Pro-Ukrainian hacktivist group DumpForums has announced it breached Dr.Web, a prominent Russian cybersecurity firm, allegedly stealing over 10 terabytes of sensitive information. This theft reportedly includes internal projects, client databases, and access to critical infrastructure.
The breach was revealed by DumpForums in a Telegram post on October 8, 2024, following Dr.Web’s detection of a cyberattack that occurred on September 14. In a subsequent blog entry on September 17, Dr.Web maintained that it had thwarted the attack, claiming no user data had been compromised. However, the assertions made by the hacktivists present a stark contradiction to the company’s earlier statements.
According to DumpForums, the hacktivists meticulously planned their infiltration of Dr.Web’s local network, where they subsequently compromised multiple servers and resources within a few days. They allege that they accessed and extracted data from Dr.Web’s corporate GitLab server, which holds internal projects, and other systems including the email server, Confluence, Redmine, Jenkins, Mantis, and RocketChat. Furthermore, they claim to have accessed the full client database, which has reportedly been leaked on their forum.
Adding to the severity of the breach, the hacktivists assert they gained control of Dr.Web’s domain controller. This is a pivotal component of the company’s infrastructure, as it manages authentication and system access within the network. Control over the domain controller would give the attackers extensive access throughout Dr.Web’s systems, enabling them to covertly extract a substantial volume of sensitive data over an extended period. They suggest that their presence in the system went undetected for up to a month, raising concerns about Dr.Web’s security measures.
Hackread.com, the source of this information, has reached out to Dr.Web for comments regarding the claims made by DumpForums, and updates will follow as further information becomes available.
This incident reflects a continuing trend in cyber warfare between Ukraine and Russia, escalating since the conflict began on February 24, 2022. DumpForums has been involved in various cyberattacks targeting Russian infrastructure, reinforcing its commitment to cyber resistance. Reports indicate that Russian cyber operations against Ukraine have recently shifted from broad-spectrum attacks to a more focused approach, primarily targeting military and defense sectors.
Business leaders should examine this breach through the lens of the MITRE ATT&CK framework. Tactics likely employed in this attack include initial access, where adversaries exploit vulnerabilities to infiltrate a system; persistence, allowing them to remain entrenched in the network; and credential access, for example through credential dumping, whereby attackers gather authentication information to gain further system access. Understanding these tactics can help organizations fortify their defenses against similar threats.
As cyberattacks continue to evolve, the need for robust security measures becomes increasingly critical. The breach of Dr.Web highlights vulnerabilities that could affect not only the firm but also its clients and the broader cybersecurity landscape. Organizations must remain vigilant and proactive in assessing their security protocols in light of such incidents.