Menu
Browse

Cyber Threat Actor: Sanggiero

Aliases: 4 aliases
Actor Type Location Known Incidents
 Icon
Sensationalist
Indonesia
2 incidents
Profile

The threat actor known by thealiases Sanggiero, Sanggire, Senggero and Sengire has been linked to incidents originating from Indonesia. These aliases appear in public reports describing the actor's activity. The actor’s geographic base is noted as Indonesia, although no further detail about operational headquarters is provided. No public attribution to a state sponsor or criminal consortium has been made for this actor. The actor first came to wider attention following a data breach reported in early 2024. That breach involved the exposure of nearly one million personal records from an online retailer.

The actor’s known targets include retail companies and technology service providers. In the retail case, the actor exploited an unfixed API vulnerability on the company’s website to obtain customer data. The compromised information consisted of names, phone numbers, addresses and geographic details. After acquiring the data, the actor released it on a hacking forum and a Telegram channel, explicitly stating that the low resale value of the information motivated the public disclosure. This action raises the risk of smishing and fraudulent activities leveraging the exposed personal data. No malware families or specific tooling suites are mentioned in the reporting, with the initial access vector limited to the API exploitation.

Beyond the location note, no definitive links to state actors, hacking groups or criminal alliances have been established in open sources. The actor’s activity is therefore described based on the two publicly reported incidents. One incident is the Halara data breach affecting roughly 950,000 individuals. The other involves unauthorized access to a limited number of files on Fortinet’s third‑party cloud‑based shared file drive, impacting data tied to fewer than 0.3 % of the vendor’s customers. In the Fortinet case the actor’s access was terminated upon discovery, prompting an internal and external investigation and notification to law‑enforcement agencies. These episodes illustrate the actor’s reliance on exploiting exposed interfaces rather than deploying custom malware. No further campaigns or tools have been attributed to the actor in the available material.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
0 sources