Hackers Disrupt Russia's Drone Weaponization Network
A volunteer-run network of service centers halts custom firmware updates for DJI drones following a cyber attack.
Can a cyber operation have an impact on drone warfare? Recent developments in Russia offer an example of how this can happen in a not-so-obvious way.
On Friday, a volunteer group Russian Hackers for the Front (“Русские Хакеры – Фронту”, RH) known for building a customized firmware for DJI drones reported a cyber attack that affected its servers and end-point devices (terminals). While recovering from the attack, RH instructed hundreds of service centers to stop using its terminals until further notice, thus pausing a wide operation of weaponizing commercial drones.
Although details are scanty, this is a rare publicly reported cyber attack that affects drones warfare and might have militarily significant consequences.
In this post I will summarize what is known about the attack and provide additional information about the impact and who might be behind it.
What Happened
Russian Hackers for the Front shared information about the cyber attack on their Telegram channel on Friday and Sunday (see the two posts auto-translated below).
The attacker reportedly gained access to RH’s servers, used this access to deface remote terminals with a false message, and turned off the servers. Since this infrastructure is used to distribute customized firmware for DJI drones there was a chance that the attackers could have also compromised this firmware and thus backdoored the drones. RH initially estimated that the probability of that was extremely low. They subsequently verified that there were no changes in the firmware installed in a week before the attack. At the same time they instructed operators of their terminals to disable them because of the risk of the attacker’s access.
An overview of RH’s activity should help understand the significance of the attack and the disruption caused by it.
What is “1001,” Firmware
The Telegram channel Russian Hackers for the Front was created in early July 2023 with the stated goal to share tools built by Russian hackers that can be used on the front. From the very start, the channel was focused on solution for DJI drones.
A few weeks after the launch, RH presented the first version of its customized “1001,” firmware for DJI Mavic 3—a commercial Chinese-produced quadcopter drone widely used by both Russian and Ukrainian forces. The “1001,” was a jailbreak version of the standard software that removed a whole set of limitations. It disabled DRONE ID rendering hacked drones invisible for drone detection tools such as AeroScope. It lifted No Fly Zone restrictions, allowed “no GPS” flights to avoid GPS spoofing, lifted height and distance restrictions, etc. After the “1001,” was installed, it was impossible to un-patch the drone. Essentially, this customized firmware made the commercial device more fit for being used as a weapon.
RH would regularly update its “1001,” firmware (the latest version is 53) making it available for other DJI models. For an English overview of the modifications check out this piece by David Hambling.
RH didn’t make its firmware publicly available but chose a different different distribution model. To rewire a drone with “1001,” one had to visit a designated service center where the customized firmware would be installed from a specialized laptop (terminal) supplied by RH. The reason RH opted for this distribution model apparently has to do with proliferation concerns: by controlling where the firmware can be installed they tried to ensure that it is only available to the warfighters, not civilians, and that the Ukrainians don’t get hold of it (still, there are occasional reports that a version of the “1001,” leaked).
Supposedly, the terminals would receive the regularly updated “1001,” firmware from RH’s remote servers. Thus, when the attackers gained access on the server side they were also able to distribute the message to end-point devices across the network. This can also be viewed as sort of an attack on supply chain, albeit the update system was not compromised.
What is the Impact
Although the attackers didn’t manage to replace the firmware with their own compromised version and didn’t cause a cinematographic effect like simultaneously seizing control of hundreds or thousands of drones, the impact of the attack might still be quite significant.
Consider these figures. Within a year, by August 2024, this firmware service was provided at more than 400 centers both across Russian regions and close to the frontline. By that time, RH claimed that the “1001,” was installed on more than 90,000 drones.
Some experts like Sam Bendett questioned this claim and argued that it’s ultimately unverifiable. But the figures are not far-fetched. On August 16, 2024, RH claimed the 100,000 rewired drones, and on March 2, 2025, this figure allegedly doubled. This would be roughly 500 drones a day, or 1-2 drones per service center a day. Which is not too many.
The pace seems to have increased in recent months. In the end of May the network of service centers that install the “1001,” claimed 250,000 rewired drones. So, this spring there were on average 560 jailbroken drones a day.
A pause caused by the cyber attack can thus slow down the weaponization of commercial DJI drones by 500-560 devices a day. The “1001,” is not the only rewiring option, so the attack does not cause a complete paralysis. But the disruption can definitely have implications for drone warfare and if the pause lasts long enough it might have consequences for the operational situation.
Who Did It
No one has claimed this attack yet, so this section is speculative.
Obviously, this was not a random hack. Since the victim is highly specialized and linked to warfighting, it is safe to assume that it was a deliberate sabotage operation.
In February 2024, there was another cyber attack with a very similar intent targeting COS Project, another Russian volunteer effort to develop customized firmware for drone controllers and monitors. During the attack, users could not update their drone controllers via COS Project servers. At that time, not one but two Ukrainian entities took credit for the disruption: the Main Directorate of Intelligence of the Defense Ministry (GUR) and IT Army of Ukraine. COS Project was apparently DDoS’ed, but it’s unclear whether other means were used by the attackers as well. From the technical standpoint this is not the same to what seems to have happened to RH, but the objective to disrupt drone warfare is comparable.
Was this recent attack launched by GUR or another Ukrainian intelligence agency? I think it a reasonable guess. In fact, in the past GUR have publicly claimed several cyber attacks on Russia, so if it was involved in this hack there might be some sort of acknowledgement this time, too.
Conclusion
To conclude, I’m not trying to overhype this reported cyber attack. Plus there are still a lot of things that we simply don’t know. But even from what is publicly available it is clear that this is a rather unique operation targeting a militarily significant system—even though run by volunteers—with possible implications for drone operations.
More generally, this case illustrates that military innovation (such as customized firmware for weaponizing commercial drones) creates new dependencies and vulnerabilities that can be better understood by the attackers than by the defenders.