Cyber Incident Victim: DESORDEN Cyber Attack Victim

Date: Jul 2022

Location: Thailand

Summary

A cybercriminal group breached multiple Thai entities, exfiltrating extensive sensitive data including customer records, HR and financial information, and scanned identification documents. The attackers publicly leaked samples of the stolen data on hacking forums, offering the remainder for sale, while claiming impacts such as over 3 million customer records from one victim and 1.75 TB of loan documents from another. The group also distributed ransomware builds but asserted these were ineffective against systems with basic antivirus protection, having preemptively submitted samples to VirusTotal to increase detection rates. Additionally, they infiltrated Pruksa Clinic to disprove a third-party forum listing exaggerating the scale of a breach, revealing only a few thousand compromised records.

Description

In late July 2022, the DESORDEN threat actor group executed a series of cyberattacks against multiple Thai organizations, continuing a pattern of targeting entities in ASEAN countries. Between July 28 and 31, DESORDEN publicly claimed breaches of four Thai companies on hacking forums. The first victim, Frasers Property Thailand Public Company Limited, reportedly had 312,834 customer records compromised alongside HR, financial, and corporate data. DESORDEN provided DataBreaches.net with breach samples and a video demonstrating the data scope. The second victim, Union Auction Public Company Limited, allegedly lost over 30,000 member records. DESORDEN listed both breaches with free samples while offering full datasets for purchase. Neither company had issued public notifications at the time of reporting, and attempts to contact them yielded no response: Frasers didn't reply immediately, while Union Auction's email bounced.

The third confirmed breach targeted Srikrung Broker Co., Ltd., an insurance broker, with DESORDEN claiming theft of 369 GB of data containing approximately 3.28 million customer records and 462,980 agent records. Srikrung acknowledged the incident publicly. Three days later, DESORDEN breached 724.co.th, an insurance marketplace under Srikrung, exfiltrating 1.75 TB of scanned ID copies and loan documents. Concurrently, DESORDEN distributed free ransomware builds (CHAOS and Yashma) on forums but preemptively submitted Yashma to VirusTotal to ensure antivirus detection, claiming this would prevent misuse by inexperienced attackers. They admitted reverse-engineering Yashma from a credible source and emphasized ransomware deployment required advanced skills. Separately, DESORDEN investigated an unrelated forum listing claiming 48 million Pruksa Clinic records, hacking the clinic to disprove the claim—finding only a few thousand patient records—while humorously asserting their intent to maintain dominance over large-scale Thai data breaches. DataBreaches.net documented these incidents but could not independently verify most claims, noting limited victim transparency and ongoing regulatory concerns in Thailand.
