11 July 2022

Weaponizing Hacktivists Seems a Logical Progression for Russia

Emilio Iasiello

The Ukraine conflict has garnered substantial cyber activity drawing in not only the state cyber assets of both Russia and Ukraine, but sympathizers, volunteers, and non-state hacktivist actors supporting both sides. While much focus has scrutinized what Moscow could and could not do with respect to conducting brutal cyber offensives during the conflict, Russian hacktivists have coalesced and been launching campaigns that have caused temporary impacts against their targets. Admittedly, most of these attacks have had limited value; whether via web page defacement or DDoS, victims have been able to quickly recover without suffering longstanding damage. Still, a hacktivist force potentially poses a viable threat depending on the skills and capabilities of the actors involved and is one that can be utilized as another tool in a state’s arsenal if organized and deployed effectively. Moscow has two such groups at its disposal that if harnessed correctly, could be a thorn in the side of pro-Ukraine defenders, causing them to direct resources to mitigate their threat.

In late June 2022, the large pro-Russian hacktivist collective “Killnet” targeted several Lithuanian public and private entities, as well as targets in Norway, via distributed denial-of-service (DDoS) attacks. The former was in direct response to Lithuania’s decision to block the transit of goods sanctioned by the European Union to the Russian exclave of Kaliningrad, a move Moscow deemed aggressive. Killnet is a fairly recent incarnation, formed in January 2022 and consisting primarily of pro-Russian hackers. The group has since gained notoriety for its support of Moscow since the onset of the Ukrainian conflict. Per a Killnet spokesperson, the group had “demolished” 1,652 adversarial Web resources, and with respect to Lithuania, pledged to continue until Lithuania lifted the blockade. The DDoS attacks temporarily impacted transportation agencies and financial institutions, and notably disrupted access to servers for users of the secure data network, according to Lithuania’s National Cyber Security Center (NKSC).

The DDoS attack came quickly after another pro-Russian hacktivist collective known as “Cyber Spetsnaz” posted a message on Telegram declaring cyberwar against Lithuanian organizations and providing a list of possible targets, many of them critical infrastructure. The purpose of such a target list is to develop a coordinated plan of attack that maximizes the impact of a DDoS campaign, by distributing the targets among the various sub-operational units within the larger group. These units consist of an array of individuals with various capabilities and specialties. In April 2022, Cyber Spetsnaz created its first division, called “Zarya,” whose ranks included an array of penetration testers, OSINT specialists, and hackers. Cyber Spetsnaz has since created more divisions under its umbrella. Then in May, the group announced a new campaign called “Panopticon,” an effort to recruit an additional 3,000 volunteer hackers willing to engage in disruptive cyber attacks against European Union and Ukrainian public and private sector targets.

No longer content just to launch disruptive attacks against mostly government targets to register their political discontent, Killnet and Cyber Spetsnaz are becoming more organized in how they are structured and operate. Recently, Killnet and Cyber Spetsnaz announced a more formal affiliation, which suggests that sub-groups and members may collaborate, coordinate, or even conduct joint operations in order to be a force multiplier against targeted organizations. Indeed, one cybersecurity company that has been tracking these hacktivist events observed online discussions between members of both Killnet and Cyber Spetsnaz trying to make plans for a coordinated attack, an acknowledgement that these large groups may be stronger working together than apart.

Also notable is how these groups are looking to diversify their activities, incorporating other tactics in addition to standard web page defacement and DDoS. A new division of Cyber Spetsnaz dubbed “Sparta” has been formed to conduct cyber espionage attacks to steal Internet resources, financial intelligence, and other sensitive data from NATO, its members, and its allies. The theft of sensitive information can be weaponized depending on the type of data and the attackers’ intent in stealing it. Historically, such information has been used to support influence and disinformation campaigns, expose weaknesses in a high-profile target, enable follow-on targeting or other types of offensive activity, or, where a network has been mapped out, identify vulnerabilities to be exploited for more disruptive or destructive attacks. It is too early to ascertain the reasoning behind this particular cyber espionage, but the fact that such activity supports a wide range of attacks will undoubtedly encourage additional espionage, increasing the Russian hacktivist threat. Notably, diversifying operations is not just the goal of Cyber Spetsnaz. In an interview, Killnet’s leader said the group is in the process of “expanding its arsenal” beyond DDoS.

By pushing the boundaries of their operations, these two groups are improving their knowledge of, and capabilities for, conducting an array of offensive operations. A June 26 posting from Killnet viewed its attacks against Lithuania as “a testing ground for our new skills.” Traditionally, most hacktivist attacks have been nuisance activities executed to garner attention for the social or political causes behind their campaigns. They have rarely caused any lasting effects, and generally fade out as the actors move on to other, more current causes and targets. But the longer the conflict goes on, the more opportunities Killnet and Cyber Spetsnaz will have to refine what they’re doing, to better effect. What’s more, there is preliminary information that suggests (but is not conclusive) that at least some Russian hacktivist groups may be working with, on behalf of, or even under the tutelage of Russian intelligence. Recently, one cybersecurity company’s research intimated that Russian intelligence operatives were involved in a breach where the stolen information ended up in the hands of another pro-Russian hacktivist group dubbed “XakNet.” The extent of this relationship remains unknown, but it certainly demonstrates how intelligence services can collaborate with non-state nationalist groups to achieve certain objectives.

Strong ties between Russia’s cyber criminals and its government have long been suspected, even if they have more to do with financial interests than larger strategic ones. Still, it is difficult not to recognize how advantageous it would be for Moscow to leverage this hacktivist asset, especially the longer this or any other geopolitical crisis in which it is involved endures. An organized, capable hacktivist force instantly provides Moscow a semi-non-state actor that can be readily deployed to conduct offensive attacks under the auspices of patriotic nationalism. It also provides the Kremlin with another organized, albeit “unofficial,” tool that can be used in future hybrid attacks against its adversaries. A more mature and capable hacktivist “cyber irregular” force would require defenders to take the threat seriously, and therefore dedicate resources to account for it in addition to defending against Russia’s more robust and sophisticated state cyber actors.

The current capabilities of Killnet, Cyber Spetsnaz, and XakNet, for that matter, might not be of that caliber, but that can quickly change. Their activity during this period has given them invaluable experience in organizing attacks, executing them, and studying how entities defend against and respond to them. Even if they are not yet capable of delivering substantial attacks, the more they operate in these climates, the more knowledgeable they become about doing so in the future. When the Ukraine conflict concludes, there will be ample time for Russia to identify where it went wrong with respect to its cyber operations. No doubt, having seen how the global community came to help Ukraine with its cyber defense, Moscow may seek to identify those capable hacktivist and criminal groups that it can resource and train for the next geopolitical flashpoint that surfaces. As Russia has demonstrated an ability to apply lessons learned from its previous forays in conducting cyber attacks during periods of geopolitical conflict, Moscow will likely do the same here, and look to bolster these groups into a more formidable presence in service of the state.