Cyber Incident Victim: Federal Taxation Service (Федеральная налоговая служба)
Date: Nov 2023
Location: Russia
Summary
Ukraine's Defence Intelligence Directorate conducted a cyberattack against Russia's Federal Taxation Service, breaching a central server and over 2,300 regional systems, including systems in Crimea. The operation deployed malware that destroyed critical databases, backups, and configuration files, paralyzing communications between Moscow and regional offices, as well as disabling a key IT contractor. This caused long-term infrastructure damage, with restoration efforts failing for multiple days and full recovery deemed impossible, severely disrupting tax operations nationwide.
Description
On December 1, 2023, Ukraine’s Defence Intelligence Directorate (GUR) publicly claimed responsibility for a large-scale cyberattack against Russia’s Federal Taxation Service (FNS), marking its second acknowledged operation against a Russian state agency following a November attack on Rosaviatsia, the civil aviation authority. According to GUR statements, cyber units infiltrated one of FNS’s heavily secured central servers in Moscow and subsequently compromised over 2,300 regional servers across Russia and occupied Crimea during the operation. The attackers deployed malware across all breached systems, targeting both FNS infrastructure and Office.ed-it.ru, a Russian IT firm responsible for maintaining the tax service’s database. This dual assault resulted in the complete destruction of configuration files critical to the tax system’s operations, alongside the eradication of primary databases and backup copies. GUR emphasized that the malware paralyzed internet connectivity between FNS’s central office and its regional branches, as well as between FNS and Office.ed-it.ru, which functioned as the tax data repository.

Russian authorities reportedly attempted unsuccessfully for four consecutive days to restore service functionality, with GUR estimating system paralysis would persist for at least one month and asserting full recovery would be impossible due to irreversible infrastructure damage. The operation disrupted Russia’s capacity to collect taxes and fees, temporarily depriving the Kremlin of administrative control over fiscal operations at a national scale.

GUR also claimed acquisition of extensive internet traffic data encompassing nationwide Russian tax information, though specifics regarding data type or volume were undisclosed. Independent verification of these claims remained absent at the time of reporting, with Russian state media and FNS officials offering no public acknowledgment or response to the alleged incident.

The attack represented an escalation in GUR’s direct involvement in high-impact cyber operations, contrasting with earlier incidents where pro-Ukrainian hacktivist groups like Blackjack predominantly claimed credit for breaches against Russian entities such as airlines, banks, and ministries. Ukrainian security services had previously collaborated with such groups, as evidenced by an October 2023 operation against Russia’s largest private bank and a November hack of Russia’s Labor Ministry attributed to Blackjack and Ukraine’s Security Service (SBU). The FNS operation’s technical execution focused on permanent infrastructure destruction rather than temporary disruption, distinguishing it through the deliberate targeting of configuration files and backups essential for system restoration. Consequences extended beyond immediate operational paralysis, as the destruction of historical tax data and regional coordination mechanisms imposed long-term logistical and administrative burdens on Russian authorities. GUR framed the attack as both a strategic blow to Russia’s governance capabilities and a continuation of Ukraine’s cyber campaign against critical state functions, mirroring the Rosaviatsia operation that compromised aviation agency data. The incident underscored the integration of military intelligence units into offensive cyber operations within the Ukraine-Russia conflict, with GUR transitioning from supporting hacktivist allies to conducting large-scale, direct attacks on core Russian administrative systems.
