Dr.Web reports cyber attack and security breach, disconnects all servers
Russian anti-malware company Doctor Web (Dr.Web) disclosed a security breach after detecting signs of unauthorized interference with its IT infrastructure.
The cyberattack began on Saturday, September 14, 2024, prompting the company to disconnect all servers from its internal network to prevent further damage. This action temporarily halted virus database updates to customers on Monday, as Dr.Web focused on investigating and mitigating the breach.
In a public statement, Dr.Web emphasized that no customer systems protected by its software were impacted, and the threat was successfully neutralized. Following their security policies, they initiated a comprehensive security diagnostic process. Updates to virus databases resumed on Tuesday, September 17, after the company implemented security measures, including using their Dr.Web FixIt! for Linux tool to isolate the threat.
Dr.Web has not provided further details on the nature of the attack.
Update, October 8, 2024: the pro-Ukrainian hacktivist group DumpForums has claimed responsibility for the cyberattack on Dr.Web. The attackers assert that they infiltrated Dr.Web's internal systems and stole over 10 terabytes of sensitive data. DumpForums published details of the breach, including what it presents as evidence of access to critical parts of Dr.Web's infrastructure:
- the GitLab server containing internal projects and developments;
- the corporate email server;
- internal tools such as Confluence, Redmine, Jenkins, Mantis, and RocketChat;
- client and user data: the attackers claim to have accessed and leaked Dr.Web's entire client and user database.
Dr.Web has not provided further updates since its initial announcement about the attack on September 17, and the veracity of DumpForums' claims remains unconfirmed.