Hackers destroyed the website of Makhachkala International Airport. Who is to blame for the missed attack?

In 2022, as a result of a hacker attack, the website of the Makhachkala International Airport was destroyed. At the end of 2022, the airport filed a lawsuit with the court for compensation for damage to the contractor who developed the site and assumed obligations, including to ensure information security. In 2023, the case went through the first and appellate instances, both of which denied the airport its claims. The proceedings can be continued, it follows from the case card in the open file of arbitration cases: after the last consideration in August, it was again sent to the court of first instance.

As indicated in the published decision of the Moscow Arbitration Court, the contract for the development of the site was concluded by Makhachkala International Airport with the Moscow company "Defa" in 2014, and in 2017 an agreement was signed for services for the placement of the site on the virtual hosting platform of the contractor with certain parameters^[1].

The appendix to the 2017 agreement stipulated the contractor's obligations to ensure, among other things, the information security of the customer's web system. This includes protection against unauthorized access to confidential information of the web system; protection against access to content editing functions; content integrity monitoring; protection against DDOS attacks on the customer's web systems, etc. The airport believes that there was an improper fulfillment of obligations by the contractor under this agreement, which led to the loss of the site and the impossibility of restoring it.

Hackers attacked a server cluster rented by a contractor to host the airport website "(photo from the mintransdag.ru website)"

On April 9, 2022, Makhachkala International Airport received a letter from Def stating that "as a result of force majeure circumstances that occurred at the data center," there was a massive malfunction of servers rented by Def to host sites, as a result of which access to the airport website is temporarily limited.

Later, on April 22, Defa informed the customer that it was a hacker attack on a server cluster rented by their company. This was confirmed by a letter from the owner and landlord of the server cluster - MSTN. As a result of the attack, the entire server infrastructure was destroyed, including: Defa client sites and services, including its own site, as well as the entire development infrastructure and all Defa archive projects in 20 years.

MSTN said that the attackers gained access to the server virtualization system and, using a script, deleted all virtual machines and data. They also gained access to servers with backups, which were also deleted.

In this regard, "Defa" was no longer able to provide services under the contract with the airport and offered to terminate it. The company refused to compensate for losses to the airport.

A hacker attack on a rented server cluster in "Defa" is called a force majeure circumstance - force majeure. The Moscow Arbitration Court pointed out that in accordance with the rules of# block_431 of Article 431 of the Civil Code of the Russian Federation, when interpreting the terms of the contract, the court takes into account the literal meaning of the words and expressions contained in it. The court did so and saw that the controversial agreement did not provide for the contractor's obligation to protect against hacker attacks, malware aimed at completely destroying the site's infrastructure.

... under the agreement, the defendant did not undertake to protect against actions aimed at the complete destruction of the site infrastructure (web system), - says the decision of the Moscow Arbitration Court.

The court also had questions about the losses declared by the airport of 1.47 million rubles: the loss was determined based on the cost of services for creating the site in 2014. The court found that this is an improper way of calculating, since the cost of then creating a site does not indicate the cost of restoring the site in 2023. In addition, there is no evidence that the volume of work on the creation of the site in 2014 and the volume of work on its restoration in 2023 will coincide, the court noted.

At the same time, the airport submitted to the case file a contract concluded by him in October 2022 for the creation of an Internet site, the cost of work under which is less - 900 thousand rubles than declared for collection from "Def." The new site is located at https://mcx.aero.

The defendant, in turn, submitted to the materials a court flash drive with a copy of the website of the Makhachkala airport (web system) and all the data as of the summer of 2018. An airport spokesman said the data was outdated. But, again, the court says, no evidence is presented that the files in question cannot be used to restore the site.

The Court considers that in this case, the plaintiff is not presented with relevant, admissible and reliable evidence of the existence of grounds for bringing the defendant to civil liability in the form of compensation for losses, namely: there is no evidence of the defendant's unlawful behavior, expressed in improper performance of the terms of the contract, the amount of losses caused has not been proved and evidence of a direct causal relationship between the defendant's improper performance of contractual obligations and the losses caused to the plaintiff, which is the basis for refusing to satisfy the claims, - said in the ruling of the Moscow Arbitration Court.

The airport filed an appeal against the decision of the court of first instance, but it was not satisfied^[2].

Notes