Menu
Browse

Cyber Threat Actor: GHNA

Actor Type Location Known Incidents
 Icon
Criminal
2 incidents
Profile

GHNAis the alias used by a threat actor that has been linked to the theft of customer support records from a German electronics manufacturer’s ticketing system. The actor first came to public attention in a 2021 incident in which approximately 270,000 records containing names, postal addresses, email addresses, order details and internal communications were taken from a system managed by the third‑party provider Spectos GmbH. A similar breach was reported in November 2025, when the same volume of data was extracted from Samsung Germany’s support platform and subsequently offered for sale on a darknet forum. In both cases the intrusion began with the compromise of an administrative credential belonging to an employee of Spectos GmbH, a credential that had been harvested by infostealer malware and left unchanged for an extended period. The actor’s use of stolen credentials to gain persistent access to a partner‑managed environment indicates a focus on exploiting weak identity‑management practices rather than developing custom exploits. The primary observable motive in the disclosed incidents is financial gain, as the exfiltrated datasets were advertised for purchase by other cybercriminals seeking to conduct phishing, fraud or identity‑theft schemes.

No public attribution has tied GHNA to a state sponsor, hacktivist collective or known criminal alliance, and the actor remains unlinked to any specific geopolitical agenda. The malware employed in the credential‑theft phase has not been named in the available reporting, but its classification as an infostealer suggests capabilities aimed at harvesting passwords, session tokens and other authentication material from infected endpoints. After obtaining the valid admin login, GHNA appears to have moved laterally only as far as necessary to reach the ticketing database, copying the relevant tables before exiting the network. The actor’s operational style therefore reflects a low‑complexity, credential‑based approach that relies on the persistence of poorly rotated passwords and the availability of underground markets for the stolen data. The Samsung Germany breach stands as the most recent publicly documented operation attributed to GHNA, illustrating how a single compromised third‑party credential can lead to a large‑scale data leak when combined with lax credential‑rotation policies. While the actor’s broader toolkit, affiliations and long‑term objectives remain unknown, the repeated pattern of credential theft followed by data monetization provides a clear picture of its current tactics.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
0 sources