Menu
Browse

Cyber Threat Actor: Umbro

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Activist
Turkey
1 incident
Profile

The threat actor is known by the aliases Umbro, OPJ, N13V and M3T4L and is believed to operate from Turkey. Public reporting links the actor to the Turkish hacker collective Turkic Hackers Rulez, which defaced a French government website for employment and social cohesion on April 7 2024. The defacement displayed the Grey Wolves logo and protested France’s designation of that ultranationalist group as a terrorist organization, while also demanding non‑assimilation of Turkic minorities and solidarity with Uyghurs in China. The incident followed a pattern of earlier cyber‑attacks by Turkish‑linked actors against French entities, including temporary disruptions to major financial institutions, and the defacement remained visible for several hours, echoing prior Grey Wolves‑related vandalism and political violence in France.

The alias N13V has been explicitly identified in open‑source reporting as the moniker used by the RedAlert ransomware group. RedAlert employs a double‑extortion model, encrypting victims’ files and threatening to leak stolen data unless a ransom is paid, and it maintains a Tor‑based leak site for publishing victim data. The group has been observed exploiting the zero‑day vulnerability in Progress Software’s MOVEit Transfer platform (tracked as CVE‑2023‑34362) to compromise government agencies in Latin America, notably Chile’s National Consumer Service (Sernac) and the Dominican Republic’s Agrarian Institute (IAD). In those incidents RedAlert encrypted files on Windows and VMware ESXi servers, appended the .crypt extension, and threatened to release exfiltrated data, demonstrating a focus on financial gain rather than political motives.

While the aliases Umbro, OPJ and M3T4L appear in the threat actor’s nomenclature, the source material does not directly tie them to specific malware families or campaigns beyond the Turkish defacement incident and the N13V/RedAlert association. Consequently, the actor’s known tactics include website defacement for political protest and the deployment of ransomware that combines data encryption with extortion via leak sites. The actor’s targeting spans governmental entities in Europe and Latin America, reflecting a mix of politically motivated disruption and financially driven operations. No further details about the actor’s size, hierarchy, sponsorship, or revenue are provided in the available material.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
205 sources