Date: Jul 2020

Location: Russia

Summary

Hackers compromised the official Twitter account of Russia’s Ministry of Foreign Affairs, posting an advertisement in Russian offering a stolen database of tourist payment records from June 2020 for sale at 66 bitcoins (~$499,000). The ministry subsequently deleted the unauthorized tweet and publicly denied the data breach claims, though the account's unauthorized access was confirmed. The legitimacy of the advertised database and breach allegations remained unverified.


Description

On July 2, 2020, the verified Twitter account (@MID_travel) operated by the Crisis Management Centre of Russia’s Foreign Ministry was compromised by unauthorized actors. The account, which typically shared routine retweets of Russian government and embassy advisories for citizens traveling abroad, posted a Russian-language message advertising the sale of a stolen database. The hackers claimed the database contained records of tourist payments processed through the Russian Federation’s Public Services Portal during June 2020. They demanded 66 bitcoins (equivalent to approximately $499,000 USD at the time) for the data. The tweet did not provide evidence validating the existence or authenticity of the alleged database, leaving the legitimacy of the hackers’ claims unverified. The incident marked a significant breach of a Russian government-affiliated social media channel, though the exact method of initial account access remained unspecified in official statements.

Russian authorities swiftly responded to the compromise by deleting the fraudulent tweet. The Foreign Ministry’s Crisis Management Centre subsequently posted a follow-up message, translated via Google, explicitly denying any data breach had occurred. The statement refuted the hackers’ assertions but confirmed the account’s unauthorized access. Public reporting of the incident highlighted the discrepancy between the hackers’ sale offer and the government’s denial, without independent verification of the data’s existence. The compromise exposed vulnerabilities in the account’s security controls, with analysts suggesting phishing or password reuse as potential attack vectors based on common intrusion patterns. No further details regarding the investigation’s findings, data leak impacts, or perpetrator attribution were disclosed in the immediate aftermath. The incident concluded with the restoration of the account’s normal operations following the tweet’s removal and the issuance of the rebuttal.
