Menu
Browse

Cyber Threat Actor: @security_511

Actor Type Location Known Incidents
 Icon
Sensationalist
North Korea
4 incidents
Profile

The threat actor identified bythe alias @security_511 appears in open‑source reports that tie the handle to a series of cyber incidents observed during 2014. While the source material lists North Korea as the actor’s possible location, it qualifies this as “if known” and does not provide further corroboration. The alias is linked to intrusions against both religious organizations and an online retail business, indicating a breadth of targets. Observations note that the actor resumed activity after a period of dormancy, suggesting an intermittent operational pattern.

In February 2014 the Church of Scotland’s website was compromised, yielding a database of 1,570 user accounts that included usernames, email addresses and passwords stored using encryption. The same intrusion exposed nine administrator credentials associated with a separate domain, with those passwords kept in plaintext and featuring weak choices such as “qwer56123.” The actor posted the harvested data to Pastebin and distributed the links through social‑media channels, making the information publicly accessible. A month later, in March 2014, the Church of Cyprus was named alongside the Church of Scotland and the Lutheran Church of Australia as part of a wider wave of attacks, although the published article does not detail the specific techniques or consequences for that particular victim. Earlier, in October 2014, an Israeli online gift store experienced a credit‑card data breach that was attributed to the same actor, resulting in the exposure of customer payment details and subsequent fraudulent use of the stolen information.

The actor’s methodology, as described in the available sources, consists of gaining unauthorized access to web‑site databases, extracting account information, and then publishing the results on paste sites and social networks. No public reporting connects the actor to particular malware families, exploit frameworks, or defined initial‑access vectors such as spear‑phishing or supply‑chain compromise. The storage of administrator passwords in plaintext points to an exploitation of poor credential‑protection practices rather than the deployment of advanced payloads. Consequently, the observed tooling style appears to rely on straightforward data‑collection and disclosure tactics without evidence of custom malware or sophisticated obfuscation.

Attribution to a state sponsor or criminal alliance is not explicitly made in the referenced material; the sole geographic hint is the possible North Korea origin mentioned with uncertainty. Because the sources do not state a motive, any assertion about financial gain, espionage, or disruption would go beyond the documented facts. The actor’s known public activity is confined to the 2014 period, with the cited incidents representing the primary operations that have been reported. Taken together, these episodes demonstrate a repeated focus on harvesting weakly protected credentials and releasing them publicly, which can enable secondary abuse and highlight deficient security controls at the victim organizations.

Incidents
Attributed incidents available to members
4 incidents
Sources
Sources available to members
3 sources