
Cyber Threat Actor: Phoenix

Actor Type: Activist
Location: Ukraine
Known Incidents: 2 incidents
Profile

Phoenix is a threat actor that operates under that alias and has been identified as operating from Ukraine. The group describes itself as pro‑Russian and claims affiliation with the hacker collective Killnet. In public statements Phoenix has framed its actions as opposition to Western sanctions on Russia, citing India’s compliance with the G7‑approved oil price ceiling as a motivating factor. It has repeatedly referenced this pro‑Russian stance in its communications about the Indian health‑sector incident.

The actor has targeted both the healthcare sector in India and the financial/insurance sector in the United States, focusing on organizations that store sensitive personal data or manage large insurance portfolios. Its observed objectives include the exfiltration of hospital, staff and patient information and the deployment of ransomware to generate financial gain through extortion. In March 2023 Phoenix asserted that it had compromised the Indian Health Ministry’s Health Management Information System, saying it possessed data on hospitals, chief physicians and patients across the country. The March 2021 attack on CNA Financial involved a ransomware variant dubbed Phoenix CryptoLocker, which appended the .phoenix extension to encrypted files and left ransom notes on more than fifteen thousand devices, including remote systems reached over VPN connections. Together, these two operations illustrate the actor’s blend of data‑theft and financially motivated campaigns.

The ransomware operation relied on initial access through compromised VPN connections, a vector that allowed the malware to spread across the victim’s network. Public reporting notes that Phoenix’s tactics are consistent with using ransomware as its primary tool, while it also claims to harvest data from breached health‑care systems. Although some analysts have speculated a connection to the sanctioned Evil Corp group, no definitive evidence has been presented to confirm such a relationship, and the only clearly established affiliation is with the Killnet collective. The actor’s public posture remains tied to its pro‑Russian messaging and its use of the Phoenix CryptoLocker payload in extortion attempts.

Incidents
2 attributed incidents (details available to members)

Sources
1 source (details available to members)