Cyber Incident Victim: Neopharm
Date:
Jul 2025
Location:
Russia
Summary
Neopharm and Stolichki pharmacy chains were forced to suspend operations after cyberattacks disabled their digital infrastructure, affecting over 1,100 locations in more than 80 cities and disrupting prescription access, loyalty programs and point‑of‑sale systems. Stolichki, with over 1,000 stores across Moscow, St Petersburg and surrounding regions, confirmed the attack and placed some staff on unpaid leave while assessing damage; the other chain, operating over 110 pharmacies in Moscow and St Petersburg, sent employees home as its systems remained nonfunctional. Both chains initially cited technical issues before acknowledging the cyber incident. Previously, the chains were controlled almost entirely by businessman and former State Duma deputy Yevgeny Nifantiev, who transferred his stake to the Zdravinvest fund after sanctions related to Ukraine. The pharmacy outages followed a separate cyberattack on Aeroflot claimed by Ukrainian and Belarusian hacking groups, which destroyed thousands of servers and crippled airport operations.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On Tuesday, Neopharm and Stolichki suspended operations across several regions following cyberattacks that disrupted digital infrastructure. The closures impacted over 1,100 pharmacy locations in more than 80 cities across central Russia. Customers were unable to access prescriptions, medication reservations, loyalty programs, or point-of-sale systems. Neopharm, which runs over 110 pharmacies in Moscow and St. Petersburg, experienced similar shutdowns; employees were sent home as IT systems remained nonfunctional. Stolichki, the larger chain with more than 1,000 locations operating across Moscow, St. Petersburg and the Leningrad, Tula and Vladimir regions, posted notices on its website apologizing for the disruption and promising that unavailable features would be restored soon.
Initially both chains cited technical reasons for the outages; Stolichki later confirmed that the suspensions were caused by a cyberattack and that restoration efforts were underway. According to the Telegram news channel Mash, all Stolichki locations in the Moscow area were forced to close entirely, with cash registers and accounting systems taken offline, some employees placed on unpaid leave while the company assessed the damage, and sources indicated the outages could last up to two days. Prior to mid‑2022, both Neopharm and Stolichki were controlled almost entirely by businessman and former State Duma deputy Yevgeny Nifantiev, who transferred his stake to a closed‑end mutual investment fund called Zdravinvest after being sanctioned over his support of Russia’s invasion of Ukraine. Sergei Shulyak, CEO of DSM Group, noted that such fund structures can serve as protective mechanisms against secondary sanctions, allowing sanctioned individuals to maintain indirect control over their business interests while providing legal separation from direct ownership.
The pharmacy outages followed closely on the heels of another major cyberattack against flagship airline Aeroflot. On Monday, Ukrainian hacking group Silent Crow and Belarusian group Cyber Partisans claimed responsibility for destroying 7,000 Aeroflot servers, crippling operations at Moscow’s airports and causing nationwide disruptions. Russia’s Prosecutor General’s Office confirmed that Aeroflot’s system failures stemmed from unauthorized access. The Cyber Partisans later claimed the airline’s systems still ran on the outdated Windows XP platform and that CEO Sergei Aleksandrovsky had not updated his password since 2022.