Quick Summary
Executive Summary
Sunass, a Peruvian organization, was listed as a victim by the Nova ransomware group on June 16, 2026. The listing was identified through SOCRadar’s Dark Web Monitoring. The specific industry is not recorded, but the .gob.pe domain indicates a public-sector entity. The listing marks an expansion into Peru’s government sector within Nova’s broader geographic reach. Nova has been actively listing victims; its recent activity targets the technology and education sectors, but it also demonstrates a willingness to target government and public institutions, as seen with other recent targets such as the NSW Government and Universitas Nasional.
Technical Analysis
SOCRadar’s stealer-log telemetry revealed explicit corporate email credentials for the sunass.gob.pe domain, along with consumer and masked account handles on internal Sunass services. Critical endpoints identified include the corporate mail server and an internal document-management portal. The captured credentials, dated between June 12 and June 15, 2026, are consistent with typical initial access vectors for ransomware attacks, where compromised credentials are used to gain access to corporate networks.
Nova may have used the compromised credentials, following a common kill chain for this type of incident: sourcing infostealer logs, validating corporate credentials, and then accessing systems such as Microsoft 365, VPNs, or remote-access portals to deploy ransomware.
CTI teams are advised to prioritize forced password resets for the identified mail accounts, review authentication logs for the mail server and document-management portal, and reconcile masked handles against the internal directory.
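One way to carry out the reconciliation of masked handles against the internal directory, as an added example that is not part of the original report or SOCRadar's tooling. It assumes masked handles hide characters with runs of `*`; the directory entries, the handles and the function names are constructed for illustration.

```python
import re

# Constructed sample data (assumption): invented usernames and masked handles.
DIRECTORY = ["jperez", "jpaez", "mrojas", "mramos", "lquispe"]
MASKED = ["jp***z@sunass.gob.pe", "m****s", "l*e", "x***"]

def mask_to_regex(masked, preserve_length):
    """Turn a masked handle into a regex; each run of '*' is a hidden span."""
    pieces = []
    for part in re.split(r"(\*+)", masked.lower()):
        if part.startswith("*"):
            # Some feeds keep one '*' per hidden character, others do not.
            pieces.append(".{%d}" % len(part) if preserve_length else ".+")
        else:
            pieces.append(re.escape(part))
    return re.compile("".join(pieces))

def reconcile(masked_handles, directory):
    """Map each masked handle to (match mode, candidate directory accounts)."""
    names = sorted({entry.lower() for entry in directory})
    results = {}
    for handle in masked_handles:
        local = handle.split("@", 1)[0]  # compare the local part only
        strict = mask_to_regex(local, preserve_length=True)
        hits = [n for n in names if strict.fullmatch(n)]
        mode = "exact-length"
        if not hits:
            # Fall back to treating a '*' run as "one or more characters".
            loose = mask_to_regex(local, preserve_length=False)
            hits = [n for n in names if loose.fullmatch(n)]
            mode = "variable-length" if hits else "no-match"
        results[handle] = (mode, hits)
    return results

def accounts_to_reset(results):
    """Every candidate is reset: an ambiguous mask cannot clear any of them."""
    return sorted({name for _, hits in results.values() for name in hits})

if __name__ == "__main__":
    outcome = reconcile(MASKED, DIRECTORY)
    for handle, (mode, hits) in outcome.items():
        print(f"{handle:24} {mode:16} {hits}")
    print("reset:", accounts_to_reset(outcome))
```

A handle that matches several directory accounts stays ambiguous, so every candidate goes on the reset list; a handle with no match may belong to a consumer account or a departed user and needs manual review.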