Cyber Threat Actor: Daixin Team
| Actor Type | Location | Known Incidents |
Crime Syndicate
|
Russia
|
7 incidents |
|---|
Profile
Daixin Team, also tracked as Daixin, is a ransomware‑associated threat actor that has been linked to incidents in Russia and has claimed responsibility for attacks across multiple sectors and regions. The group has targeted healthcare providers such as Columbus Regional Healthcare System and OakBend Medical Center, critical infrastructure including the North Texas Municipal Water District, food manufacturing firms like B&G Foods, aviation companies exemplified by AirAsia, and multinational IT service providers exemplified by ista International. Their activity has been observed in the United States, Malaysia, and Germany, indicating a transnational operational scope. Public statements and ransom notes consistently show a financial motive, with demands for payment ranging from hundreds of thousands to millions of dollars, accompanied by threats to leak or sell exfiltrated data if the ransom is not paid. In addition to monetary extortion, the group’s actions cause operational disruption by encrypting systems, disabling security controls, blocking administrator accounts, and taking networks offline, which forces victims to rely on alternative communication methods and impairs normal business functions.
The actor’s tactics, techniques, and procedures include gaining initial access through compromised unprivileged user accounts, as described in the ista International intrusion, and exploiting weakly protected remote services such as VPN, SSH, and RDP, as noted in the AirAsia case. They also leave ransom notes on local networks and send direct messages to victims, a method observed during the B&G Foods incident. Once inside, Daixin Team reportedly elevates privileges to full administrative control, disables security features, blocks administrator accounts, and proceeds to encrypt both production servers and backup systems, a pattern repeated across the ista, OakBend, and Columbus Regional Healthcare System attacks. Data exfiltration precedes or accompanies encryption, with the group stealing personal, employee, and operational information and later publishing portions of the stolen data on dark web leak sites to pressure victims into payment. Their tooling style emphasizes large‑scale encryption of servers and petabytes of data, as claimed in the ista compromise, and they avoid encrypting systems that could cause life‑threatening disruption, as illustrated by their decision to spare AirAsia’s flight‑control platforms.
Representative operations illustrate the group’s impact and methodology. In the AirAsia incident, Daixin Team asserted access to the personal data of five million passengers and all employees, deliberately refraining from encrypting critical flight‑control systems to avoid endangering lives while still leaking sample data after the airline refused to pay a ransom. The ista International attack saw the actors claim encryption of thousands of servers and petabytes of data, including backups, after moving from a single unprivileged account to full domain control, disabling defenses, and blocking admin accounts before initiating a public data leak when negotiations failed. Columbus Regional Healthcare System experienced network encryption, backup deletion, a $2 million ransom demand, and a threat to release over 250 000 files containing patient tax forms, employee records, and billing data when the initial demand was not met. B&G Foods suffered encryption of roughly one thousand hosts, exfiltration of internal documents including employee medical assessments and incident reports, and subsequent leakage of those files on a dark web site after the company did not engage in negotiation talks. These examples demonstrate the actor’s consistent use of ransomware, data theft, extortion, and disruption tactics across varied industries and geographic locations.
