Three hacking groups attacking Ukraine likely tied to Kremlin

Three hacking groups involved in the cyber war with Ukraine – XakNet Team, Infoccentr, and CyberArmyofRussia_Reborn – are likely tied to Russia’s GRU, according to Mandiant.

Mandiant has been tracking several Telegram channels of hacking groups claiming to be associated with cyber aggression against Ukraine. New evidence of the connection between hacking gangs XakNet Team, Infoccentr, and CyberArmyofRussia_Reborn and Russia’s military intelligence administration GRU has since emerged.

This conclusion is based on the groups’ deployment of wipers used by GRU-sponsored APT28 on the networks of multiple Ukrainian organizations. Later, data likely originating from those organizations appeared on the groups’ Telegram channels.

“The Russian intelligence services have an extensive history of using false hacktivist personas to support information operations and disruptive and destructive cyber activity,” the report suggests.

Despite a relative degree of confidence that XakNet Team, Infoccentr, and CyberArmyofRussia_Reborn are associated with the GRU, the exact details of this association remain unclear. Mandiant suggests two likely scenarios:

1. They work as a direct front of the GRU operations, which oversees their infrastructure and regulates activities.
2. The moderators of the Telegram channels publishing data leaks – who are not Russian intelligence officers – may directly coordinate with the GRU, which supports the creation of such channels.

XakNet Team, which is a Russian-language Telegram channel of a hacktivist group composed of “Russian patriotic volunteers,” seems to be directly supported by APT28, suggesting direct ties with the Kremlin. It also seems to be connected to a pro-Russian hacker group Killnet, which previously launched distributed denial-of-service (DDoS) attacks against Lithuania and Norway, as well as targeted several Italian institutions and ministries.

“We assess with moderate confidence that XakNet and KillNet have directly coordinated some of their activity,” Mandiant states.

However, XakNet Team and Killnet are involved in “aligned yet separate” missions, seemingly pursuing a similar goal via different means. All of this hints that XakNet Team is either comprised of GRU intelligence officers or works directly with the GRU APT28 operators.

CyberArmyofRussia_Reborn is another Telegram channel believed to be at least coordinating with APT28. The group is connected to XakNet Team, and in one-third of their Ukrainian data leaks, Mandiant observed APT28 intrusion operations on the same networks within 24 hours preceding the leaks.

Lastly, a Telegram channel Infoccentr also seems tied to XakNet Team. It’s involved in the information war with anti-Russian social media channels and outlets. The timing of their leaks is in line with this assumption.

Mandiant says that there might be other self-professed hacktivist groups that the GRU is coordinating with.

More from Cybernews:

US streaming platform leaks admin credentials and source code

The curious case of cyber warriors: backing nation states in cyberwarfare

“What is an NFT?” is the most googled NFT-related question – research

Small US firms suffer the brunt of ransomware attacks

Subscribe to our newsletter