DumpForums Claim 10TB Data Breach at Russian Cybersecurity Firm Dr.Web

Pro-Ukrainian hacktivists from DumpForums claim to have breached Russian cybersecurity giant Dr.Web, stealing over 10 TB of sensitive data, including internal projects, client databases, and critical infrastructure access.

DumpForums, a pro-Ukrainian hacktivist forum, claims to have breached Dr.Web, a Russian cybersecurity company and antivirus solutions provider. As a result, hackers have announced stealing over 10 TB of internal, customer/client data, Hackread.com can exclusively confirm.

The attack dates back to Saturday, September 14th, when Dr.Web (also known as Doctor Web, Doctor Web Ltd., and Company Doctor Web) identified that it had suffered a cyberattack. After investigating, the Russian cybersecurity giant published a brief blog post on September 17, 2024, revealing that the company was targeted in a cyberattack aimed at its “resources.” At that time, Doctor Web claimed that it had “prevented the attack in a timely manner” and that no user data was accessed or stolen.

However, as Hackread.com’s research team discovered, on the morning of October 8th, 2024, DumpForums hacktivists used their Telegram account to announce and claim responsibility for the September attack. The hacktivists’ Telegram post contradicted what Doctor Web had stated about the hack in September.

The screenshot shows Dr.Web’s Telegram post (left) and DumpForums’ post on the right. The original Russian-language screenshots have been translated into English using Yandex AI Image Translator (Credit: Hackread.com).

****DumpForums Hacktivists Claim Dr.Web’s Infrastructure Hack****

According to the post, the hacktivists stated they had hacked the infrastructure of Dr.Web, adding that they infiltrated the company’s local network after planning everything in advance. After that, they systematically hacked more servers and resources “within just a few days.”

Additionally, the hackers claimed to have hacked and extracted data from Dr.Web’s corporate GitLab server, where internal developments and projects were stored, including the corporate email server, Confluence, Redmine, Jenkins, Mantis, and RocketChat.

The hackers also claimed to have accessed and downloaded the entire client/user database, which they had already leaked on their official forum.

To further authenticate their claims, the hackers provided several dumps of databases from internal resources such as ldap.dev.drweb.com, vxcube.drweb.com, bugs.drweb.com, antitheft.drweb.com, and rt.drweb.com, among others.

****Accessing Dr.Web’s domain controller?****

What’s even more concerning are the claims from the hacktivists that they gained control of Dr.Web’s domain controller, a critical part of the company’s infrastructure. The domain controller manages authentication and access to all systems within a network. By compromising it, the attackers would have had unlimited access to the entire network, allowing them to continuously extract massive amounts of sensitive data.

This level of control reportedly enabled them to remain undetected for a month while siphoning off around 10 terabytes of data. The group also pointed out Dr.Web’s alleged poor security, stating that they spent an “entire month” in the system while the company continued selling products to secure others.

It is important to note that Hackread.com has reached out to Dr.Web regarding the claims made by DumpForums hacktivists, and this article will be updated accordingly.

****Ukraine and Russia Cyberwarfare****

It is also worth noting that DumpForums is known for attacking critical Russian infrastructure. In June 2022, the same group was behind the hack and defacement of the Russian Ministry of Construction, Housing, and Utilities. The hackers also stole the ministry’s entire database and demanded 0.5 BTC as ransom to prevent the data from being leaked online.

Nevertheless, the cyber warfare between Russia and Ukraine is gaining new momentum. Hackers from both countries have been targeting each other’s critical infrastructure since the conflict began on February 24, 2022.

According to Ukraine’s State Service of Special Communications and Information Protection (SSSCIP), there has been a significant shift in Russian cyber operations against Ukraine in the first half of 2024. The new strategy marks a departure from previous broad-spectrum attacks to a more targeted approach focusing on Ukraine’s military and defence sectors.

On the other hand, Ukrainian hackers have been quite active over the past few months. Some of their claimed cyberattacks include targeting banks and shutting down ATMs in Russia, targeting the government sector and damaging petabytes of data, crippling the country’s tax system, and other actions.

1. Ukrainian Hacktivists Trick Russian Military Wives for Personal Info
2. Protestware Uses npm Packages to Call for Peace in Gaza, Ukraine
3. Ukraine Hacks Russia’s Aviation Agency, Claims “Aviation Cannibalism”
4. 57,000 Kaspersky Fan Club Forum User Data Leaked in Hosting Breach
5. Ukrainian Hackers Breach Email of APT28 Leader, Who’s Wanted by FBI