Cyber Threat Actor: rootkitsecurity
| Actor Type | Location | Known Incidents |
Activist
|
Ukraine
|
0 incidents |
|---|
Profile
rootkitsecurity is a pro‑Ukraine hacktivist who operates under the alias rootkitsecurity and is known to be based in Ukraine. The actor presents itself as part of a broader community of Ukrainian cyber activists that respond to geopolitical events with disruptive online actions. Their stated motivation, as expressed in public statements, is to pressure Iran to cease supplying drones to Russia by targeting Iranian online services. This positioning frames their activity as a form of protest rather than financially driven crime or espionage. The actor’s public communications emphasize cooperation with the international community and claim knowledge of Iranian infrastructure weaknesses, indicating a focus on symbolic and disruptive impact rather than covert intelligence gathering.
The primary tactic observed for rootkitsecurity is the execution of distributed denial‑of‑service (DDoS) attacks aimed at making targeted websites temporarily unreachable. In late December 2022 the actor claimed responsibility for an attack that disrupted Iran Airlines’ online services, sharing a screenshot and a tweet that linked the action to the hashtags #TangoDown, #OpIran and #MashaAmini. Earlier the same period, rootkitsecurity participated in broader pro‑Ukraine claims of DDoS against the website of Iran’s supreme leader Ali Khamenei and the National Iranian Oil Company (NIOC), although those claims were not independently verified by the targeted entities. The actor also referenced ongoing efforts to target Iranian financial institutions and communications platforms such as the central bank, Rubika and Bale, describing these as part of a sustained campaign that would continue until Iran altered its support for Russia. No specific malware families, initial‑access vectors or specialized tooling are mentioned in the available sources, and no public attribution links the actor to a state sponsor or criminal consortium. The profile therefore remains limited to the observed disruptive activity, the stated geopolitical objective and the actor’s self‑identified Ukrainian, pro‑Ukraine hacktivist context.
