
In Ukraine, hacktivists retaliate with data leaks

The video opens in typical Anonymous style, with 3D text and grainy Guy Fawkes masks shimmering over footage of street protests.

“Greetings, world! We are anonymous,” a distorted voice said. “We see the clouds of war…and it makes us angry.”

Uploaded to YouTube and shared with @YourAnonNews’ 7.8 million Twitter followers, this video has been cited as the moment Anonymous “declared war on Russia”. That claim is misleading, because Anonymous is less a standing army than a loose hacktivist banner that anyone can pick up, but the moment was still significant. Many people on the internet were preparing to cause trouble for Russia, and they were going to use the mantle of Anonymous to do it.

Many expected a more organized cyber offensive from Russia, but it has not materialized, for reasons that are hard to pin down. The reality has been far more chaotic, with little oversight or coordination. These small incidents are more favorable to Ukraine, but they are also qualitatively different from military operations like Stuxnet or the Sandworm attacks on the Ukrainian grid. And while conventional warfare continues to devastate Ukraine, the Anonymous campaign is playing out more quietly in the background, with consequences that are hard to predict.

On February 26, Ukrainian Deputy Prime Minister Mykhailo Fedorov, who is also Minister of Digital Transformation, announced the creation of a volunteer-led cyber army, calling on everyone with IT skills to take part in a range of digital actions against Russia.

The cyber volunteers were already venturing into uncharted territory. Coordinated through a Telegram channel that currently has over 300,000 users, the membership of the so-called “IT Army” was both globally distributed and centrally directed, drawing a new line between decentralized digital activism and state-sponsored hacking. But as the IT Army embarked on a new kind of cyber warfare, Anonymous’ #OpRussia represented a different, far more chaotic trend.

A message published in the “IT ARMY of Ukraine” Telegram channel identifying DDoS targets

The IT Army has relied heavily on DDoS attacks, carried out with an application called disBalancer against targets such as gas, oil and infrastructure companies, the Moscow Stock Exchange and even the Kremlin website, but the most impactful actions have come from stealing data and releasing it to the public. In one case, groups operating under the names Anonymous Liberland and Pwn-Bär Hack Team obtained more than 200 GB of emails from the Belarusian defense contractor Tetraedr, which were made available via the website Distributed Denial of Secrets.

In another incident, a hacking group broke into a website belonging to the Russian Space Research Institute and leaked files online that appeared to include descriptions of lunar missions. A few days earlier, another group called Against The West (ATW), previously known for leaking data obtained from the Chinese Communist Party, released a trove of files allegedly obtained from the energy company PromEngineering, including plans and diagrams of a power plant.

The latest major leak occurred on March 10, when Distributed Denial of Secrets released over 800 GB of data taken from Roskomnadzor, the Federal Service for Supervision of Communications, Information Technology and Mass Media, which is Russia’s main censorship agency. Although the actor who obtained the data is not yet known, the nature of the leak is at the very least embarrassing for Roskomnadzor, and potentially more damaging depending on exactly what information was released.

In attempting to strike blows against Russia, Ukraine-aligned hacktivist groups have effectively leaked whatever sensitive information they could find on Russian targets. But once this information is released, it is difficult to contain, and there may be unintended consequences. DarkOwl, a dark web intelligence firm, has been tracking data leaks related to the invasion of Ukraine in a blog post. A DarkOwl analyst told The Verge that the information contained in the company leaks could be valuable for spear-phishing or surveillance campaigns, especially for the most sophisticated actors.

“You have sensitive company information here. You know, you have shipping addresses and account numbers and things like that,” the analyst said. “There are also photographs and screenshots that were taken. As we have seen, this can be used in more strategic espionage activity by a nation-state actor in the future.”

But many of the leaks also contain large volumes of information about the companies’ customers, most of whom are ordinary Russians with little connection to the elite interests that started the war. This information could put them at risk at a later date.

“This flurry of actions we’re seeing right now is basically just vandalizing and creating as much chaos as possible,” says Jeremiah Fowler, an American cybersecurity researcher based in Ukraine. “But having names, user details, credit information, all of that long term, you know we have no idea what they’re going to do with that. Unfortunately, there is so much anger about all of this that many innocent Russians could be targeted by default.”

The loosely coordinated, sometimes amateurish nature of hacktivist support for Ukraine also means that it is harder to ascertain exactly what is going on at any given time. Some high-profile claims of Anonymous actions have been plainly false: in one example, an Anonymous news channel claimed that an affiliated group had shut down the main control system of Russia’s satellites; in another, debunked by the cybersecurity firm Check Point, a group that claimed to have hacked into CCTV cameras inside a nuclear power plant turned out to be reusing years-old footage from YouTube.

Other plausible hacks have been difficult to confirm. On February 26, some social media users shared footage that allegedly showed Russian TV channels hacked to broadcast pro-Ukrainian messages and tell viewers the truth about the invasion of Ukraine. (News media in Russia are heavily censored, even more so after Putin signed a “fake news” law that threatens up to 15 years in prison for people who spread unapproved information about Russian war casualties.)

Fowler says his research partner directly observed a hijacked Russian TV broadcast, and that it is possible it happened multiple times. Fowler said he encountered insecure file systems while researching Russian media outlets, and that someone with the technical skills to find them could easily alter the footage:

“Let’s say you had administrative access,” Fowler said. “You take a video of some of these horrible [war] images that we see, and you name that the same as the source material. So the next time the software pulls from that source, instead of getting the information it provides, the audience will see something else. And the system doesn’t know anything different because the file has the same name.”
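The swap Fowler describes works because the playout software identifies a clip by its file name alone, so the obvious defense is to pin each approved file to a content hash and re-verify before the file is used. The script below is an added example, not code from the article or from Fowler’s research: it builds a manifest of SHA-256 digests for a media directory, then reports files whose name is unchanged but whose bytes differ, along with files that were added or removed. The directory layout, file names and contents in the demo are constructed for this illustration, and the manifest format is an assumption.

```python
"""Detect same-name media replacement with a content-hash manifest.

Added example (not from the article). Assumes a playout system that
fetches clips from a directory by file name only; the sample files in
demo() and the manifest layout are constructed for this demonstration.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash file contents in 1 MiB chunks so large media files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, dict]:
    """Record size and SHA-256 of every regular file under root, keyed by relative POSIX path."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = {
                "sha256": sha256_of(path),
                "size": path.stat().st_size,
            }
    return manifest


def verify_manifest(root: Path, manifest: dict[str, dict]) -> dict[str, list[str]]:
    """Compare the directory against a manifest; the file name is not trusted, the hash is."""
    current = build_manifest(root)
    report: dict[str, list[str]] = {"replaced": [], "missing": [], "added": []}
    for name, expected in manifest.items():
        if name not in current:
            report["missing"].append(name)
        elif current[name]["sha256"] != expected["sha256"]:
            # Same name, different bytes: exactly the swap described in the article.
            report["replaced"].append(name)
    report["added"] = sorted(set(current) - set(manifest))
    return report


def demo() -> dict[str, list[str]]:
    """Constructed scenario: approve two clips, snapshot a manifest, then tamper with the directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "news").mkdir()
        (root / "news" / "segment1.mp4").write_bytes(b"APPROVED SEGMENT ONE")
        (root / "news" / "segment2.mp4").write_bytes(b"APPROVED SEGMENT TWO")
        manifest = build_manifest(root)  # taken at approval time, stored off-box

        # An intruder with write access overwrites a clip but keeps its name...
        (root / "news" / "segment2.mp4").write_bytes(b"SOMETHING ELSE ENTIRELY")
        # ...and drops a file the manifest never approved.
        (root / "news" / "extra.mp4").write_bytes(b"UNAPPROVED")
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category}: {names}")
```

The check is only as strong as the manifest’s storage: if the manifest sits on the same writable share as the media, whoever can swap a clip can also update its recorded hash, so keep it on a host the playout system can read but the media share cannot write to, or sign it. Running the verification immediately before each clip is loaded, rather than on a schedule, closes the window between a swap and the next broadcast.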

Fowler said he has also seen evidence of numerous Russian corporate databases being accessed by outsiders, with data deleted or files mass-rewritten to say “Putin stop this war”: in a sample of 100 publicly exposed databases, 92 appeared to have been tampered with. Many of these databases contained names, account details and other personally identifying information, Fowler said, and there is no way of knowing exactly who might have had access to them.

Some of the people now acting as “cyber patriots” in support of Ukraine may also be involved in criminal activity, said Jon Clay, vice president of threat intelligence at Trend Micro, and the computer systems being compromised now as a form of protest could later be exploited for financial gain.

“A lot of these cyber patriots can be part of a cybercriminal group,” Clay said. “So they’re covered by the nation state to target these other groups or agencies in a different country. And that’s where it’s going to be hard to draw the line because, you know, very quickly they can switch to simply activating the cybercrime component of their business.”

Groups involved in pro-Ukrainian hacks could implant backdoors in computer systems and reactivate them for future operations, Clay said, with stealthier actors able to go undetected for months or even years. Later, these groups could sell user data for profit or deploy ransomware, he said.

As long as the battlefield is still shrouded in what has been called “the fog of cyber warfare”, it is also possible that some of the more sophisticated cyber threat actors are operating under the guise of hacktivism.

During a webinar on Thursday, Kaspersky’s director of global research and analysis, Costin Raiu, said some cyber activity in Ukraine bore the hallmarks of Advanced Persistent Threat (APT) groups, the most capable tier of cyber threat actor and usually one run by a military agency or backed by a nation-state, and might have been concealed behind cybercrime or “false flag” hacktivism operations.

Yet the haphazard nature of hacktivist actions can cause real damage, often to people or infrastructure unrelated to the invading forces. “It’s very dangerous for people not to see three steps ahead to conduct offensive activities,” said Sophos principal researcher Chester Wisniewski. “A feature of what we would consider acceptable offensive hacking by the British, Israelis, Americans, even Russians and Chinese, is understanding what the possible impacts of your actions will be and minimizing collateral damage by being very precise and targeted in these actions.”

“Civilians are not prepared to do this effectively,” adds Wisniewski. “And I’m very worried about that.”