The video opens in typical Anonymous style, with 3D-rendered text and grainy Guy Fawkes masks flickering over footage of street protests.
“Greetings, world! We are Anonymous,” says a distorted voice. “We see the clouds of war … and it makes us angry.”
Uploaded to YouTube and shared with the 7.8 million @YourAnonNews followers on Twitter, this video was cited as the moment Anonymous “declared war on Russia.” That is a misleading claim, since Anonymous is less a standing army than an all-purpose hacktivist banner, but the moment was still significant. Many Internet bystanders were preparing to cause trouble for Russia, and they were going to use the mantle of Anonymous to do so.
Many expected a more organized cyber offensive from Russia, but it has not materialized, for reasons that are hard to pin down. The reality has been more chaotic, with little supervision or coordination. These smaller incidents have mostly favored Ukraine, but they are also qualitatively different from military operations like Stuxnet or Sandworm. And while conventional warfare continues to ravage Ukraine, Anonymous’s campaign has been running more quietly in the background, with consequences that are hard to predict.
On February 26, Ukraine’s Deputy Prime Minister Mykhailo Fedorov, who is also the Minister of Digital Transformation, announced the creation of a volunteer-led cyber army, calling on everyone with skills in the IT sphere to take part in a variety of digital actions against Russia.
The cyber volunteers were already venturing into uncharted territory. Coordinated through a Telegram channel that currently has more than 300,000 users, the membership of the so-called “IT Army” was globally distributed yet centrally directed, blurring the line between decentralized digital activism and state-sponsored hacking. But while the IT Army embarked on a new kind of cyber warfare, Anonymous’s #OpRussia represented a different, far more chaotic trend.
The IT Army has relied heavily on DDoS attacks, carried out against targets such as oil, gas and infrastructure companies, the Moscow Stock Exchange and even the Kremlin website using an app called disBalancer, but the most striking actions have come from data theft and its release to the public. In one case, groups operating under the names Anonymous Liberland and Pwn-Bär Hack Team obtained more than 200 GB of emails from the Belarusian defense weapons manufacturer Tetraedr, which have been made available via the Distributed Denial of Secrets leak website.
In another incident, a group of hackers breached a website belonging to the Russian Space Research Institute and leaked files online that appeared to include descriptions of lunar missions. Days earlier, another group called Against The West (ATW), previously known for leaking data obtained from the Chinese Communist Party, released a trove of files supposedly obtained from the energy company PromEngineering, including power plant plans and schematics.
The latest major leak occurred on March 10, when Distributed Denial of Secrets published more than 800 GB of leaked data from Roskomnadzor, the Federal Service for Supervision of Communications, Information Technology and Media, which is Russia’s main censorship agency. Although the actor who obtained the data is not yet known, the nature of the leak is, at the very least, deeply embarrassing for Roskomnadzor and potentially more damaging depending on exactly what was published.
Trying to strike blows at Russia, Ukraine-aligned hacktivist groups have been leaking whatever sensitive information they can find on Russian targets. But once this information is published, it is difficult to contain, and there can be unintended consequences. DarkOwl, a dark web intelligence company, has been tracking data leaks linked to the invasion of Ukraine on its blog. A DarkOwl analyst told The Verge that the information contained in corporate leaks could be valuable for spear phishing or surveillance campaigns, especially for more sophisticated actors.
“You have sensitive corporate information here. You know, you have shipping addresses and account numbers and things like that,” the analyst said. “There are also photographs and screenshots that have been taken. As we have seen, that can be used in more strategic espionage activity by a nation-state actor in the future.”
But many of the leaks also contain vast amounts of information about the companies’ customers, most of whom are ordinary Russians with little connection to the elite interests that have waged the war. That information could put them at risk at a later date.
“This flurry of action that we see right now is basically to vandalize and create as much chaos as possible,” says Jeremiah Fowler, an American cybersecurity researcher based in Ukraine. “But having names, user details, credit information, anything out there long-term, you know we have no idea what they’re going to do with it. Unfortunately, there is so much anger about all of this that many innocent Russian people may be targeted by default.”
The loosely coordinated, sometimes amateurish nature of hacktivist support for Ukraine has also made it harder to verify exactly what is going on at any given time. Some highly publicized Anonymous actions have been patently false: in one example, an Anonymous news channel claimed that an affiliated group had shut down the main control system of Russian satellites; in another, debunked by cybersecurity firm Check Point, a group claiming to have hacked into CCTV cameras inside a nuclear power plant was found to be reusing years-old YouTube footage.
Other plausible hacks have been difficult to confirm. On February 26, some social media users shared images allegedly showing Russian TV channels that had been hacked to broadcast pro-Ukrainian messages and tell viewers the truth about the invasion of Ukraine. (The media in Russia is heavily censored, even more so after Putin signed a “fake news” law that threatened up to 15 years in prison for people who spread unapproved information about Russian war losses.)
Fowler says that a fellow researcher had directly observed a hijacked Russian television broadcast and that it may have happened many more times. Fowler said that he had come across insecure file systems when investigating Russian media agencies and that someone with the technical ability to find them could easily change the broadcast images:
“Let’s say you have administrative access,” Fowler said. “You take a video of some of these horrible [war] footage we’re looking at, and you name it the same as the source footage. So the next time the software pulls from that source, instead of getting the news they provide, the audience will see something else. And the system doesn’t know anything different because the file has the same name.”
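The weakness Fowler describes is that the playout software trusts a file purely by its name. The defensive counterpart is to record a content hash for every approved source file and refuse or alert on anything whose name matches but whose bytes do not. The following is an added example, not code from the article or from any broadcaster's system; the file names and contents are constructed.

```python
import hashlib
import os
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record the content hash of every approved source file, keyed by file name.
    Generated when the material is approved, and stored somewhere the playout
    host cannot overwrite (e.g. a read-only share or a signed config)."""
    return {name: sha256_hex(content) for name, content in files.items()}


def check_against_manifest(manifest: Dict[str, str], files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare the files currently in the source directory with the manifest.
    'replaced' lists files whose name is unchanged but whose content differs,
    which is exactly the same-name substitution described in the article;
    'unexpected' and 'missing' catch added and deleted files."""
    report: Dict[str, List[str]] = {"replaced": [], "unexpected": [], "missing": []}
    for name, content in files.items():
        expected = manifest.get(name)
        if expected is None:
            report["unexpected"].append(name)
        elif sha256_hex(content) != expected:
            report["replaced"].append(name)
    report["missing"] = [name for name in manifest if name not in files]
    return report


def load_directory(path: str) -> Dict[str, bytes]:
    """Read every regular file in a playout source directory (hypothetical layout)."""
    out: Dict[str, bytes] = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                out[name] = fh.read()
    return out


# Constructed sample: the approved files at manifest time, and the same
# directory after one clip has been swapped for a different file with the same name.
APPROVED = {"evening_news.mp4": b"approved news segment", "weather.mp4": b"weather segment"}
TAMPERED = {"evening_news.mp4": b"different clip, same file name", "weather.mp4": b"weather segment"}

if __name__ == "__main__":
    print(check_against_manifest(build_manifest(APPROVED), TAMPERED))
```

In practice the check runs before each scheduled pull, and a non-empty "replaced" list should block playout and page an operator rather than just log.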
Someone hacked Russian state TV channels. They feature Ukrainian music and national symbols.
Internet users suspect that it may be another action by the hacker group #Anonymous, which declared a cyber war on Russia in connection with the attack on #Ukraine. pic.twitter.com/XaoclymVTs
— BECZKA ✌️ (@beczka_tv) February 26, 2022
Fowler said he had also seen evidence of numerous Russian company databases being accessed by outsiders, with data deleted or files rewritten en masse to say “Putin stop this war,” to the point that in a sample of 100 databases of publicly exposed data, 92 appeared to have been tampered with. Many of these databases contained names, account details and other personally identifiable information, Fowler said; and there is no way of knowing exactly who might have had access to it.
Some people now acting as “cyber patriots” supporting Ukraine may also be involved in criminal activity, said Jon Clay, vice president of threat intelligence at Trend Micro, and computer systems that are compromised now in protest could later be exploited for financial gain.
“Many of these cyber patriots may be part of a cyber criminal group,” Clay said. “So the nation-state is giving them cover to attack these other groups or agencies in a different country. And that’s where it’s going to be hard to draw the line because, you know, very quickly they can pivot to just activate the cybercrime component of their business.”
Groups involved in pro-Ukrainian attacks could implant backdoors into computer systems that could be reactivated for future exploits, Clay said, with stealthier actors able to remain undetected for months or even years. Later, these groups could sell user data for profit or deploy ransomware, he said.
As long as the battlefield is covered by what has been called “the fog of cyber warfare”, there is also the possibility that some of the most sophisticated cyber threat actors are operating under cover of hacktivism.
In a webinar on Thursday, Kaspersky’s director of global research and analysis, Costin Raiu, said some cyber activity in Ukraine bore the hallmarks of advanced persistent threat (APT) groups, the highest tier of cyber threat actor, typically run by a military agency or backed by a nation-state, and could have been hidden under “false flag” cybercrime or hacktivist operations.
Still, the haphazard nature of hacktivist actions can cause real damage, often to people or infrastructure that have no connection to the invading forces. “It’s very dangerous for people when they can’t see three steps down the line to do offensive activity,” said Chester Wisniewski, a senior research scientist at Sophos. “A hallmark of what we would consider acceptable offensive hacking on behalf of the British, the Israelis, the Americans, even the Russians and the Chinese, is understanding what the potential impacts of your actions will be and minimizing collateral damage by being very precise and focused on those actions.”
“Civilians are not prepared to do that effectively,” adds Wisniewski. “And I’m very worried about that.”