Cyber Threat Actor: NLB
| Actor Type | Location | Known Incidents |
Activist
|
Ukraine
|
2 incidents |
|---|
Profile
The threat actor known as NLBTeam, also referred to as NLB, is a pro‑Ukrainian hacking group that has been identified in open sources as operating from Ukraine. The group uses the aliases NLB Team and NLB in public communications and in the leak messages associated with its operations. Public reporting links the group to a series of data‑exposure incidents targeting Russian organizations.
In December 2022 the group breached the Moscow Electronic School platform, exfiltrating a database that contained login credentials, full names, birth dates, government identification numbers, email addresses and phone numbers for over three million users. The leaked data was said to affect a large portion of the Moscow population, including schoolchildren, and independent checks confirmed the authenticity of the records despite official denials. The Moscow Electronic School leak was first reported by data‑industry Telegram channels and the Meduza outlet, which noted that the database contained 3.3 million unique phone numbers. No evidence was presented that the attackers altered or destroyed the data; the primary action was the public disclosure of the extracted information. In September 2022 the same group was alleged to have compromised the Russian retail chain Digital Network System (DNS), obtaining personal information such as full names, usernames, email addresses and phone numbers for approximately sixteen million customers and employees. DNS confirmed that passwords and payment card data were not stored on its systems and therefore were not taken in the incident. The DNS leak appeared on a hacking forum hours before the company’s public acknowledgment, with the actor claiming responsibility for the theft. As with the education platform breach, the DNS incident involved the copying and release of personal data without any reported encryption or ransom demand. Both incidents were described as resulting from the exploitation of a security gap or vulnerability in the target’s IT infrastructure, allowing the actors to access and copy the stored data. No specific malware families, custom tools or particular initial‑access techniques such as phishing or credential‑stuffing are mentioned in the available sources. The group’s affiliation is characterized as pro‑Ukrainian, with sources noting that the actors reside outside the Russian Federation, but no direct state sponsorship or criminal‑consortium ties have been publicly established. Consequently, the known activity of NLB Team consists of these two large‑scale data‑leak operations aimed at exposing personal data of Russian citizens.
