How do ‘smash and grab’ cyberattacks help Ukraine in waging war?


Many of the leaks that hacktivists publish to deter the Kremlin from further aggression in Ukraine may be useless. Yet Russia has promised to hold the hackers attacking the country's infrastructure accountable, a hint that the borderless Ukrainian IT army is hurting the Kremlin.

Anonymous, Ukraine's IT Army, Hacker Forces, and many other hacktivist groups have been grabbing headlines since the very beginning of the Russian invasion. Cyber retaliation has become a headache for many Russian organizations, as well as for foreign companies slow to leave the country.

Patriotic hackers have also been rehashing earlier data leaks and taking credit for breaching Russian entities. For example, a recent Yandex "leak" looks more like a collection of Yandex emails and passwords pulled from previous compilations such as COMB or RockYou2021. Likewise, of the alleged 10 GB Nestle leak, we saw only 5.7 MB.
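A practical way to test whether a claimed dump is fresh or recycled, as an added example that is not code from the original article: normalize each email:password line, fingerprint it, and count how many pairs already appear in earlier compilations. The corpus labels and every credential line below are constructed placeholders for illustration, not the real COMB or RockYou2021 data, and the function names are this example's own.

```python
"""Estimate how much of a claimed credential dump is recycled from earlier leaks."""
import hashlib
from typing import Dict, Iterable, Optional


def normalize_pair(line: str) -> Optional[str]:
    """Turn one 'email:password' line into a canonical string, or None if it is not a pair.

    Emails are case-insensitive, so the address is lowercased; the password is kept
    byte-for-byte. Comments, blank lines and lines without an address are skipped.
    """
    line = line.strip()
    if not line or line.startswith("#") or ":" not in line:
        return None
    email, password = line.split(":", 1)  # passwords may themselves contain ':'
    email = email.strip().lower()
    if "@" not in email or not password:
        return None
    return f"{email}:{password}"


def fingerprint(pair: str) -> str:
    """SHA-256 of the canonical pair, so prior-leak sets can be held as hashes, not plaintext."""
    return hashlib.sha256(pair.encode("utf-8")).hexdigest()


def build_known_set(corpora: Dict[str, Iterable[str]]) -> Dict[str, str]:
    """Map fingerprint -> name of the first prior corpus the pair was seen in."""
    known: Dict[str, str] = {}
    for name, lines in corpora.items():
        for line in lines:
            pair = normalize_pair(line)
            if pair is not None:
                known.setdefault(fingerprint(pair), name)
    return known


def overlap_report(claimed: Iterable[str], known: Dict[str, str]) -> Dict[str, object]:
    """Count unique valid pairs in the claimed dump and how many are already known."""
    seen = set()
    unique = novel = 0
    recycled_by_source: Dict[str, int] = {}
    for line in claimed:
        pair = normalize_pair(line)
        if pair is None:
            continue
        fp = fingerprint(pair)
        if fp in seen:
            continue  # duplicate inside the dump itself; count it once
        seen.add(fp)
        unique += 1
        source = known.get(fp)
        if source is None:
            novel += 1
        else:
            recycled_by_source[source] = recycled_by_source.get(source, 0) + 1
    recycled = unique - novel
    return {
        "unique_pairs": unique,
        "recycled": recycled,
        "novel": novel,
        "recycled_fraction": recycled / unique if unique else 0.0,
        "recycled_by_source": recycled_by_source,
    }


# Constructed sample data (labels and credentials are made up for this example).
PRIOR_CORPORA = {
    "COMB": ["alice@example.com:hunter2", "bob@example.org:Passw0rd!", "carol@example.net:letmein"],
    "RockYou2021": ["dave@example.com:qwerty123", "Alice@Example.com:hunter2"],
}
CLAIMED_DUMP = [
    "# alleged fresh dump",
    "ALICE@example.com:hunter2",        # recycled (case differs, same credential)
    "bob@example.org:Passw0rd!",        # recycled
    "dave@example.com:qwerty123",       # recycled
    "eve@example.com:correct horse",    # novel
    "eve@example.com:correct horse",    # duplicate within the dump
    "not a credential line",            # skipped
    "frank@example.com:Tr0ub4dor&3",    # novel
]

if __name__ == "__main__":
    print(overlap_report(CLAIMED_DUMP, build_known_set(PRIOR_CORPORA)))
```

On the constructed data, three of five unique pairs are already present in the prior corpora (a 60% recycle rate), which is the kind of figure that separates a genuine breach from a repackaged compilation. Hashing the pairs also means the reference set of old leaks never has to be kept in plaintext.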


However, a couple of recent leaks, including more than 57,000 emails from the Russian Orthodox Church's charity that are being shared only with selected journalists and researchers, seem to carry more weight.

A closer look at the VGTRK leak

Recently, I looked into the leaks of the All-Russia State Television and Radio Broadcasting Company (VGTRK), the Kremlin's propaganda arm, shared by the hacker group NB65, which is associated with the Anonymous collective. The leak now contains close to 800 GB, roughly 20 years' worth of data.

The first batch of emails (approximately 12 GB), shared over a week ago, wasn't too promising. The leaked inboxes were not personal ones but shared addresses such as [email protected] and [email protected], and they hardly contained any sensitive information that could be used to harm their owners.

At first, it looked as though VGTRK had been spammed either by bots designed to fight Russian propaganda or by local and foreign citizens opposing the war. Some emails, however, show clear support for the Russian government and its war in Ukraine, even offering advice on how to take Kyiv and Lviv.

On Monday, Distributed Denial of Secrets (DDoSecrets) shared the rest of the data, bringing the leak to close to 800 GB. The bulk of the leaked inboxes still appear to be shared rather than personal, such as [email protected] and [email protected], which suggests they probably do not carry sensitive information. The leak does contain personal inboxes, but even a quick glimpse into them hints that they hold mostly unimportant material and spam. Anyone looking to use this as a cyber weapon against Russia will therefore either have to know exactly what they are looking for or be prepared to spend a lot of time with this massive leak.

Pulp and paper industry secrets


Another recent leak, published by DDoSecrets, contains 5,500 emails from Thozis Corp., a Russian investment firm owned by the businessman Zakhar Smushkin, who is involved in a project to build a satellite city near Saint Petersburg.

Many of the emails are correspondence between Thozis Corp. management and Illim, a Russian pulp and paper firm also owned by Smushkin.

According to the Panama Papers, Thozis Corp. is registered in the Virgin Islands, while Illim is headquartered in Saint Petersburg. Incoming and outgoing messages contain interesting business information, board decisions, and financial and loan agreements. The leak also contains correspondence between Thozis management and other offshore companies registered in Cyprus and the Virgin Islands.

‘Smash and grab’ cyberattacks

While some leaks might be sensitive, many can be seen simply as white noise. But even if they are mostly insignificant, these leaks, much like DDoS attacks and other cyber tools aimed at propaganda, still prove useful.

Jeff Carr, an internationally known cybersecurity advisor and author of Inside Cyber Warfare: Mapping the Cyber Underworld, who works closely with the Cyber Operations Unit of Ukraine's Defense Intelligence Service (GURMO), agreed that the bulk of the content is useless information.

"These Anon operations are like smash and grab robberies. Instead of picking the lock, quietly entering, and carefully exploring the department store until you find 'the good stuff' to steal, you smash out the window, grab everything that's within reach, and run away before the cops show up. The latter requires a lot of skill, the former, not so much," Carr said.

However, the attacks do seem to be having an effect. Carr pointed to a recent statement by the Russian Foreign Ministry.

"No one should have any doubts that the cyber aggression unleashed against Russia will lead to grave consequences for its instigators and perpetrators. The sources of the attacks will be detected, the attackers will inevitably bear responsibility for their deeds, in accordance with the requirements of the law," it said.


Carr has spoken to former Anonymous members who, he said, don't have much regard for the skills of today's Anonymous hackers.

"They'd get more respect and have a much greater impact if they took their time, found the material worth leaking that would hurt Russia somehow and then give it to a journalist to publish."

Russia, facing a massive volume of cyberattacks, has to allocate resources to investigating what was taken and how far the hackers got in.

"So these 'smash and grabs' tie up resources at the very least. They may also distract attention from other, more stealthy operations like the ones conducted by GURMO," Carr said.

Any help appreciated

“Russia has strong cyber capabilities, and many experts expected to see more cyberattacks during this conflict. To combat those attacks, Ukraine asked an army of cybersecurity professionals to volunteer to attack targets in Russia. As far as we know, Ukraine does not have a cyber military force, so any efforts by hacktivists that disrupt Russian efforts are likely to be appreciated,” said Ariel Parnes, co-founder and COO of the Israeli cybersecurity startup Mitiga.

US Cyber Command had been assisting Ukraine long before the Russian invasion; the country has also been accepted as a contributing participant in the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE); and, as mentioned above, GURMO conducts its own offensive cyber operations.

As for hacktivists, Parnes believes that unless they are backed by or linked to nation-states, their cyber capabilities are somewhat limited.

“We should see their activities as opportunity-driven and not necessarily goals-driven (other than the generic goal of harming Russian targets). They are attacking where they are able, not where it may make the biggest impact on Russian operations,” Parnes said.

“Since their capabilities are limited, the effect of their attacks is limited. Not necessarily because this is what they WANT to do, but because this is what they CAN do.”


Besides limited skills and tools, hacktivists might also steer clear of sensitive targets out of concern for protecting their anonymity and a lack of confidence that Russian authorities will not identify them.

“That could also have an influence on how aggressive they are as they carry out attacks. Unlike countries with significant cyber power, such as the United States, China, and the United Kingdom, the hacktivists supporting Ukraine probably have fewer skills, greater fears about legal consequences if they are caught, and are just trying to do their part to disrupt Russian operations,” Parnes said.