Recent Dr.Web cyberattack claimed by pro-Ukrainian hacktivists

A group of pro-Ukrainian hacktivists has claimed responsibility for the September breach of Russian security company Doctor Web (Dr.Web).

Dr.Web confirmed last month that its network was breached on September 14, which forced it to disconnect all internal servers and stop pushing virus database updates to customers while investigating the incident.

In a Tuesday Telegram post, DumpForums pro-Ukrainian hacktivists said they were behind the hack and gained access to Dr.Web’s development systems.

They allegedly had access to Dr.Web’s network for roughly one month, which allowed them to steal around ten terabytes of data, including client databases, from the company’s GitLab, email, Confluence, and other compromised servers.

“We managed to hack into and offload the corporate GitLab server where internal development and projects were stored, the corporate mail server, Confluence, Redmine, Jenkins, Mantis, RocketChat – systems where development was conducted and tasks were discussed,” DumpForums said.

ReliaQuest’s Threat Research Team says that DumpForums has been an online “hub for hacktivists and patriotic cyber threat actors” since at least late May 2022.

Their efforts are focused on supporting “the Ukrainian war effort against Russia” through DDoS attacks and leaking information stolen from the Russian government and private entities.

Dr.Web denies data theft claims

Today, Dr.Web published a statement in response to their claims, confirming again the September breach but saying that the attack was “promptly stopped.”

The Russian anti-malware company added that it won’t pay a ransom demand, which the attackers had since requested, and denied that customer information was stolen in the attack.

“The main goal was to demand a ransom from our company, but we are not negotiating with the attackers. At the moment, law enforcement agencies are conducting an investigation, and therefore we cannot give detailed comments so as not to interfere with the investigation,” Dr.Web said in a Wednesday Telegram post.

“The information published in Telegram is mostly untrue, user data was not affected. Neither virus database updates nor software module updates pose any security threat to our users.”

Dr.Web has yet to reply to multiple emails sent by BleepingComputer to request more information regarding the breach and DumpForums’ claims.

Dr.Web is the most recent Russian cybersecurity company that was targeted and breached in a cyberattack. In June, pro-Ukrainian hackers Cyber Anarchy Squad breached the Russian information security firm Avanpost, claiming to have leaked 390GB of stolen data before encrypting over 400 virtual machines.

One year earlier, in June 2023, Kaspersky also disclosed that attackers infected iPhones on its network with spyware via iMessage zero-click exploits, which targeted iOS zero-day bugs as part of a campaign now known as “Operation Triangulation.”