Сайтэк a national Russian defense contractor has been hacked according several sources. The @0v1ruS seems to be the threat actor behind that.
The announcement say there's more than 7,5 Terabytes of stolen information. This leak includes several Russian state projects.
1/9

Screenshots from the threat actor indicates an attack against sytech[.]ru infrastructures and the access of their internal Jira.
It's showing the account used to compromise the company network : "tarasov" was used against an Active Directory under Windows Server 2008 (R2?).
2/9

A file is uploaded "DuSYKLBE[.]exe.
After that they gained the NT AUTHORITY / SYSTEM Acces on the machine named "AD2008"
3/9

They gained an access to the email server too where they showed the emails addresses in use in the sytech[.]ru domain.
4/9

They gained an Administrator access to the Jira (jira[.]stretch[.]ru and screenshot the projects page.
5/9

We can see they were connected to TITAN Windows server too.
Not confirmed but I would say it's a 2008 Windows server 2008 too.
They've showed first the disks as it and second the hard drive empties, cleaned probably after copying the content.
6/9

These screenshots are from Active Directory Users sytech[.]ru OU before and after the cleaning operation.
7/9

And the last one is an deface of the www[.]sytech[.]ru website. With a YOBA (Youth Oriented, Bydlo-Approved) Face , also known as ПеКа-фейс which is frequently used by russian trolls on different forums.
8/9

From screenshots, tools used:
- proxychains (proxychains.sourceforge.net)
- PSExec (docs.microsoft.com/en-us/sysinter…)
- ticketer[.]py (impacket script - based on the work of @gentilkiwi - by @agsolino github.com/SecureAuthCorp…)

FYI
↘️

https://twitter.com/vxsh4d0w/status/1152645308565860352?s=19

Good work from @secfarmer
↘️

https://twitter.com/secfarmer/status/1152989759695986690?s=19