Cyber Incident Victim: Dozor-Teleport

Date: Jun 2023

Location: Russia

Summary

A cyberattack disrupted the Russian satellite communications provider Dozor-Teleport, rendering its network and website unreachable. The previously unknown threat actors, who claimed affiliation with the Wagner Group, stated they damaged satellite terminals and leaked confidential data by posting hundreds of files online. The provider serves major Russian energy companies and defense services, and analysts confirmed the outage's legitimacy and impact, noting its parent company also suffered disruption.

Description

On or around June 28, 2023, a group of previously unknown hackers claimed responsibility for a cyberattack on the Russian satellite communications provider Dozor-Teleport. The company provides services to Russian energy companies, including Gazprom and Rosatom, as well as the country's defense and security services, such as the FSB. The group behind the attack claimed affiliation with the Wagner Group, a Russian private mercenary army that had recently rebelled against the Russian government. The network monitoring company Kentik, through its head of internet analysis Doug Madory, confirmed that Dozor-Teleport had been disconnected from the internet and was unreachable. According to data from the IODA project, which tracks internet outages worldwide, the network had been down since 10 p.m. Eastern Standard Time on Wednesday, June 28. The company’s public-facing website was also inaccessible at the time of reporting.

The parent company of Dozor-Teleport, Amtel Svyaz, also experienced a significant network outage beginning late on Wednesday, June 28. The hackers claimed their actions resulted in damage to some satellite terminals. They further asserted they had leaked and subsequently destroyed confidential information stored on the company's servers. As evidence of their breach, the group posted approximately 700 files, comprising documents and images, to a dedicated leak site. They also shared some of this data on a newly created Telegram channel. Among the leaked documents was a purported agreement suggesting that Russian security services were granted access to subscriber information from Amtel Svyaz. The authenticity of these documents could not be independently verified by reporters.

The impact of the cyberattack was assessed by several external experts. Tom Hegel, a threat researcher at cybersecurity firm SentinelLabs, stated that the hack "appears to be legitimate and has indeed had an impact." The scale of the disruption was compared to the earlier attack on satellite provider Viasat, which occurred at the onset of the Russian invasion of Ukraine. However, Doug Madory noted that Viasat’s network was significantly larger than that of Dozor-Teleport, and while only about half of Viasat's routers were disabled in that incident, the more recent attack resulted in a complete disconnection of Dozor-Teleport from the internet. Sean Townsend, a spokesperson for the Ukrainian Cyber Alliance who uses the online handle "Herm1t," provided an estimate for recovery. He stated that if the claims of damage to Dozor services were accurate, restoring the core network could take from a few days to several weeks. The process of reprogramming user equipment to achieve a full restoration of services was estimated to potentially take several months.

The claims of Wagner Group affiliation were met with widespread skepticism from security experts and regional analysts. There was no official mention of the cyberattack on the Wagner Group's own Telegram channel. Oleg Sharikov, a former Russian journalist, expressed doubt regarding the group's involvement, suggesting the attack and concurrent website defacements attributed to Wagner could instead be "Ukrainian false flag trolling." He stated that "Wagner’s involvement is very unlikely," a sentiment echoed by other observers who questioned the legitimacy of the affiliation claim. The incident occurred amidst a wave of cyberattacks and website defacements targeting Russian entities, with some also being attributed to the Wagner Group in the aftermath of its short-lived rebellion.

Dozor-Teleport did not issue a public statement or respond to inquiries regarding the attack. The cyberattack represents a significant disruption to a critical communications infrastructure provider with ties to key Russian industrial and military sectors. The incident is noted as the second major breach of a satellite telecommunications service provider following the Viasat attack, though the technical scope and scale of the two events differ. The full extent of the damage, particularly the claimed physical damage to satellite terminals, remains unconfirmed by independent sources. The ultimate objective and identity of the threat actors, beyond their own claims, were not definitively established by the available public information at the time of reporting. The incident highlights the ongoing targeting of critical infrastructure within the context of the broader geopolitical conflict.
