Cyber Threat Actor: Locata

The threat actoris publicly referenced by the aliases Locata and Kilanas. The actor’s location is identified as Russia in the available reporting. The name Locata is also used by a housing software provider, though the sources do not state any operational link between the actor and that company. References to the actor appear in archived sources from July 2022, but those pages are no longer accessible. On July 1 2024 a security incident was reported in which the actor gained unauthorized access to the systems of the housing software provider Locata. The breach allowed the attacker to compromise public‑facing housing websites used by several local councils across Greater Manchester. As a result of the website compromise, limited personal data belonging to residents whose information was stored on those platforms was exposed. The actor then used the accessed infrastructure to send phishing emails that directed recipients to fraudulent pages requesting them to activate tenancy options and disclose sensitive personal information. Affected councils confirmed that the phishing campaign originated from the breached Locata service and advised individuals to monitor their financial accounts, change any potentially compromised passwords, and report any losses to the appropriate authorities. The software company acknowledged the breach, engaged third‑party experts to conduct an investigation, and collaborated with local authorities to restore the affected websites and mitigate further risk.

Public accounts of the July 2024 event do not describe any specific malware families, exploit kits, or custom tools, indicating that the actor relied on legitimate access obtained through the software provider rather than deploying distinctive malicious code. The observed tactic therefore consists of compromising a trusted third‑party service and leveraging that access to conduct credential‑harvesting phishing. Apart from this incident, the only other mentions of the actor are defunct URLs from July 2022 that referenced a “Locata ransomware gang data leak”; those pages return errors and provide no verifiable details. Consequently, the documented profile of Locata/Kilanas is based on the single confirmed campaign against a UK housing software provider and its downstream impact on local government services, with attribution to Russia noted only as a geographic hint in the source material.