Cyber Incident Victim: Embassy of India in Russia
Date: Dec 2013
Location: India
Summary
A Russian hacktivist group operating as Rucyborg compromised the Embassy of India in Moscow through an infected email sent to the CEO of Russian defense exporter ROSOBORONEXPORT, as part of a broader campaign targeting entities linked to the Russian government. The attackers exfiltrated over 500MB of sensitive data, including military procurement documents involving Hindustan Aeronautics Limited, flight cost records, and passport details of Russian delegates. The breach was motivated by opposition to government policies, with the group claiming additional compromises of major Russian defense and infrastructure organizations while aligning their actions with anti-government sentiments.
Description
On March 6, 2014, the hacktivist group operating under the alias @Rucyborg and identifying as "Russian Cyber Command" publicly announced a cyberattack targeting Russian state-affiliated defense and industrial entities, including ROSOBORONEXPORT, the country’s primary arms export organization. The group claimed the attack was motivated by opposition to the Russian government’s geopolitical actions under Vladimir Putin, explicitly stating they sought to expose government activities and prevent military escalation. Attackers disclosed compromising ROSOBORONEXPORT’s department handling sales to India, a BRICS nation, by first breaching the Embassy of India in Moscow and using that access to send a malicious email to CEO Mr. Saprykin, whose passport data was subsequently leaked. The initial data dump, distributed via BayFiles and Cyberguerrilla, contained over 500MB of compressed files, including military procurement documents, quotations for the Russian Air Force, correspondence with India’s Hindustan Aeronautics Limited (HAL), and flight cost records from Cosmoo Travels Ltd. Sensitive personal information of Russian delegates—passport copies, images, and identifying details—was exposed alongside operational defense records.

The attackers asserted additional compromises of major Russian corporations, including aircraft manufacturer Sukhoi, industrial conglomerate Oboronprom, shipping firm Gazflot, aluminum producer Rusal, and investment bank Veles Capital, with promises of future leaks targeting telecommunications providers and FSB-linked electronic surveillance firms. Forensic analysis of the leaked archive revealed malware signatures previously detected by antivirus software in late 2013, though the operational impact of this malware within victim networks remained unconfirmed. No statements from ROSOBORONEXPORT, the Indian Embassy, or affected corporations were documented in the disclosure. The leak demonstrated direct targeting of military-industrial supply chains and diplomatic entities, with compromised data spanning technical, financial, and identity records. @Rucyborg framed the operation as part of a broader "domestic cyberwar" against infrastructure supporting the Russian government, expressing solidarity with Anonymous and LulzSec while taunting cybersecurity firm Kaspersky.
