest state procurement platform, Roseltorg, suffered a cyberattack claimed by the pro-Ukraine group Yellow Drift. The company initially attributed the service outages to maintenance before acknowledging the breach. The attackers deleted 550 terabytes of data, including emails and backups, disrupting operations for government agencies, state-owned companies, and suppliers reliant on the platform for procurement processes, and raising concerns over financial losses and delays. The company restored affected data and infrastructure and extended deadlines for contractual procedures post-recovery, but its website remained inaccessible at the time of reporting. The incident aligns with broader attacks by pro-Ukraine groups targeting Russian entities, including infrastructure providers and agricultural tech firms, though Roseltorg's restoration efforts aimed to mitigate operational impacts.

Description

Roseltorg, Russia’s largest electronic trading platform for government and corporate procurement, experienced significant service disruptions beginning last Thursday, initially attributed by the company to maintenance work. By Monday, Roseltorg revised its explanation, acknowledging in a Telegram statement that the outages resulted from a cyberattack characterized as "an external attempt to destroy data and the entire infrastructure of electronic trading." The pro-Ukraine hacker group Yellow Drift claimed responsibility for the attack last week, asserting it had deleted 550 terabytes of data, including emails and backups, and published screenshots of compromised systems on Telegram as evidence. The group issued a statement warning, "If you support tyranny and sponsor wars, be prepared to return to the Stone Age." Roseltorg confirmed that all affected data and infrastructure had been fully restored and anticipated trading systems would resume operations shortly, though its website remained offline at the time of the article’s publication.

The attack disrupted operations for numerous clients, including government agencies such as Russia’s Ministry of Defense and Roskomnadzor, as well as major corporations like Lukoil, Rostelecom, and Alrosa. Clients expressed concerns in Roseltorg’s Telegram comments section about potential financial losses and procurement delays. In response, Roseltorg announced that deadlines for procedures, including contract signings, would be automatically extended once systems were reinstated, eliminating the need for user requests. This incident occurred amid a wave of cyberattacks against Russian entities by pro-Ukraine groups: the Ukrainian Cyber Alliance claimed an attack on internet provider Nodex, which confirmed the breach, while Cyber Anarchy Squad allegedly targeted tech company Infobis, exfiltrating data and damaging infrastructure. Another unnamed group recently breached Rosreestr, Russia’s property and land records agency. The Roseltorg attack underscored vulnerabilities in critical procurement systems integral to defense and industrial sectors, with immediate operational and financial repercussions for stakeholders reliant on the platform.
