Cyber Incident Victim: Unisoftware

Date: Oct 2022

Location: Russia

Summary

A Russian hacking group known as the National Republican Army breached a domestic software developer with government clients, stealing sensitive data including banking credentials, employee information, contracts, and proprietary source code. The attackers, motivated by opposition to the war in Ukraine, claimed prolonged unauthorized access and intent to continue targeting entities supporting the regime. Stolen materials were partially verified by external analysis. Separately, a major Russian IT retailer disclosed a breach involving compromised personal data of customers and employees, potentially linked to the same threat actors, who exploited external servers to infiltrate the organization.

Description

The National Republican Army (NRA), a Russian hacking group opposing the Putin regime, infiltrated Unisoftware, a Russian software developer with government clients, in an operation occurring on or around October 2, 2022. The attackers maintained unauthorized access to Unisoftware's systems for months prior to executing the data theft. They exfiltrated the company's entire data repository, including banking credentials, personal account information, employee records (phone numbers and addresses), client contracts, and proprietary source code for client software solutions. The NRA publicly claimed responsibility, framing the attack as retaliation against entities supporting Russia's war in Ukraine and explicitly stating their intent to "terrorize" Unisoftware for its alleged role in maintaining the government. The Kyiv Post verified the breach's authenticity after reviewing stolen materials provided by the hackers, which included data from multiple Russian clients. Attackers taunted Unisoftware's response efforts, noting attempts to evict them from systems had failed. The NRA also asserted compromises of other clients, though only one—Russian IT retailer DNS—was independently confirmed in contemporaneous reports.

DNS acknowledged a separate breach during the same timeframe, attributing it to foreign-based servers and confirming theft of customer and employee personal data while asserting financial data remained secure. Unisoftware's breach exposed sensitive government-linked contracts and proprietary software, directly impacting its clients' operational security and intellectual property. The company attempted remediation by expelling attackers and repairing compromised systems, but the NRA emphasized their persistent access. This incident occurred amid heightened cyber hostilities between Russian and Ukrainian-aligned actors, including Ukraine's calls for an international "IT army" to disrupt Russian infrastructure and Russia's own offensive cyber campaigns. The operational consequences included disruption to Unisoftware's business operations, reputational damage from inadequate security controls, and potential legal liabilities from compromised client data. DNS implemented post-breach security enhancements by identifying and patching vulnerabilities in its information infrastructure.
