Cyber Incident Victim: Nodex

Date: Jan 2025

Location: Russia

Summary

A Russian internet provider suffered a destructive cyberattack claimed by the Ukrainian Cyber Alliance, resulting in complete network destruction and widespread service disruptions affecting both fixed-line and mobile connectivity. The company is restoring systems from backups after its infrastructure was wiped, and partial services such as DHCP have returned. The hackers asserted that they exfiltrated data and destroyed backups. The incident follows similar Ukrainian cyber operations targeting critical Russian infrastructure entities.

Description

On January 7, 2025, Russian internet provider Nodex announced via VKontakte that its network infrastructure had been destroyed in a cyberattack suspected to originate from Ukraine. The St. Petersburg-based company described the incident as a "planned" overnight assault that rendered its systems inoperable; according to NetBlocks telemetry, connectivity collapsed at midnight. Both fixed-line and mobile services were affected, leaving customers without internet access and unable to reach Nodex’s website, which remained offline. The company immediately began recovery from backups but gave no estimated timeline for full restoration, prioritizing telephony services and call center functionality first. By January 8, Nodex had partially restored its DHCP server and instructed customers to reboot their routers to regain internet access while broader repair work continued. Social media complaints from users highlighted ongoing service disruptions, and NetBlocks confirmed that the connectivity collapse persisted through its monitoring period.

The Ukrainian Cyber Alliance claimed responsibility for the attack on January 6, 2025, declaring they had "completely looted and wiped" Nodex’s systems while exfiltrating data, leaving "empty equipment without backups." The group substantiated its claim by publishing screenshots of compromised systems and stolen data on Telegram. Active since 2016, the pro-Ukraine collective has repeatedly targeted Russian infrastructure following the invasion of Ukraine, including a 2023 attack disabling parking enforcement in Tver and a breach of Russia’s national payment system. The Nodex incident coincided with other Ukrainian cyber operations against Russian critical infrastructure, including a January 2025 attack by Ukraine’s military intelligence (HUR) that destroyed servers and backups of a railway operator and a December 2024 strike on Gazprombank that disrupted financial transactions for hundreds of thousands of customers. Neither the railway operator nor Gazprombank publicly acknowledged those attacks, contrasting with Nodex’s confirmation of infrastructure destruction and operational impacts.
