Profiling YDIO, the Blackhat Group Behind #OpBRICS

XVigil discovered a new operation named #OpBRICS launched by the threat actor group Your Data is Ours (YDIO) against the following five major emerging economies:
Updated on
April 19, 2023
Published on
July 21, 2022
Subscribe to the latest industry news, threats and resources.
Category: Adversary Intelligence Industry: Multiple Motivation: Public Relations Region: Global Source*: B2

Executive Summary

  • Blackhat group YDIO targeting organizations in five major emerging economies, under operation BRICS (#OpBRICS).
  • Leaked data contains router configurations, credentials, and PII.
  • Leaked router data can be used to conduct further attacks.
  • PII can be abused for malicious purposes including social engineering, identity theft, and phishing.
  • Monitor for anomalies in user accounts indicating possible account takeovers.
  • Monitor cybercrime forums for the latest tactics employed by threat actors.

Analysis and Attribution

Threat Actor Profiling

  • CloudSEK’s contextual AI digital risk platform XVigil discovered a new operation named #OpBRICS launched by the threat actor group Your Data is Ours (YDIO) against the following five major emerging economies:
    • The Federative Republic of Brazil
    • The Russian Federation
    • The Republic of India
    • The People's Republic of China
    • The Republic of South Africa under the name operation BRICS [#OpBRICS].
[caption id="attachment_20052" align="aligncenter" width="810"]Twitter Account of YDIO Twitter Account of YDIO[/caption]  

About YDIO

  • YDIO group is a team of blackhats that specializes in data retrieval from corporates and governments across the world.
  • Previously operating under the name of “Dark Lulz”, the group rebranded itself as Your Data is Ours (YDIO) on 1 July 2022.
[caption id="attachment_20053" align="aligncenter" width="764"]YDIO Group Description YDIO Group Description[/caption]  
  • The group runs its own forum which was registered on 30 June 2022.
  • Initially, newly formed threat groups having limited members joined their forum.
  • Later, prominent threat actors and groups joined the forum.
  • Prominent members of the YDIO group are:
  • The group has a Twitter account registered in December 2015 and a telegram channel with a large following.
  • Target selection is done by creating polls and asking subscribers/followers to participate.
  • The table below contains the list of entities breached by the group.
Nour Communications - Saudi diRoma Acqua Park - Brazil
Bharti Airtel - India Supreme Court of Brazil
DK Wireless - South Africa Russian Space Science Institute
iBee aka Honeylink Technology CountryOnline - Russian ISP
Multiple Chinese medical facilities Airtel - India
QTEC - Russia Jiangsu Real Estate Investment - China
National Space Research Institution - Brazil Russia Nuclear Research Institute
Belarus Telecom AIIMS Metro Station - India
ISA CTEEP - Brazil Power Grid Corporation of India
4th of July, Firework Show Nettlinx Limited, India

YDIO’s Official Communication Channels

Forum :
Telegram :
Twitter :
YouTube :

Techniques, Tactics, & Procedures (TTPs)

  • The group’s TTPs include compromising the products of Cambium Networks, especially the “Cambium Networks’ ePMP™ Force 300-25” wireless radio.
  • Cambium Networks is a leading global provider of wireless fabric infrastructure for business and residential broadband and Wi-Fi.
  • Entities compromised using Cambium products include the following:
  • Power Grid Corporation of India.
  • The AIIMS Metro Station.
  • Nettlinx India Limited.
  • DK Wireless, South Africa. (references to cambium in leaked router config)

Threat Actor Activity and Rating

Threat Actor Profiling
Active since July 2022
Reputation High (Popular on Telegram channels, Twitter, and forums)
TTPs Targeting vulnerable Cambium products
History Previously involved in breaching prominent organizations of BRICS (Brazil, Russia, India, China, South Africa)
Rating B2 (B: Usually reliable 2: Probably true)

Impact & Mitigation

Impact Mitigation
  • Escalation of such campaigns on a global level can lead to atrocious consequences for the governments and entities of BRICS region.
  • Exposed data would equip malicious actors with details required to launch sophisticated attacks.
  • Patch vulnerable and exploitable endpoints.
  • Monitor for anomalies in user accounts and internet-exposed web applications, indicating possible account takeovers.
  • Monitor for anomalies in database and server
  • Monitor cybercrime forums for the latest tactics employed by threat actors.



YDIO’s Logo  

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations