Cyber Threat Actor: BROMINE
| Actor Type | Location | Known Incidents |
Nation State
|
Russia
|
3 incidents |
|---|
Profile
BROMINE is a threat actor tracked under the alias BROMINE and is assessed to operate from Russia. Public reporting links the actor to Russian state‑aligned advanced persistent threat groups that conduct cyber activities in support of broader geopolitical objectives. The actor’s known targeting focuses on Ukrainian government agencies, critical infrastructure, energy providers, information technology firms, media outlets, and military personnel, reflecting a pattern of striking sectors essential to national functioning and public trust. Strategic objectives observed in attributed operations include disruption of services, destruction of data, and the conduct of influence operations aimed at spreading disinformation and sowing panic among civilian and military populations. These objectives are consistently tied to kinetic military actions and information warfare campaigns rather than financial gain.
The actor’s typical tactics involve the creation and dissemination of deepfake video content designed to impersonate senior officials and manipulate public perception, as well as the deployment of wiper malware families such as WhisperGate, FoxBlade, HermeticWiper, and Industroyer2 to render systems inoperable. Initial access is frequently achieved through spear‑phishing messages targeting military and government staff, as well as through the compromise of news websites and social media platforms to amplify malicious narratives. Additional tooling includes destructive malware disguised as ransomware, supply‑chain compromises of IT providers, and the exploitation of trusted infrastructure networks to facilitate lateral movement and further destructive payloads. The actor’s tooling style emphasizes destructive impact over stealth, prioritizing rapid data destruction and operational disruption.
Representative operations attributed to BROMINE include the March 2022 deepfake video impersonating Ukraine’s president that was spread via compromised news sites and social media to falsely urge surrender, coinciding with widespread wiper malware attacks on government, energy, IT, and media sectors. Another notable example is the January 2022 destructive malware campaign targeting Ukrainian government agencies and an IT firm managing public‑sector websites, where the malware masqueraded as ransomware but was designed to disable critical executive and emergency response functions. These incidents illustrate the actor’s recurring use of influence operations paired with destructive malware to achieve disruption and information warfare goals during periods of heightened conflict.
