Russian Hacktivist group Phoenix targets India’s Health Ministry Website

CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor group claiming to have targeted an Indian government website.
Updated on
April 19, 2023
Published on
March 16, 2023
Subscribe to the latest industry news, threats and resources.
  • Category: Compromised Access
  • Region: India

Executive Summary


  • A Russian Threat actor group targeted the Indian Health ministry’s Health management system. 
  •  The group mentioned the attack as a consequence of India’s agreement over the Oil Price cap and sanctions of G-20 over the Russia-Ukraine war.


  • Access to HMIS Portal, Hospital, employee and Physicians data. 
  • Plausibility of further cyber attacks by such hacktivist groups under the pretext of India’s Geopolitical stances. 
  • Selling exfiltrated license documents and PII on cybercrime forums.
  • Conducting document fraud using PII and license documents.


  • Monitor for anomalies in user accounts, which could indicate possible account takeovers
  • Use load balancer and DDoS protection services.
  • Blocking unnecessary IP addresses and geolocations.
  • Regularly updating and patching vulnerabilities can reduce the chances of a website being attacked.

Analysis and Attribution

Information from the Post

  • On 15 March 2023, CloudSEK’s contextual AI digital risk platform XVigil  discovered a threat actor group claiming to have targeted an Indian government website. 
  • An analysis of the samples shared concluded that the affected entity is the Health Management Information system belonging to the Indian Ministry of Health.
  • The threat actor group mentioned in the post claiming to have access to 
  • All the Hospitals of India 
  • Employees and Chief Physicians 
Telegram Post from the Telegram Channel

Information from channel

  • The motive behind this target was the sanctions imposed against the Russian Federation where Indian authorities decided not to violate the sanctions as well as comply with the price ceiling for Russian oil approved by G7 countries..
  • This decision resulted in multiple polls on the telegram channel of the Russian Hacktivist Phoenix asking the followers for their votes. 
Telegram Polls regarding India’s stance over the war

Tactics, Techniques and Procedures [TTPs]

  • The Hacktivist group Phoenix was observed using social engineering techniques to lure the victims in a phishing scam thereafter stealing the passwords and  gaining access to its victims’ bank or e-payment accounts.
  • The Group has conducted a series of DDoS attacks against multiple entities in the past.
  • Phoenix has also engaged in hardware hacking, unlocking lost or stolen iPhones and reselling them in Kyiv and Kharkiv through a network of controlled outlets.

Threat Actor Activity and Rating

Threat Actor Profiling

  • Active since: January 2022
  • Reputation: Moderate
  • Current Status: Active
  • History: The Russian Hactivist group has shown a history of targeting the following entities:
  1. Hospitals based in Japan and the United Kingdom. 
  2. U.S. based healthcare organization serving the US military
  3. DDoS attacks against LGBTQ dating websites and community forums based in Russia
  4. The Ministry of Health, the Federal Public Procurement Regulatory Authority, the Ministry of Food Control, the Supreme Court, the Ministry of Home Affairs, and a number of other departments of Pakistan
  5. DDoS attack on the website of the Spanish Foreign Ministry
  • Rating: C3 [C: Fairly reliable; 3: Possibly true]



Image of the HMIS Portal shared by the group

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations