Hacktivists enjoy free rein as Ukraine war rages on


Since Russia invaded Ukraine, hacktivists have enjoyed an increasingly permissive environment, with governments on both sides licensing their actions.

Furthermore, the lines between Anonymous-style collectives of hackers, nation-state groups, and cybercriminal outfits have blurred as they mimic each other to cover their tracks, and formerly distinct entities overlap in their goals and strategies, research by security analyst ReliaQuest suggests.


“The revival of hacktivism has largely been facilitated by one event: Vladimir Putin’s ‘special military operation,’ or Russia’s invasion of Ukraine,” said ReliaQuest, with the outbreak of war prompting nation-states to endorse hacktivism by “encouraging activity that can harm adversaries.”

“This has dramatically changed the perception of hacktivism, moving away from the notion of being solely a harmful act and instead toward defiance and self-defense,” it added.

Hard to tell who’s who

ReliaQuest cites major partisan units such as the IT Army of Ukraine and its Russian counterpart Killnet as the chief beneficiaries of official sanction, which allows them to operate without fear of prosecution from within their respective territories.

But outliers such as MalasLocker, which demands that victims donate money to charity rather than pay the group directly, are also mentioned as emerging threats taking advantage of the fertile ground that the war has provided.

“It’s becoming increasingly difficult for security researchers and defenders to distinguish between cybercriminal, nation-state, and hacktivist activity, with many of these groups using similar techniques or deliberately obfuscating their identities,” said ReliaQuest.

“In May 2023, the MalasLocker ransomware group, which practices double extortion, demanded donations to a charity rather than a ransom payment to the group,” it added. “Nation-state threat actors have also been exploiting hacktivism trends to hide their motives, with varying levels of success.”

Cyber partisans gather in force


Moreover, hacktivists and interlinked entities are crowdsourcing their activities, distributing denial of service (DoS) tools that can be readily picked up and used by cyber partisans with little or no training.

“Simple DoS tools are distributed online, enabling threat actors with minimal technical knowledge to conduct cyber attacks,” it said. “The IT Army of Ukraine, Killnet, and other hacktivist collectives have directed tens of thousands of online followers to conduct attacks via their Telegram channels.”

ReliaQuest adds that, between February and July this year, it tracked links posted on Telegram to some 650 websites targeted by Killnet and Anonymous Sudan — the latter group is suspected by cybersecurity analysts of also originating from Russia rather than the African state.

“Despite its name, it is realistically possible that Anonymous Sudan is composed of pro-Russia hackers who are operating under the guise of Sudanese geopolitical issues to mask their true agenda,” it said.

ReliaQuest says that some of the domain names it observed cropped up more than once during its investigation, “sometimes on consecutive days, suggesting that the groups launched protracted and disparate campaigns against individual targets.”

Telegram indicators of activity for both groups peaked in April, with 234 claimed hits between them, which ReliaQuest puts down to Anonymous Sudan claiming responsibility for DDoS attacks against Israeli targets, including the secret intelligence service Mossad.

“Anonymous Sudan claimed to be showing support for the people of Palestine, in the context of the Israeli-Palestinian conflict,” it added.
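The tracking ReliaQuest describes above (links in Telegram posts resolved to target domains, domains that recur on consecutive days, and claims tallied per month) is straightforward to reproduce from a feed of channel messages. The script below is an added example written for this page, not ReliaQuest’s tooling or data: the posts are constructed, the channel names and example.* domains are placeholders, and the thresholds (any repeat, any two adjacent days) are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import date, timedelta
from urllib.parse import urlparse

# Constructed sample posts in the shape of hacktivist "target list" claims:
# (ISO date, channel, message text). Channel names and example.* domains are
# placeholders, not real channels or targets.
SAMPLE_POSTS = [
    ("2023-04-03", "killnet_channel", "Target: https://www.bank.example.com/login down!"),
    ("2023-04-03", "anon_sudan", "https://portal.example.org/ #OpIsrael"),
    ("2023-04-04", "killnet_channel", "again https://bank.example.com and http://mail.example.net"),
    ("2023-04-05", "anon_sudan", "http://portal.example.org/status 403 :)"),
    ("2023-05-10", "killnet_channel", "https://hospital.example.edu is offline"),
    ("2023-05-12", "anon_sudan", "no urls here, just text"),
]

# Simple URL matcher: scheme, then everything up to whitespace or a quote/angle bracket.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_domains(text):
    """Return the hostnames found in the URLs of one post.

    Hosts are lowercased and a leading 'www.' is dropped so that
    www.bank.example.com and bank.example.com count as the same target.
    """
    domains = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if not host:
            continue
        host = host.lower()
        if host.startswith("www."):
            host = host[4:]
        domains.append(host)
    return domains


def build_claims(posts):
    """Map each domain to the sorted list of distinct dates on which it was claimed."""
    claims = defaultdict(set)
    for day, _channel, text in posts:
        for domain in extract_domains(text):
            claims[domain].add(date.fromisoformat(day))
    return {domain: sorted(days) for domain, days in claims.items()}


def repeated_targets(claims):
    """Domains claimed on more than one day (the 'cropped up more than once' signal)."""
    return sorted(domain for domain, days in claims.items() if len(days) > 1)


def consecutive_day_targets(claims):
    """Domains claimed on at least two consecutive calendar days, i.e. protracted campaigns."""
    hits = []
    for domain, days in claims.items():
        if any(b - a == timedelta(days=1) for a, b in zip(days, days[1:])):
            hits.append(domain)
    return sorted(hits)


def claims_per_month(posts):
    """Count distinct (domain, day) claims per YYYY-MM; the series whose peak the report discusses."""
    seen = set()
    for day, _channel, text in posts:
        for domain in extract_domains(text):
            seen.add((day[:7], domain, day))  # de-duplicate a domain claimed twice on one day
    return Counter(month for month, _, _ in seen)


if __name__ == "__main__":
    claims = build_claims(SAMPLE_POSTS)
    print("distinct targets:", len(claims))
    print("repeated targets:", repeated_targets(claims))
    print("consecutive-day targets:", consecutive_day_targets(claims))
    print("claims per month:", dict(claims_per_month(SAMPLE_POSTS)))
```

Counting distinct (domain, day) pairs rather than raw posts matters: the same target is often reposted several times a day across channels, and without de-duplication the monthly series overstates activity. Against a real feed, the domain list is also the natural input for checking whether any of your own assets appear.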

[Image: “Dark Parliament” Killnet post] A typical Telegram post purporting to be from Killnet, Anonymous Sudan, and a third Russia-aligned group, REvil, which some claim reformed after a Kremlin crackdown.

Digital smoke and mirrors

In June, Killnet, Anonymous Sudan, and REvil — which may or may not have reformed after being shut down last year by the Kremlin, depending on which reports you believe — allegedly joined forces to attack European banks.


ReliaQuest cites a video posted online in which the three threatened to conduct the “most powerful cyber attacks [much more serious than DDoS] in the recent history of the world.”

“Killnet claimed that the goal was to prevent funds from reaching Ukraine,” added ReliaQuest, which then pointed to other data that appears to contradict such claims.

ReliaQuest’s argument rests on figures indicating that the lion’s share of targets named by these threat actors that same month were organizations in the healthcare and science and technology sectors. By contrast, only a few financial targets were named on Telegram by Killnet et al. during the same period.

“However, it is realistically possible that these attacks were conducted but not announced on Telegram,” it added. “Exactly why this would occur is unclear. We can also deem it realistically possible that other companies targeted by Killnet were similarly not posted on Telegram, so the group’s overall activity level is likely to be greater than represented in the graph above.”

DDoS still the weapon of choice

The chosen tactics, techniques, and procedures of Anonymous-inspired hacktivist groups have remained largely unchanged since that collective’s peak in 2012-2017, with DDoS being the favored means of attack. ReliaQuest believes this could change over the long term.

“While hacktivism is absolutely a threat right now, the introduction of ransomware or destructive malware would significantly increase the risk associated with hacktivist actors,” it said.

Targeted data breaches, website defacement, and doxxing, the publication of a victim’s personal identifying information, also remain weapons in the hacktivist arsenal.

“It is also likely that nation-state groups will similarly obfuscate their activity by masquerading as hacktivists, either from the outset or by leaving hacktivist-aligned artifacts to throw off defenders’ attempts at attribution,” said ReliaQuest.

The cybersecurity analyst urges all entities at risk of being targeted to adopt key cybersecurity measures, including blocking the IP addresses from which attacks originate and tightening access control lists to keep unauthorized hosts off their networks. Given that these campaigns draw on tens of thousands of volunteer sources, source-IP blocking is a partial measure against a distributed attack rather than a complete one.
