Pierluigi Paganini March 07, 2025

Qilin Ransomware group claims to have breached the Ministry of Foreign Affairs of Ukraine, marking a significant cybersecurity attack.

The Russian-speaking Qilin Ransomware group claims responsibility for an attack on the Ministry of Foreign Affairs of Ukraine.

The group stated that it stole sensitive data such as private correspondence, personal information, and official decrees. The ransomware group declared that they had already sold some of the alleged stolen information to third parties.

“The data of the Ministry of foreign affairs of Ukraine ended up in our hands. The part of it was sold succesfully. Among the rest data: private correspondence, personal information, decrees etc.” reads the announcement published by the group on its Tor leak site.

The ransomware group published a collection of images of the stolen documents as proof of the attack.

The Ministry of Foreign Affairs of Ukraine has yet to confirm the data breach.

This attack can be considered part of the escalating hybrid warfare in the ongoing conflict between Russia and Ukraine, which can rely on the activity conducted by hacktivists and cybercrime groups aligned with the Kremlin’s strategy.

The Qilin ransomware group has been active since at least 2022 but gained attention in June 2024 for attacking Synnovis, a UK governmental service provider for healthcare. The group typically employs “double extortion,” stealing and encrypting victims’ data, then threatening to expose it unless a ransom is paid. In July 2024, Sophos’ Incident Response team observed Qilin’s activity on a domain controller within an organization’s Active Directory domain, with other domain controllers also infected but impacted differently.

The attackers breached the organization via compromised credentials for a VPN portal that lacked multi-factor authentication (MFA). The threat actors conducted post-exploitation activities eighteen days after initial access.

This week Qilin ransomware group also claimed responsibility for the recent cyberattack on Lee Enterprises, which impacted dozens of local newspapers.

Lee Enterprises, Inc. is a publicly traded American media company. It publishes 79 newspapers in 25 states, and more than 350 weekly, classified, and specialty publications.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)