New research from Cyble has revealed the emergence of a new Russian hacktivist group on the dark web in January, alongside a surge in data breaches and network access being sold by various threat actors. The data also revealed the emergence of a new group ‘Sector 16,’ which recently teamed up with Z-Pentest – a threat actor previously profiled by Cyble last month – to launch an attack on a Supervisory Control and Data Acquisition (SCADA) system managing oil pumps and storage tanks in Texas.
Cyble noted that Sector 16 also claimed responsibility for unauthorized access to the control systems of a U.S. oil and gas production facility, releasing a video purportedly demonstrating their access to the facility’s operational data and systems. “The video reveals control interfaces associated with the monitoring and management of critical infrastructure. Displayed systems include shutdown management, production monitoring, tank level readings, gas lift operations, and Lease Automatic Custody Transfer (LACT) data, all critical components in the facility’s operations.”
The group was also able to access valve control interfaces, pressure monitoring, and flow measurement data, highlighting the potential extent of the access.
Both Sector 16 and Z-Pentest displayed their logos in the video, signaling a strong alliance or collaborative partnership between the two groups. This visual branding not only reinforces their joint involvement in the attack but also serves to amplify their credibility and influence within the hacktivist community.
Russian hacktivist groups have posted several videos of their members tampering with critical infrastructure control panels in recent months, perhaps more to establish credibility or threaten than to inflict actual damage, although in one case, Z-Pentest claimed to disrupt a U.S. oil well system.
Cyble reported observing 15 active ransomware groups in January, including CL0P, INC, Lynx, Akira, Rhysida, SafePay, RansomHub, Monti, Qilin, BianLian, Medusa, Cactus, FOG, LockBit, and BlackBasta. Among these, CL0P stood out, claiming responsibility for attacks on at least 115 victims by exploiting vulnerabilities in Cleo MFT (Managed File Transfer) systems, highlighting the group’s continued focus on leveraging software vulnerabilities to carry out large-scale ransomware campaigns.
The research mentioned that the victims targeted by the 15 ransomware groups span various industries, highlighting the widespread impact of these attacks. Among the affected entities are a major port, a leading chip equipment manufacturer, an automotive parts supplier, prominent universities and colleges, state and local police departments, defense contractors, a casino, a water utility, multiple government agencies, a food company, a plumbing equipment manufacturer, a telecom provider, and numerous healthcare organizations.
Notably, several of these victims had previously been targeted by other ransomware groups, underscoring the persistent and recurring nature of cyberattacks across vulnerable sectors. This broad targeting reflects the opportunistic and indiscriminate tactics employed by ransomware actors to maximize their reach and profitability.
Last month, Cyble dark web researchers analyzed over 250 claims made by threat actors, revealing that more than 25 percent of these claims targeted U.S.-based organizations. Among the threat actors (TAs) focusing on U.S. entities, 15 were identified as ransomware groups that either claimed responsibility for successful attacks or were actively selling data obtained from these breaches.
Ransomware-related claims made up approximately 40 percent of Cyble’s investigations, with the majority of cases involving threat actors attempting to sell stolen data or unauthorized access to organizational networks. Additionally, several investigations focused on cyberattacks orchestrated by hacktivist groups – including a new Russian threat group identified here for the first time.
Cyble wrote that among other hacktivist groups active in January, the pro-Islamic hacktivist group ‘Mr. Hamza’ – which united with Z-Pentest and other pro-Russian groups in European attacks in December – teamed with Velvet Team to claim responsibility for a series of Distributed Denial-of-Service (DDoS) attacks on U.S. government and military platforms. Targeted systems include a U.S. Army development and communications network, an FBI portal for bank robbery information, and the U.S. Africa Command’s official platform.
In January, Cyble investigated a couple of U.S. data breach claims, including a SIM-swapping service offering, in which a hacker offered a SIM-swapping service targeting subscribers of a U.S.-based telecommunications provider. The offering suggests that the TA may possess unauthorized access to an internal portal that facilitates such swap requests, or may be leveraging insider access. In another instance, a threat actor advertised a web shell and unauthorized administrative access to an undisclosed U.S. government website, raising significant concerns about the security of sensitive government systems.
Another threat actor claimed to have gained root access to servers belonging to an undisclosed ISP, a router manufacturer, a real estate company, and a logistics and transportation organization, highlighting the actor’s ability to infiltrate diverse sectors. In another case, a threat actor advertised stolen data from a large IT company, including source code from private GitHub repositories, Docker builds, and certificates (both private and public keys), posing a severe risk to the company’s intellectual property and operational security.
Cyble also detailed that a threat actor offered unauthorized access to a subdomain of a major retail corporation for $16,000, claiming the access could be used to execute arbitrary commands on the compromised system, potentially enabling further exploitation or data exfiltration.
In conclusion, Cyble noted that dark web monitoring is an important tool for detecting leaks early, before they escalate into much bigger cyberattacks and data breaches. “Along with cybersecurity best practices such as zero trust, risk-based vulnerability management, segmentation, tamper-proof backups, and network and endpoint monitoring, there are a number of ways organizations can reduce risk and limit any cyberattacks that do occur.”