Cyber Threat Actor: Chrichir
| Actor Type | Location | Known Incidents |
Activist
|
Australia
|
3 incidents |
|---|
Profile
Chrichir, also known as ChrichirTheGod, is a threat actor identified in open sources as operating from Australia. The actor uses the aliases Chrichir and ChrichirTheGod on social media platforms such as Twitter and has been linked to multiple intrusions against educational institutions. Publicly reported activity shows a focus on the education sector, with targets including a personal‑training college in Australia, a technical and further education institute in Australia, and a university in the United States. The actor’s initial access method, as described in the sources, relies on SQL injection techniques to gain entry to web‑facing applications and databases. No malware families or custom tooling are mentioned in the available material; the actor’s approach appears limited to exploiting injection vulnerabilities and then using public channels such as Twitter and Pastebin to announce the compromise. The actor claims to have acted alone in these incidents, with no indication of affiliation to a state sponsor, criminal consortium, or larger hacking group.
In the March 2015 breach of FIT College in Australia, Chrichir stated that together with another individual using the handle @injekt_ they accessed over five thousand student records and more than six thousand payment records, which included names, email and postal addresses, site passwords, bank account details with branch codes, and credit card numbers with expiration dates and CVV codes, although they asserted that the full datasets were not downloaded. A similar pattern emerged in the compromise of South West Institute of TAFE, where the actor posted a tweet confirming access to the institution’s servers and claimed that no student records were exfiltrated, emphasizing the ease of re‑exploiting the SQL injection flaw. The University of Oklahoma incident, also dated March 2015, involved the actor notifying the university via Twitter of a successful SQL injection intrusion, posting details from private communications, and again stating that no personal information was downloaded while highlighting the institution’s lack of response to the notifications. Across these cases the actor repeatedly cited inadequate security measures as enabling the access and used public disclosure to draw attention to the vulnerabilities, without claiming financial gain, espionage objectives, or disruptive intent.
