Cyber Incident Victim: Infotel JSC

Date: Jun 2023

Location: Russia

Summary

A Ukrainian hacktivist group known as Cyber.Anarchy.Squad carried out a large-scale cyberattack against the Russian telecom provider Infotel JSC. The attack damaged network equipment and caused a major outage that severed connectivity between the Russian Central Bank and numerous other financial institutions, halting online payments. The group claimed to have destroyed the company's infrastructure entirely and published screenshots as proof of network access. Infotel confirmed the incident and remained engaged in restoration efforts for an extended period.


Description

On or around June 8, 2023, the Russian telecommunications provider Infotel JSC suffered a significant cyberattack. The incident was claimed by a Ukrainian hacktivist group known as Cyber.Anarchy.Squad. The group announced the attack on its Telegram channel, stating that all of the company's infrastructure had been destroyed and that nothing living was left there, characterizing the event as a complete takedown of the provider's systems. Infotel JSC, based in Moscow, is a critical service provider for the Russian financial sector, offering connectivity between the Russian Central Bank and numerous other Russian banks, online stores, and credit institutions. The company later confirmed the incident on its website, describing it as a "massive hacker attack" that resulted in damage to some of its network equipment.

The attack had immediate and severe consequences for the Russian banking sector. Following the incident, multiple major banks across Russia were cut off from the country's banking systems and could no longer process online payments. The initial report of these banking disruptions came from the Ukrainian news site Economichna Pravda. The scale of the impact was underscored by the attackers' claim that Infotel JSC had approximately four hundred clients, a quarter of them banks and the rest credit institutions and car dealerships. Disruption to this client base represented a significant blow to financial and commercial operations within Russia.

Technical analysis from Georgia Tech's Internet Outage Detection and Analysis (IODA) project provided an external timeline and independent confirmation of the outage. The IODA data indicated that the Central Bank of Russia's Internet provider, understood to be Infotel JSC, went offline on June 8, 2023, at approximately 11:00 AM UTC. The project further confirmed that the Russian company was actively working on restoring its systems and noted that the provider remained offline 34 hours after the initial outage began, indicating a prolonged disruption and a complex recovery.

In response to the attack, Infotel JSC publicly acknowledged the incident and began restoration work. The company's statement expressed hope for understanding and continued cooperation from its clients, and noted that further deadlines for completing the restoration work would be announced later. This public communication was a key part of the company's crisis management, keeping its customer base informed of the ongoing efforts to mitigate the damage. The nature of the response suggests a focus on repairing and replacing physical network hardware.

As proof of its involvement, Cyber.Anarchy.Squad released evidence on its Telegram channel, including screenshots purporting to show access to Infotel's internal network. The released materials consisted of a network diagram and what appeared to be a compromised email account belonging to the company. This is consistent with the group's established pattern of operation. Cyber.Anarchy.Squad has targeted other Russian companies since emerging after Russia's invasion of Ukraine. In previous operations the group has leaked databases stolen from breached Russian companies, including a retailer and a jewelry manufacturer; those leaks contained millions of records of employee and customer information as well as internal company emails.

The incident represents a direct attack on critical infrastructure supporting the Russian financial system. The primary impact was the widespread disruption of online payment processing for a significant portion of the Russian banking sector, affecting both institutions and their customers. The long duration of the outage, as tracked by third-party analysts, points to the severity of the damage inflicted on Infotel JSC's network infrastructure. The company's own characterization of the attack as "massive" and the attackers' boast that the infrastructure was completely destroyed align with the observed operational impact and the extended recovery time. The attack involved no ransom demand; it was presented as a disruptive operation with geopolitical motivations, carried out by a group aligned with Ukrainian interests. The consequences were operational and financial, stemming from the forced disconnection of critical interbank communication links rather than from the theft or public exposure of sensitive financial data. The response focused entirely on physically restoring and rebuilding damaged network equipment to re-establish connectivity for the company's clients.
