Cyber Incident Victim: Uri Reiss' Administration
Date: Jun 2022
Location: Russia
Summary
A Russian government ministry's website was compromised and defaced to display a pro-Ukraine message, accompanied by a ransom demand of 0.5 BTC to prevent the alleged leak of stolen user data. The attackers, operating under the name DumpForums, claimed access to sensitive information including full names, login credentials, email addresses, and hashed passwords, publishing screenshots as evidence. The targeted entity denied any data compromise but took the website offline following the breach. The incident occurred amid a broader wave of cyberattacks against Russian infrastructure following geopolitical tensions, with hackers exploiting vulnerabilities in the site's content management system to execute the intrusion.

| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 3 techniques |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |

Description
On or around June 3, 2022, the website of the Russian Ministry of Construction, Housing, and Utilities (minstroyrf.gov.ru) was compromised by hackers identifying themselves as DumpForums. The attackers replaced the site's content with a Ukrainian-language message stating "Glory to Ukraine," rendering the official portal inaccessible to legitimate users. Concurrently, the group issued a ransom demand of 0.5 Bitcoin (BTC), threatening to leak stolen user data unless payment was made. The ministry confirmed the website's outage through state media outlet RIA but asserted that no user data had been compromised. DumpForums countered this claim by publishing screenshots on Telegram allegedly showing stolen datasets containing full names, login credentials, email addresses, salted MD5 password hashes, and user registration dates spanning from August 14, 2014, to May 8, 2022. Technical analysis revealed that the website ran on the Bitrix Content Management System (CMS), though the specific vulnerability exploited wasn't disclosed.

The incident occurred amid a broader wave of cyberattacks targeting Russian government and media entities following the February 2022 invasion of Ukraine. While the ministry maintained its denial of data compromise, the website remained offline for an extended period, disrupting public access to housing and utilities services. DumpForums continued to assert control over the stolen data through Telegram channels, though no evidence emerged of widespread data distribution beyond the initial screenshot samples. This attack mirrored patterns observed in compromises of other Russian institutions, including state news agency TASS, outlets Fontanka and Kommersant, television networks Channel One and Rossiya-1, and video platform RuTube, which had suffered three days of downtime from prior attacks. The ministry implemented containment measures by taking the website offline, but restoration timelines and final verification of data integrity weren't publicly confirmed by the article's publication date of June 7, 2022.
