Cyber Incident Victim: Amtel-Svyaz

Date: May 2023

Location: Russia

Summary

Hackers targeted a Russian satellite telecommunications provider servicing military units, security services, and critical infrastructure, causing satellite terminal failures, server data destruction, and network disruptions. The attackers claimed affiliation with the Wagner Group, defacing websites with Wagner insignia and messages referencing the group's recent uprising, while leaking files allegedly showing connections between the provider and the FSB, including employee verification passwords. Despite the claims, experts assessed Wagner's involvement as unlikely due to lack of motive and history of such operations, suggesting a potential false flag by Ukrainian actors. The parent company's internet connectivity was disrupted following the incident.

Description

On or around June 1, 2023, unidentified hackers targeted Dozor, a satellite telecommunications provider under the Amtel-Svyaz corporate group, which serviced Russian military units, the Federal Security Service (FSB), power lines, oil fields, the pension fund, the northern merchant fleet, and the Bilibino nuclear power plant. The attackers claimed responsibility via Telegram, stating they caused satellite terminal failures, forced switch reboots, and destroyed server data. Concurrently, they defaced four unrelated Russian websites with messages supporting the Wagner Group private military company, displaying its insignia alongside statements referencing Wagner’s short-lived uprising against Russian military leadership. The defacement messages asserted the hack was retaliation for Wagner’s expulsion from Russia and the unresolved status of criminal cases against the group, warning, "This is just the beginning." The hackers distributed a zip file containing 674 files (PDFs, images, documents) and later released three additional files appearing to expose FSB-Dozor operational ties, including password verification procedures between Dozor employees and FSB representatives for 2023.

Internet monitoring confirmed Dozor’s connectivity dropped around 10 p.m. ET on May 31, with traffic rerouted to parent company Amtel-Svyaz. The attack disrupted critical infrastructure dependencies, but neither Amtel-Svyaz nor the Wagner Group released public technical mitigation details. Cybersecurity analysts questioned Wagner’s involvement due to the group’s lack of historical cyber operations and perceived absence of motive post-uprising, suggesting potential false-flag activity. No further containment actions, forensic findings, or recovery timelines were disclosed by the affected entities or Russian authorities following the initial disruption.
