Menu
Browse

Cyber Threat Actor: Targetware Team

Actor Type Location Known Incidents
 Icon
Criminal
Russia
1 incident
Profile

The threat actor identified as Targetware Team is known to operate from the Russian Federation, a detail that appears in the limited public reporting on the group. The alias Targetware Team is the sole name used in open‑source accounts of their activities. No alternative monikers or affiliated handles have been attributed to the actor in the sources examined. The actor first entered public awareness through a cyber incident disclosed in December 2021. Apart from the location, no further demographic or organizational specifics about Targetware Team have been made available.

The group’s observed targeting has been confined to the healthcare industry, as illustrated by the breach of a Chicago‑area medical facility. Initial access was achieved by exploiting weak security controls present in the victim’s network infrastructure. No particular malware families, custom tooling, or exploit kits have been described in the available reports concerning this intrusion. The actors’ actions after gaining access focused on the large‑scale extraction of sensitive data rather than disruption or espionage. The subsequent attempt to obtain a ransom and the later sale of the stolen information indicate a financially motivated objective.

During the December 2021 compromise, Targetware Team exfiltrated more than 580 gigabytes of data, encompassing protected health information such as Social Security numbers, government‑issued identification, laboratory test results, COVID‑19 outcomes, and insurance details taken from systems including Yosi System, Docman, and Tempus. Following unsuccessful ransom negotiations with the victim organization, the actors shifted to offering the stolen dataset for sale on underground markets. The compromised healthcare provider did not issue a public acknowledgment of the breach nor respond to inquiries despite the threat actors providing evidence of the intrusion. This healthcare‑sector incident remains the sole publicly documented operation linked to Targetware Team. No additional campaigns or associated threat‑intelligence reports have been attributed to the group at this time.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources