Pro-Ukraine hacker group Black Owl poses ‘major threat’ to Russia, Kaspersky says


A little-known hacking group has emerged as a major threat to Russian state institutions and critical industries, carrying out attacks aimed at causing maximum disruption and extracting financial gain, according to a new report.

BO Team, also known as Black Owl, has been active since early 2024 and appears to operate independently, with its own arsenal of tools and tactics, researchers at Russian cybersecurity firm Kaspersky said.

Among the group’s most disruptive operations was a cyberattack last month that reportedly wiped out about a third of Russia’s national electronic court filing system. Ukrainian military intelligence (HUR) previously said it cooperated with BO Team on several operations, including breaches of Russia’s federal digital signature authority and a scientific research center.

The group typically gains initial access to victims’ systems through phishing emails containing convincing malicious attachments. Once inside, BO Team may wait weeks or even months before taking action — an unusual delay for hacktivists, who typically aim to destroy or steal data quickly. The group’s evolving toolkit includes the backdoors DarkGate, BrockenDoor and Remcos.

After compromising a network, BO Team deletes backups and virtual infrastructure using tools like Microsoft’s SDelete, and in some cases deploys Babuk ransomware to encrypt data and demand payment, the researchers said. The hackers are known to disguise their malware as legitimate Windows software.
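A process-creation check a defender would want against the backup-wiping tradecraft described above, added here as an example rather than code from the article or from Kaspersky. It assumes Sysmon Event ID 1 field names (Image, OriginalFileName, CommandLine); the path keyword list, the severity scheme and the sample events are assumptions I constructed.

```python
"""Added example, not code from the article or from Kaspersky: flag SDelete-style wiping of
backup or virtual-machine storage in Sysmon-style process-creation events (Event ID 1 field
names: Image, OriginalFileName, CommandLine). Path keywords and severities are assumptions."""
import re

# Assumed keywords: paths whose wiping points at backup / virtual-infrastructure destruction.
SENSITIVE_PATHS = re.compile(r"backup|\.bak\b|\.vbk\b|\.vhdx?\b|\.vmdk\b|veeam|hyper-v|vmware", re.I)
# SDelete switches that drive a wipe: -s recurse into subdirectories, -q quiet, -p N passes.
SDELETE_FLAGS = re.compile(r"(?:^|\s)-(?:s|q|p\s*\d+)\b", re.I)
SDELETE_NAMES = {"sdelete.exe", "sdelete64.exe"}

def is_sdelete(event: dict) -> bool:
    """Match the on-disk name OR the PE OriginalFileName; the latter survives a rename,
    which matters when the tooling is disguised as legitimate Windows software."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    return image in SDELETE_NAMES or original in SDELETE_NAMES

def classify(event: dict) -> str:
    """'critical' = SDelete aimed at backup/VM data, 'suspicious' = any other SDelete run."""
    if not is_sdelete(event):
        return "benign"
    cmd = event.get("CommandLine", "")
    if SENSITIVE_PATHS.search(cmd) and SDELETE_FLAGS.search(cmd):
        return "critical"
    return "suspicious"

def scan(events) -> list:
    """Return (ProcessId, verdict) for every non-benign event, in input order."""
    verdicts = ((e["ProcessId"], classify(e)) for e in events)
    return [(pid, v) for pid, v in verdicts if v != "benign"]

# Constructed sample events (not real telemetry): a renamed SDelete wiping a backup share,
# a plainly named SDelete zeroing free space, and a genuine svchost.exe for contrast.
SAMPLE_EVENTS = [
    {"ProcessId": 4412, "Image": "C:\\Windows\\Temp\\svchost.exe",
     "OriginalFileName": "sdelete.exe",
     "CommandLine": "svchost.exe -accepteula -s -q D:\\Backups\\daily"},
    {"ProcessId": 4413, "Image": "C:\\Tools\\sdelete64.exe",
     "OriginalFileName": "sdelete.exe",
     "CommandLine": "sdelete64.exe -accepteula -z C:"},
    {"ProcessId": 4414, "Image": "C:\\Windows\\System32\\svchost.exe",
     "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},
]

if __name__ == "__main__":
    for pid, verdict in scan(SAMPLE_EVENTS):
        print(pid, verdict)  # 4412 critical / 4413 suspicious
```

Matching on OriginalFileName rather than the process name alone is the point: a renamed binary still carries its PE version resource, so the disguise the report describes does not defeat the check.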

BO Team has exclusively targeted organizations in Russia, including state-run companies and entities in the technology, telecom and manufacturing sectors. The hackers often post about their attacks on Telegram — both to intimidate victims and draw media attention.

“BO Team is a serious threat to Russian organizations because of its unusual approach to cyberattacks,” Kaspersky said. Unlike other pro-Ukraine hacktivist groups, it shows little sign of coordination, collaboration, or tool-sharing with others — setting it apart in Russia’s current hacktivist landscape, researchers added.


Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
