For more than a decade, U.S. cybersecurity experts have been warning about Russian hacking, which is increasingly using the workforce of financially motivated criminal gangs to achieve political goals, such as strategically leaked campaign emails.
Yet the third month of war sees Russia, not the United States, fighting an unprecedented wave of hacking that mixes government activity, political volunteering, and criminal activity.
Digital assailants have plundered the country’s personal financial data, defaced websites and handed decades of government emails to anti-secrecy activists abroad. A recent study showed that more passwords and other sensitive data from Russia were dumped on the open web in March than from any other country.
The published documents include a cache from a regional office of the media regulator Roskomnadzor, which revealed the topics its analysts were most concerned about on social media – including anti-militarism and drug legalization – and showed that it filed reports with the FSB federal intelligence service, which has been arresting some of those who complain about government policies.
A separate cache from VGTRK, or All-Russia State Television and Radio Broadcasting Co., exposed 20 years of emails from the state-owned media chain and is “a big one” in expected impact, said a researcher at cybersecurity firm Recorded Future, who spoke on condition of anonymity to discuss his work with dangerous hacking circles.
The broadcaster cache and some of the other notable hauls were obtained by a small hacktivist group called Network Battalion 65, formed when the war began to look inevitable.
“Federation government: your lack of honor and blatant war crimes have given you a special prize,” read a note left on a victim’s network. “This bank has been hacked, redeemed and will soon have sensitive data dumped on the Internet.”
In its first in-depth interview, the group told The Washington Post via encrypted chat that it does not receive any guidance or assistance from officials in Ukraine or elsewhere.
“We pay for our own infrastructure and dedicate our time outside of jobs and family obligations to this,” said an unnamed spokesman in English. “We do not ask for anything in return. It is the right thing to do.”
Christopher Painter, formerly the top U.S. diplomat on cyber issues, said the rise in such activity risked escalation and interference with covert government operations. But so far, it seems to be serving U.S. goals in Russia.
“Are the goals worthy? Yes,” said Painter. “It’s an interesting trend that they’re now the target of all this.”
Painter warned that Russia still has offensive capabilities, and U.S. officials have urged organizations to prepare for a Russian cyberattack that might be launched at a moment of maximum leverage.
But perhaps the most important victim of the wave of attacks has been the myth of Russian cyber superiority, which for decades helped scare hackers in other countries – as well as criminals within its borders – away from targeting a nation with such a formidable operation.
“The sense that Russia is off-limits has expired a bit, and hacktivism is one of the most accessible forms of attack on an unjust regime or its supporting infrastructure,” said Emma Best, co-founder of Distributed Denial of Secrets, which vetted and published the regulator and broadcaster troves, among others.
While many of the hackers want to inform the public about Russia’s role in areas including propaganda and energy production, Best said a secondary motivation after the invasion is “the symbolic ‘pantsing’ of Putin and some of the oligarchs.”
“He has cultivated a strongman image for decades, but not only is he unable to stop the cyber attacks and leaks hitting his government and key industries, he is the one making it happen.”
The volunteer hackers have received a first-of-its-kind boost from the Ukrainian government, which has endorsed the effort and proposed targets through its IT Army channel on Telegram. Ukraine’s government hackers are believed to be acting directly against other Russian targets, and officials have distributed hacked data, including the names of troops and of hundreds of FSB agents.
“There are government institutions in Ukraine that are interested in some of the data and actively assist some of these operations,” said an analyst at security firm Flashpoint, who spoke on condition of anonymity because of the sensitivity of his work.
Ordinary criminals with no ideological stake in the conflict have also joined the action, taking advantage of overstretched security teams to grab money while the aura of invincibility fades, researchers said.
Last month, a quarterly survey of email addresses, passwords and other sensitive data released on the open web found that more of the victim accounts were likely Russian than from any other country. Russia topped the survey for the first time, according to Lithuanian virtual private network and security firm Surfshark, which uses the underlying information to warn affected customers.
The number of suspected Russian credentials, such as those for e-mail addresses ending in .ru, rose in March to 50 percent of the global total, double the previous month and more than five times as many as were published in January.
“The United States is first most of the time. Sometimes it’s India,” said Surfshark computer scientist Agneska Sablovskaya. “It was really surprising to us.”
The crime industry can also become political, and it certainly has with the war in Ukraine.
Shortly after the invasion, one of the most aggressive ransomware gangs, Conti, declared that it would rally to defend Russian interests in cyberspace.
The pledge backfired spectacularly because Conti, like many Russian-speaking crime groups, had affiliates in Ukraine.
One of them then posted more than 100,000 internal gang chats and later the source code of its core application, making it easier for security software to detect and block its attacks.
Network Battalion 65 went further. It modified the leaked version of the Conti code to evade the new detections, improved the encryption and then used it to lock files inside state-affiliated Russian companies.
“We decided that it would be best to give Russia a taste of its own medicine. Conti caused (and still causes) a lot of heartache and pain for companies around the world,” the group said. “As soon as Russia ends this stupidity in Ukraine, we will stop our attacks completely.”
Meanwhile, Network Battalion 65 has demanded ransom payments, even as it has shamed victims on Twitter for poor security. The group said it has not received any money yet, but that it will donate everything it collects to Ukraine.
Network Battalion 65 collected emails and other data from the state and handed them to DDoSecrets, making it one of the most important of several hacktivist suppliers to the site, along with a pro-Western group called AgainstTheWest and some who have adopted the branding of Anonymous, a larger, looser and recently resurrected collective that welcomes everyone.
In an interview on April 3 with a researcher known as Dissent Doe, who runs the site DataBreaches.net, the leader of AgainstTheWest said the group was formed in October and was made up of six English-speaking hackers, all privately employed but with intelligence backgrounds.
The original goal “was to steal state secrets, state software (in the form of source codes), private documents and the like. But we also had the idea that we should act against China to attack the West in cyber espionage campaigns over the years,” the hacker said.
After hitting targets in China, AgainstTheWest moved on to those in North Korea, Iran and Russia.
The leader said the group did not act directly for any intelligence service but declined to say if it was helped by any of them. “We are carrying out our work in the hope that it will benefit the Western intelligence service. We will share all private documents with anyone from the US / EU government.”
The group has published other documents through DDoSecrets. Best received a request from a U.S. military account for access beyond what she published, but declined.
Painter, formerly of the State Department and the Department of Justice, said he was concerned that some volunteer hackers might go a step too far and damage civilian infrastructure or trigger a major response, and he warned that others might be hiding additional motives.
“In the normal course of events, you do not want to encourage vigilante hackers,” Painter said. But he agreed: “We are not in a normal course.”