Cyberattack disrupts operations of supermarkets across Russia

A popular Russian discount retail chain with over 1,000 stores nationwide was hit by a cyberattack over the weekend that disrupted its services for several days.

The supermarket chain Verny (“loyal” in Russian) confirmed the hack to several local news websites, adding they are still working to fully restore operations.

The unknown attackers took down the company's website and mobile app. Due to the attack, Verny’s supermarkets couldn’t process bank cards or receive and deliver online orders, according to the reports.

Video shared on Telegram by local customers shows Verny stores across Russia with printed signs on their doors saying they are temporarily accepting cash only. Local employees complained that many customers were frustrated with the cash-only policy and left the supermarket without buying anything.

Little is known about the scale of the attack or the culprit. However, the company's general director, Oleg Vysotsky, said in an interview that they suspect the goal was extortion, although he didn't mention if a ransom demand was made.

Verny has been operating in Russia for over a decade and employed nearly 11,000 people as of last December. The company's revenue reached nearly 124 billion rubles ($1.3 billion) in 2023, with a net profit of 220 million rubles ($2.4 million).

Local commerce experts estimate the company's losses due to the cyberattack could already be at least 300 million rubles ($3 million) and could exceed 500 million rubles ($5.6 million) if operations don't resume within the next two days, according to Russian news website Kommersant. 

Similar incidents

One week before the cyberattack on Verny, a similar incident hit CDEK, one of Russia's largest delivery companies. Reportedly carried out by a little-known Russian-speaking group called Head Mare, the attack disrupted CDEK's website and mobile app, forcing the company to suspend parcel shipments.

The hackers claimed to have encrypted CDEK's servers with ransomware and destroyed backups of their corporate systems.

Local security experts believe the attacks on Verno and CDEK might be the work of the same attackers. While Head Mare hasn't claimed responsibility for the Verno hack, some experts suggest attackers may have acted independently rather than as part of the group.

"In the current geopolitical climate, anyone could do this," Dmitry Kuzevanov, head of the UserGate monitoring and response center, told Russian news website Izvestia. "Motivations could range from destabilizing the situation by crippling a major Russian retailer to masking their deeper intentions under the smokescreen of such an attack." 

Following the CDEK attack, two unnamed sources in the retail market told Kommersant that most large retailers have begun additional security checks to identify vulnerabilities in their technology infrastructure related to deliveries and payments.

CDEK said it has almost restored normal operations as of Tuesday, however local security experts claim to have found leaked data about the company's activities from April, including invoice numbers, reasons for delivery delays, parcel descriptions, CDEK branch names, and sender information.

CDEK denied the leak, saying they store customers’ personal data in a secure, internal database, not in Google Sheets, as the alleged leak suggests.

Also on Tuesday, the pro-Ukraine group KibOrg claimed to have stolen 1.5 terabytes of data from the Russian Union of Auto Insurers. This data allegedly includes information about Russian drivers and their cars over the past 15 years.

There have been no independent verifications of these claims so far. Previously, KibOrg claimed responsibility for hacking and leaking data from Russian tourism and air travel company Sirena Travel, as well as Russia’s Alfa-Bank.