Cyber Incident Victim: Russian Ministry of Construction, Housing and Utilities
Date: Jun 2022
Location: Russia
Summary
The Russian Ministry of Construction, Housing and Utilities website was compromised and defaced with a "Glory to Ukraine" message, accompanied by a ransom demand of 0.5 BTC to prevent the alleged leak of stolen user data. While the ministry asserted no data was breached, the hacking group DumpForums claimed possession of sensitive information including full names, login credentials, email addresses, password hashes, and registration details, sharing purported evidence of the breach. The incident forced the website offline and occurred amid a wave of cyberattacks targeting Russian entities following the invasion of Ukraine, with hacktivists previously disrupting media outlets and critical infrastructure.
Description
On or around June 3-5, 2022, the official website of the Russian Ministry of Construction, Housing and Utilities (minstroyrf.gov.ru) was compromised by hackers who defaced the homepage with a Ukrainian-language message stating "Glory to Ukraine." The attackers, operating under the alias DumpForums, demanded a ransom payment of 0.5 Bitcoin (BTC) to prevent the public release of stolen user data allegedly extracted from the ministry's systems. According to their claims communicated via Telegram channels, the hackers accessed sensitive personal information including full names, login credentials, email addresses, and password hashes (salted MD5), along with user registration dates spanning from August 14, 2014, to May 8, 2022. The group published screenshots purportedly showing this stolen data as evidence of their breach. Technical analysis indicated the website operated on the Bitrix Content Management System (CMS), though specific vulnerabilities exploited were not disclosed.

The Russian Ministry acknowledged the cyberattack through state media outlet RIA, confirming the website had been taken offline but asserting that no user data had been compromised. This statement directly contradicted the hackers' claims of possessing sensitive information. The incident occurred within a broader pattern of cyber operations targeting Russian government entities following the February 2022 invasion of Ukraine, with hacktivist groups including Anonymous claiming responsibility for disruptions to state media outlets such as TASS, Fontanka, and Kommersant, as well as television channels Channel One and Rossiya-1. The ministry's website remained inaccessible for an unspecified duration after the attack, mirroring the three-day outage experienced by Russian video platform RuTube during the same period. No verifiable evidence emerged regarding whether the ransom was paid or if the allegedly stolen data was subsequently leaked beyond the sample screenshots shared by DumpForums.
