Menu
Browse

Cyber Threat Actor: Harak1r1

Actor Type Location Known Incidents
 Icon
Criminal
United States of America
1 incident
Profile

Harak1r1 is a threat actor known by that alias and has been publicly linked to activity originating from the United States of America. The actor came to attention in late 2016 when a misconfigured MongoDB database belonging to the Emory Brain Health Center was compromised. The compromise involved the actor locking the database and issuing a ransom demand payable in Bitcoin for the restoration of the exposed patient records. No public evidence ties Harak1r1 to any state sponsor, criminal syndicate, or larger hacking group, and the actor’s affiliations remain unspecified in open sources.

The incident shows that Harak1r1’s targeting includes the healthcare sector, specifically a medical research institution located in the United States. The actor’s objective in this case was financial, as evidenced by the explicit request for Bitcoin payment to regain access to the data. The method used to gain initial access was the exploitation of an unsecured MongoDB instance, a technique that does not rely on custom malware but rather on scanning for and leveraging improperly configured databases. After gaining access, the actor deleted or encrypted the data and left a ransom note, with no indication that data was exfiltrated beyond the deletion or encryption action.

The Emory Brain Health Center breach initially was believed to affect about two hundred thousand patients, but later assessment reduced the number to roughly ninety thousand unique individuals whose names, medical record numbers, addresses, birth dates, email addresses, and cellphone numbers were exposed. Emory reported that the database was managed by a third‑party service provider and that restoration from backups allowed the organization to recover without paying the ransom. This event occurred amid a broader wave of similar attacks that targeted unsecured MongoDB installations across various industries, although no public reporting has connected Harak1r1 to any other specific campaigns beyond the Emory incident. Consequently, the publicly known profile of Harak1r1 is limited to this single, financially motivated ransomware‑style operation against a U.S. healthcare entity.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources