
Cyber Incident Victim: Gazprom

Date:

Jan 2023

Location:

Russia

Summary

The IT Army of Ukraine claimed responsibility for compromising a Russian state-controlled energy giant, accessing a 1.5 GB archive containing over 6,000 files related to financial and operational activities, including sensitive reports on drilling, testing, and automated system implementations at a major gas field. The hackers asserted the breach targeted a primary funder of Russia's military actions against Ukraine, releasing documents purportedly confirming the archive's confidentiality to substantiate their claims. This incident aligns with broader cyber efforts by Ukrainian-linked groups, supported by volunteer hacktivists, to disrupt critical Russian infrastructure amid the ongoing conflict.

CIA Posture: available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 1 technique

Threat Actor: 1 actor

Type: available to members

Location: available to members

Description

On January 29, 2023, the IT Army of Ukraine, a volunteer hacktivist collective supporting Ukraine, publicly claimed responsibility for a cyber intrusion targeting Gazprom, the Russian state-controlled energy conglomerate. The group announced via Telegram that it had exfiltrated a 1.5 GB archive containing over 6,000 internal files from Gazprom’s systems. These files reportedly documented financial and operational activities, including detailed reports on testing, drilling operations, and the implementation of automated systems at the Koviktinsky gas well in Russia’s Irkutsk region—a critical asset for Gazprom’s gas production. The hackers characterized the breach as compromising data from the “main sponsor of terrorism and the invasion of Ukraine,” framing the operation as retaliation for Russia’s military actions. To substantiate their claims, the IT Army released a confidentiality agreement believed to be part of Gazprom’s internal documentation. While the group did not disclose specific intrusion methods, the breach highlighted vulnerabilities in Gazprom’s digital infrastructure, potentially exposing sensitive operational and financial data.


This incident occurred against a backdrop of escalating cyber operations linked to the Russia-Ukraine conflict. Earlier in 2022, cybersecurity experts had attributed computer network operations (CNO) against Gazprom to cyber operators affiliated with Ukraine’s Main Directorate of Intelligence (GUR MO). The IT Army of Ukraine, alongside groups like Anonymous and Hacker Forces, emerged as key actors in Ukraine’s asymmetric cyber strategy, targeting Russian critical infrastructure and state-linked entities. Ariel Parnes, COO of cybersecurity firm Mitiga, noted that Ukraine lacked a formal cyber military force and relied on volunteer hacktivists to disrupt Russian operations. The Gazprom breach underscored the persistent focus on energy sector targets, which hold strategic economic and symbolic value. While the immediate operational impact on Gazprom’s infrastructure remained unconfirmed, the exfiltration of internal documents posed reputational and intelligence risks to the company, potentially revealing vulnerabilities in its security practices or operational details exploitable for future attacks.
