Cyber Incident Victim: Morikino
Date: Jul 2022
Location: Russia
Summary
Morikino, a Russian cinema chain, experienced DDoS attacks disrupting online ticket sales as part of a broader campaign by Ukraine's IT Army targeting commercial entities to reduce funding for Russia's war efforts. These attacks surged in frequency and duration, causing economic harm but negligible battlefield impact, with hacktivists utilizing accessible tools and apps enabling widespread participation despite limited coordination. Over 5,500 Russian websites—including banking, media, and civilian services—were affected, though unplanned overlaps sometimes nullified efforts. Both nations intensified cyber defenses in response, with Ukraine enduring over 14,000 retaliatory DDoS incidents primarily against government and media sites.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The incident involving Morikino occurred during a series of distributed denial-of-service (DDoS) attacks targeting Russian cinema chains over a weekend in July 2022. Ukraine’s IT Army, a volunteer hacktivist group, claimed responsibility for these attacks via a Telegram post on July 11, explicitly stating their objective was to disrupt online ticket sales for at least 80 Russian cinemas, including Morikino, Kinomax, Luxor, and Almaz. The attacks rendered these cinemas unable to process online transactions, directly impacting their revenue streams. The IT Army framed the operation as an economic warfare tactic, asserting that reduced ticket sales would diminish Russian state budget allocations for military operations in Ukraine. This incident exemplified a broader escalation of DDoS activities in the region, with cybersecurity firm Kaspersky documenting a 46% surge in such attacks between January and March 2022 compared to pre-war levels. While attack rates moderated slightly between April and June 2022, they remained elevated year-over-year, indicating sustained hacktivist engagement.

The attacks against Morikino and other cinemas aligned with a pattern of increasingly prolonged and innovative DDoS campaigns. Alexander Gutnikov of Kaspersky noted attacks lasting "days and even weeks," far exceeding typical durations of hours or minutes. Tools like the Liberator app—downloaded over 100,000 times—lowered entry barriers for participants, enabling non-technical users to contribute to DDoS efforts against Russian targets. The IT Army reported targeting approximately 5,500 Russian websites since the war began, with banking, media, and civilian services like food delivery and e-commerce among the most frequent victims. Cloudflare data corroborated the focus on financial and media sectors, though civilian infrastructure was also affected. Ukrainian security official Victor Zhora acknowledged over 14,000 DDoS attacks against Ukrainian services in the first half of 2022, primarily targeting government websites and broadcast media. Both nations adapted by enhancing cyber defenses, with Dyma Budorin of Hacken observing that Ukrainians and Russians had become "world experts" in DDoS mitigation. Despite operational disruptions, analysts like Yegor Aushev of Cyber Unit Technologies characterized the strategic impact as negligible, emphasizing psychological and economic effects over battlefield outcomes.
