Profiling YDIO, the Blackhat Group Behind #OpBRICS

Summary

XVigil discovered a new operation named #OpBRICS launched by the threat actor group Your Data is Ours (YDIO) against the following five major emerging economies:
 
Category: Adversary Intelligence
Industry: Multiple
Motivation: Public Relations
Region: Global
Source*: B2

Executive Summary

Threat
  • Blackhat group YDIO targeting organizations in five major emerging economies, under operation BRICS (#OpBRICS).

Impact
  • Leaked data contains router configurations, credentials, and PII.
  • Leaked router data can be used to conduct further attacks.
  • PII can be abused for malicious purposes including social engineering, identity theft, and phishing.

Mitigation
  • Monitor for anomalies in user accounts indicating possible account takeovers.
  • Monitor cybercrime forums for the latest tactics employed by threat actors.

Analysis and Attribution

Threat Actor Profiling

  • CloudSEK’s contextual AI digital risk platform XVigil discovered a new operation, named operation BRICS [#OpBRICS], launched by the threat actor group Your Data is Ours (YDIO) against the following five major emerging economies:
    • The Federative Republic of Brazil
    • The Russian Federation
    • The Republic of India
    • The People's Republic of China
    • The Republic of South Africa
Twitter Account of YDIO
 

About YDIO

  • YDIO group is a team of blackhats that specializes in data retrieval from corporates and governments across the world.
  • Previously operating under the name of “Dark Lulz”, the group rebranded itself as Your Data is Ours (YDIO) on 1 July 2022.
YDIO Group Description
 
  • The group runs its own forum which was registered on 30 June 2022.
  • Initially, newly formed threat groups having limited members joined their forum.
  • Later, prominent threat actors and groups joined the forum.
  • Prominent members of the YDIO group are:
  • The group has a Twitter account registered in December 2015 and a Telegram channel with a large following.
  • Target selection is done by creating polls and asking subscribers/followers to participate.
  • The entities breached by the group are listed below:
    • Nour Communications - Saudi
    • diRoma Acqua Park - Brazil
    • Bharti Airtel - India
    • Supreme Court of Brazil
    • DK Wireless - South Africa
    • Russian Space Science Institute
    • iBee aka Honeylink Technology
    • CountryOnline - Russian ISP
    • Multiple Chinese medical facilities
    • Airtel - India
    • QTEC - Russia
    • Jiangsu Real Estate Investment - China
    • National Space Research Institution - Brazil
    • Russia Nuclear Research Institute
    • Belarus Telecom
    • AIIMS Metro Station - India
    • ISA CTEEP - Brazil
    • Power Grid Corporation of India
    • 4th of July, Firework Show
    • Nettlinx Limited, India

YDIO’s Official Communication Channels

Forum : https://ydio.net/
Telegram : https://t.me/yourdataisours
Twitter : https://twitter.com/OurDatas
YouTube : https://www.youtube.com/channel/UCQXMcfdNKD2grRQptI19aIw

Techniques, Tactics, & Procedures (TTPs)

  • The group’s TTPs include compromising the products of Cambium Networks, especially the “Cambium Networks’ ePMP™ Force 300-25” wireless radio.
  • Cambium Networks is a leading global provider of wireless fabric infrastructure for business and residential broadband and Wi-Fi.
  • Entities compromised using Cambium products include the following:
    • Power Grid Corporation of India
    • The AIIMS Metro Station
    • Nettlinx India Limited
    • DK Wireless, South Africa (the leaked router configuration references Cambium)

Threat Actor Activity and Rating

Threat Actor Profiling
Active since: July 2022
Reputation: High (popular on Telegram channels, Twitter, and forums)
TTPs: Targeting vulnerable Cambium products
History: Previously involved in breaching prominent organizations of BRICS (Brazil, Russia, India, China, South Africa)
Rating: B2 (B: usually reliable; 2: probably true)

Impact & Mitigation

Impact
  • Escalation of such campaigns on a global level can lead to atrocious consequences for the governments and entities of the BRICS region.
  • Exposed data would equip malicious actors with the details required to launch sophisticated attacks.

Mitigation
  • Patch vulnerable and exploitable endpoints.
  • Monitor for anomalies in user accounts and internet-exposed web applications, indicating possible account takeovers.
  • Monitor for anomalies in databases and servers.
  • Monitor cybercrime forums for the latest tactics employed by threat actors.

Appendix

YDIO’s Logo
