Cyber Incident Victim: Polish Ministry of National Defense

Date: Jul 2016

Location: Poland

Summary

Hackers identifying as "Pravyy Sector" breached Poland's Defence Ministry, exfiltrated sensitive data including military personnel records, internal documents, and intranet logs, and demanded a $50,000 ransom to withhold public release. The stolen material contained personal details of service members; one affected individual confirmed that the leaked forms were his applications for overseas deployment. The attackers also claimed to expose evidence of the ministry's involvement in the US PRISM surveillance program, but security analysts assessed that material as likely fabricated. The incident followed earlier intrusions targeting the ministry and mirrored the group's hack of a Polish telecommunications provider a few days before, where it leaked data before the victim acknowledged the breach.

Description

On July 15, 2016, a hacker group identifying as "Pravyy Sector" (Right Sector) publicly extorted Poland's Defence Ministry through Twitter, demanding a $50,000 ransom paid to either a Ukrainian bank account or a Bitcoin address, and threatened to release stolen data unless paid. Initial leaks included scans of official documents, screenshots of a Defence Ministry computer desktop, and an Excel file containing 1,368 entries of internal intranet logs with LDAP paths, login timestamps, failed login attempts, and related system metadata. Polish security firm Niebezpiecznik verified portions of the breach by contacting an individual whose personal information appeared in the leaked documents. This servicemember confirmed the authenticity of his service records but noted that the passport and ID card numbers in them were outdated. He explained that the compromised forms were applications for overseas deployment, consistent with his own service history in Afghanistan and Iraq.

Later that day, Pravyy Sector claimed to leak additional files purportedly exposing Poland's participation in the U.S. PRISM surveillance program, but Niebezpiecznik assessed these documents as likely fabricated because of inconsistencies in them. The Defence Ministry issued no formal confirmation or denial of the incident, and the Polish newspaper Wyborcza characterized its response as evasive. The attack followed earlier intrusions against Polish government systems, including a 2013 breach by the hacker "Alladyn2" that compromised the Defence Ministry network and a presidential computer. Pravyy Sector had also targeted the Polish telecommunications provider Netia, leaking its data days before the Defence Ministry incident; Netia later acknowledged that breach. The hackers' use of a name associated with a Ukrainian nationalist group (one banned in Russia) left their true affiliation ambiguous, and no evidence substantiated claims of either Ukrainian or Russian origin. Impacts included exposure of military personnel records, operational system details (the leaked LDAP paths and authentication logs reveal internal account naming and directory structure, which an attacker can reuse for follow-on access attempts), and reputational risk from the unverified allegations of intelligence collaboration.
