Cyber Incident Victim: Yandex
Date: Sep 2021
Location: Russia
Summary
Yandex experienced the largest distributed denial-of-service (DDoS) attack in Russian internet history, originating from a new botnet called Meris that used compromised network equipment made by a manufacturer in the Baltic region. The sustained assault targeted the company's infrastructure but was successfully mitigated through filtering measures, resulting in no disruption to services or compromise of user data. Cloudflare confirmed the attack's unprecedented scale, while collaborative analysis with Qrator Labs identified the botnet responsible. The incident raised concerns about national infrastructure threats due to its magnitude, though an ongoing internal audit prevented full disclosure of technical details.
Description
In early September 2021, Russian internet conglomerate Yandex came under an unprecedented distributed denial-of-service (DDoS) attack described as the largest in the history of RuNet—Russia’s sovereign internet segment designed to operate independently from the global web. The assault began during the weekend preceding September 5th and persisted into the following week, overwhelming Yandex’s infrastructure with massive volumes of malicious traffic. Russian business publication Vedomosti reported that Yandex encountered significant challenges mitigating the attack despite its partnership with Qrator Labs, a DDoS protection provider. U.S.-based infrastructure firm Cloudflare independently verified the attack’s record-breaking scale, though neither company disclosed technical specifics such as peak bandwidth or request volume. Yandex confirmed the incident through a spokesperson, stating its network filtering systems successfully blocked the malicious traffic, preventing any disruption to user services or compromise of data. The company declined to provide further details due to an ongoing internal audit, characterizing the event as a national-scale infrastructure threat.

Subsequent joint analysis by Yandex and Qrator Labs identified the attack’s source as a previously unknown botnet dubbed "Meris," which leveraged compromised network equipment from a Baltic region manufacturer. Qrator Labs CEO Alexander Lyamin initially suggested the involvement of a novel botnet prior to its formal identification, noting its utilization of vulnerable hardware to generate attack traffic. This botnet’s emergence followed two other historically large DDoS incidents: a 2.3 terabits-per-second attack mitigated by Amazon Web Services in Q1 2020 and a July 2021 assault on Cloudflare peaking at 17 million requests per second. The Meris botnet’s targeting of Yandex underscored RuNet’s vulnerability to large-scale disruptions despite its design for operational isolation during international cyber conflicts. Yandex’s defensive measures ultimately contained the attack without operational consequences, though the event highlighted evolving DDoS capabilities exploiting non-traditional IoT devices.
