Photo: Shutterstock

When the Wagner Group turned its guns against Moscow on June 23, 2023, the world watched a mercenary group openly defy the Kremlin. Just days later, on June 29, a crippling cyberattack struck Dozor-Teleport, one of Russia’s key satellite communication providers. Then came a twist: a mysterious Telegram account calling itself “Richard W” claimed responsibility, fueling speculation that Wagner’s rebellion had spilled into cyberspace. Rumors swirled over who the real perpetrators were.

Two years later, on August 14, 2025, the Ukrainian Cyber Alliance (UCA) broke its silence, admitting it was behind the attack all along. The revelation exposes not just the murky world of cyber self-attribution, but also the dangerous entanglement of hacktivist groups, state intelligence services, and the fragile infrastructure of the space sector. Communication about an attack is sometimes as important as the attack itself.

Blurry Attribution

For the past two years, the attribution of this cyber operation has been fuzzy. Initially, a Telegram channel named “Richard W,” took responsibility for the attack. “Richard W” was the only account that leaked Dozor’s internal documents and shared screenshots of the breached IT environment. The channel also released a video with Russian audio that claimed it was part of the Wagner Group. Telegram users quickly questioned whether the “Richard W” channel truly belonged to the Wagner Group as it was created only on day prior to the attack. No other Wagner-affiliated account reshared its content, or talked about the cyberattack.

Then, on June 29, Andriy Baranovych from the hacktivist group RUH8, which is part of UCA, reported on the incident with a link to the then unknown “Richard W” channel. The news was rapidly picked up by various Ukrainian hacktivist accounts, including pro-Ukrainian “Cyber Anarchy Squad.” Some started to claim that the Squad took responsibility for the attack, but their official Telegram account did no such thing.

Think tank experts and cybersecurity companies also started to analyze the incident. Oleg Shakirov, a Russian cyber expert at the PIR Center, immediately doubted Wagner’s involvement, outlining that it was more likely to be “Ukrainian false flag trolling.” Shakirov noted that “The whole hack and leak looks very real, but it’s not something Wagner does. They don’t have a motive now and no history of such [cyber]attacks.”

He further told Bloomberg that the timing, five days after the failed mutiny, was illogical, noting that it would have been far more effective to disrupt communications while Wagner troops were advancing toward Moscow. Vito Alfano, an analyst at cybersecurity company Group-IB also doubted Wagner’s involvement in the attack and instead pointed the finger at UCA.

Self-attribution by UCA

Two years later, the Ukrainian Cyber Alliance officially took responsibility for the attack against Dozor-Teleport. UCA was founded in 2016 through the merger of four hacktivist groups: Falcons Flame, Trinity, RUH8, and Cyber Hunta. Their goals are patriotic and their operations target Russian entities. Among others, UCA targeted major Russian drone manufacturer Gaskar, accessed and destroyed 47 terabytes of data, including technical documents about production and the company’s cooperation with China.

On August 14, 2025, Baranovych, noted on his Telegram channel that UCA strategically avoided claiming the operation as long as operational security considerations were a constraint. The same day, Baranovych appeared in an episode of the Ukrainian podcast Hack Your Mom, hosted by former Ukrainian Security Service (SBU) cybersecurity officer Mikita Knysh, and confirmed that they intentionally disguised the hack as if Wagner did it. Although Dozor was not down when Wagner was marching towards Moscow, the timing was UCA’s original goal.

There was also another objective to the attack: retaliation for the Russian cyberattack against Viasat, which crippled Ukrainian communications at the start of the invasion. On the podcast, Baranovych highlighted “That was nasty and had consequences. Well, a year ago, we did the same to Dozor Telecom, a Russian satellite operator serving, among others, the FSB. Payback. … We knocked out more than 3,000 ground stations. And just like with Viasat, we disabled not only the station that uplinks to the satellite but also the user terminals.”

Although the operating mode of Dozor’s hack remains unknown, its destructive aspects, consequences and the track record of past UCA operations may hint at a wiper malware, which was also used during Viasat’s hack. The interview also clarified that hacking Dozor took a few weeks and UCA aimed at targeting terrestrial providers and ground stations as they are easier to hack than a satellite in orbit, which is a common tactic when hacking space systems.

The self-attribution game is one that often has a low credibility metric. UCA did not share new details to prove its involvement in the attack against Dozor. So far though, UCA never self-attributed a campaign that they were not involved in.

Coordination with State Actors

UCA likely collaborated with the Ukrainian Armed Forces. Several hints go into this direction. When answering questions from his Telegram community, he justified that “The defense forces we work with sometimes come up with interesting ideas based on targets that have already been worked out. In turn, when all such projects are completed, why not boast about them? This is not the only such ‘quiet target.’ Moreover, there are teams that do not release anything to the public at all and believe that intelligence loves silence, but there is more than one opinion on this matter.”

Unlike the IT Army of Ukraine, which was set up by the Ministry of Digital Transformation, UCA was created independently from the state. However, over time, it started to share intelligence with the state. Today, UCA considers the Armed Forces as its customers. UCA likely conducted the hack alone but acted as a sub-contractor. This cooperation raises questions as to whether UCA ought to be viewed a purely civilian hacktivist group. It also raises questions about the state’s responsibility in this operation.

Baranovych seemed to express some frustration in the coordination process with the Armed Forces, suggesting that they had different visions about public attribution. While they may have the same strategic long-term objectives, state actors and hacktivist groups may have diverging short term objectives. Hacktivist groups only maintain their ranking and continue to generate if they share operational successes. State actors meanwhile benefit from minimal communication, leading to less political scrutiny and risks of retaliation.

Military Targets

What stood out in the initial self-attribution of the “Richard W” Telegram channel was the emphasis on Dozor-Teleport providing services to the Russian military. When Dozor publicly confirmed the attack, he also stated that misinformation was being spread regarding Dozor-Teleport’s links with the Ministry of Defense, suggesting it was a misunderstanding due to the letter “Z” being prominently displayed on Dozor’s logo.

Richard W then replied to Dozor’s comments and threatened to leak more data if it did not admit that it provides services to the Russian military. “Richard W” never released the data. This behavior is more consistent with that of state actors or some pro-Ukrainian hacktivist groups than that of Wagner. Ukrainian groups often tend to justify the military nature of their targets to make their operations lawful with regard to international law.

Further Analysis

A study published in 2025 by ETH Zurich identified 161 cyber operations which were conducted against the space sector in the context of the war in Ukraine. Some of these operations  were carried out in response to kinetic strikes and public announcements of new weapons deliveries. Yet, not a single one among these 161 cases was conducted in retaliation for an attack against a satellite system. If the Dozor hack was really conducted in retaliation for the Viasat hack, this would mark the first tit-for-tat case ever.

By claiming responsibility for this attack, UCA brings a symbolic victory, which may have a deterrent effect regarding future cyber operations against satellites. It also reduces the risks for escalation that a public state attribution would entail. With this new claim, UCA wants to position itself on the same level as the Russian intelligence services, which targeted Viasat, since both attacks had similar consequences.

However, the incident underscores a central lesson: in cyber operations, timing is everything. A strike that hits on the day of an invasion when satellite links are vital can sway the course of a military operation. The same strike delivered at the wrong moment, for example after a failed coup, is just a disruption for a company and its bottom line, not a strategic blow. In cyber conflict, what matters isn’t always the type of attack. Timing is the decisive capability, the element that turns a technical disruption into strategic power.

Clémence Poirier is a Senior Cyberdefense Researcher at the Center for Security Studies (CSS) at ETH Zurich, Switzerland. She is the author of the report, “Hacking the Cosmos: Cyber Operations Against the Space Sector.”