Cyber Incident Victim: Metrospetstekhnika
Date: Apr 2022
Location: Russia
Summary
The Anonymous-affiliated group GhostSec breached the IT systems of Metrospetstekhnika, a critical provider of metro services across Russia, threatening operational disruptions. This incident occurred amid a broader campaign by Anonymous and linked hacktivist collectives targeting Russian entities, including financial institutions, defense contractors, and energy sector firms, with data theft and leaks ranging from emails to decryption keys. The attack on the metro infrastructure provider highlighted the group's focus on disrupting essential services and infrastructure supporting Russian state interests.
Description
The Anonymous hacktivist collective and affiliated groups escalated cyber operations against Russian entities in April 2022, with multiple breaches occurring around April 20. Among the targeted organizations was Metrospetstekhnika, a critical infrastructure provider responsible for supporting metro systems across Russia. The Anonymous-linked subgroup GhostSec, operating under the handle @GS_M4F14, publicly announced unauthorized access to Metrospetstekhnika's IT infrastructure and issued threats to disrupt its operations. This incident formed part of a coordinated campaign that simultaneously impacted at least five other Russian organizations across financial, defense, energy, and surveillance sectors. The collective compromised entities including Tendertech (a financial document processor), GUOV i GS (a defense construction firm), Synesis (a sanctioned surveillance vendor), Neocom Geoservice (an oil/gas exploration company), and Gazregion (a gas pipeline constructor). Each breach involved data exfiltration and public leaks, with stolen materials ranging from 9.5 GB to 222 GB per organization.

Metrospetstekhnika's breach differed from the other attacks in the campaign in that available records specify only system access and operational threats, with no quantitative data-theft metrics. Unlike the incidents at Tendertech (426,000 emails leaked) or Gazregion (222 GB of emails, files, and decryption keys exposed), no email counts or archive sizes were documented for Metrospetstekhnika. The attack occurred concurrently with Network Battalion 65's breach of JSC Bank PSCB and GhostSec's infiltration of the Belarusian-controlled Synesis/Kipod surveillance systems. While Gazregion's compromise showed collaboration between Anonymous, NB65, and Porteur, Metrospetstekhnika's intrusion appeared to be attributed to GhostSec alone. The company's nationwide metro support role positioned it as critical infrastructure, though no operational disruptions or subsequent data leaks were confirmed in public reports. The incident concluded with GhostSec's access announcement and disruption threat; no containment measures or organizational responses were documented.
