The war between Russia and Ukraine is still ongoing, and it has had a terrible impact not only on the battlefield but also in cyberspace.
Since the war started, we have seen a significant increase in hacking groups supporting Russia in the past year. We assess that Russian intelligence services are forcibly using cyber threat groups to support Russian interests. However, most groups based in Russia are very patriotic and support the efforts of Russia willingly.
Pro-Russian hacktivists pursue ideological and psychological goals and act in the Kremlin's best interests. All pro-Russian hacktivist groups have the same goals as the state of Russia.
The Russian government and its state-controlled media push anti-Ukrainian and anti-Western propaganda, increasing cyber activities in Ukraine and the West. Pro-Russian hackers are not only targeting government-affiliated organizations, but they also attack any private organization that publicly supports Ukraine.
Moscow Considers Legalizing Hacking
According to the recent news posted by TASS, the Russian government is working on changes to its criminal code that would legalize hacking in the Federation, but only if it’s being done in the service of Russian interests.
The exemption would be granted to hackers located in Russia and abroad. It’s commonly known among malicious actors that they can act with impunity if they don’t attack or disrupt Russian interests. Why could Russia publicly allow threat actors to launch criminal cyberattacks?
Russia, already giving threat actors a pass, could adopt such a law to distract the U.S. government from supporting Ukraine. Additionally, attacks on Western organizations only support Russian economic interests.
The exception would also give pro-Kremlin hacktivists legal freedom to launch cyberattacks. It would likely apply to pro-Russian hacktivist groups, such as KillNet, CyberArmyRussia, XakNet, NoName057(16), Anonymous Russia, etc.
Increase in Cybercriminal Activity
Pro-Russian hacktivists are targeting Ukraine and Western countries as a response to the sanctions imposed on Russia and other support provided by the U.S. and its allies, with most of the activity consisting of Distributed Denial-of-Service (DDoS) attacks.
Since 2022, pro-Russian hacktivists have become a constant threat to government institutions. The government sector was the most frequently targeted among all publicly known attacks. Other frequent victims are healthcare providers, aviation and transportation, media and telecommunications, energy and resources, and the financial sector.
Among the most targeted countries, Ukraine experienced the heaviest cyberattacks. Other countries frequently targeted included the U.S., Poland, Germany, Lithuania, Latvia, Estonia, the Czech Republic, the United Kingdom, Romania, France and Italy.
U.S. Companies Under Cyberattack
Although Ukrainian companies suffer the most from сyberattacks, American entities remain desirable targets for Russian hacktivists.
On March 9, Russian hacktivist groups called UserSec and mistNet claimed to attack the New York Police Department, Blood Center, and the official website of the City of New York.
In August 2022, pro-Russian hacktivist KillMilk claimed responsibility for a cyberattack launched on Lockheed Martin as a retaliation for the HIMARS, a light multiple rocket launcher provided to Ukraine.
In October 2022, KillNet announced coordinated DDoS attacks targeting U.S.-based companies, including civilian infrastructure. The group claimed large-scale DDoS attacks against the websites of major airports in the U.S. A month later, KillNet claimed to have targeted several FBI websites.
At the end of January and in February this year, KillNet claimed to take down multiple hospital and health system websites across the U.S. On February 12, 2023, KillNet, with the cooperation of Anonymous Russia, declared to launch attacks on NATO units.
KillNet has a structured organizational hierarchy and is believed to cooperate with other pro-Russian hacktivist groups, such as Anonymous Russia, XakNet Team, Zarya and possibly others.
What Does the Future Hold?
Pro-Russian hacktivists are very sensitive to current events on the frontline and the geopolitical climate and respond to them in real time. During the last year, we observed multiple attacks occurring as soon as the U.S. imposed sanctions on Russia or announced military support to Ukraine.
As the war is still ongoing, this escalation will likely continue. Pro-Russian hacktivists will likely continue to expand their attack methods. The impact of attacks can be high and can result in the loss of finances, time, and the reputation of a victimized company.
While DDoS has been the most common method used by these groups, U.S. and Western organizations should also prepare themselves for the possibility of new tactics, including more sophisticated and destructive attacks in the future.
A great example is the pro-Russian hacktivist group Zarya. According to Radware, Zarya is creating Mirai variants to expand its DDoS botnet for launching more sophisticated attacks.
The Mirai malware was first discovered in 2016. It was spread by compromised Linux-powered operating systems and self-propagating via open Telnet ports to compromise other computers. Since then, malicious actors have been using Mirai variations to expand their capabilities.
It appears that Zarya is cooperating with threat actors from the Akur Group, which hosts pro-Russian hacktivist gangs. Meanwhile, the most active hacktivist group KillNet, created an underground forum called INFINITY to discuss hacking techniques and different financial fraud topics.
The group also promotes its Telegram channel, which includes over 90,000 followers. Russian news outlets cover hacktivists’ activity and record interviews with the most active participants. It encourages more hackers driven by the same ideology to join hacktivist groups.
As the war drags on, we are likely to see many changes in the way these groups operate. Better organization and cooperation between the various hacktivist groups could lead to more powerful attacks. Technically proficient actors who join the ranks of these groups could significantly expand their capabilities.
Similarly, more involvement by Russian cybercriminal groups in hacktivist causes could substantially improve the caliber of these attacks and the organizations they are able to impact.
How Organizations Can Manage This Risk
It is important for organizations to take this threat seriously and have measures in place to deal with the full range of potential attacks.
Fortunately, many commercial solutions in the cybersecurity market deliver services for detecting and mitigating DDoS attacks. The service providers have the necessary resources and engineering expertise to protect companies against heavy DDoS attacks.
Businesses can address this problem by instituting an all-encompassing incident response plan to protect their critical public-facing infrastructure.
To reduce other security risks, we recommend following the best security practices provided by the Cybersecurity and Infrastructure Security Agency (CISA).
As the threat posed by pro-Russian hacktivism grows, organizations should act proactively to protect their networks, maintain their awareness of cyber threats, and invest in their cybersecurity.
