Source: https://cobaltstrike.net/2022/03/06/chronicles-of-cyberwar/
On February 24, hackers broke into the website of the Space Research Institute of the Russian Academy of Sciences and released files that they claim were stolen from Roscosmos. The next day, the “top-level domain” .ru was subjected to a DDoS attack. In effect, the attackers tried to block access to all URLs ending in .ru. And these are just the latest hacktivist actions aimed at supporting Ukraine.
The beginning of the military conflict was marked by massive DDoS attacks on state institutions of Ukraine, and a wiper was launched on hundreds of computers. In response, Ukraine called on civilian hackers from all over the world to join the voluntary “IT army” to help the country in the fight against Russia alongside the traditional military. As hostility in the region escalated into violence, and NATO countries imposed devastating economic sanctions against Russia, hacktivist data leaks, website defacements and cyberattacks have become some of the most visible (if not the most influential) digital battlefields.
According to experts, the combination of hacktivism and active hostilities creates a very unpleasant picture. On the one hand, hacktivism can lead to an unintended escalation of the conflict or endanger intelligence operations. On the other hand, during periods of active hostilities, even more so than in peacetime, hacktivism becomes ineffective and distracts from real events.
“There has been an armed conflict between the two states, accompanied by the use of powerful weapons, civilian casualties and physical destruction,” said Lukasz Olejnik, an independent cybersecurity researcher and former adviser to the International Committee of the Red Cross on cyber warfare. “Let’s be honest, what can hacktivism change in this picture? After all, most reports of hacktivism are at best unverifiable. Of course, reports of hacktivist actions are widely covered in social networks and traditional electronic media. But what is the real effect?”
Nevertheless, the actions of hacktivists have been very noticeable. At the start of the military operation, the hacker group Anonymous announced that it was “officially waging a cyber war against the Russian government.” The group claimed responsibility for attacks that briefly disabled access to a number of Russian government websites. The websites of the RT news agency, the Gazprom oil giant, the Kremlin and other Russian government agencies were blocked. Hacktivists also changed data in a ship-tracking system. As a result, a yacht presumably owned by Putin was renamed “FCKPTN”, and “HELL” was listed as its destination. Soon after, two groups, “Anonymous Liberland” and “Pwn-Bär Hack”, posted online about 200 gigabytes of emails from the Belarusian arms manufacturer Tetraedr.
On Monday, February 28, Anonymous carried out a mass hack of news websites and posted anti-war slogans on them. The attack also affected the websites of the largest Russian media: the newspaper Kommersant, TASS and RIA Novosti.
Hacktivist activity in cyberspace preceded the real sabotage war. The hacker group “Belarusian Cyber Partisans” staged a cyberattack on the railway system of Belarus at the end of January. After the start of the military conflict, the hacktivists struck the Belarusian Railways again. The purpose of the initial action was to slow down the build-up of troops along the border of Ukraine. This week, the hacktivists said they want to prevent the movement of the Russian military.
“We continue to help Ukrainians in their fight against Russian troops,” the group wrote on Twitter on Sunday. “BELZHD is under attack. … The manual control mode is enabled, which will slow down the movement of trains, but will NOT create emergency situations. Our actions do not threaten ordinary citizens!”
Juliana Shemetovets, a representative of the “Cyber Partisans”, reported that the group has grown in recent weeks. “Since the beginning of the war, five people have appeared in the group, all of them Belarusians,” she said. “Even more are on the list of candidates.”
Meanwhile, the ransomware groups Conti and CoomingProject last week announced their desire to support Russia’s positions. Soon after, Conti’s internal correspondence appeared online. The information, allegedly received from Conti partners, reveals details of the group’s organization and work. As a result, on March 2, the Conti ransomware group had to shut down its infrastructure. As we can see, the actions of hacktivists sometimes have clear consequences, regardless of whether such protests directly affect the course of the war.
The next day, security researchers from Trustwave SpiderLabs said that the pro-Russian organization JokerDNR was publishing blog posts aimed at discrediting Ukrainian officials. JokerDNR claims that some Ukrainian civil servants and military are under occupation, and publishes alleged names, addresses and other contact information.
Pro-Russian hackers have not stood aside either. On March 3, the Russian hacker group RaHDit conducted a large-scale cyberattack, as a result of which 755 websites of Ukrainian authorities, mainly local authorities, were allegedly hacked.
A number of information security companies and other organizations have released free versions of digital security tools or expanded their free offers to help Ukrainians protect their networks. For example, Google reports that the DDoS protection service Project Shield, focused on the protection of human rights, is currently used on more than 150 Ukrainian websites.
It is worth noting that not only hacktivists publish “leaked” data. On March 1, the Ukrainian newspaper Pravda published a compilation of personal data allegedly identifying approximately 120,000 Russian soldiers stationed in Ukraine. The IT army of Ukraine has also adopted some hacktivist methods, trying to use them in a more organized and strategic way.
“DDoS is good, but it’s a blunt tool,” says a member of the IT army working under the pseudonym “November”. “Our main task is to counteract disinformation about the conflict by any possible means and provide high-quality intelligence from open sources in order to save the lives of Ukrainians.”
In a situation like the military conflict in Ukraine, hacktivism can do more harm than good. Some researchers note that the worst-case scenario of hacktivism may be an incident or a series of attacks that inadvertently lead to an escalation of the conflict or are used as a pretext for escalation by one side or another.
In addition, by talking about vulnerabilities in highly sensitive networks and digital platforms, hacktivists can inadvertently expose friendly intelligence forces already hiding there.
“Hacktivism by its nature is always loud, while intelligence is usually quiet,” said incident response officer and former NSA hacker Jake Williams. “Hacktivists with the most noble motives, loudly declaring their actions, can unwittingly reveal an intelligence operation that could continue on a vulnerable network and remain unnoticed for a long time. Spies will be inadvertently exposed due to a high-profile hacktivist attack.”
Williams added that if access to important information needed during a combat situation is lost, spies are forced to try to restore this access by any means. In order to get the job done quickly, intelligence officers can take a big risk, expose themselves, or use hacking tools that can later be disclosed.
“In a situation where military boots are trampling the ground and bullets are whistling, it is impossible to consider hacktivism a positive phenomenon,” Williams said.