Cyber Incident Victim: Meduza
Date: Feb 2024
Location: Russia
Summary
The Russian independent media outlet Meduza is experiencing an unprecedented cyberattack campaign involving multiple coordinated tactics. Attackers are rapidly blocking mirror servers every 10-20 minutes, deploying massive DDoS attacks that spike traffic to 200 times normal levels, and systematically targeting crowdfunding infrastructure with fraudulent transactions to disrupt financial operations. Concurrently, state-sponsored actors are attempting to compromise journalists' accounts through phishing and credential resets while flooding communication channels—including Telegram subscriptions, email newsletters, and app reviews—with disruptive bot activity. The campaign, attributed to Russian authorities and affiliated groups, appears aimed at crippling infrastructure and aligns with broader efforts to impose widespread internet restrictions ahead of national elections.
Description
In February 2024, Meduza experienced an unprecedented escalation in cyberattacks attributed to Russian authorities, marking the most intense campaign in the outlet's history. The assaults began around the time of Alexey Navalny's death and intensified in the lead-up to Russia's presidential election. Attackers targeted Meduza's infrastructure through coordinated technical and psychological operations. Mirror servers, critical for bypassing Russian censorship, were blocked far faster than before: where a mirror had previously stayed reachable for about two weeks, from mid-February new mirrors were discovered and blocked within 10-20 minutes of going live. Distributed Denial-of-Service (DDoS) attacks surged, with one incident generating approximately 200 times normal traffic volumes and threatening site accessibility. Simultaneously, attackers launched financial sabotage against Meduza's crowdfunding channels, submitting 3-4 fraudulent credit card transactions per minute in an attempt to trigger payment system disruptions and banking sanctions against the outlet.

State-sponsored hacking attempts against journalists' accounts increased sharply, with Google alerting Meduza to multiple credential compromise campaigns. Employees faced orchestrated harassment, including mass spam subscriptions, phishing attempts, floods of password reset requests, and explicit threats. Platform-specific attacks emerged across Meduza's digital presence: suspicious spikes in Telegram subscribers suggested a planned mass-reporting campaign to get the channel disabled, while Mailchimp outages disrupted newsletter delivery in Russia for five days. Bots flooded Meduza's app with negative reviews, cloned employee accounts were used to contact their associates, and complaints about content were filed in a coordinated manner. The outlet interpreted these multi-vector operations as a resource-intensive Kremlin-backed effort to dismantle its infrastructure, potentially aligning with broader Russian internet censorship preparations ahead of the elections. Meduza's technical team mitigated the attacks using established protocols but acknowledged unprecedented operational strain, relying on reader donations to sustain its resistance against the coordinated offensive.
