Cyber Threat Actor: Team Hans
| Actor Type | Location | Known Incidents |
Criminal
|
Russia
|
1 incident |
|---|
Profile
TeamHans is a threat actor known by that alias and has been linked to operations originating from Russia. The group’s known activity focuses on the telecommunications sector, with the only publicly reported target being a Canadian telecommunications company. Their observed strategic objective appears to be financial gain, as they attempted to extort a bitcoin ransom before releasing stolen data when the demand was not met. No public information connects Team Hans to state sponsorship or a larger criminal consortium.
The actor’s tactics rely heavily on social engineering, specifically impersonating employees to trick support staff into revealing credentials and security answers for a mid‑level employee. After obtaining the employee’s identifier and security responses, they posed as that individual to acquire the corporate Outlook password, thereby gaining legitimate access to the VPN and internal network. Once inside, they moved laterally to reach email servers and file stores, exfiltrating contracts, business emails, employee identification documents, and VPN credentials. The exfiltrated data amounted to over 400 MB, which the group threatened to keep private in exchange for 70 bitcoins, and subsequently leaked publicly after the ransom was not paid. No malware families or custom tooling are mentioned in the available sources.
The most notable operation attributed to Team Hans is the February 20 2015 breach of Rogers Communications, during which they used the described social engineering chain to access corporate information and attempt a monetary extortion. This incident remains the sole publicly documented campaign that illustrates the actor’s typical approach of credential harvesting via deception followed by data theft and a financial extortion attempt. The outcome—public release of the stolen data after the ransom refusal—has been cited in the company’s statement and subsequent reporting.
