Cyber Incident Victim: Russian Federation
Date:
Mar 2023
Location:
Russia
Summary
A television and radio hack in Moscow broadcast fraudulent emergency warnings instructing residents in eastern regions to take potassium iodide pills for radiation exposure and seek shelter. The alerts included visuals of spreading radiation hazards and gas mask instructions, disrupting programming in multiple areas including Yekaterinburg. This incident marked the third such breach affecting the country's broadcast systems in recent weeks, following prior hoax missile and air raid warnings. Cyber intrusions targeting media outlets have escalated amid ongoing regional conflict, with state emergency services confirming server compromises but no attribution identified for these specific attacks.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On March 9, 2023, Russian television and radio channels broadcast a false emergency alert across multiple regions, including Moscow and the Sverdlovsk region. The hacked warning simulated a nuclear attack scenario, instructing residents to "urgently go to a shelter," seal their premises, and use gas masks or cotton-gauze bandages. Visual elements showed a map of Russia gradually turning red from west to east, accompanied by black-and-yellow radiation warning symbols and text stating, "Everyone immediately to shelter." A notable deviation from previous hoaxes was the specific directive to take potassium iodide pills, a medication used to protect the thyroid from radioactive iodine exposure. The broadcasts interrupted regular programming momentarily before being discontinued. Russia’s emergencies ministry attributed the incident to server compromises at radio stations and TV channels, labeling the alert as false. Affected areas included Yekaterinburg, the country’s fourth-largest city, but the ministry did not disclose technical details about the intrusion or the duration of the disruption. No immediate reports of public panic were documented in the available sources.
This marked the third media hack in Russia within 18 days, following similar false alarms on February 22 and February 28, 2023. The February 22 hack triggered a fabricated air raid alert, while the February 28 incident broadcast a "missile threat" warning. Cybersecurity disruptions targeting Russian media intensified after the 2022 invasion of Ukraine, including a February 21, 2023, attack that disrupted streaming services during Vladimir Putin’s state-of-the-nation address. Ukraine’s IT Army—a volunteer hacking collective formed after the invasion—claimed responsibility for the February 21 incident but did not assert involvement in the subsequent television and radio hoaxes. Russian authorities did not attribute the March 9 hack or its predecessors to any specific threat actor, nor did they outline countermeasures beyond acknowledging server compromises. VG TRK, the state broadcaster targeted in prior attacks, remained operational during and after the fake radiation alert, with no reports of infrastructure damage or extended service outages.