The ongoing conflict between Russia and Ukraine has been the main highlight of March 2022, generating a significant increase in online activity. As a majority of the world united against Russian aggression, multiple hacktivist groups have targeted Belarusian and Russian institutions. This resulted in major data breaches from government and commercial organizations in between ongoing Distributed Denial of Service attacks and relentless information operations from both sides. Chinese threat actors also took part in the Ukrainian conflict with multiple cyber operations.
Given the Russian invasion of Ukraine, a significant increase in data breaches of Russian and Belarusian corporations. The following data breaches were published in February and March 2022:
Given the atmosphere of propaganda and misinformation surrounding the conflict, some actors are using the situation to publish fake data and leaks for unclear reasons. The group AgainstTheWest A.K.A. ATW has claimed to have leaked the source code of multiple Russian government entities like the Russian Space Forces and the Ministry of Transport of Russia. Upon further inspection, it is clear that the generated data has nothing to do with the real targets. A second group – named NB65 – claimed to have leaked data from supposedly Russian satellite and telecom systems. However, the data contained in the archive appeared randomly generated. While the end goal of such a release is unclear, it is assessed that gaining clout in order to sell “private accesses” to forums or channels may be the goal: a tactic employed by ATW in the past. The current environment is conducive to large-scale attacks on Russian and Belarusian entities, producing a much higher rate of data breaches against such organizations.
In the wake of the Russian invasion of Ukraine, Telegram rose up as the communication platform of choice by actors involved in the conflict. The confirmed accounts of Ukrainian officials have seen a drastic increase in subscribers: Ukrainian president Zelensky’s official account had around 65,000 subscribers on February 23rd and jumped to more than 1 million by the 26th. Many Telegram groups have also been created to share information of all kinds like military assets location, soldier “trophy” pictures, information operations and cyber operations.
In the immediate follow-up to the invasion, officials sought to recruit foreigners to conduct or assist in cyber operations. Multiple groups were created to recruit a volunteer “cyber army”, with one particular group reaching over 305,000 subscribers after being promoted by the Ukrainian Vice Prime Minister. The owner of the group regularly rotates a set of key targets for volunteers to join Distributed-Denial-of-Service (DDoS) attacks. The group also shares a Github repository containing links to various tools, instructions and references for volunteers with no technical backgrounds. The targets provided are mostly critical infrastructures like telecoms, utilities, banks, military and government servers hosting websites or web-based APIs. The owner appears to monitor the status of these targets via third-party connectivity validation services (Figure 1). The channel also shares pro-Ukraine propaganda material for militants to spread on social media and in news outlets around the world. Also, they provide instructions to disrupt Russian social media accounts like YouTube, Facebook, Twitter and others. Based on the results, the owner provides new targets and/or encourages volunteers to redirect their attacks on targets likely to fail.
Figure 1. The owner of the “IT ARMY of Ukraine” channel on Telegram regularly posts target details and their current effectiveness. |
Another group with more than 60,000 subscribers planned and executed a railway disruption campaign in the Belarusian cities of Minsk and Orsha, as well as in the town of Osipovichi. The attack was made by compromising the Belarusian Railway system’s routing and switching devices and rendering them inoperable by encrypting data stored on them. Physical sabotage operations were also performed with instructions that were provided on their channel. Back in January 2022, the same group unleashed a ransomware attack that locked files on employees’ workstations and servers. The group asked for the release of 50 political prisoners and the removal of all Russian troops from Belarus in exchange for the decryption keys (Figure 2).
Figure 2. A post by the Belarusian Cyber-Partisans requesting the release of political prisoners for encryption keys to unlock the Belarusian railway network. |
As per Russian Tactics, Techniques and Procedures (TTPs), social media is leveraged for propaganda and disinformation. Pro-Putin social media bots, fabricated news about humanitarian aid, fake capitulation news and doctored videos of Ukrainian president Zelensky are some examples of how invested the Russian government is in his disinformation campaign. In an attempt to counter anti-propaganda efforts from Ukrainian and Western governments, the Russian government has blocked or severely limited access to foreign social media platforms and may slowly be generating a “Russian Internet”, somewhat similar to what the Chinese government accomplished domestically with its “Great Firewall”. In any case, Russian authorities are likely to continue their crackdown on the free flow and manipulation of information in and out of the country.
On February 27, 2022, Meta reported taking down a pro-Russia network for violating their policy against coordinated inauthentic behaviour. The network ran websites posing as independent news entities and created fake personas across social media platforms including Facebook, Instagram, Twitter, YouTube, Telegram, Odnoklassniki and VK. This network created fake accounts, fictitious personas and brands to appear more authentic in an apparent attempt to prevent detection and removal from the platform. These sigil accounts used profile pictures likely generated using artificial intelligence techniques like generative adversarial networks (GAN). This network had fewer than 4000 Facebook accounts following one or more of its Facebook pages and fewer than 500 accounts following one or more of its Instagram accounts. According to Meta, this operation has links to a previous one conducted in 2020 by individuals in Russia, the Donbas region in Ukraine and two media organizations in Crimea.
While some pro-Ukraine groups have formed with the purpose of conducting offensive operations, others are specializing in information operations. Other Telegram channels have recruited influencers, graphic designers, video editors and other multimedia specialists to generate pro-Ukrainian content and publish it via social media. The same organizers also have mobilized a group of volunteers to browse various social media and report/flag pro-Russian content to have it removed from the platform. They also actively encourage these users to share content generated by other users on their accounts and share it across their networks.
Leading to its invasion, Ukraine has suffered multiple cyber-attacks which sought to disrupt the operations of the Ukrainian government and key institutions.
Figure 3. A poor-quality deepfake video of the Ukrainian president was generated to promote a demoralizing message. |
Recent events provide an excellent opportunity to study Russian TTPs in the conduct of cyber operations. Based on our observations, Russian threat actors may have been leveraging prior access to Ukrainian networks and other foreign accesses to prepare pre-invasion offensive operations. Latent compromises of network appliances and other high-bandwidth appliances held by pro-Russian groups may have been upgraded with more effective malware to conduct DDoS attacks against key IT infrastructure. Accesses to Ukrainian government networks may have harboured logic bombs to activate wiper malware to generate disruption prior to the invasion. On the Ukrainian side, a major surge of hacktivism, mostly organized via Telegram, has quickly materialized following kinetic Russian operations. These channels, often uncontrolled and created by unknown individuals, have quickly coordinated large amounts of often low-skilled actors into DDoS attacks against multiple Russian and Belarus strategic targets. Smaller, higher-skilled groups have remained isolated and released a steady flow of data leaks. Some of these leaks were false and performed by groups with suspicious motives. These events, combined with relentless propaganda efforts using social media may provide valuable intelligence on TTPs on both sides, by various threat actors in times of major conflict.
Known Chinese threat actors allegedly have been actively targeting European and American officials related to the Ukrainian situation using common Techniques, Tactics and Procedures (TTPs). On February 28, 2022, Threat actor Mustang Panda (aka TA416) was observed leveraging a compromised diplomatic account from a NATO partner to target an individual working in refugee and migrant services. The attack leveraged basic spear-phishing tactics, using Portable Executable (PE) files and archives (Zip) files dropping the PlugX malware, which has been used by Chinese-speaking actors for multiple years. On March 22nd, 2022, the Ukrainian national CERT (UA-CERT) reported a spear-phishing campaign targeting Ukrainian officials using archive files (RAR) bundling Office documents and Batch scripts dropping the HeaderTip malware. At least one security company attributed the campaign to Chinese state-sponsored actors. These tactics are fairly basic and have long been part of Chinese TTPs for spear-phishing campaigns. Based on the few reports reviewed, Chinese-based cyber threat actors may show interest in targeting individuals involved with the logistics and management of refugees, as well as U.S. government officials associated with the conflict.
The Ukraine invasion by Russia resulted in an uptick in hacktivism activities, resulting in a significant increase in data leaks from Russian organizations. The Cyber Partisans hacking group was able to disrupt logistical assets from the Belarusian Railway systems that caused resupply issues for the Russian army. Chinese threat actors also did their part with multiple spear-phishing campaigns aimed at key NATO, EU and Ukrainian officials.