Anonymous hacked German subsidery of russian energy gigant Rosneft, 20 terabytes of data extracted

Sicherheit (Pexels, allgemeine Nutzung)[German]Activists of the hacker collective Anonymous have announced actions against Russian companies after the Russian army invaded Ukraine. According to media reports and an article on Anonleaks, members of Anonymous successfully hacked the German branch of the Russian energy giant Rosneft. In the hack, 20 terabytes of data were siphoned off before the hack was discovered and further access was prevented.


I've seen reports yesterday reports from Reuters Reuters and some German media. But the most interesting source was the following tweet from dealing with the successful hack.

Anonymous hackt Rosneft Deutschland

The Anonleaks article is in German, so I will cover the beef. There activists from the hacker collectiv Anonymous reported on March 11, 2022 about a successful hack. They have had access to the servers of Rosneft Germany, a subsidary of the Russian oil company. The article focuses on the role of the Russian oil company Rosneft and its German subsidiary. Rosneft not only supplies Germany with products such as bitumen, aviation fuel and lubricants, but also organizes the refueling of aircraft at various airports. Russia expert Stefan Meister of the German Council on Foreign Relations is quoted there as follows:

Ex chancelor Gerhard Schröder [which is member of Supervisory Board and a fried of russian president Putin] gives the group international reputation, credibility, respectability. This is important for Rosneft, which is not a normal company, but initially served primarily the self-enrichment of people from Putin's circle.

There are sanctions against Rosneft – but a completely untouched subsidiary abroad could be used to circumvent sanctions, so that foreign currency still flushes into Russia via such holdings – it shall be mentioned, that Rosneft Germany isn't on the sanction list yet.  Anonymous cites this connection as a reason to take a closer look at Rosneft Germany's IT systems. In addition it is said:

For some Anons from Germany, this is exactly a reason to take a closer look at Rosneft Germany. Not because of the refineries, but because of the lobbying, the sanctions.

The anons didn't want to drive around directly in the Russian energy companies … especially the energy sector is a hot potato, because there are some sanctioning states whose energy supply is linked to Russia. You don't want to smash any plates or turn any pipelines on and off or anything like that. Not even by accident.

But Rosneft Germany is interesting enough. This company is mainly in distribution, buying and selling, delivering to refineries … and what else? No critical infrastructure to accidentally break. No pipelines to shut down, no nuclear reactors, even the refineries would continue to operate.

Translated with (free version)

Anonymous activists have managed to gain access to Rosneft Germany's servers and grab large amounts of data (20 terabytes). They penetrated very deeply into Rosneft Deutschland's systems, according to Anonleaks. The penetration was so deep that backups of employees' and executives' laptops were easily found.


Backups von Rosneft Deutschland
Backups from  Rosneft Deutschland, Source: Anonleaks

In addition, Anonymous claims that they had access to all of the company's virtual machines, UPS and more. The collective then started transferring the available data via FTP connection in a period of two weeks. Despite 5.5GB/s transfer rate, such a process takes some time. The activists state that the download was stopped at March 10, 2022. They say:

Not because one was caught, that not, one was for nearly two weeks continuously and non-stop in the systems and loaded the data. But last Friday the FTP connection, which was very stable in itself, broke down because their entire system went down in the evening, suddenly no more Internet. The entry point itself was still working, but we couldn't get any further because the system behind it was no longer connected to the Internet.

We don't know if someone pulled the wrong plug. According to Anons, it looked like someone had putted the system's firewall. You could no longer see any other user in the system, Internet was gone, probably Rosneft and IT itself no longer had access.

Therefore, only 20 terabytes of the 25 terabytes of possible data could be copied by Thursday, March 10, 2022. The hackers write that operators should pay more attention to the service accounts of printers in Active Directory – because it is probably the attack vector for the hack seems. A second hack was successful, but the session was closed again shortly after the download resumed. Anonymous claims to have caused a bit of confusion, however, and to have remotely reset iPhones or "remapped" devices around the network.

The hack of the Rosneft web site was undertaken by another group, as the Anonymous hacker say.

The Anonymous hackers want to sift through the captured data, and then consider what to do with it. It is already certain, according to the statement of the hackers, that this data will not be leaked publicly. Because the effect of a public leak would be less than the profit that competitors could draw from it, they write. The article on Anonleaks is very revealing.

In the meantime, the German Federal Office for Information Security (BSI) has probably confirmed the hacking attack on the German Rosneft subsidiary to media such as Spiegel and Welt. These media report that the company (which, as an energy supplier, are part of the critical infrastructure) self-reported the attack. Some media writes, that German BSI issued security alerts to other companies and organizations in the petroleum industry. The Berlin public prosecutor's office is said to have opened an investigation into the hacker attack. The Federal Criminal Police Office (Bundes­kriminalamt, BKA) has been tasked with the investigation, according to the Spiegel report.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *