
Cyber Incident Victim: Skolkovo Foundation

Date:

May 2023

Location:

Russia

Summary

Ukrainian hacktivists breached the Skolkovo Foundation, gaining access to its file hosting service and physical servers. The attackers exfiltrated documents including presentations, contracts, and partner lists, and claimed to have stolen project source codes. The incident caused significant service disruption, requiring approximately a day to restore all systems. While the breach had symbolic significance due to the foundation's role in Russia's tech sector, critical user data was reportedly not compromised. Russian law enforcement agencies are investigating the attack.


Description

On or around May 28, 2023, the Skolkovo Foundation, a Russian organization overseeing a high-tech business area intended to rival Silicon Valley, experienced a cyberattack. A group of Ukrainian hacktivists publicly claimed responsibility for the breach, sharing screenshots of the accessed systems on the Telegram messaging platform. The attackers announced their success with a message directed at the foundation, stating, “Your infrastructure has been destroyed. We have all the documents and the project source codes. Stay tuned.” This claim of extensive access and data exfiltration was a central feature of the public announcement of the incident.


In response to the attack, the Skolkovo Foundation issued an official statement detailing the scope of the intrusion. The organization confirmed that the threat actors had gained access to some of its information systems. Specifically, the compromise included the foundation's file hosting service, which ran on physical servers. This admission confirmed that the attackers had penetrated beyond superficial layers of the network and reached systems used for storing and managing internal files and documents. The foundation's public-facing website, however, remained operational throughout the incident and was accessible at the time the initial reports were published.

The restoration of Skolkovo's affected services was not immediate. According to the foundation's own reporting, its technical teams needed approximately a full day to restore all services affected by the cyberattack. This downtime indicates a disruptive event that required significant effort to mitigate and to return operations to normal. The incident prompted the involvement of Russian law enforcement agencies, which were brought in to investigate the breach. This is a standard procedure for significant cyber incidents within Russia, particularly those targeting a high-profile, state-affiliated entity.

Analysis of the compromised data, as reported by a Russian Telegram group specializing in examining data leaks, suggested the practical impact of the breach may have been more symbolic than critically damaging. The analysis indicated that no critical user data was compromised during the attack. Instead, the information accessed by the hackers was reported to consist of presentations, photographs, contracts, and various lists containing the names of partners and counterparties associated with the foundation's legal entities. While this constitutes a breach of corporate information, it did not include the type of sensitive personal data that often leads to direct harm for individuals.

The symbolic significance of the target, however, was substantial. The Skolkovo Foundation was established in 2010 by then-Russian President Dmitry Medvedev with the explicit goal of creating a Russian counterpart to the American Silicon Valley innovation ecosystem. The foundation represents a major state-sponsored initiative aimed at fostering high-tech development and business within Russia. Furthermore, due to its close ties with Russia's defense sector, including entities involved in weapon development that have been sanctioned by the United States, the U.S. government had previously imposed sanctions on the Skolkovo Foundation itself in response to Russia's invasion of Ukraine. This made the foundation a high-value target, representing both Russia's technological aspirations and its military-industrial complex.

The attack is situated within the broader context of the ongoing virtual conflict between Ukraine and Russia that has run parallel to the physical war. Numerous Ukrainian hacktivist groups operate within this space, some under the loose umbrella of the IT Army of Ukraine, while others, like the group claiming this attack, work independently. The activities of these groups often include distributed denial-of-service (DDoS) attacks aimed at knocking Russian websites and services offline. The attack on Skolkovo, however, represented a more sophisticated operation involving a network breach and data access, moving beyond simple website defacement or temporary disruption of service.

The incident was described by the Skolkovo Foundation as a significant cybersecurity event. In their characterization of the attack, the company referred to it as “the largest cyberattack in its history,” noting that the hackers had attempted to destroy its infrastructure. This statement suggests the attackers' actions may have included destructive elements beyond data access, potentially aiming to delete or corrupt systems to cause maximum operational disruption. The claim of infrastructure destruction made by the attackers and the foundation's description of the attack's scale and intent point towards a potentially disruptive event, though the full restoration of services within a day suggests these destructive efforts were ultimately contained or were not fully successful.

The public nature of the attack, with the claiming group using Telegram to broadcast their success and share evidence, is a hallmark of the cyber conflict between the two nations. These public claims serve a propaganda and morale purpose, demonstrating capability and striking at symbolic targets. The targeting of Skolkovo, a project initiated by a political figure who initially presented pro-Western leanings but later became a vocal supporter of the invasion, adds another layer of symbolic resonance to the operation. The incident stands as an example of how cyber operations are used to project power, gather information, and strike at entities of national importance within the context of modern geopolitical conflict.
