Menu
Browse

Cyber Threat Actor: sudo rm -RF

Actor Type Location Known Incidents
 Icon
Activist
Ukraine
1 incident
Profile

The threat actor known by the alias sudorm -RF operates from Ukraine and has been identified as a pro‑Ukrainian hacker group. The group’s name references a Unix command that recursively deletes files, hinting at a focus on destructive operations. Public reporting ties the actor to actions taken in support of Ukraine’s defensive posture during the ongoing conflict with Russia. Before the VGTRK incident, the actor had been mentioned in open‑source discussions as participating in cyber activities that aid Ukrainian interests. No further details about its size, funding, or internal structure have been disclosed in open sources.

The actor’s observed targeting has been limited to Russian state media infrastructure. In October 2024 the group attacked the Russian state television and broadcasting company VGTRK. The strike focused on the broadcaster’s servers, deleting critical data and associated backups. This resulted in the interruption of online streams for channels such as Rossiya 24 and Rossiya 1, as well as the failure of internal telephone and internet services. The Kremlin acknowledged the incident as unprecedented, confirming that VGTRK was operating in emergency mode while working to resolve the extensive damage. VGTRK is described as a state‑controlled entity under international sanctions that manages federal and regional broadcast networks across Russia.

The tactics demonstrated in the VGTRK incident involve the removal of data and backup files, effectively wiping systems to cause outage. By eliminating both primary data and its backups, the actor complicated any recovery efforts for the broadcaster. No specific malware families or exploit kits were mentioned in the public account of the operation. The actor’s tooling style appears to rely on commands or scripts that delete files en masse, consistent with the implied use of a wiper‑type approach. Initial access vectors were not disclosed, so the method by which the group gained entry to VGTRK’s network remains unknown. The VGTRK attack stands as the group’s most prominent publicly reported operation to date. It was described by Russian officials as unprecedented in scale and prompted the broadcaster to activate emergency procedures. While the actor expresses a pro‑Ukrainian stance, no direct linkage to the Ukrainian government or any state‑sponsored program has been established in open sources. Consequently, the profile of sudo rm -RF is limited to a hacker collective aligned with Ukrainian interests, whose known activity centers on data deletion attacks against Russian media targets. No additional campaigns have been credited to the actor in publicly available reporting as of the latest information.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources