Menu
Browse

Cyber Threat Actor: Network Battalion 65

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Activist
Russia
11 incidents
Profile

Network Battalion 65, also known as NB65, is an Anonymous‑affiliated hacktivist group that has been identified as operating from Russia. The collective uses the NB65 moniker in its public communications and has claimed responsibility for a series of cyber operations targeting Russian entities since early 2022. The group presents itself as part of the broader OpRussia campaign, framing its actions as a response to the invasion of Ukraine and to perceived Russian sanctions resilience.

NB65’s targeting has focused on Russian organizations across several sectors, including financial services, energy and customs logistics, transportation, state media, military personnel data, and satellite infrastructure. In May 2022 the group claimed to have encrypted the networks of the Russian payment processor Qiwi and exfiltrated 10.5 TB of data, including millions of payment card records, while threatening to release additional information unless contacted within three days. In April 2022 NB65 participated in the #OpRussia effort against the Russian customs broker ALET, exfiltrating and leaking approximately 1.1 TB of email data that exposed customs declarations for oil, coal and petroleum products handled for over 400 clients. The group also compromised a Russian travel agency, leaking 399 GB of internal files, and breached Gazprom Linde Engineering and Technotec, stealing hundreds of gigabytes of email correspondence tied to the oil and gas sector. Additional operations targeted Russian state broadcasters such as VGTRK, the Federal Penitentiary Service website, and surveillance camera systems, with the aim of disseminating anti‑war messages and exposing propaganda efforts. NB65 has also claimed to disrupt Russia’s vehicle monitoring system used by Roscosmos, asserting deletion of the WS02 software tool, credential rotation and server shutdowns, and has participated in distributed denial of service actions against Russian state‑controlled media outlets.

The group’s reported tactics, techniques and procedures include the deployment of ransomware to encrypt victim networks, large‑scale data exfiltration followed by public leakage via platforms such as DDoSecrets, website defacement with political messages, hijacking of surveillance cameras to broadcast anti‑war content, credential rotation, deletion of administrative tools, and the use of or promotion of DDoS tools to disrupt online services. No specific malware families are named in the source material, and no explicit state sponsorship or criminal consortium affiliation is described; the group’s public alignment is solely with the Anonymous hacktivist collective and its OpRussia initiative. These activities collectively illustrate a pattern of disruption, information exposure and propaganda counter‑operations directed at Russian institutions in the context of the geopolitical conflict.

Incidents
Attributed incidents available to members
8 incidents
Sources
Sources available to members
6 sources