Russia and Belarus targeted by at least 14 nation-state hacker groups, researchers say

Researchers say that over the past year, at least 14 state-sponsored hacker groups from around the world have targeted Russia and some former Soviet Union members — Azerbaijan, Belarus, Kyrgyzstan, and Kazakhstan — with destructive or espionage campaigns.

Some of these groups were likely linked to Ukraine, which is in an ongoing war with Russia; others acted in the interests of their own countries, including North Korea and China, according to the report by the Russian company F.A.C.C.T., a spinoff of the cybersecurity firm Group-IB, which exited the Russian market last year.

F.A.C.C.T. referred to its report as "the most comprehensive source of strategic and tactical data on cyber threats" in Russia and certain former USSR states. Western security companies often have limited visibility in these regions due to their exit from the market when Russia invaded Ukraine.

In its espionage findings, the research illustrates how nations seen as partners or allies use cyberspace to spy on one another.

The company’s report was written in Russian and is only available for download in a predefined list of countries, which also includes Armenia, Georgia, and Ukraine.

Nation-state threats

According to the report, politically motivated attacks in Russia increased by 116% last year compared to the previous year. The researchers detected at least 28 major campaigns against Russian institutions carried out by hacker groups controlled by foreign states.

The most lucrative targets for those hackers were the Russian government and military agencies, industrial enterprises, energy companies and telecommunication providers. The goal of these attacks typically was espionage, F.A.C.C.T. said.

Some of the state-backed hacker groups, including those tracked as XDSpy and Cloud Atlas, regularly attacked Russia in the past, while others, such as the Russian-speaking group labeled Tomiris, only began to expand their capabilities in the region.

Major cyber campaigns against Russia over the past year include Operation Triangulation, which Russia attributes to U.S. intelligence; the attack by the North Korea-linked APT37 on a Russian defense enterprise, resulting in a data leak; and the espionage campaign by a new group labeled Hellhounds that targeted Russian space, logistics, energy and state enterprises.

Other Russian-speaking countries in the region also fell victim to nation-state hackers. The China-linked SugarGh0st Team, for example, targeted the Ministry of Foreign Affairs in Uzbekistan, while Cloud Atlas and another espionage group, Sticky Werewolf, launched attacks against government agencies in Belarus.

The attribution of state-controlled groups to specific countries is not easy. For example, one of the most active threat actors, XDSpy, has been operating since at least 2011, mostly targeting Russian critical infrastructure, yet researchers from around the world couldn't figure out whose interests it represents.

Hacktivist attacks

Another politically motivated threat to Russian enterprises are cyberattacks by volunteers, better known as hacktivists.

The IT Army of Ukraine remains the most active hacktivist group in the region by the number of distributed denial-of-service (DDoS) attacks, according to F.A.C.C.T. Researchers said that over the past year, the group introduced new tools and likely united with other local hacktivists.

Earlier last year, subgroups affiliated with the IT Army of Ukraine launched an online service called Activeness, which aims to promote certain narratives on social networks. Previously, similar operations had already been carried out by the Internet Troops of Ukraine group, but “they were probably not very effective,” researchers said.

Another hacktivist group, known as Belarusian Cyber Partisans, launched at least six attacks last year against Belarus and Russia. At least two of them were carried out with the use of an unknown encryption virus, while others were defacement campaigns designed to change the appearance of the website or involve confidential data breaches.

Researchers also discovered groups that pursue both financial and political interests. One of them is the criminal syndicate Comet Twelve, in which Comet demands a ransom for decryption and non-distribution of stolen data, while Twelve destroys the victim’s networks without making financial demands. Both groups use the same infrastructure, tactics, and attack tools.

F.A.C.C.T. linked Twelve to other hacker groups such as Muppets and BlackJack. Earlier in January, BlackJack claimed the attack on the Moscow internet provider, which it allegedly carried out in cooperation with Ukraine’s security forces (SBU).

“Amid the acute geopolitical conflict, the activity of hacktivists and pro-government hacker groups will not decrease in the near future,” researchers said. “Their priority goals will be espionage, theft of intellectual property, and gaining access to company databases."

In total, hackers and hacktivists posted 246 new databases of Russian companies on the darknet last year. According to the report, cybercriminals do not immediately publish leaked data but use it to launch new attacks on major players in the commercial and public sectors.

This year, Russia should expect continuous attacks from “enemy” states, as well as “neutral” countries from around the world, according to F.A.C.C.T. Attacks will also be carried out by insiders — former company employees who quit and left Russia, researchers said.