Cyber Threat Actor: LORDBR

Aliases: 2 aliases
Actor Type: Activist
Location: Brazil
Known Incidents: 3 incidents
Profile

Red Hell Sofyan and LORDBR are the primary aliases associated with a threat actor that has been linked to several cyber incidents reported in open sources. The actor’s location is noted as Brazil in the threat‑actor context, although one of the aliases, Red Hell Sofyan, is explicitly described in a 2016 article as an Algerian hacker. The actor first came to public attention through the defacement of multiple websites belonging to the Brazilian telecommunications company Oi, where the attacker left a pro‑Palestine message on the compromised pages. This early activity established website defacement as the actor’s observable tactic. Later reporting connected the LORDBR moniker to a suspected ransomware operation against Spain’s public employment service (SEPE) in March 2021, which deployed the Ryuk ransomware family to encrypt files and disrupt agency operations. A separate, unverified claim from the same time frame alleged that LORDBR was responsible for a cyberattack on China’s Cosco Shipping, though the report was later removed and the intrusion details remain unsubstantiated.

The actor’s targeting appears to span the telecommunications, government/public‑service, and maritime‑logistics sectors, with observed activity in Brazil, Spain, and China. Strategic objectives inferred from the cited incidents include hacktivist messaging through website defacement and financial gain via ransomware encryption, as demonstrated by the Ryuk attack on SEPE that forced service suspensions while recovery efforts proceeded. The only malware family explicitly referenced in the sources is Ryuk, which was used in the SEPE incident; the Oi defacement relied on web‑site alteration techniques rather than malware, and no specific initial‑access vectors or tooling styles are disclosed in the available material.

Public attribution to Red Hell Sofyan or LORDBR remains tentative; the Cosco Shipping and SEPE incidents are described as alleged or unconfirmed links, and no state nexus or criminal‑consortium affiliation has been established in the reporting. Representative operations that illustrate the actor’s activity include the 2016 defacement of fifteen Oi telecom domains and subdomains, the March 2021 Ryuk ransomware attack on Spain’s SEPE that encrypted files and halted services, and the unverified 2021 claim concerning Cosco Shipping. These examples collectively illustrate the actor’s observed use of defacement and ransomware tactics across different industries and geographic regions, while highlighting the limits of confirmed attribution in the open‑source record.

Incidents: 3 incidents (attributed incidents available to members)
Sources: 1 source (available to members)