Cyber Incident Victim: MegaFon
Date:
Jan 2025
Location:
Russia
Summary
Ukrainian Defense Intelligence's Main Directorate (HUR) conducted a cyberattack against Russian telecommunications operator MegaFon, causing widespread disruptions to mobile and internet services for customers in Moscow, St. Petersburg, and central regions. The incident also impacted other providers like Yota and NetByNet, temporarily restricting Russian access to third-party platforms including Steam, Twitch, and Discord—services reportedly utilized by military and intelligence personnel. Russia's communications regulator acknowledged the outage, attributing it to a successful distributed denial-of-service (DDoS) attack, while the targeted company claimed network operations were normal but cited unspecified external factors affecting connectivity.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On January 24, 2025, cyber specialists from Ukraine’s Main Intelligence Directorate (HUR) executed a cyberattack targeting MegaFon, one of Russia’s largest telecommunications providers. The attack commenced in the morning and caused widespread disruptions to MegaFon’s mobile and internet services. The incident also impacted other Russian telecom operators, including Yota and NetByNet, indicating collateral damage or interconnected infrastructure failures. Residents of Moscow, St. Petersburg, and multiple central Russian regions reported significant service outages, affecting both personal and commercial connectivity. The disruptions extended beyond basic telecommunications, temporarily restricting Russian access to international platforms such as Steam, Twitch, and Discord. Ukrainian intelligence sources emphasized that these platforms were actively utilized by Russian military and intelligence personnel for communication and operational coordination, amplifying the attack’s strategic impact. Roskomnadzor, Russia’s federal communications regulator, publicly acknowledged MegaFon’s service disruption but did not initially attribute it to a cyberattack. Russian media outlets later characterized the incident as a “successful carpet DDoS attack,” suggesting a large-scale distributed denial-of-service campaign targeting critical network infrastructure. MegaFon issued a statement asserting its network was functioning “normally” but cautioned customers about potential access difficulties due to unspecified “independent reasons,” avoiding explicit confirmation of the cyberattack’s severity.
The HUR operation against MegaFon followed a pattern of Ukrainian cyber activities targeting Russian logistical and communications infrastructure, including a January 4, 2025, attack on Regiontransservice, a freight wagon maintenance firm supporting Russian military logistics. The MegaFon incident’s scale became evident through its cascading effects on third-party services and regional connectivity, with prolonged outages reported across multiple population centers. No technical details regarding attack vectors, malware deployment, or network intrusion methods were disclosed by either Ukrainian or Russian sources. Roskomnadzor’s confirmation of the disruption contrasted with MegaFon’s subdued public response, reflecting divergent communication strategies between regulators and the affected entity. The incident underscored the integration of civilian telecommunications infrastructure with military operations in Russia, as emphasized by HUR’s focus on platforms used by defense and intelligence personnel. Service restoration timelines and specific mitigation measures undertaken by MegaFon or partner firms were not publicly documented in available reports. The attack represented a continuation of Ukraine’s cyber-enabled interdiction efforts against Russian logistical networks, aligning with prior kinetic and digital operations targeting military supply chains and command systems.