How the war in Ukraine has strengthened the Kremlin's ties with cybercriminals
Before Russia invaded Ukraine in February 2022, its law enforcement agencies carried out a series of arrests targeting prominent hacking groups and darknet forums including REvil, SkyFraud, Ferum Shop and Trump’s Dumps.
The crackdowns were touted as a demonstration of Russia’s willingness to fight cybercrime and cooperate with foreign states in their investigations against Russia-linked hackers. But according to new research, Russian intelligence, military, and law enforcement services have tapped into “established and systematic relationships” with hacking groups since its full-scale invasion of Ukraine, using them to coordinate and amplify their cyber and information operations.
Pro-Kremlin hackers have changed their tactics and techniques since the invasion began, and have become more polarized, researchers at Recorded Future said in a report published Tuesday. Even financially-motivated hackers are aiding the interests of the Russian state — both intentionally and coincidentally.
For example, hackers who leak Ukrainians’ data on darknet forums can sell the databases to Russian state-sponsored threat actors. These groups use the compromised information to conduct long-term information operations or espionage campaigns targeting Ukrainian citizens and government officials, the researchers said. The Record is an editorially independent unit of Recorded Future.
The vast majority of leaked content consists of misinformation, trolling, and benign political chatter, according to the report, but some of the compromised data could affect the administration and operations of the Ukrainian government and its allies.
The anonymity granted by darknet forums also allows Russian state-affiliated hackers to operate in disguise, as in the case of a user called FreeCivilian, who sold the data of millions of Ukrainians on the now-defunct RaidForums and who may be part of the Russian nation-state hacker group Ember Bear, researchers said. Additionally, many of these hackers are using commodity malware available on Russian-language forums instead of custom malware used in previous operations, which makes it harder for investigators to attribute the attacks.
One of the most noticeable shifts that the war has brought out in cyberspace is the emergence of hacktivist groups that have pledged allegiance to one side or the other.
According to the research, many of these groups — which are ostensibly independent — have ties to the Russian government and serve its interests.
Since the start of the war, at least two pro-Russian hacktivist groups, Killnet and Xaknet, have dedicated themselves to cyberattacks against perceived enemies of Russia. Both groups began to actively attack Ukraine and its allies at the beginning of 2022, but not all of their declared attacks were actually confirmed.
Based on the timing of some of the cyberattacks and the release of specific data, researchers identified links between Xaknet and several other pro-Russian hacktivists groups with Russia’s Main Intelligence Directorate, or GRU.
The use of fake hacktivist fronts and proxies is not a new strategy for the GRU, and they are expected to continue to play a role in cyber operations against NATO and the West, according to the report.
“This provides a veneer of plausible deniability for Russia in these operations, enabling the Russian government to subvert claims of state-sponsored attacks against Western entities,” the researchers said.
Daryna Antoniuk is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.