Cyber Threat Actor: Popopret
| Actor Type | Location | Known Incidents |
Hacker
|
United States of America
|
1 incident |
|---|
Profile
The threat actor known as Popopret operates under that alias and has been linked to activity originating from the United States of America. Public reporting identifies the actor by the moniker Popopret, with no other aliases disclosed in the available sources. The actor’s geographic base is noted as the United States, though no further detail about specific city or state is provided. This establishes the basic identification of the actor for the purpose of the profile. The only publicly attributed incident involving Popopret occurred in April 2017 when a Californian Internet service provider suffered a widespread outage affecting both internet and telephone connectivity. The outage resulted from a malicious hacking event that targeted specific modem models, namely the Zyxel HN-51 devices deployed by the provider. The disruption affected a substantial number of customers, prompting the provider to undertake large‑scale hardware replacement and repair efforts. The nature of the impact—rendering modems unable to connect to the network—points to a disruptive objective rather than financial gain or espionage. Consequently, the actor’s observed activity aligns with a focus on causing service interruption within the telecommunications sector, specifically within the United States.
Analysis of the incident suggests the involvement of IoT‑oriented malware families, with evidence indicating that BrickerBot, which disables devices by overwriting their storage, played a role in the disruption. The malware’s capability to brick devices aligns with the observed loss of connectivity experienced by the ISP’s customers. Additionally, investigators noted the possible contribution of Mirai‑like malware, although the exact relationship between the two families in this event remains unclear. The attack vector appears to have exploited vulnerabilities in the modem control interfaces, a technique previously observed in similar attacks on consumer networking equipment. No public attribution ties Popopret to a state sponsor, criminal consortium, or any other organized group, and thus any affiliation remains undetermined based on current information. The April 2017 ISP outage stands as the sole representative campaign publicly associated with the actor to date.
