Full Report
A Russian court sentenced a former hospital programmer to 14 years in a high-security penal colony for allegedly leaking personal data of Russian soldiers to Ukraine, authorities said.
Analysis Summary
# Incident Report: Insider Threat Leak of Russian Soldier Medical Records
## Executive Summary
A hospital programmer in Bratsk, Russia, was sentenced in May 2025 to 14 years in a high-security penal colony for treason. According to the court, in April 2022 he copied the electronic medical records and phone numbers of Russian military personnel from his workplace computer and passed them to Ukrainian intelligence services; the data was later published on a pro-Ukrainian Telegram channel, and he transferred money to a bank account allegedly used by the Ukrainian armed forces. He was arrested in July 2023 and subsequently convicted.
## Incident Details
- Discovery Date: Not stated. The arrest in July 2023 is the first dated event in the response.
- Incident Date: April 2022 (when data was copied).
- Affected Organization: Hospital in Bratsk, Russia (employed the programmer).
- Sector: Healthcare (hospital holding records of military personnel).
- Geography: Bratsk, Irkutsk Region, Russia.
## Timeline of Events
### Initial Access
- Date/Time: April 2022
- Vector: Insider Malfeasance (Authorized access to internal systems).
- Details: Alexander Levchishin, a 37-year-old programmer, copied electronic medical records of Russian military personnel from his workplace computer.
### Lateral Movement
- Not applicable. This was a localized exfiltration event utilizing existing authorized access.
### Data Exfiltration/Impact
- Data relating to Russian military personnel (electronic medical records and phone numbers).
- Financial transfer of an unspecified amount to a bank account allegedly used by the Ukrainian armed forces to purchase a vehicle.
### Detection & Response
- Detection: How and when Russian security services (FSB) learned of the leak is not stated; it occurred at some point between the copying in April 2022 and the arrest in July 2023.
- Response actions taken: The individual was arrested in July 2023. A treason trial ensued, concluding with a conviction and sentencing in May 2025.
## Attack Methodology
- Initial Access: Insider Access (Programmer for the hospital).
- Persistence: Not applicable/Not detailed.
- Privilege Escalation: Not applicable. The access was based on employment role.
- Defense Evasion: No technical evasion is described; the copying was done covertly using legitimate access.
- Credential Access: Not applicable; used existing authorized credentials/access.
- Discovery: Not detailed beyond the fact that the subject located and accessed the records of military personnel within the hospital's systems.
- Lateral Movement: Not applicable.
- Collection: Electronic copying of medical records from the workplace computer.
- Exfiltration: Data passed to Ukrainian intelligence services; the channel used to send it is not described. The data was later posted on a Telegram channel.
- Impact: Disclosure of sensitive military personnel data and financial support to an adversarial entity.
## Impact Assessment
- Financial: A fine of 50,000 rubles (approx. $550) was imposed on the individual. The amount he transferred to the Ukrainian-linked bank account is not stated.
- Data Breach: Personal data of Russian soldiers, including electronic medical records and phone numbers.
- Operational: Potential operational risk due to the exposure of troop health status and contact information.
- Reputational: Internal security implications for the military and state institutions regarding insider threat mitigation.
## Indicators of Compromise
- Network indicators: None published. The only destination named is the pro-Ukrainian Telegram channel on which the data was posted after it had been handed to Ukrainian intelligence.
- File indicators: None published. The report describes only the copying of electronic medical records from the workplace computer.
- Behavioral indicators: The prosecution questioned the subject about his prior study of the Ukrainian language. This is not a technical indicator; it reflects the investigative approach rather than evidence of how the copying was carried out.
## Response Actions
- Containment measures: Not stated. The leak is presumed to have ceased with the arrest in July 2023.
- Eradication steps: The perpetrator was detained and prosecuted.
- Recovery actions: No IT recovery actions (such as credential resets or access reviews) are reported. As part of the sentence, the individual is barred from working in certain fields for four years after release.
## Lessons Learned
- The primary weakness was an authorized insider: a programmer whose legitimate technical access extended to the medical records of military personnel. Nothing in the report indicates that the copying was detected before the data appeared on Telegram.
- Russian activists note that FSB agents sometimes provoke suspects through social media posing as sympathizers to build cases, suggesting the information gathering phase prior to the official investigation may have involved deception.
## Recommendations
- Apply least-privilege access controls and data loss prevention (DLP) to sensitive patient data, including for IT staff such as programmers and database administrators, whose direct database or file-system access often bypasses application-level controls.
- Monitor for anomalous access to records of military personnel and other high-sensitivity cohorts: bulk reads, exports, and access by roles that have no clinical need, with alerts raised close to real time rather than discovered after publication.
- Review vetting and ongoing monitoring procedures for employees handling data relevant to national security. The prosecution's questioning of the suspect's language studies is an after-the-fact line of inquiry, not a control that would have detected or prevented the copying.
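The monitoring recommendation above can be made concrete with audit-log analytics. The following is an added example written for this report; it is not code from the hospital, the investigators, or any real EHR product. It runs three detections over a constructed JSON-lines audit log: a role violation (a non-clinical role touching patient records at all), a bulk-access rule that compares each user's daily distinct-record count with that user's own median, and an export of records carrying a sensitive tag. The user ids, roles, record ids, the `military` tag and the thresholds are all assumptions chosen for illustration.

```python
"""Insider-threat detection over EHR audit logs (added example, not the
incident's own tooling). All identifiers and thresholds are assumptions."""
import json
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Roles permitted to touch patient records at all (assumed policy).
CLINICAL_ROLES = {"clinician", "nurse", "records_clerk"}
# Bulk-access thresholds (assumed; tune per environment).
BULK_ABS_MIN = 20      # distinct records in one day before 'bulk' is considered
BULK_RATIO = 5.0       # multiple of the user's own median daily volume
SENSITIVE_TAGS = {"military"}


def _constructed_sample_log():
    """Build JSON-lines audit events. Constructed data, not a real log."""
    rows = []
    base = datetime(2022, 4, 4, 9, 0)

    def add(ts, user, role, action, record, tags):
        rows.append({"ts": ts.isoformat(), "user": user, "role": role,
                     "action": action, "record": record, "tags": tags})

    for day in range(5):                       # a clinician's normal week
        for i in range(8):
            add(base + timedelta(days=day, minutes=15 * i), "dr_ivanova",
                "clinician", "read", f"p{1000 + day * 8 + i}", ["civilian"])
    for i in range(4):                         # programmer's normal work: no records
        add(base + timedelta(days=1, hours=i), "svc_dev", "programmer",
            "db_maintenance", None, [])
    for i in range(30):                        # incident day: bulk read then export
        t = base + timedelta(days=8, minutes=i)
        add(t, "svc_dev", "programmer", "read", f"p{2000 + i}", ["military"])
        add(t + timedelta(seconds=30), "svc_dev", "programmer", "export",
            f"p{2000 + i}", ["military"])
    return "\n".join(json.dumps(r) for r in rows)


SAMPLE_AUDIT_LOG = _constructed_sample_log()


def parse_events(text):
    """Parse JSON lines into event dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def detect(events):
    """Return a list of alerts {user, day, rule, detail}."""
    alerts = []
    per_day_records = defaultdict(set)     # (user, day) -> distinct record ids
    role_violations = defaultdict(int)     # (user, day) -> record events by non-clinical role
    sensitive_exports = defaultdict(set)   # (user, day) -> sensitive records exported

    for ev in events:
        if ev["record"] is None:
            continue                       # non-record actions carry no patient data
        key = (ev["user"], ev["ts"].date().isoformat())
        per_day_records[key].add(ev["record"])
        if ev["role"] not in CLINICAL_ROLES:
            role_violations[key] += 1
        if ev["action"] == "export" and SENSITIVE_TAGS & set(ev["tags"]):
            sensitive_exports[key].add(ev["record"])

    for (user, day), n in role_violations.items():
        alerts.append({"user": user, "day": day, "rule": "role_violation",
                       "detail": f"{n} patient-record events by a non-clinical role"})

    # Bulk access: compare each day against the user's own other days.
    by_user = defaultdict(dict)
    for (user, day), recs in per_day_records.items():
        by_user[user][day] = len(recs)
    for user, days in by_user.items():
        for day, count in days.items():
            others = [c for d, c in days.items() if d != day]
            baseline = statistics.median(others) if others else None
            if count >= BULK_ABS_MIN and (baseline is None or count >= BULK_RATIO * baseline):
                alerts.append({"user": user, "day": day, "rule": "bulk_access",
                               "detail": f"{count} distinct records (baseline {baseline})"})

    for (user, day), recs in sensitive_exports.items():
        alerts.append({"user": user, "day": day, "rule": "sensitive_export",
                       "detail": f"exported {len(recs)} records tagged {sorted(SENSITIVE_TAGS)}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_AUDIT_LOG)):
        print(alert)
```

On the constructed log the clinician's steady eight charts a day never crosses the absolute threshold, while the programmer account trips all three rules on the single day it touches records: a role it should never have, thirty distinct records with no personal baseline, and an export of every sensitive record it read. In practice the role rule is the cheapest and most reliable of the three; the baseline rule needs enough history per user to be meaningful, and a new or rarely active account (as here) should be treated as having no baseline rather than a baseline of zero.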