Cyber Incident Victim: Dozor
Date: Jun 2023
Location: Russia

Summary
Hackers attacked the Russian satellite telecommunications provider Dozor, claiming affiliation with the Wagner Group. The attack disrupted satellite terminals, caused network switches to reboot, and destroyed server information. The group also defaced several Russian websites with pro-Wagner messaging and leaked files, including alleged FSB passwords. While claiming responsibility for the hack, the group stated it was just the beginning. Internet analysts confirmed the provider's connectivity was lost, though experts cast doubt on the legitimacy of the Wagner affiliation.
Description
On or around May 31, 2023, unidentified hackers initiated a cyber attack against Dozor, a Russian satellite telecommunications provider operating as part of the Amtel group of companies. The attack targeted the infrastructure of a provider known to service a wide range of critical Russian entities, including power lines, oil fields, military units of the Russian Defense Ministry, the Federal Security Service (FSB), the pension fund, the northern merchant fleet, and the Bilibino nuclear power plant. The group’s first message, posted to Telegram late on Wednesday night, claimed that Dozor had been compromised, declaring the provider had "gone to rest." The message detailed the technical impact of the intrusion, stating that part of the satellite terminals had failed, switches had rebooted, and information on the servers had been destroyed. This initial claim of a disruptive attack was corroborated by external internet monitoring. Doug Madory, the director of internet analysis for Kentik, confirmed that Dozor’s connection to the internet went down at approximately 10 p.m. ET on Wednesday, May 31, and that it remained unreachable as of the following day. One of the network routes previously used by Dozor was observed being switched to its Moscow-based parent company, Amtel-Svyaz, likely as a reactive measure to restore connectivity.

Concurrently with the disruptive attack on Dozor's infrastructure, the hackers engaged in a separate but thematically linked information operation. They defaced four seemingly unconnected Russian websites, replacing their content with messaging that was supportive of the Wagner Group private military company. The defacements featured the Wagner insignia and included a message that referenced the group's recent armed uprising against the Russian military leadership, which had culminated just days prior. The message stated, "We agreed to a peaceful solution because we achieved the main thing — we showed our capabilities and full social approval of our actions," and went on to express dissatisfaction with the outcome, noting that the military leadership had not been removed and criminal cases had not been closed. It concluded with a direct claim of responsibility for the ongoing cyber attacks: "We take responsibility for hacking. This is just the beginning, more to come." This public declaration explicitly linked the cyber activity to the Wagner Group's broader political grievances.
The following day, on June 1, the hacking group escalated its information operation by exfiltrating and leaking data. The group posted a link to a zip file on Telegram containing 674 individual files, including PDFs, images, and documents. Subsequently, they posted three additional files that appeared to contain sensitive information pertaining to the relationship between Dozor and the FSB. According to translations, these leaked files detailed connections between the FSB and the satellite provider and, more specifically, contained the passwords that Dozor employees were instructed to use for verifying they were communicating with genuine FSB representatives. The leak indicated a structured verification system, with one unique password valid for each two-month period throughout the year 2023. The public release of this purported internal security material was intended to demonstrate a successful penetration of Dozor's systems and to expose its operational ties to Russian intelligence services.
The immediate impact of the incident was the confirmed disruption of Dozor's internet connectivity, which remained offline for at least several hours. The claimed destruction of server information and failure of satellite terminals suggested a potentially significant operational impact on the provider itself and, by extension, on its diverse customer base of Russian military and critical infrastructure organizations. However, the specific downstream effects on these end-users, such as the military units or power lines, were not independently verified or detailed in the available reporting. The defacement of the four websites, while disruptive to those specific entities, primarily served a propaganda purpose, amplifying the message of the attack and associating it with the Wagner brand. The data leak represented a potential compromise of sensitive authentication protocols, potentially damaging the operational security of communications between Dozor and the FSB.
The response to the incident involved technical containment measures, as observed by external network analysts who noted the rerouting of Dozor's internet traffic through its parent company, Amtel-Svyaz. This action was likely taken to isolate the affected systems and restore basic services. Attempts to reach both Amtel-Svyaz and the Wagner Group for official comment were unsuccessful, as neither organization provided a public statement. The incident prompted analysis from security experts, who expressed skepticism regarding the attackers' claimed affiliation. Oleg Shakirov, a cyber policy expert and consultant at the Moscow-based PIR Center think tank, assessed that Wagner's involvement was "very unlikely," characterizing the event as appearing like "Ukrainian false flag trolling." He elaborated that while the "hack and leak looks very real," it was not consistent with the Wagner Group's historical behavior or its current motives following its recent armed rebellion. The true identity and motivation of the threat actors behind the attack on Dozor remained officially unconfirmed.
