Russia’s unprovoked invasion of Ukraine is leading hacking groups worldwide to increase their activities — in some cases to support a side, or possibly just to capitalize on the chaos.
Since the invasion of Ukraine earlier this week, the Anonymous hacker collective, the Conti ransomware gang and a threat actor in Belarus are among those that appear to have gotten more active — or at least expressed intentions to be. Meanwhile, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning Thursday about a growing threat from an Iranian advanced persistent threat (APT) actor.
During the Cold War, “the superpowers fought many small wars by proxy,” said Sam Curry, CSO at Cybereason. “Today, we can expect a cyber proxy war to emerge.”
Anonymous has declared itself aligned with “Western allies” and said it would only target operations in Russia. The group has posted a number of claims on Twitter.
“The Anonymous collective is officially in cyber war against the Russian government,” the group tweeted.
On Thursday, Anonymous claimed on Twitter that it brought down numerous websites associated with the Russian government. Those included a state news site, RT News, which reportedly confirmed that it had experienced a distributed denial-of-service (DDoS) attack.
Calling the news site “propaganda,” Anonymous said the DDoS attack was carried out “in response to Kremlin’s brutal invasion of #Ukraine.”
Then on Friday, Anonymous tweeted that it has “successfully breached and leaked the database of the Russian Ministry of Defence website,” and claimed to have posted “all private data of the Russian MOD.” (The tweet was subsequently taken down because it “violated the Twitter Rules,” the site says.)
The group had earlier tweeted a video, featuring its signature Guy Fawkes-masked figure, saying that “if tensions continue to worsen in Ukraine, then we can take hostage industrial control systems.”
The involvement of Anonymous is not a surprise, since the group is “well-known for having a principled position on topics and then acting or retaliating via the Internet,” said Casey Ellis, founder and CTO at Bugcrowd.
Also unsurprisingly, Conti — believed to be a state-sponsored group operating out of Russia responsible for hundreds of ransomware attacks in recent years — threw its support behind the Russian side.
According to reports, Conti posted a message on its site on the dark web, saying that “the Conti Team is officially announcing a full support of Russian government.”
“If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy,” the message said, according to reports.
The statement “represents the first major cybercriminal group to publicly back the Russian war effort,” said Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows.
It also comes after many warnings from U.S. officials, who’ve emphasized that “the risk from ransomware activity may escalate as sanctions impact Russia,” Morgan said.
Digital Shadows has identified Conti as the second most active ransomware group in 2021, by number of victims, and has attributed several attacks against critical national infrastructure to the group — including the crippling ransomware attack against Ireland’s health service in May 2021.
Conti’s position statement is “noteworthy in light of Russia’s recent crackdowns on cybercrime and ransomware,” Ellis said. “It signals to me that they are either acting independently as the other groups seem to be, or possibly operating with the Kremlin’s blessing.”
Meanwhile, in Ukraine, the country’s Computer Emergency Response Team (CERT) blamed “UNC1151,” a hacking group whose “members are officers of the Ministry of Defence of the Republic of Belarus,” for a wave of phishing attacks.
The attacks targeted Ukrainian military personnel, as well as “related individuals,” CERT said in a Facebook post.
At least two other hacker groups have announced that they are supporting Russia: The Red Bandits (a self-described “cyber crime group from Russia,” which has tweeted claims about cyberattacks against Ukraine this week) and CoomingProject (a ransomware group described as “sporadically active”).
In the midst of the Russian attacks on Ukraine on Thursday, CISA posted a warning about MuddyWater, a state-sponsored Iranian APT. The group has been observed “conducting cyber espionage and other malicious cyber operations targeting a range of government and private-sector organizations across sectors — including telecommunications, defense, local government, and oil and natural gas — in Asia, Africa, Europe, and North America,” CISA wrote in a post.
The timing of the disclosure “is interesting with the Ukraine cyberattacks and conflict playing out in parallel,” said Drew Schmitt, principal threat intelligence analyst for GuidePoint Security.
The disclosure suggests the possibility “this could be Iran stepping up operations based on a distracted world view,” though that’s not definitive, Schmitt said.
In general, the development shows that as more nations are developing cyber capabilities, more are coming to play, according to John Bambenek, principal threat hunter at Netenrich. And “there is no better training ground for nation-state actors than playing in an active warzone,” Bambenek said.
Seizing the opportunity
Without a doubt, some groups — and nation-state actors — will use the Ukraine invasion as an opportunity to escalate their ongoing cyberattacks “amidst the global chaos,” said Richard Fleeman, vice president for penetration testing ops at Coalfire.
Looking ahead, “I believe we will see the continual escalation,” Fleeman said. “These groups thrive on sentiment and will likely continue to build momentum based on their objectives.”
Curry agreed, saying that more groups “will pile in, and in the confusion other actors will conduct operations with plausible deniability.”
“Let’s all hope that sanity prevails, but let’s prepare our policies and our preparations with the expectation that peace is probably further away than anyone would like,” he said.
Ellis said that one concern with the development is the relative difficulty of attribution in cyberattacks — as well as the possibility of incorrect attribution or “even an intentional false flag operation escalating the conflict internationally.”
While all sectors of industry should be aware of the possible repercussions from the increased hacker group activity, certain sectors in the west may be more likely to be targeted, Morgan said.
The financial services sector and energy sector would be “at particular risk, should Russia-aligned threat groups target organizations they assess as equivalent to those impacted by western sanctions,” he said.
In many ways, this is uncharted territory, given that the world hasn’t had a war like this occur at a time when cyber capabilities were so advanced and widespread. It’s an “unprecedented” situation, said Danny Lopez, CEO of Glasswall — but it’s “not unexpected.”
“Cyber has joined land, sea and air to become the fourth conflict theatre,” Lopez said. And whether it’s state-sponsored groups or their proxies, “I think cyber is the new war frontier,” he said.