Russia’s war in Ukraine is currently widely mirrored in cyberspace, engaging many different parties in an ever-increasing dispute. In this blog post, we will focus on developments in the world of cybercrime (which supposedly do not involve nation-state threat actors) in the current war context.
For the past week, hackers and cybercriminal gangs have unceasingly joined the anti-Russian rhetoric, the pro-Ukrainian one or else the counter-propaganda course. Also, some have remained silent or neutral (“we are not state-sponsored and we are not in politics at all”, as stated by LockBit on February 27), and others declared they would only adopt defensive measures if their country or their peers were threatened.
The majority of these groups are newly created or were not prominent prior to 2022. Until now, their attacks are not very advanced technically (DDoS, defacement, data breach, data leak, account compromise, and some ransomware distribution, but still not confirmed).
Some of the motivations of the perpetrators of cyber attacks in the context of the war in Ukraine might relate to the following:
- to gain visibility, in view of the high coverage and scrutiny of current events;
- to breach and sell data, remote access or other sensitive information in order to generate more revenue (some targets are currently worth more than others). Note that the ultimate goal of cybercriminals remains the financial gain;
- to breach and leak sensitive data in order to weaken and discredit the target and show it in a bad light;
- to dig up and resell old databases or any other information that would be of interest to other threat actors at the present time;
- to stand well with their respective national authorities, to align with the rhetoric of their government;
- a sense of revenge when attacking the critical infrastructure of an adversary state or organization, given the possible damages;
- to “unmask” the agenda or the intentions of the authorities (including in the eyes of their own citizens);
- operating with a certain sense of impunity – their actions will most likely be popular and will probably be tolerated – if not appreciated – by authorities in their respective countries, as long as the attacks they carry out are closely aligned with state interests;
- to prove they can run cyber attacks with greater resonance and greater impact than rival groups;
- to identify themselves as being on the “right” side of the conflict, partly for ideological considerations.
We also see some pro-Ukrainian or pro-Russian threat groups who are now attacking each other. The Russian hacker group Killnet would have attacked the official website of Anonymous; and now there is information about the group`s organization and pictures from their online meetings circulating on several Russian-language Deep Web sources. The AgainstTheWest (ATW) group claims it “fully doxed and Social Engineered the team at CoomingProject”, which is another cybercrime gang.
Mars, a red-hot information stealer
However, what makes it more difficult for threat actors is the disparities within many different groups, such as ransomware clusters. As a result, some of these groups stay silent and continue to operate without apparent political motivation. In other cases, these results in genuine in-house collapses, as happened to the Conti ransomware group.
Initial and edited versions of the Conti statement
On February 25, a message was posted on Conti’s extortion site announcing its “full support for the Russian government.” Shortly afterwards, the message was modified, with the group stating they “do not ally with any government” and threatening to use its full capabilities ”to strike back” only. Soon after, a source with close links to the group leaked the source code of the ransomware, tens of thousands of messages exchanged by Conti members, email addresses, C&C server details and many more. “Glory to Ukraine” the author of the leak said in his message.
The SEKOIA.IO team is closely monitoring the evolution of the group and analyses the leaked information to produce further intelligence. Meanwhile, the group continues to post new victims on its extortion site.
Targeted campaigns as well as opportunistic ones have been observed recently, as any gateway is to be walked through for cybercriminals. Apart from victims of opportunistic attacks and collateral victims, there are some other potential targets of cybercriminals:
- businesses based in / Government bodies of countries imposing sanctions on Russia;
- international organizations implementing measures against Russia;
- member states of the North Atlantic Treaty Organization (NATO);
- foreign companies with significant capital in Russia and Ukraine;
- critical infrastructure, defence, financial, media and telecommunications industries.
Should we expect new guidelines regarding the “allowed to attack” countries list?
By the end of February, a member of a Russian-speaking underground forum was asking the forum’s administration: “A practical question – in which countries our work is not allowed on the forum, is it possible to see an up to date list, admin ?”. This question is much more insightful than it might seem, as it refers to the guidelines that the majority of Russian-speaking cybercriminal forums have adopted, which stipulates that malicious activities targeting the Commonwealth of Independent States are forbidden, and Ukraine was implicitly included.
Although not all cybercriminals are present on such platforms (which by the way decline any political affiliation, as the XSS forum has done on several occasions), these forums do reflect the general trends in the world of cybercrime and play an important role in structuring the activities of the underground communities of all kinds.
So one might expect to see an increase in interest from cybercriminals in compromising companies in CIS countries or former CIS members. This also concerns any foreign company established there or having close ties with local companies.
Therefore, we should anticipate a growing interest in the sensitive data of NATO member countries, as we have seen in a number of publications on several cybercrime forums since the end of February.
To give just one example, below is a threat actor looking for compromised remote access for companies based in Ukraine or in one of the NATO countries with revenues exceeding $3 million. On March 1, the same actor was “looking for a botnet to target and attack corporate networks”. On the same day, he contacted a custom ransomware developer to affiliate with him or else to acquire his ransomware.
A threat actor looking for remote access and botnets to use in campaigns
against Ukraine or NATO member countries
The IT Army of Ukraine as a resistance and counter-resistance tool
On 26 February, two days after Russia invaded Ukraine, the Ukraine’s Minister for Digital Transformation Mykhaylo Fedorov announced the creation of an Ukrainian “IT army”. Volunteer hackers were invited to “fight on the cyber front” by conducting cyber attacks against multiple Russian-based targets. Soon after, a Telegram channel was created to organize the IT Army’s operations and recruit various cyber security specialists, developers, designers, copywriters, marketers and others.
Lists of targets are continuously being released and updated on this platform, attack guidelines are also available and they are actively communicating about their successful operations.
As the proclaimed mandate of the Ukrainian “IT army” is to get Russian disinformation down, the number one target is the media industry. Numerous government agencies, government storage devices and mail servers, financial institutions, large corporations supporting critical infrastructure, electronic signature apps are also in the target of the “cyber-troops”. Russia and Belarus-based entities have been targeted so far.
Ukraine’s IT Army messages posted on its official Telegram channel
So for the moment, “all possible vectors of attacks” are encouraged to “counter Russian propaganda”, rather than to gain a strategic military advantage.
There is no clear picture of the actual number of volunteers who answered the ministry’s call since several other actors are now engaged in offensive cyber operations targeting Russia and some claims are difficult to assess.
They declared “Cyber War” on Russia
Of the first to oppose Russia’s invasion of Ukraine was the activist- and hacktivist international movement Anonymous. The group is targeting mainly Russian sites and services in response to Putin’s invasion of Ukraine.
The numerous Anonymous community members are very actively sharing their “achievements” through social networks. So did the AgainstTheWest (ATW) group – in affiliation with BlueHornet (BH) group – who seemed to use the current circumstances to return to the hacktivist scene, as they had been inactive for some time.
In contrast to what its name might suggest, AgainstTheWest (ATW) is a threat group targeting government and corporate networks in China, Russia and, more recently, North Korea, Belarus and Iran. ATW has breached and leaked many high-profile victims in Russia and Belarus.
AgainstTheWest’s announcements on the group’s Telegram account
What comes up most often for those gang’s campaigns are DoS (denial-of-service) and defacement attacks. The AgainstTheWest (ATW) group also declares deploying ransomware and wipers.
Some of the attacks claimed by these groups have been confirmed by the victims themselves via press conferences.
Walking on APT31 infrastructure footprints
China and Belarus are not immune to offensive campaigns
A group of Belarusian politically motivated “ethical” hackers known as the Belarusian Cyber Partisans claimed they attacked the Belarusian Railways which, they say, “managed to slow down Russian echelons in Belarus”. The information was later confirmed by a posting on a Telegram channel run by Belarusian rail workers. On March 1, they stated: “As of today, Belarusian Railways is unable to ensure the safety of its infrastructure. Military trains from the Russian side do not move during the night. Train drivers are afraid to go out for shifts”.
Also, the Chinese government institutions would have been targeted by Anonymous in an attempt to condemn any country making alliances with Russia.
Russian hackers are striking back
For now, most Russian threat groups have been mostly defensive with statements such as “we’re not going to stop defending our country (…) but we will not attack first” (TheRedBanditsRU).
Nevertheless, the situation seems to escalate very quickly with the recent attack on Anonymous’ website by Killnet and the breakdown of international relations following the war and the sanctions against Russia imposed by the international community.
Digital Cobra and TheRedBanditsRU announcements on their Twitter accounts
TheRedBanditsRU is going after Government targets and is actively recruiting affiliates right now. The Stormous ransomware group seems to focus on the U.S. networks, while DIGITAL COBRA is threatening the NATO countries. Also, the DIGITAL COBRA is using the #HiddenCobra hashtag in its publications. We are not currently able to qualify any link between this actor and the Lazarus Group.
Stormous Ransomware announcements on the group’s Telegram account
The cybercrime landscape is complex and partially unpredictable, particularly in the light of the current geopolitical context.
Ongoing awareness of cybercrime threat and continued vigilance with regard to the threat actors mentioned in this report is vital during this time.
• [SEKOIA.IO] Dark Web investigations
• [Ukraine’s Minister for Digital Transformation on Twitter] Announcement of the creation of an Ukrainian “IT army”
• [Belarusian rail workers on Telegram] Summary of the situation on the Belarusian Railways (RU)
Chat with our team!
Would you like to know more about our solutions? Do you want to discover our XDR and CTI products? Do you have a cybersecurity project in your organization? Make an appointment and meet us!