Cyber Threat Actor: DeleteSec
| Actor Type | Location | Known Incidents |
Sensationalist
|
China
|
3 incidents |
|---|
Profile
DeleteSec is a hacker collective known by the alias DeleteSec and has been linked to operations originating from China. The group first came to public attention in early 2014 when it claimed responsibility for a series of data breaches that were announced on its Twitter account and shared through platforms such as defuse.ca and MediaFire. Their activity is characterized by the public release of stolen credentials and personal data after gaining unauthorized access to target websites.
The observed targets span several sectors and geographic regions without a clear pattern of restriction. DeleteSec breached a United States and European manufacturer and distributor of industrial components, compromising customer email addresses, passwords and corporate contact information. They also attacked a United Nations‑affiliated internet governance forum, exposing account details of participants from numerous government entities and a wide range of email providers. In another incident they compromised a national literacy initiative based in the United States, leaking personal information including names, addresses and plaintext passwords from over five thousand accounts. These incidents show that the group focuses on web‑based services that store user data, regardless of the industry or the perceived sensitivity of the information.
The primary initial access vector referenced in the reports is SQL injection, specifically targeting the news section of a corporate site and exploiting a MySQL injection vulnerability in the literacy initiative’s platform. No malware families or custom tooling are mentioned in the available sources; instead the group relies on publicly available web application flaws to extract data. After exfiltration, DeleteSec distributes the stolen material via file‑sharing services and announces the leaks on social media, indicating a tooling style that emphasizes simplicity and the use of existing leak‑distribution channels.
Public attribution does not extend beyond the alias and the inferred geographic origin; no definitive connection to a state sponsor, criminal consortium or other organized group has been established in the cited material. Consequently, any claim about state nexus or affiliation with a larger criminal network would be speculative and is omitted here.
Representative operations that illustrate DeleteSec’s methodology include the SPIROL International breach where approximately seventy thousand customer records were leaked, the United Nations Internet Governance Forum compromise that exposed over three thousand accounts with encrypted passwords, and the Reading Rockets incident that resulted in the release of more than five thousand user credentials in plaintext. These examples demonstrate the group’s repeated reliance on web‑application injection techniques to obtain and subsequently disclose sensitive data.
No further details about internal structure, funding, or long‑term objectives are available from the provided sources.
