
Threat Actor Characterization

RuskiNet Group


ID: 9cd749301d8b2fcbd1efb402a05cd5d018322
Hacktivist Group Hacktivism
Threat types: Hacktivism, DDoS Attack, Intrusion
Russia DZA, CAN, FRA, DEU, IND, ISR, NGA, POL, GBR, USA
Updated: 2026-03-14
Created: 2026-02-19
Progress: 83% Completeness: 89% Freshness: 70%
Operation zone: Algeria, Canada, France, Germany, India, Israel, Nigeria, Poland, United Kingdom, United States
Aliases: RuskiNet, RuskiNetGroup
MITRE ATT&CK®

RuskiNet Group is a hacktivist brand first reported in early 2025, linked to pro-Russia-aligned narratives and event-driven campaigns featuring DDoS/defacement claims and opportunistic hack-and-leak messaging via social platforms and forums.


Technique | Technique name | Tactics | Evidence
T1498 | Network Denial of Service | TA0040 | 2025-09-18 — KELA places RuskiNet among hacktivist collectives rallying around ops and threatening disruption; consistent with denial-of-service posture. (INFERENCE, confidence: medium)
T1491.001 | Internal Defacement | TA0040 | 2025-06-17 — Group-IB states RuskiNet claims span DDoS attacks and website defacements; defacement maps to web content modification. (INFERENCE, confidence: medium)
T1589 | Gather Victim Identity Information | TA0043 | 2025-06-17 — Group-IB describes wide multi-country targeting; suggests OSINT-driven victim selection and profiling. (INFERENCE, confidence: medium)
T1567 | Exfiltration Over Web Service | TA0010 | 2025-06-14 — ZeroFox reports YK3 associated with RuskiNet claimed leaking 935,000 records; implies data collection and exfiltration though mechanism unverified. (INFERENCE, confidence: medium)
T1654 | Log Enumeration | TA0007 | 2025-06-17 — Group-IB documents recycled data presented as new leak; public leak narratives and propaganda-like claims align with information operations / disinformation aspects. (INFERENCE, confidence: medium)
Strategic Intelligence
Last updated: 2026-02-20T03:08:13+00:00

RuskiNet Group — pro-Russian-aligned hacktivist brand associated with disruptive operations and opportunistic “hack-and-leak” claims

Classification: TLP:WHITE — Open Source Intelligence (OSINT)

Category: Hacktivism / Hybrid cyber influence (DDoS + breach/leak claims) — Origin: INFERENCE (confidence: medium) Eastern Europe / Russia-aligned online milieu

Author: iQBlack CTI Team.


Executive Summary

RuskiNet Group (“RuskiNet”) is an online hacktivist brand first observed in early 2025, linked in vendor reporting to a pro‑Russian / Russia‑aligned information environment and to opportunistic disruption campaigns. Reporting describes a pattern of publicly claimed DDoS activity, website defacements, and “hack‑and‑leak” / breach claims, frequently distributed via social media and underground forums, often around geopolitical flashpoints.

Multiple sources emphasize that many hacktivist breach claims across this ecosystem are difficult to verify and sometimes involve recycled data. Group‑IB assessed RuskiNet as “low reliability” and documented an example where a RuskiNet‑affiliated persona (“YK3”) posted a purported SAP Israel dataset that showed overlap with an older (2023) leak dataset, consistent with data recycling patterns observed in hacktivist leak narratives.

Operationally, RuskiNet should be treated as a volatility amplifier: it can generate short‑notice disruption attempts (commonly DDoS/defacement claims) and reputational pressure through leak narratives, even when technical depth is limited. Defensive focus should prioritize resilience to denial‑of‑service, rapid triage/verification of leak claims, and tight controls on exposed web services and identity.

Executive Analyst Brief for CISO

Executive Analyst Brief for CISO — RuskiNet Group

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Hunting Playbook

Hunting Playbook — RuskiNet Group

Purpose: Operational hunting ideas aligned to RuskiNet Group’s assessed hacktivist tradecraft (DDoS/defacement/hack-and-leak-style claims) plus adjacent pro-Russia/pro-ideology hacktivist patterns. Use as a starting point; tune thresholds to your baseline.

IOC Appendix
Last updated: 2026-02-20T03:23:23+00:00

IOC Appendix (TLP:WHITE) — RuskiNet Group

This appendix lists OSINT-observed identifiers associated with the RuskiNet brand. Because the actor’s public narrative contains unverifiable claims and potential data recycling, treat these items as pivot points (tracking / collection) rather than confirmed intrusion infrastructure.

OSINT Library
Last saved: 2026-02-20T03:24:09+00:00

OSINT Library — RuskiNet Group

Note: This is a curated starter set of open sources for tracking RuskiNet Group and adjacent hacktivist tradecraft. Validate low-fidelity “claim” sources before operational use.


Social Media & Communication
SOCMINT integrated: 0/5

Address | Verification | SOCMINT
twitter.com/Rus***** | Restricted | Not integrated
t.me/rus********** | Restricted | Not integrated
t.me/rus*********** | Restricted | Not integrated
t.me/Rus********* | Restricted | Not integrated
t.me/rus***** | Restricted | Not integrated
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence

[Image: Hacked website propaganda]