Cyber Incident Victim: Almaz

Date: Jul 2022

Location: Russia

Summary

A DDoS attack targeted multiple Russian cinema chains, including Almaz, disrupting online ticket sales for at least 80 theaters as part of a broader campaign by Ukrainian hacktivist group IT Army to inflict economic damage on Russian entities funding the war. These attacks surged in frequency and duration, leveraging accessible tools like the Liberator app and DB1000N software, enabling non-technical participants to contribute—over 100,000 downloaded Liberator, though active usage declined over time. While the operations caused service disruptions to civilian sectors like banking, media, and e-commerce, analysts emphasized their psychological value for Ukrainian morale over strategic military impact, noting coordination challenges and Russia’s retaliatory DDoS strikes against Ukrainian government and media sites. Both nations adapted by enhancing cyber defenses amid the sustained attacks.

Description

The incident involving Almaz occurred during a series of distributed denial-of-service (DDoS) attacks targeting Russian cinema chains over a period of several hours in July 2022. Ukraine’s IT Army, a volunteer hacktivist group, claimed responsibility for the attacks, which disrupted online ticket sales for at least 80 cinemas across Russia, including Almaz, Kinomax, Mori Cinema, and Luxor. The IT Army announced the operation on its Telegram channel on July 11, 2022, stating its objective was to reduce revenue flowing to the Russian state budget for military operations in Ukraine. The attacks temporarily incapacitated the cinemas’ websites, preventing customers from purchasing tickets online. This incident formed part of a broader escalation in DDoS activity between Ukraine and Russia, with Kaspersky reporting a 46% increase in such attacks during the first quarter of 2022 compared to pre-war levels.

DDoS attacks against Russian commercial entities intensified throughout 2022, with the Almaz incident reflecting their growing prevalence against civilian infrastructure. The IT Army reported targeting nearly 5,500 Russian websites since the war began, focusing initially on banking, financial services, and media before expanding to sectors like e-commerce, food delivery, and entertainment. Tools enabling these attacks proliferated, including the Liberator app—downloaded over 100,000 times—which allowed users with no technical expertise to participate in DDoS campaigns. Russian entities, including Almaz’s parent organizations, faced operational disruptions but generally restored services within hours or days. In response to sustained attacks, both nations enhanced cyber defenses, with Ukrainian officials reporting over 14,000 DDoS attacks against their infrastructure in the first half of 2022, primarily targeting government sites and broadcast media. Russia adapted by hardening network resilience, while Ukraine’s volunteer-driven operations continued despite challenges in coordination and diminishing participant numbers over time.
