
Cyber Threat Actor: Mr.Stark

Actor Type: Criminal
Location: India
Known Incidents: 1 incident

Profile

Mr.Stark is the alias used by a threat actor whose known location is India. The actor came to public attention through attribution to a breach of Hawking Technology that occurred on February 7, 2016.

In that incident, the actor accessed the company's systems and exfiltrated a database containing over 25,000 user records. The exposed data included usernames, email addresses, and MD5-hashed passwords that were subsequently cracked, revealing plaintext credentials. A separate table with approximately twenty plaintext credentials was also taken, among which administrative credentials were found. The organization did not respond to multiple notifications about the compromise, allowing the data to remain accessible. This breach highlighted a recurring pattern of security failures at Hawking Technology, as the company had previously experienced multiple incidents involving SQL injection vulnerabilities.

External groups had repeatedly dumped data from the company's systems over several years, indicating a history of successful intrusions. Historical evidence suggests that prior compromises and data leaks had occurred before the 2016 event, underscoring persistent weaknesses in the company's defenses. The actor's use of SQL injection as an initial access vector aligns with the described vulnerability exploited in the Hawking Technology breach.

No other publicly reported operations or campaigns have been definitively linked to the Mr.Stark alias based on the information currently available. Consequently, the profile of this threat actor remains limited to the single confirmed incident and the associated technical details. Because the available sources do not mention any specific malware families, toolkits, or additional tactics employed by Mr.Stark, those aspects of the actor's behavior remain undocumented. Likewise, no public information connects the alias to a state sponsor, criminal consortium, or any particular geographic focus beyond the noted location in India. Further attribution or activity would require additional evidence beyond what is presently documented.
