More than two months have passed since Russian ground forces first invaded Ukraine on February 24. While Russian and Ukrainian troops face off in bloody combat on the physical battlefield, another war rages in parallel in an entirely separate arena - cyberspace. Hacktivist groups backing each side of the conflict have joined the war effort, launching a series of wide-scale cyberattacks targeting critical infrastructures and industries in hostile nations.
In the past month, Cybersixgill has observed significant chatter on the cybercriminal underground, discussing the plans, tactics, targets and results of cyberattacks launched by hacktivist groups on both sides. Here's what we found:
- Cybersixgill recently identified a post on a dark web forum, whereby the author shared a huge data leak exfiltrated by a pro-Ukrainian hacktivist group following their successful breach of the Russian state-owned multinational energy corporation Gazprom. The leaked data included information relating to the company's source code and ‘WellPro’ - well intervention projects. The post generated high interest among the cybercriminal community.
- Cybersixgill spotted another post on a dark web ‘Dedicated Leaks Site’ (DLS), including 1.23 million emails (equivalent to 1.7 TB of data), stolen from Elektrocentromontazh - the primary provider of electrical equipment in power generation and transmission facilities in Russia - extracted by a pro-Ukrainian hacktivist collective.
- Cybersixgill also collected a post from the official Telegram channel of the Ukrainian “IT Army”, sharing a screenshot of a message sent by Russian consulting firm Offshore Technology Consulting (OTC) to their customers, informing them of a recent Distributed-Denial-of-Service (DDoS) attack that had disrupted the company’s operations. In the ‘IT Army’ Telegram post, the author congratulates the perpetrators of the attack, encouraging fellow members to keep up the good work. The same group member also posted an additional message, sharing an exhaustive list of potential Russian targets (website URLs with related IP addresses and ports) for further DDoS attacks in the near future.
Where are we seeing a split in terms of forums taking sides? What type of information is being shared?
On February 24, the day Russia launched its ground operation in Ukraine, an administrator of a notorious underground forum announced to members that the site would block users who connect to the site from Russia, in a declaration of the forum operators’ allegiance to Ukraine. On a separate, Russian-speaking underground hacking forum, Cybersixgill observed several threat actors expressing their intent to purchase access to any corporation in Ukraine or NATO, indicating that this forum’s allegiance is with Russia. A member of another notorious cybercriminal forum shared a poll aiming to determine how many threat actors considered themselves likely to target Russian entities. The results of the poll showed that 83% of the respondents were not willing to launch cyberattacks on Russian entities, demonstrating an overall pro-Russian stance on the forum. In a fourth cybercriminal forum, several members were observed spreading hate speech against the Russian government, harshly condemning the Kremlin for the bloody invasion of Ukraine. The overall tone of agreement by other members suggests that this forum is primarily composed of pro-Ukrainian actors.
Any stats on percent increase in conversations?
Cybersixgill has noted a steady increase in the number of Telegram posts in Russian, which seems to have been embraced by Russian citizens as a medium to access uncensored information on the conflict, beyond the information embargo imposed by the Kremlin.
For the Chinese Dark Web, are they talking about Ukraine at all?
Cybersixgill has also observed a steady increase in Telegram and QQ (Chinese IM platform) discourse among Chinese-speaking actors in relation to the Russia-Ukraine conflict. As opposed to the discourse observed on Russian-speaking platforms, the escalating tensions between Russia and Ukraine had already been a topic of interest within Chinese discourse even before Russia’s invasion on February 24th. This interest somewhat abated following the ground-force invasion and as the physical hostilities raged on. After this brief interlude, Chinese interest in the conflict appeared to have been reignited during the first week of April, and in particular in the week following the 5th of April. This rekindled interest could be attributed to Russia’s withdrawal of their troops from Bucha on April 1st, and the subsequent publication of photos and videos by Ukrainian authorities depicting the brutal devastation left in the wake of Russia’s brief occupation of the town.