Cyber Incident Victim: Forest
Date: Feb 2022
Location: Russia
Summary
Hackers leaked over 37,500 emails totaling 35.7 GB from Forest, a Russian logging company, as part of a broader operation targeting multiple Russian firms. The collective data breach involved approximately 437,500 emails exceeding 400 GB, including significant volumes from Petrovsky Fort and Aerogas. This incident was facilitated by Distributed Denial of Secrets and attributed to hacktivist groups such as Anonymous, who conducted these cyberattacks in response to Russia's military actions against Ukraine. The leaks represent a series of intrusions against Russian state-affiliated and private entities, contributing to widespread data exposures across various sectors amid ongoing geopolitical tensions.
Description
The incident involving the Russian logging company Forest occurred within the broader context of hacktivist operations targeting Russian entities following the invasion of Ukraine on February 24, 2022. Between late February and early April 2022, the hacktivist collective Anonymous exfiltrated and leaked internal corporate emails from Forest and two other Russian firms—Petrovsky Fort, a commercial real estate operator, and Aerogas, an oil and gas engineering company. Distributed Denial of Secrets (DDoSecrets), a transparency-focused organization, publicly released the data on April 8, 2022. Forest’s portion comprised 37,500 emails totaling 35.7 gigabytes, while the cumulative leak across all three companies reached 437,500 emails (424.7 GB). This operation aligned with a coordinated campaign by multiple hacktivist groups—including Ukraine’s IT Army and Hacker Forces—to breach Russian state-affiliated organizations as a form of digital protest against the war. The attackers employed “smash and grab” tactics, prioritizing rapid data exfiltration over prolonged network persistence.

The leak formed part of a sustained wave of cyber operations against Russian targets, with DDoSecrets alone publishing over 2 million emails from Russian entities between February and April 2022. Other compromised organizations included the Kremlin-controlled media outlet VGTRK (800 GB of data), investment firm Thozis Corp. (5,500 emails), state nuclear agency Rosatom, space agency Roscosmos, and energy giant Gazprom. While the Forest breach’s specific operational or financial consequences were not detailed in available reporting, the collective targeting of critical industries reflected hacktivists’ strategic focus on entities perceived as supporting Russia’s military or economic infrastructure. The United Nations documented severe humanitarian impacts from the invasion, including over 10 million displaced Ukrainians and evidence of human rights violations in occupied territories, which culminated in Russia’s suspension from the UN Human Rights Council during this period. No remediation efforts or forensic findings specific to Forest were disclosed in the sourced material.
