In a recent Telegram statement, Roseltorg disclosed that it had been targeted by "an external attempt to destroy data and the entire infrastructure of electronic trading."
# Incident Report: Cyberattack on Roseltorg E-Trading Platform
## Executive Summary
Roseltorg, Russia's main electronic trading platform, suffered a significant cyberattack that caused service outages and, by the company's own account, involved an attempt to destroy its data and infrastructure. The pro-Ukraine hacker group Yellow Drift claimed responsibility, stating that it had deleted 550 terabytes of data. Although Roseltorg reported that all infrastructure had been fully restored, the company's website remained offline at the time of reporting, disrupting government and corporate procurement processes.
## Incident Details
- Discovery Date: Last Thursday (when services were initially suspended)
- Incident Date: Last week (specific start date not provided)
- Affected Organization: Roseltorg (Russia's main electronic trading platform for government and corporate procurement)
- Sector: Government Procurement, Trading, Defense, Construction
- Geography: Russia
## Timeline of Events
### Initial Access
- Date/Time: Last week
- Vector: External cyberattack (Specific entry vector not detailed in the source)
- Details: The attack was described by Roseltorg as an "external attempt to destroy data and the entire infrastructure of electronic trading."
### Lateral Movement
- Details: Not explicitly detailed; however, if 550 TB of data, including backups, was reached, the scope implies broad access across the environment rather than a single compromised host.
### Data Exfiltration/Impact
- Details: The hacking group Yellow Drift claimed to have deleted 550 terabytes of data, including emails and backups. The primary operational impact was the suspension of trading services, affecting government agencies and corporate clients (including Lukoil, Rostelecom, and the Ministry of Defense).
### Detection & Response
- Date/Time: Initially last Thursday (suspension confirmed)
- Details: Roseltorg initially claimed outages were due to "maintenance work," later disclosing the cyberattack. The company stated that all affected data and infrastructure had been fully restored, and trading systems were expected to resume shortly. All affected deadlines will be automatically extended.
## Attack Methodology
- Initial Access: Unknown/External Attempt
- Persistence: Not explicitly detailed.
- Privilege Escalation: Not explicitly detailed.
- Defense Evasion: Not explicitly detailed.
- Credential Access: Not explicitly detailed.
- Discovery: Not explicitly detailed.
- Lateral Movement: Not explicitly detailed, but likely necessary to target bulk data and infrastructure.
- Collection: Not explicitly detailed; the group's claim concerns deletion of 550 TB, including emails and backups, rather than staging of data.
- Exfiltration: Not claimed by either party. The primary claim was data *deletion*, though destructive attacks of this kind often accompany exfiltration.
- Impact: Destruction of electronic trading infrastructure and data; service outages.
## Impact Assessment
- Financial: Pending; clients expressed concerns over potential financial losses and delays in the procurement process.
- Data Breach: Claimed deletion of 550 TB of data, including emails and backups.
- Operational: Significant disruption to public procurement, contract signings, and operations for government agencies and major state-owned corporations.
- Reputational: Initial attempt to mask the outage as "maintenance" potentially damaged trust, although rapid recovery was claimed.
## Indicators of Compromise
- Network indicators: None provided in the source.
- File indicators: None provided.
- Behavioral indicators: Service outages confirmed on Thursday; public claims of data destruction via Telegram.
## Response Actions
- Containment measures: Suspension of services to limit further impact.
- Eradication steps: Not detailed, but Roseltorg claimed all affected data and infrastructure were fully restored.
- Recovery actions: Systems expected to resume operations shortly; deadlines for procedures automatically extended.
## Lessons Learned
- Situational Awareness: Critical infrastructure operators must swiftly and accurately communicate security incidents rather than initially attributing them to standard maintenance.
- Data Redundancy: The claimed destruction of backups alongside production data underlines the importance of immutable, off-network (or logically isolated) backups for key infrastructure, so that a single set of compromised credentials cannot erase both the primary data and its recovery copies.
## Recommendations
- Enhance network segmentation to limit the scope of potential infrastructure destruction attempts.
- Review and test incident communication protocols to ensure transparency and prompt disclosure in the event of a sophisticated attack.
- Implement advanced endpoint detection and response (EDR) capabilities to better trace and attribute initial access vectors used by external threat actors.