A hacking group maintained access to the firm's systems for several months and destroyed parts of the company's infrastructure.
# Incident Report: Breach of Russian Military Draft Database Developer (Mikord)
## Executive Summary
An anonymous hacker group successfully breached the systems of Mikord, a Russian tech firm allegedly developing components for Russia’s unified military registration database. The attackers maintained persistent access for several months, exfiltrating sensitive documents and destroying parts of the firm's infrastructure. The breach was brought to light when the hackers contacted an anti-war human rights group, leading to public disclosure and the company's website going offline.
## Incident Details
- Discovery Date: Early December 2025 (when the hackers contacted Idite Lesom and defaced the website)
- Incident Date: Ongoing access confirmed for "several months" prior to discovery.
- Affected Organization: Mikord (Russian tech firm)
- Sector: Technology/Government Services (Allegedly critical infrastructure support)
- Geography: Russia
## Timeline of Events
### Initial Access
- Date/Time: Unknown, but access maintained for "several months" leading up to December 2025.
- Vector: Not specified in the report, but targeted a software development firm.
- Details: Attackers infiltrated the firm's servers.
### Lateral Movement
- Details: Attackers were able to maintain access for an extended period, suggesting successful establishment of persistence and internal reconnaissance within the network.
### Data Exfiltration/Impact
- Date/Time: Ongoing during the "several months" of access.
- Impact: Stolen documents included source code, technical and financial records, and internal correspondence related to Mikord's operations. Attackers also **destroyed parts of the company’s infrastructure**.
### Detection & Response
- Date/Time: Early December 2025.
- Detection: The breach was externally discovered when hackers contacted Grigory Sverdlov of the human rights monitoring group *Idite Lesom* and began defacing the company website.
- Response actions taken: Mikord's director admitted to the hack; the company website displayed a maintenance message; Russia’s Ministry of Defense publicly dismissed claims of a data leak related to the *unified military registration database*.
## Attack Methodology
- Initial Access: Undisclosed.
- Persistence: **Maintained access for several months.**
- Privilege Escalation: Not specified, but likely required to gain access to source code and financial records.
- Defense Evasion: Effective for several months, suggesting evasion of standard security monitoring.
- Credential Access: Likely involved in accessing specific document repositories (source code, financial records).
- Discovery: Inferred internal network reconnaissance occurred to locate relevant data.
- Lateral Movement: Inferred to move to core infrastructure containing sensitive documents.
- Collection: Source code, technical records, financial records, and internal correspondence.
- Exfiltration: Data was handed to the *Idite Lesom* group, with the stated intent of sharing it with journalists and publishing it publicly.
- Impact: **Destruction of parts of the company’s infrastructure** and exposure of sensitive operational data.
## Impact Assessment
- Financial: Mikord's financial records were compromised, but specific costs are unknown. Extensive operational downtime due to infrastructure damage is implied.
- Data Breach: Source code, technical documentation, financial records, and internal correspondence related to a high-profile government project (military draft database). The scope of Personally Identifiable Information (PII) exposure from the draft database itself is officially denied by the MoD.
- Operational: Mikord's website was offline; parts of its infrastructure were destroyed.
- Reputational: Significant reputational damage due to association with Russia's military draft database, leading to public defacement and investigation by outlets like iStories.
## Indicators of Compromise
- Behavioral indicators: Unauthorized access maintained over multiple months; infrastructure destruction activity.
- Network indicators: Defacement of company website; communication with external human rights organizations.
- File indicators: Release of internal Mikord documents (source code, financial records).
## Response Actions
- Containment measures: Mikord placed its website into maintenance mode.
- Eradication steps: Unknown, pending investigation into the multi-month breach.
- Recovery actions: Unknown, though the Ministry of Defense claims the military database is "operating normally."
## Lessons Learned
- Long-term persistence is possible even in high-stakes environments, requiring continuous visibility rather than just initial intrusion detection.
- Third-party and supply chain vendors (like Mikord) handling sensitive government projects can be significant weak points.
- Infrastructure integrity must be protected not only from data loss but from destructive cyber operations.
## Recommendations
- Implement continuous, high-fidelity threat hunting across critical vendor environments to detect long-term dwell time.
- Review access controls and segregation of duties for development environments storing source code related to national security projects.
- Enhance data backup and disaster recovery protocols specifically targeting the resilience of core infrastructure against destructive attacks.