{
	"id": "17a09e78-2c3f-4681-a05d-88900ce7ad53",
	"created_at": "2026-04-06T00:20:05.110728Z",
	"updated_at": "2026-04-10T03:21:49.462451Z",
	"deleted_at": null,
	"sha1_hash": "be39f3151ce22beab0be45793395fee3a12dd31b",
	"title": "FSB NKTsKI: Foreign 'cyber mercenaries' breached Russian federal agencies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 84842,
	"plain_text": "FSB NKTsKI: Foreign 'cyber mercenaries' breached Russian\r\nfederal agencies\r\nBy Catalin Cimpanu\r\nPublished: 2023-01-11 · Archived: 2026-04-05 22:59:38 UTC\r\nForeign hackers have breached and stolen information from Russian federal executive bodies, the Russian\r\ngovernment said in a report published last week.\r\nThe attacks were identified in 2020.\r\nThey were detailed in a joint report authored by Rostelecom-Solar, a cybersecurity division of Russian telecom\r\ngiant Rostelecom, and the National Coordination Center for Computer Incidents (NKTsKI), a CERT-like\r\norganization created by the Russian Federal Security Service (FSB) in 2018.\r\n\"Evaluating attackers in terms of training and qualifications (used technologies and mechanisms, the speed and\r\nquality of the work done by them), we are inclined to classify this group as cyber mercenaries pursuing the\r\ninterests of a foreign state,\" the report reads.\r\nAttackers used novel malware\r\nTo breach Russian federal agencies, Rostelecom and NKTsKI said the attackers used a broad set of entry vectors\r\nthat included spear-phishing, exploiting vulnerabilities in web applications, and hacking the IT infrastructure of\r\ngovernment contractors.\r\n\"After a complete compromise of the infrastructure, the attackers proceeded to collect confidential information\r\nfrom all sources of interest: such as mail servers, electronic document management servers, file servers, and\r\nworkstations of various levels,\" the report said.\r\nOnce they breached a victim, the attackers would deploy two never-before-seen malware strains named Mail-O and Webdav-O, both stealthy backdoors that the intruders used to execute commands on infected hosts and\r\nsteal data.\r\nBoth strains exfiltrated data to command and control infrastructure hosted on local Russian cloud providers, with\r\nMail-O uploading data to Mail.ru Cloud servers and Webdav-O to the Yandex.Disk cloud.\r\nBoth Mail-O and Webdav-O were also 
designed to bypass Kaspersky antivirus software, which is usually installed\r\non Russian federal networks, and disguised their network traffic as legitimate communications for Mail.ru's Disk-O and the Yandex.Disk applications.\r\nThe joint report contains additional technical details about the inner workings of both malware strains.\r\nRussian authorities did not attribute the attack to any specific country as of yet.\r\nThe report comes a month after the US government formally attributed the SolarWinds supply-chain attack to\r\na cyber-espionage operation carried out by the Russian Foreign Intelligence Service.\r\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/fsb-nktski-foreign-cyber-mercenaries-breached-russian-federal-agencies/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://therecord.media/fsb-nktski-foreign-cyber-mercenaries-breached-russian-federal-agencies/"
	],
	"report_names": [
		"fsb-nktski-foreign-cyber-mercenaries-breached-russian-federal-agencies"
	],
	"threat_actors": [],
	"ts_created_at": 1775434805,
	"ts_updated_at": 1775791309,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/be39f3151ce22beab0be45793395fee3a12dd31b.pdf",
		"text": "https://archive.orkl.eu/be39f3151ce22beab0be45793395fee3a12dd31b.txt",
		"img": "https://archive.orkl.eu/be39f3151ce22beab0be45793395fee3a12dd31b.jpg"
	}
}