Hackers abuse Yandex Taxi app API, causing massive traffic jam in Moscow

Anonymous hacks Yandex Taxi

This isn’t just a regular day for ordinary Russians.

It’s the morning of September 1st, 2022. In the heart of Moscow, there are huge traffic jams at an address on Kutuzovsky Prospekt (Kutuzov Prospect to some), the six-lane avenue running across the city. Central Moscow is brought to a standstill as cab drivers from the largest taxi service, Yandex Taxi, are all sent to the same location.

The exact location? Hotel Ukraine.

Yandex Taxi doesn’t know it yet, but the traffic jam is caused by binary bullets… cyber warfare in central Moscow, all at an entirely different scale.

Cab drivers arriving at the Hotel Ukraine found a massive traffic jam. They spent about 40 minutes at a standstill, and up to three hours more fighting through the congestion, as all available taxis were still being sent to the same address. But why?

The Anonymous collective claims responsibility

The Anonymous collective is a group of hackers who are frustrated with Russia’s war against Ukraine.

The hackers took control of the Yandex taxi app and directed all of the taxis to one location, causing gridlock.

Creating huge traffic jams like this in central Moscow sounds like something out of a Bond movie. But incidents like this could cripple entire towns if such attacks were targeted deliberately.

Sending every available cab to the same address artificially accumulates cars and creates chokepoints in physical locations. In the very near future, could we see cyber criminals like the Lazarus Group doing this to prevent police from getting to a heist while they are pulling their ill-gotten gains out of a “final destination” bank?

Could we see cyber warfare cripple entire towns by causing large traffic jams just before an invasion or counter-offensive?

Is this a new form of hybrid warfare, where a cyber attack causes a physical, distributed denial of service?

Who knows.

But this all started and stopped in Russia when hackers breached Yandex.

Who is Yandex?

The corporation Yandex is considered the Russian Google. The Yandex Taxi app is even called the Uber of Russia. Yandex is one of Russia’s largest tech companies, working on everything from search to self-driving cars.

It appears the hackers manipulated the Yandex.Go app to create fake orders and sent all available taxis to the same place.

This hack is interesting for a few reasons.

Even before Anonymous claimed responsibility, the company stressed that no personally identifiable information was leaked, and that they had improved their dispatch algorithm in a way that stopped attempts to artificially send dozens of available cabs to the same place.
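As an added illustration of the kind of dispatch-side check the article says Yandex introduced (this is not Yandex’s code; the grid size, thresholds, account names and coordinates are all assumptions), here is a sliding-window guard that refuses to dispatch more than a handful of orders to one map cell, or from one rider account, within a fixed window. A burst of fake orders to a single address is throttled while ordinary orders elsewhere pass through untouched.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Order:
    ts: float      # request time in seconds (constructed timestamps below)
    account: str   # rider account that placed the order
    lat: float     # requested pickup/destination latitude
    lon: float     # requested pickup/destination longitude


def grid_cell(lat, lon, size=0.002):
    """Bucket coordinates into ~200 m cells (assumed granularity)."""
    return (round(lat / size), round(lon / size))


class DispatchGuard:
    """Per-cell and per-account order limits over a sliding time window."""

    def __init__(self, max_per_cell=8, max_per_account=2, window=600):
        self.max_per_cell, self.max_per_account = max_per_cell, max_per_account
        self.window = window                     # seconds (assumed value)
        self.by_cell = defaultdict(deque)        # cell -> recent order times
        self.by_account = defaultdict(deque)     # account -> recent order times

    def _prune(self, dq, now):
        # Drop timestamps that have aged out of the window.
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def admit(self, order):
        """Return (accepted, reason); rejected orders are never dispatched."""
        cell = grid_cell(order.lat, order.lon)
        self._prune(self.by_cell[cell], order.ts)
        self._prune(self.by_account[order.account], order.ts)
        if len(self.by_account[order.account]) >= self.max_per_account:
            return False, "account_rate"
        if len(self.by_cell[cell]) >= self.max_per_cell:
            return False, "cell_saturated"
        self.by_cell[cell].append(order.ts)
        self.by_account[order.account].append(order.ts)
        return True, "ok"


def simulate(orders):
    """Run a time-ordered stream through the guard; return outcome counts."""
    guard, outcome = DispatchGuard(), defaultdict(int)
    for o in sorted(orders, key=lambda o: o.ts):
        outcome[guard.admit(o)[1]] += 1
    return dict(outcome)


# Constructed data: 40 orders in under five minutes to one made-up address from
# 40 throwaway accounts, plus five normal orders spread across other cells.
BURST = [Order(1000 + i * 7, f"acct{i}", 55.7500, 37.5600) for i in range(40)]
NORMAL = [Order(1000 + i * 60, f"rider{i}", 55.76 + i * 0.01, 37.60) for i in range(5)]
```

Running `simulate(BURST + NORMAL)` admits the first eight burst orders and all five normal ones and rejects the remaining 32 as `cell_saturated`; a real dispatcher would also alert on the rejected volume rather than silently dropping it.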

But what the drivers didn’t know was that hackers had breached deep into Yandex and were creating huge traffic jams in response to Russia’s war against Ukraine.

Anonymous vs Yandex

This isn’t the first time Anonymous hacked the corporation Yandex.

In March of this year, Anonymous breached Yandex and leaked over 150,000 records relating to Yandex customers from the “Russian Google” network.

And back in April, the group hacked into Yandex.Navigator, replacing the voice commands in the popular Russian navigation app with excerpts from the works of Lesia Podervianski, a Ukrainian painter, poet, playwright, and performer.

It seems Yandex Taxi is just the latest target of such attacks.

In related news, Anonymous also leaked over 120,000 records of Russian soldiers fighting in Ukraine, disclosing personal information such as names, dates of birth, addresses, unit affiliations, and passport numbers.

It seems anything related to Russia is fair game for the hackers.

What we know about the Yandex Taxi hack

At this point, no one knows for sure what happened. At least, no one wants to own up to it.

There are discussions on the dark web that hackers had a foothold in Yandex for some time. That makes sense when you remember that Yandex suffered a data breach attributed to Anonymous back in March.

What’s more interesting to me, though, are the rumors that the hackers had been reverse engineering Yandex software and figured out how to exploit some of its backend APIs.

That’s clear with the hack on Yandex.Navigator.

So it makes sense that Yandex.Go was exploited to fake orders, sending dozens of available cabs to the same place at the same time.

And with the exact location being at the Hotel Ukraine, it’s a clear sign that #oprussia is in full effect.

So what can we expect in the near future?

This is an exciting (and scary) time for API hackers. I expect in the very near future we will continue to see hacktivists abuse APIs to get their point across.

And cyber armies will embrace it too. A day after the Yandex taxi app was breached and Anonymous claimed responsibility, it was announced that the attack was carried out in cooperation with the IT Army of Ukraine.

APIs will be a major avenue of attack, and hybrid warfare is going to become more mainstream.

That means we need to find these vulnerabilities before other hackers do. The industry needs us to find and fix these flaws in the digital systems we are responsible for testing before threat actors start doing more damage.

It might have only been sending dozens of drivers into a large traffic jam on a major thoroughfare in Moscow this time… but imagine where this could be taken!

If you are new to API hacking and want to get started, I encourage you to download my Ultimate Guide to API Hacking Resources. If you are an old hat at this, time to step up.

We’ve got some work to do.

Dana Epp