
Cyber Incident Victim: Yandex

Date:

Oct 2018

Location:

Russia

Summary

Hackers working for Western intelligence agencies infiltrated Yandex, a major Russian internet company, using the Regin espionage malware. Their goal was to learn how Yandex authenticates user accounts, knowledge that could have allowed them to impersonate users and read private communications. Yandex says the intrusion was detected early and neutralized before any user data was compromised; a private Kaspersky assessment attributed the operation to Western intelligence, and Regin itself has historically been associated with the Five Eyes alliance. The attack was aimed at espionage rather than disruption or intellectual property theft, and targeted the company's research and development unit. Security researchers have highlighted Regin's sophistication and its link to state-sponsored operations, and noted that the malware had resurfaced in 2019.

CIA Posture: available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: available to members
Location: available to members

Description

In late 2018, hackers working for Western intelligence agencies breached Yandex, Russia’s largest internet services company, using the sophisticated malware known as Regin. The intrusion took place between October and November 2018 and targeted Yandex’s research and development unit. Regin is a tool historically associated with the “Five Eyes” intelligence alliance of the United States, Britain, Australia, New Zealand, and Canada. The objective was espionage, specifically technical details of how Yandex authenticates user accounts. With that information, the attackers could have impersonated Yandex users and intercepted their private communications. According to the sources who described the incident, the attackers kept covert access to Yandex systems for at least several weeks before being detected. Yandex, whose services range from web search to email and taxi booking, serves more than 108 million monthly users across Russia, Belarus, Kazakhstan, and Turkey. Yandex spokesperson Ilya Grabovsky confirmed the incident and said the company’s security team identified the breach at an early stage, but declined to give further details.


Yandex says its security team fully neutralized the attack before any user data was compromised or operations were disrupted. The company brought in Moscow-based cybersecurity firm Kaspersky to investigate. Kaspersky’s private assessment concluded that the intrusion was most likely the work of hackers affiliated with Western intelligence agencies, who used Regin to compromise a group of developers inside the company. Regin, described by Symantec as a “crown jewel” of espionage frameworks because of its complexity and capability, resurfaced in 2019, when cybersecurity analysts observed new components of the malware. Its modular architecture and the profile of its victims point to state sponsorship, although firm attribution remains difficult because of the framework’s heavy obfuscation. Kremlin spokesman Dmitry Peskov acknowledged that Russian companies are frequently attacked from Western nations but said the government was not aware of this specific incident. Yandex, which is listed on NASDAQ and the Moscow Exchange, was already facing increased Russian regulatory scrutiny under new internet laws; the breach did not result in any publicized financial or reputational damage. The U.S. Office of the Director of National Intelligence and the White House National Security Council declined to comment.

Sources
Sources available to members
1 source