Threat Actors declare allegiance to Ukraine and Russia
Cyble Research Labs has observed a parallel war being fought in cyberspace in the shadow of the ongoing military and political crisis between Russia and Ukraine. Though most of these activities correspond to Threat Actors (TAs) aligned with one side or the other, we continue from our previous reporting on Ukraine to stay abreast of the developments.
Ukraine continued to be at the center of several cyberattacks by various well-known and newly emerged cyber mercenaries in the second week of its armed conflict with Russia. Additionally, this week we identified cyber threat activity suggesting that the Ukrainian government, along with some pro-Ukrainian actors, has begun retaliatory responses to the attacks inflicted by Russian state actors.
Ukrainian government calls for cyberattacks against Russia
In an official statement on February 27, 2022, the Deputy Prime Minister of Ukraine, Mykhailo Fedorov, shared a Telegram channel link on his official Twitter account. He dubbed the channel the ‘IT ARMY of Ukraine’; it is used to crowdsource assignments aimed at Russian cyber infrastructure as a retaliatory response to the cyberattacks on Ukrainian government websites and infrastructure. The Telegram channel has since moved to a new account, t.me/itarmyofukraine2022, which currently has 229k subscribers.
On February 26, 2022, the Telegram channel listed several Russian websites as targets, including PJSC Sberbank, and requested that members attack the listed resources using any methods possible. From February 27 to February 28, 2022, the channel posted URLs of Sberbank’s web APIs and a few IP address ranges belonging to Sberbank, and requested members to launch targeted attacks against them. Later, on February 28, 2022, the channel posted the uptime status of the website, suggesting that the state-owned Russian banking and financial services organization PJSC Sberbank was unreachable and allegedly compromised.
Ransomware group and cybercrime forum affiliations in the Ukraine-Russia war
On February 25, 2022, the Conti Ransomware group released a statement on their website supporting the Russian government in retaliating against Ukraine. However, the statement was modified on February 27, 2022, to state their allegiance to Russia in countering cyber aggression by Western countries.
The Conti Ransomware group’s statement evidently stirred controversy and led to a conflict of opinions within the group. As events unfolded, on February 28, 2022, a Twitter handle allegedly operated by one of the group’s members released excerpts of internal conversations from the Conti ransomware operators’ Jabber/XMPP server. The actor behind the leak is believed to be a pro-Ukraine member of the group. The leaked chat conversations are now accessible on the data intelligence platform IntelligenceX.
The pro-Ukrainian Twitter persona continued to leak more sensitive data on March 1, 2022, posting screenshots allegedly captured from Conti’s infrastructure. (Ref.: screenshots)
Meanwhile, the LockBit 2.0 Ransomware group also released a statement describing themselves as apolitical and disclaiming allegiance to any country. The official statement from the LockBit 2.0 Ransomware group reads:
“Many people ask us, will our international community of post-paid pentesters, threaten the West on critical infrastructure in response to cyber aggression against Russia? Our community consists of many nationalities of the world, most of our pentesters are from the CIS, including Russians and Ukrainians, but we also have Americans, Englishmen, Chinese, French, Arabs, Jews, and many others in our team. Our programmers’ developers live permanently around the world in China, the United States, Canada, Russia and Switzerland. Our servers are located in the Netherlands and the Seychelles, we are all simple and peaceful people, we are all Earthlings.
For us it is just business, and we are all apolitical. We are only interested in money for our harmless and useful work. All we do is provide paid training to system administrators around the world on how to properly set up a corporate network. We will never, under any circumstances, take part in cyber-attacks on critical infrastructures of any country in the world or engage in any international conflicts.”– Lockbit 2.0 Ransomware group
Amidst these activities, we also witnessed an apparent shutdown of the long-standing cybercrime forum RaidForums on February 25, 2022. Initially, the security community believed that the forum had been seized in an undisclosed law enforcement operation. It is now assumed, however, that the forum was targeted and seized by an unidentified pro-Russian group or agency after the forum administrator ‘Moot’ released a warning imposing sanctions on forum members supporting Russia.
Pro-Ukrainian cyber threat activities targeting Russia
In our recent monitoring, we have started seeing various claims on cyber channels of a series of attacks against Russia in support of Ukraine.
On February 26, 2022, the threat actor AgainstTheWest created a Telegram channel supporting Ukraine to target Russian cyber assets. The posts claimed the compromise of several Russian and Belarusian infrastructure assets. On February 27, 2022, the actor claimed an attack on the Central Bank of the Russian Federation (Bank of Russia) and posted a screenshot displaying folders allegedly exfiltrated in the compromise.
During our research, we also found that the actor Spectre123, earlier active on RaidForums, released data allegedly belonging to an unidentified Russian defense manufacturing company on the leak website dubbed “Intel Repository.” The actor stated that the data had been purchased from the actor AgainstTheWest.
While analyzing the leaked data, we came across a text file with the following note from the actor AgainstTheWest expressing their support for the West:
“Hello, this data has been under wraps for a while now.
Because the Russian government has not backed down from the border of Ukraine, we’ve decided to go for the country ourselves and, as no other group has done so.
We were deciding to release this to Wikileaks, however, we decided against this, as it may not garner the same attention, if a journalist media would access this information.
The fact that this data was placed online, is a massive blunder on the Russian’s side.
Everyone here at ATW hopes that we can be taken more seriously.
We’re not here to attack the West in any way. We’re looking to help our respected countries & their allies in this endeavour.”– Threat Actor “AgainstTheWest”
On March 1, 2022, the actor AgainstTheWest claimed on their Telegram channel to have compromised an undisclosed Russian steel manufacturer. The actor’s tweet identified the impacted organization as Novolipetsk Steel (NLMK). The TA also claimed to have struck the Rosatom State Nuclear Energy Corporation, Russia, on the same day.
Similarly, the actor claimed the compromise of the Russian web hosting services provider FirstVDS (firstvds[.]ru). Besides this, on March 2, 2022, the actor AgainstTheWest claimed on their Telegram channel to have broken into the China-based Greatwall Computer Software & System Co. Ltd. and the State Administration for Science, Technology, and Industry for National Defence.
Further, the actor posted an announcement on their Telegram channel that they would be temporarily inactive before resuming their targeting of Russia and China in two separate Telegram channels.
The actor AgainstTheWest also claimed to have compromised the following other notable private and government infrastructure:
- Russian Space Forces
- Accounts Chamber of the Russian Federation
- Magnit PJSC
- AIP of the Russian Federation
- The Union State of Belarus & Russian relations
- Chermet LLC
- PJSC Aeroflot (Russia Airlines)
- Central Bank of the Russian Federation (Bank of Russia)
- Kvazar LLC
- Ministry of Digital Development, Communications and Mass Media of the Russian Federation, Pskov Region
- Ministry of Economic Development of the Russian Federation
- Juicy Labs LLC
- Ministry of Emergency Situations of the Russian Federation
- Saint Petersburg City Administration
- Mail.Ru Group
- Federal State Statistics Service
- Ministry of Agriculture and Food of Belarus
- Capital Television Belarus (CTV)
- Federal Service for Labour and Employment (Ministry of Labor and Social Protection of the Russian Federation)
- BrandQuad LLC
- Aviatourne LLC
On February 27, 2022, the actor KelvinSecurityTeam also released a statement declaring their support for Ukraine in the cyberwar against Russia. On their Telegram channel, the actor claimed to have attacked several Russian entities, including Russia Today’s online merchandise shop, shop-rt[.]com, allegedly by exploiting an Insecure Direct Object Reference (IDOR) vulnerability.
Hacktivists observed in support of Ukraine
We also observed several hacktivist factions operating under the ‘Anonymous’ collective, which declared cyberwar against Russia in support of Ukraine. These factions carried out their activities on Twitter using the hashtags #OpRussia, #OpNoWar, #OpKremlin, #FreeUkraine, #FreeAnons and #FreeAssange.
On February 27, 2022, one such hacktivist group, ‘Anonymous T.V.,’ claimed to have brought down over 300 websites belonging to the Russian government and banking organizations. The group had previously claimed to have compromised a website belonging to the Russian Ministry of Defence and allegedly leaked its database. (Ref.: twitter.com/YourAnonTV/status/1497846153660014593)
Our search of Twitter hashtags revealed several such Twitter accounts targeting Russia, as shown in the following screenshots.
Continued Pro-Russian cyber activities targeting Ukraine and the U.S.
As previously reported by Cyble Research Labs, we observed continued threat activity targeting Ukraine. Since our last advisory, the following threat activities targeting Ukraine and the U.S. have been identified.
The actor ‘DataFor’ on the XSS cybercrime forum continued to release Personally Identifiable Information (PII) belonging to U.S. law enforcement agencies. On March 1, 2022, the actor released a partial leak allegedly containing over 67k PII datasets from undisclosed sources.
On March 1, 2022, an actor behind the Arabic-speaking Telegram channel dubbed ‘Stormous Ransomware’ also announced their support for Russia in targeting Ukraine.
“The STORMOUS team has officially announced its support for the Russian governments. And if any party in different parts of the world decides to organize a cyber-attack or cyber-attacks against Russia, we will be in the right direction and will make all our efforts to abandon the supplication of the West, especially the infrastructure. Perhaps the hacking operation that our team carried out for the government of Ukraine and a Ukrainian airline was just a simple operation but what is coming will be bigger!!”– Stormous Ransomware group
One of their Telegram posts claims a distributed denial-of-service (DDoS) attack targeting the website of the Ministry of Foreign Affairs of Ukraine at mfa.gov.ua. The actor did not post any proof of the attack’s success. However, we observed that the targeted website was unreachable at the time of writing this advisory.
These activities indicate a peculiar modus operandi in this hybrid warfare: TAs volunteering for such illicit cyber operations. The policy adopted by Ukraine to thwart Russian cyberattacks is unique from a national perspective in harnessing nationalistic sentiment among cybercriminals. This policy presents an exceedingly rare challenge for governments and corporations alike that are being targeted and exploited in an organized way.
Considering the series of cyberattacks launched against Ukrainian government and private infrastructure, our research team very much anticipated that Ukraine would try to retaliate. Still, the Ukrainian call for support and allegiance from cyber groups is a newly witnessed craft in cyber warfare.
Our recommendations
- Keep the operating system and installed software on systems and servers updated.
- Minimize network exposure for all serial devices using network segmentation and the placement of serial devices behind network firewalls to ensure that they are not accessible via the Internet.
- Conduct regular backup practices and maintain backups offline or in a separate network.
- Use security solutions available for Linux and IoT devices.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Create and store passwords using a password manager.
- Change the default passwords on all internet-connected devices.