Cyber Incident Victim: Gonets

Date: Sep 2022

Location: Russia

Summary

Pro-Ukraine hackers affiliated with OneFist breached a Russian satellite communications network by exploiting a misconfiguration in its customer relationship management system, gaining unauthorized access as legitimate users. The attackers deleted the CRM database containing 97 client accounts—including regional offices of Russia’s Federal Security Service and missile or space technology entities—crippling the system’s ability to authenticate or bill users, thereby disrupting messaging services. The incident highlighted critical security failures, such as exposing the unsecured CRM database on the open internet without firewalls, which the hackers attributed to systemic negligence in Russian cybersecurity practices. The operation was linked to broader efforts by Ukraine-aligned groups targeting Russian infrastructure amid the ongoing conflict.

Description

On or around September 28, 2022, pro-Ukraine hacker collective OneFist penetrated Russia’s Gonets low Earth orbit satellite communications network, disrupting its operations by deleting a critical customer relationship management (CRM) database. The attackers, including a member using the alias Thraxman, exploited a misconfiguration in Gonets’ system setup that granted them unauthorized access as legitimate users. Though unable to escalate privileges or download the entire database initially, they identified the CRM’s operational necessity: the system verified active customer accounts and processed billing for all messages sent through the satellite constellation. By wiping the database containing 97 client accounts, the hackers rendered the network incapable of transmitting messages, as no billing or account validation could occur. The compromised CRM data reportedly included Russian state and military entities, such as regional offices of the Federal Security Service (FSB), alongside commercial clients in logistics and fishing sectors. Thraxman noted approximately half the users were linked to missile or space technology organizations, though many clients did not publicly acknowledge their use of Gonets.

The breach exposed systemic security deficiencies in Gonets’ infrastructure, particularly the exposure of its CRM system on the open internet without firewalls or protective measures. OneFist member Voltage characterized this configuration as “madness” by Western security standards, attributing the vulnerability to pervasive institutional neglect within Russian cybersecurity practices. The attackers claimed affiliation with Ukraine’s IT Army, aligning the incident with a broader pattern of pro-Ukraine cyber operations targeting Russian critical infrastructure following the February 2022 invasion. While the exact duration of service disruption remains unconfirmed, the deletion of the CRM database directly impaired Gonets’ core functionality, affecting communications for remote commercial and governmental users reliant on the satellite network. No mitigation efforts by Gonets or Russian authorities were detailed in available reports. The incident highlighted the network’s role in supporting Russian state operations and underscored vulnerabilities in space-based communication systems amid escalating cyber hostilities between pro-Ukraine and pro-Russia factions.
