17 July 2022

Russian ‘Hacktivists’ Are Causing Trouble Far Beyond Ukraine

THE ATTACKS AGAINST Lithuania started on June 20. For the next 10 days, websites belonging to the government and businesses were bombarded by DDoS attacks, overloading them with traffic and forcing them offline. “Usually the DDoS attacks are concentrated on one or two targets and generate huge traffic,” says Jonas Skardinskas, acting director of Lithuania’s national cybersecurity center. But this was different.

Days before the attacks started, Lithuania blocked coal and metal from being moved through its country to the Russian territory of Kaliningrad, further bolstering its support for Ukraine in its conflict with Russia. Pro-Russian hacker group Killnet posted “Lithuania are you crazy? 🤔” on its Telegram channel to 88,000 followers. The group then called on hacktivists—naming a number of other pro-Russian hacking groups—to attack Lithuanian websites. A list of targets was shared.

The attacks, Skardinskas explains, were continuous and spread across all areas of daily life in Lithuania. In total more than 130 websites in both the public and private sectors were “hindered” or made inaccessible, according to Lithuania’s government. Skardinskas says the attacks, which were linked to Killnet, have mostly dropped off since the start of July, and the government has opened a criminal investigation.

The attacks are just the latest wave of pro-Russian “hacktivist” activity since the start of Vladimir Putin’s war in February. In recent months Killnet has targeted a growing list of countries that have supported Ukraine but are not directly involved in the war. Attacks against websites in Germany, Italy, Romania, Norway, Lithuania, and the United States have all been linked to Killnet. The group has declared “war” on 10 nations. The targeting often happens after a country offers support for Ukraine. Meanwhile XakNet, another pro-Russian hacktivist group, has claimed to have targeted Ukraine’s biggest private energy company and the Ukrainian government.

While security experts have frequently warned that attacks from Russia could target Western countries, the efforts of volunteer hacktivist groups can have an impact without being officially backed or conducted by the state. “They definitely have malicious intent when they conduct these attacks,” says Ivan Righi, a senior cyberthreat intelligence analyst at security firm Digital Shadows who has studied Killnet. “They're not working together with Russia but in support of Russia.”

Killnet started as a DDoS tool and was first spotted in January this year, Righi says. “They were advertising this app or this website, where you could hire a botnet and then use it to launch DDoS attacks.” But when Russia invaded Ukraine at the end of February, the group pivoted. The vast majority of Killnet’s efforts and those of its “legion” group—members of the public who are asked to join and launch attacks—have been DDoS attacks, Righi says, but he has also seen the group linked to some website defacements, and the group itself has made unverified claims that it has stolen data.

Its Telegram channel, where it makes political statements and talks about targets, was created at the end of February and has grown in popularity, with the number of members doubling since May. “They began to gain a lot of popularity from the public in Russia,” Righi says. He adds that the group produces slick promotional videos and sells its own merchandise.

While DDoS attacks aren’t sophisticated, they “will still be able to create uncertainty in the population and give the impression that we are a piece in the current political situation in Europe,” said Sofie Nystrøm, the head of Norway’s NSM cybersecurity agency, in a statement after businesses in the country were targeted by DDoS attacks at the end of June.

Russia has long been home to cybercriminals such as ransomware groups, which the country has largely ignored as long as they don’t target companies in Russia. Simultaneously, Russian military hackers have stirred global chaos for years—causing electricity blackouts in Ukraine, hacking the Olympics, and conducting the worst cyberattack in history. Evidence against state-backed Russian hackers has been piling up since the start of the war, though Russia has consistently denied launching cyberattacks around the world. The Russian embassy in the United States did not immediately respond to a request for comment.

In April, cybersecurity officials in the US, Australia, Canada, New Zealand, and the UK warned against the potential damage that pro-Russian groups, including XakNet and Killnet, could cause. While it is not clear who is behind Killnet or whether the group is backed by the Russian state, one other notorious Russian hacktivist group has been linked to the Kremlin. At the end of June, US cybersecurity company Mandiant, as first reported by Bloomberg, said Russian intelligence operatives had passed stolen information to XakNet. Ukrainian officials have also pinned attacks on DTEK, the country’s largest private energy firm, on XakNet. (The group has posted about DTEK multiple times in its 36,000-subscriber Telegram channel.)

“We've seen a number of groups emerge in the context of the Russian invasion of Ukraine,” says Alden Wahlstrom, a senior analyst at Mandiant. “XakNet and Killnet both have questionable provenance.” Wahlstrom says any claims of hacktivism should be approached with “a healthy dose of skepticism” and that Russian intelligence agencies have an “established history of using cutout groups” for cyberactivities. Last week the Trickbot cybercriminal group—which is made up of multiple smaller groups like the Conti ransomware group, and has links to the Russian state—was spotted by IBM targeting Ukraine for the first time. IBM describes the move as a “huge shift” in the group’s behavior.

XakNet has claimed it is not being directed by the Russian government. In one Telegram post responding to Mandiant’s findings, it said it “fully” supports the Kremlin’s position and acknowledges its activities aren’t legal. It said it does not cooperate with Russia’s FSB security service “at the moment” but is “happy to provide data to those who ask.”

It is possible there are some connections among Russian hacker groups themselves. In multiple instances, Wahlstrom says, they have cross-posted about other groups’ work on their Telegram channels. For instance, when Killnet called for Lithuania to be targeted it posted a message asking for help from XakNet, Russian ransomware groups, and other pro-Russian hacking groups.

“XakNet and Killnet have given a decent amount of media interviews in the Russian media space, which is a reason to at least consider that there is a potential dual component to some of this activity,” Wahlstrom says. “They are helping to advance Russian interests abroad, either in Ukraine or further afield, but on the flip side they're being heavily promoted in the Russian media as groups that are displays of these patriotic volunteers that embody support for Russian government decisions.”

Killnet responded to a request for comment by saying it was “no longer friends” with XakNet. “Our enemy is your government bro,” the group says. “But we are not dangerous to ordinary people.”

DDoS attacks have been prominent in Ukraine, too. Officials there created a volunteer IT army, where people from around the world can help launch attacks against Russian targets. The IT army has claimed to take down, at least temporarily, the websites of Russian government departments, food delivery services, and banks—one of Putin’s speeches last month was delayed by an hour after the IT army attacks. Attacks against Russia have also come from hacktivist groups outside of Ukraine, such as Anonymous.

Ultimately, as Russia’s war against Ukraine continues, the activity of pro-Russian cyber groups continues to be in line with Russian aims. “Moscow has kept its relationship with Russia-based hacktivist groups deliberately ambiguous,” says Emily Harding, deputy director of the international security program at the Center for Strategic and International Studies, a US-based think tank. “Moscow’s security services know who these operators are and will use some form of leverage to force them to cooperate when needed.”

Harding says analysts have continuously predicted that Russia would use “deniable tools” and groups to react against countries that support Ukraine. While DDoS attacks may not be sophisticated, they contribute to this effort. And if attacks by so-called hacktivist groups become more advanced, there’s a greater chance they could cause more damage or risk escalation of the conflict. “The risk of miscalculation is real,” Harding says. “No one has yet really tested the limits of cyber operations without causing escalation.”