Menu
Browse

Cyber Threat Actor: Sawfish

Actor Type Location Known Incidents
 Icon
Criminal
Russia
1 incident
Profile

Sawfish is a threatactor known by the alias Sawfish, with publicly available information indicating a possible connection to Russia. The actor has been observed targeting users of GitHub, including employees of companies that rely on the platform for source code management, such as the static code analysis provider DeepSource and its clients Intel, NASA, Slack, and Uber. The primary objective demonstrated in the observed activity is the unauthorized acquisition of GitHub credentials to gain access to private repositories, download their contents, and establish persistent access through the creation of personal access tokens or the authorization of OAuth applications. This focus on credential theft and subsequent repository access suggests an interest in obtaining proprietary code and related intellectual property, although the actor’s explicit motivational framing is not detailed in the source material.

The actor’s tactics, techniques, and procedures center on credential phishing as the initial access vector. Sawfish operators have deployed spearphishing campaigns that employ fraudulent login pages designed to mimic GitHub’s authentic sign‑in interface, thereby harvesting usernames, passwords, and, when applicable, time‑based one‑time password codes from users who do not employ hardware‑based security keys. After obtaining valid credentials, the actor quickly exploits them to log into victim accounts, create personal access tokens, or authorize malicious OAuth applications to maintain access even if the victim later changes their password. Additionally, Sawfish has abused GitHub’s own infrastructure by using free repositories to host phishing kits that are served via github.io pages, facilitating further credential harvesting campaigns. No specific malware families or custom tooling are referenced in the available reports.

Notable publicly reported operations include the April 2020 phishing incident that led to the DeepSource breach, in which an employee’s compromised GitHub credentials enabled the actor to access private repositories and generate persistent tokens, prompting a full credential rotation and user notification by the company. A broader alert issued by GitHub’s Security Incident Response Team described an ongoing Sawfish campaign actively collecting GitHub credentials and 2FA codes from targets across multiple organizations. The actor’s use of GitHub repositories to distribute phishing kits represents a distinct operational pattern that has been observed in separate incidents, illustrating a recurring theme of leveraging the trusted platform itself to support credential‑theft efforts. These examples collectively illustrate Sawfish’s reliance on phishing, credential abuse, and platform manipulation to achieve unauthorized access to source code repositories.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
1 source