22.12.2025
2 min
444
A hacker attack on the Kazan-based IT company “Mikord” exposed internal materials related to one of Russia’s most sensitive state projects — the Unified Military Conscription Register. Leaked documents, internal correspondence, and technical descriptions made it possible for the first time to see how a system designed for digital control and mass mobilization is actually being built. Journalists analyzed more than 100 gigabytes of data, spoke with company employees and government project supervisors, and consulted independent technical experts to assess the register’s architecture.
Below is what was uncovered.
On the evening of December 5, Mikord employees gathered at a bar in Kazan. At that moment, they had no idea that the company’s entire infrastructure had already been destroyed, and that its website, social media accounts, and internal systems were under hacker control.
Several hours later, employees noticed a statement posted by the attackers on the company’s Instagram account. Panic spread through internal chats — nothing was working and access to systems was completely lost.
The Kazan-based company Mikord is one of the key developers of Russia’s Unified Military Conscription Register. After the breach, hackers obtained access to internal documents and passed the data to the human rights project “Idite Lesom”, which then shared it with journalists.
The company has operated for 18 years, founded in 2007 by IT entrepreneur Alexander Nikolaev. Initially, Mikord worked on small regional government contracts in Tatarstan and implemented proprietary IT solutions for businesses.
In 2016, the company secured a major contract to develop the Unified Civil Registry (ZAGS), digitizing handwritten records and automating regional registry offices. After that, Mikord worked on dozens of large government systems, including projects for Rosatom, regional government databases, and the “Work in Russia” portal.
Mikord’s success is believed to be linked to the founder’s connections. Alexander Nikolaev was associated with the family of Nikolai Nikiforov, former Minister of Communications of Tatarstan and later of Russia, who subsequently joined the board of Rostelecom. It was during Nikiforov’s time at the federal level that Mikord began gaining access to major national IT systems.
In 2024, Mikord was brought into the development of the Unified Military Conscription Register. There are no publicly available contracts, but leaked materials include an additional agreement showing that the company effectively joined the project in February 2024.
The contract was signed with RT Communications Systems, a Rostelecom subsidiary. Mikord received at least 377.5 million rubles for its work. The choice of Mikord was driven by prior experience — the company had previously built a special module for security agencies within the ZAGS system.
The company was responsible for several critical components of the system:
The personal user account for conscription notices
Analytical dashboards for military leadership, including senior Ministry of Defense officials
A special module for security agencies
Technical documentation shows that Mikord was not merely a subcontractor, but effectively provided Rostelecom with its own Web-BPM technology platform, which underpins much of the register’s functionality.
Although the register was supposed to launch in 2024, deployment was repeatedly delayed. The Ministry of Digital Development cited “strict information security requirements.”
In reality, those requirements were routinely ignored. As early as summer 2024, Mikord employees were formally instructed not to share documents or access credentials via messengers. Leaked materials show that this rule was violated by both regular staff and project managers.
Employees exchanged workstation passwords via Telegram, asked colleagues to log in on their behalf, and even clocked working hours for one another. According to a source involved in the breach, these practices significantly simplified access to the company’s infrastructure.
As a result of the attack, hackers gained access to source code, documentation, and correspondence with Rostelecom, the Ministry of Defense, and RT Communications Systems. More than 80 servers and 43 terabytes of data, including backups, were destroyed. Hackers estimate that full recovery could take several months.
Company director Ramil Gabdrakhmanov confirmed during an internal call that operations were effectively halted until at least mid-December, affecting not only Mikord staff but also RT CS developers.
Formally, the register’s customer is the Ministry of Digital Development, but the actual end user is the Ministry of Defense. Other agencies were also involved. The Analytical Center under the Russian Government approved the architecture and personal data storage.
In spring 2024, the center conducted a closed usability study and deemed the system unfit for industrial deployment, citing strong negative user feedback. Despite this, the system was repeatedly demonstrated to the prime minister, the defense minister, and senior digital officials under intense pressure and tight deadlines.
Although publicly described as a “civil” system, internal documents show otherwise. The technical specification explicitly includes mobilization functionality.
A dedicated “general’s dashboard” allows filtering potential conscripts by age, gender, family status, and medical criteria. The system can send unlimited numbers of draft notices and process hundreds of thousands of travel restrictions.
Special attention is given to the Unified Integration Component (UIC / ECS). This module allows security agencies to delete or modify records without leaving any trace. All actions are performed without logging, and even deletion records are destroyed.
This makes oversight impossible and allows any individual to be erased from the register. Citizens can be removed either individually or in bulk, by uploading entire lists.
The Mikord breach did not provide direct access to the conscription database itself, which is located within a closed perimeter accessible only after FSB clearance. On January 9, 2025, an explanatory note was officially approved, which describes in detail the method of implementing the EKS. It follows from it that all data entering the register must first be blocked for three days. During this time, the EKS operators check them and, if necessary, change the data about a person so that he becomes unrecognizable, or clean up the necessary people. “If it is necessary to demolish, mask data about a citizen, we erase all the cards with wool and change the surname everywhere,” explained the principle of “editing or depersonalizing” data at the development stage, the chief architect of the ERVU Yuriy Kiryanov. People can be deleted en masse, by downloading an entire list, or pointwise.
However, experts highlight two major risks:
the massive volume of collected personal data and the existence of the ECS module, which enables silent manipulation. In the event of an internal leak, consequences could be severe.
The register is designed to store data on 25 million people, with more than 300 parameters per individual. Its capacity allows the issuance of up to one million draft notices per year.
Human rights advocates describe the system as a “digital Gulag” — a tool that makes draft evasion nearly impossible and turns mobilization into a fully managed digital process.
Leaked materials show that the register is being built by a young regional team. Many employees did not want to participate; some quit for moral reasons. Internal chats are filled with fatigue, irritation, and cynicism.
One analyst summed up the project’s theme in a single word: “dirt.” That word became its unofficial internal name.
The Mikord hack was a rare opportunity to look inside a system that the state has tried to hide from public scrutiny for years. The leaked materials show that the Unified Military Registration Registry is not just a bureaucratic tool, but a complex digital infrastructure with elements of manual control, selective “invisibility” and the potential for mass control. The combination of outdated security approaches, the human factor and excessive concentration of personal data makes the system vulnerable not only to external attacks, but also to internal abuse. In the long term, this creates serious risks both for citizens themselves and for the stability of state digital services.
