Russian hacktivism is crowdfunded cyber terrorism. The hacktivist groups finance their activities by soliciting donations on their social media channels. Their campaigns mainly consist of simple DDoS attacks, but amplified news coverage can blow the effects of these attacks out of proportion and inadvertently aid the criminals, as more headlines can mean more donations.
What Is Russian Hacktivism?
Since the Russian invasion of Ukraine, there has been a significant increase in Russian hacktivism. Groups like “KillNet,” “XakNet,” and “NoName057(16)” have conducted DDoS campaigns against organizations in Ukraine and the West. Recently the government of Finland was targeted by a DDoS attack from NoName057(16). These groups present themselves as quasi-military organizations to gain internet fame and appeal to patriotic hackers by targeting Russia's perceived enemies.
Since these types of attacks on networks are likely to continue as long as the conflict in Ukraine continues and may potentially escalate further, Truesec Threat Intelligence has decided to share some of our findings regarding these groups.
Russian hacktivism is essentially a form of crowdfunded cyber terrorism. The hacktivist groups finance their activities by soliciting donations in cryptocurrency on their social media channels, usually Telegram. One of these groups is estimated to have received tens of thousands of dollars in donations per month from online fans. Since the core of the hacktivist groups is often former small-time cybercriminals, the true purpose of the activities is likely to raise money and gain online fame rather than actually affect the outcome of the conflict in Ukraine.
At the core of these groups are the administrators, a team of cybercriminals that run the botnet used for the attacks. Some botnets were initially created for criminal purposes; others may have been created expressly for the purpose of hacktivism. The administrators also supply volunteer members with a toolset to access their botnet.
The groups then recruit volunteers on their forum, by bragging about their accomplishments, to perform the actual DDoS attacks. The administrators divide the volunteers into “squads” and assign them targets. The administrators also give tips and support on what scripts and tools to use to maximize the impact of the attacks. The largest of these groups, “KillNet,” is estimated to have over a hundred volunteer members.
The most common tool is a variant of the Mirai bot, a popular malware that infects internet of things (IoT) devices; its source code is freely available on the internet. The administrators sometimes also instruct their volunteer members to use other commercially available tools for DDoS attacks to amplify their attacks.
The victims appear to be chosen based on a superficial understanding of who Russia’s enemies are. There is no real thought behind the choice of services to disrupt, just high-profile organizations’ regular web pages. A typical attack often lasts half an hour or less, just enough to be able to screenshot that the page is down. Momentarily taking down the web page of a government, for example, usually doesn’t affect their activities in the slightest, but it can be boasted about as a significant “kill.”
Truesec has no evidence that the Russian government directs these groups, but it's possible that the Russian government has channels to influence targeting. As the conflict has progressed, the Russian hacktivist groups have consolidated their activities. They are now better organized than in the early stages, and many groups actively cooperate to increase the effectiveness of their attacks.
Some groups have also begun to recruit hackers capable of cyber breaches. So far, those hackers are few and have only conducted low-effort attacks, like hacked web pages and web defacement. In one known case, hackers from a Russian hacktivist group were also ready to conduct pure cybercrime for profit. This is not a real danger now, but if the lines between hacktivism and cybercrime continue to blur in Russia, this could become a real problem in the future.
What Can You Do?
It's important not to overstate the effects of these groups’ activities. Temporarily blocked access to a website is seldom more than a minor inconvenience. The real damage occurs when the hacktivists' messages get amplified, and their efforts are blown out of proportion, creating fear and anxiety in the general public. This, in turn, aids the attackers as the media coverage increases the donations they rake in from their fans.
While it's important to give proper DDoS protection to business-critical services and to government websites that carry critical emergency information, it’s hard to protect everything. The perpetrators are mostly after the headlines; they are not trying to identify weaknesses where attacks can cause real damage.
The best way to handle these attacks is to get ahead of the information. Explain in your communication that your organization is under a DDoS attack, that the effects are minor and temporary, and that no lasting damage has occurred. Silence leaves the information space to the attackers, who will attempt to present the attacks as critical to boost their impact in the media.
Since we have observed that some Russian hacktivists are trying to recruit hackers capable of breaching networks, this is likely a good time for potentially affected organizations to improve their overall cybersecurity posture, as hacktivism may pose a more serious threat in the future.
How To Protect Your Organization Against DDoS Attacks
For further information on how to protect your organization from DDoS attacks, please refer to our previous blog post "Increased Risks of DDos attacks" on our Knowledge Hub.