Menu
Browse

Cyber Threat Actor: Pravyy Sector

Aliases: 3 aliases
Actor Type Location Known Incidents
 Icon
Criminal
Ukraine
2 incidents
Profile

Pravyy Sector, also known as Pravy Sektor or Right Sector, is a threat actor that has operated under multiple name variations and is associated with Ukraine based on available information. The actor has targeted government, telecommunications, and healthcare sectors in Poland and the United States, demonstrating a pattern of intrusions that seek to obtain and expose sensitive data. In the 2016 attack on Poland’s Defence Ministry, the group exfiltrated military personnel records, internal documents and intranet logs and then demanded a $50,000 ransom to prevent public release, indicating a financially motivated extortion objective. During the same period, the actor claimed to have uncovered evidence linking Poland to the US PRISM surveillance program, although security analysts assessed that data as likely fabricated, showing that the actor also attempts to generate publicity through alleged espionage revelations. The actor’s communications have included public posts on Twitter and direct demands for payment to a Ukrainian bank account or a Bitcoin address, underscoring the use of social media for pressure and the preference for trace‑less financial mechanisms.

The actor’s observed tactics, techniques and procedures focus on gaining access through web‑based interfaces, extracting structured data and leaking it openly. In the breach of Poland’s second‑largest telecom provider Netia, the actor exploited two types of web forms used by visitors to contact the company or sign contracts, thereby obtaining initial entry to the internal network. Once inside, the actor exported multiple SQL database files, a 9 GB log file containing session IDs, IP addresses, browser and operating system details, and large collections of email addresses, which were subsequently posted on underground forums. The exposure of session identifiers allowed unauthorized authentication without credentials, a technique highlighted by independent researchers. In the Ohio urology clinic incident, the actor posted a link to over 150 GB of patient records, financial spreadsheets and human‑resource documents on Twitter, again relying on data dumps rather than deploying specific malware families. No particular malware, exploit kits or custom tooling is mentioned in the source material, so the actor’s tooling style is best described as data‑centric extraction and public leakage.

Attribution remains uncertain; while the actor uses the name Right Sector, which is also associated with an extremist Ukrainian nationalist organization currently outlawed in Russia, the source material explicitly states there is no evidence to support the hackers’ claims of affiliation with that group or to confirm their Ukrainian or Russian nationality. Consequently, no state sponsorship or criminal consortium linkage can be derived from the available reports. Representative operations that illustrate the actor’s activity include the 2016‑07‑15 Defence Ministry breach with ransom demand, the 2016‑07‑07 Netia telecom compromise that leaked customer data and session IDs, and the 2016‑08‑02 dump of sensitive patient data from Ohio urology clinics. These incidents collectively show a pattern of financially motivated extortion, data leakage for notoriety, and the exploitation of web‑form vulnerabilities across multiple sectors and regions.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
3 sources