Menu
Browse

Cyber Threat Actor: Light

Actor Type Location Known Incidents
 Icon
Criminal
Russia
1 incident
Profile

Light is a ransomware group that has been publicly identified by the alias Light and is associated with operations originating from Russia. The actor came to attention in April 2020 when it breached the network of Zaha Hadid Architects, a high‑profile architecture firm, and subsequently deployed ransomware to encrypt the victim’s systems. After compromising the network, the group exfiltrated a broad range of sensitive data, including payroll records, bank documents, employee contracts, email inbox dumps, SSL certificates, and Active Directory credentials, which it used to threaten public release on the dark web unless a ransom payment was made. This pattern of combining encryption with data theft and extortion aligns with a financially motivated objective, as the actors explicitly demanded payment to prevent the leak of the stolen information.

The tactics observed in the Zaha Hadid incident involve the use of ransomware to render systems inaccessible, coupled with the collection and exfiltration of valuable corporate assets to increase pressure on the target. While the specific malware family employed by Light was not disclosed in the reporting, the actors demonstrated capability to obtain and leverage high‑privilege credentials such as SSL certificates and Active Directory details, suggesting a focus on credential harvesting and lateral movement within the victim’s environment. No public details are available regarding the group’s initial access vectors, preferred tooling beyond ransomware and data theft, or any affiliations with larger criminal consortia or state sponsors.

To date, the Zaha Hadid Architects breach remains the sole publicly documented operation attributed to Light, serving as a representative example of the group’s approach to targeting prominent organizations for monetary gain through ransomware and data leak extortion. The incident highlights the actor’s willingness to engage with media outlets to validate its claims and to set firm deadlines for data publication, reinforcing the extortion component of its strategy. No further information about additional campaigns, geographic focus beyond the Russian origin, or sectoral preferences beyond the architecture industry is available in the open sources referenced.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
1 source