Menu
Browse

Cyber Threat Actor: Kapustkiy

Actor Type Location Known Incidents
 Icon
Activist
Russia
24 incidents
Profile

Kapustkiy is the primary alias used by a threat actor known to operate from Russia. The actor has been associated with the hacking collective New World Hackers as a researcher and penetration tester, and previously claimed affiliation with the Powerful Greek Army. These affiliations are referenced in multiple incident reports where Kapustkiy coordinates with group members or acknowledges prior group membership.

The actor’s observed targeting focuses on government and diplomatic entities across a wide range of regions, including ministries of defense, foreign affairs, industry, visa bureaus, chambers of commerce, embassies, and human rights organizations. Incidents have been documented in Venezuela, Russia, the Netherlands, Hong Kong, Slovakia, Argentina, Ecuador, Costa Rica, China, India, Italy, Paraguay, Switzerland, Mali, Romania, Malawi, Libya, and Hungary. Strategic objectives described by the actor include exposing security vulnerabilities to prompt remediation, raising awareness among administrators about the consequences of poor security, and conducting politically motivated protests against specific regimes, such as the leadership of Nicolás Maduro in Venezuela.

Typical tactics involve initial access through SQL injection vulnerabilities, local file inclusion flaws, and exploitation of weakly protected administrator accounts, as seen in the breach of the Argentinian Ministry of Industry where an easily guessable password was used. The actor routinely notifies victims and relevant computer emergency response teams after intrusions, shares limited data on Pastebin as proof of compromise, and communicates via Twitter direct messages. While the actor has not been linked to specific malware families, associated collaborators have employed distributed denial of service attacks against Italian government and Russian federal sites.

Representative operations include the January 2017 compromise of the Venezuelan Ministry of Defense website via an unpatched vulnerability, the December 2016 breach of the Russian Visa Center in the United States where approximately three thousand records were accessed but not publicly leaked, and the December 2016 intrusion into the Slovak Chamber of Commerce that exposed over four thousand user records. Additional notable actions involve the December 2016 breach of the Russian Consular Department in the Netherlands, the December 2016 attack on the Argentinian Ministry of Industry using administrator credentials, and the November 2016 compromise of the Hungarian Human Rights Foundation website alongside a collaborator. These incidents illustrate a pattern of targeting governmental and diplomatic infrastructure to highlight security deficiencies and, in certain cases, to voice political dissent.

Incidents
Attributed incidents available to members
24 incidents
Sources
Sources available to members
16 sources