Russian ISP confirms Ukrainian hackers "destroyed" its network

​Ukrainian hacktivists, part of the Ukrainian Cyber Alliance group, announced on Tuesday they had breached Russian internet service provider Nodex's network and wiped hacked systems after stealing sensitive documents.

"The Russian internet provider Nodex in St. Petersburg was completely looted and wiped. Data exfiltrated, while the empty equipment without backups was left to them," the Ukrainian hacktivists announced yesterday on Telegram.

The hackers also shared screenshots of the Russian ISP's VMware, Veeam backup, and Hewlett Packard Enterprise virtual infrastructure they hacked during the breach.

On Tuesday, Nodex confirmed the Ukrainian Cyber Alliance's claims by telling customers in a VKontakte post that its "network is destroyed" following what it described as a planned attack likely originating from Ukraine.

"Dear subscribers! Last night, an attack was carried out on our infra (presumably from Ukraine). The network has been destroyed. We are restoring it from backups," Nodex said. "There are no timelines or forecasts at the moment. Our priority is to first restore telephony and the call center."

Internet monitoring organization NetBlocks also saw fixed-line and mobile services connectivity collapsing on Nodex's network internet operator yesterday at midnight, following the ISP's confirmation it was dealing with a cyberattack.

​The Record first reported the attack, saying Nodex's website was still down and the Russian Internet provider was still working on restoring systems. However, the company could not provide a timeline for when systems would return online.

Since then, Nodex has issued more updates on the restoration process, telling subscribers that "the network core has been restored" and that its engineers are still working on resetting switches.

Three hours later, the Russian ISP said that a DHCP server had been brought online and that Internet connectivity should now be available for many customers.

"Many people should be able to use the Internet. Please reboot your routers," Nodex said in another update on the Russian VKontakte social media network.

The Ukrainian Cyber Alliance has been active since 2016, when multiple hackers and hacker groups (e.g., FalconsFlame, Trinity, RUH8, and CyberHunta) banded together to defend their country from Russian aggression in cyberspace and registered as a non-governmental organization.

Since then, UCA cyber activists have claimed many breaches impacting various Russian organizations, including the Russian Ministry of Defense​​​​​, Commonwealth of Independent States Institute (financed by the Russian state company Gazprom), the Donetsk People's Republic's Ministry of Coal and Energy, Vladimir Putin's political adviser Vladislav Surkov, and multiple Russian military officers and media outlets, among others.

In October 2023, the Ukrainian hacktivists also hacked the Trigona ransomware gang's servers and wiped them clean after exfiltrating all data, including source code, database records, and cryptocurrency hot wallets.