Anonymous hacktivists, ransomware groups get involved in Ukraine-Russia conflict
Multiple ransomware groups and members of the hacktivist collective Anonymous announced this week that they are getting involved in the military conflict between Ukraine and Russia.
On Thursday, members of Anonymous announced on Twitter that they would be launching attacks against the Russian government. The hacktivists defaced some local government websites in Russia and temporarily took down others, including the website of Russian news outlet RT.
The group claimed on Friday that it would leak login credentials for the Russian Ministry of Defense website.
The actions came hours after Yegor Aushev, co-founder of a Kyiv-based cybersecurity company, told Reuters that he was asked by a senior Ukrainian Defense Ministry official to publish a call for help within the hacking community. Aushev said the Defense Ministry was looking for both offensive and defensive cyber actors.
Anonymous was not the only group to get involved in the conflict. On Friday, ransomware groups Conti and CoomingProject published messages saying they supported the Russian government.
A message posted by members of the Conti ransomware group.
Conti said it was officially announcing full support for the Russian government, writing that "if any body will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy."
Many experts interpreted the message as a response to an NBC story that came out on Thursday indicating US President Joe Biden has already been presented with several options for devastating cyberattacks on Russian infrastructure. The White House vociferously denied the report.
Shortly after releasing the message, Conti revised it, softening the tone and support for the Russian government. The updated statement said Conti would use its "full capacity to deliver retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world."
"We do not ally with any government and we condemn the ongoing war. However, since the West is known to wage its wars primarily by targeting civilians, we will use our resources in order to strike back if the well being and safety of peaceful citizens will be at stake due to American cyber aggression," the new Conti message said.
#Conti #ransomware just changed the phrasing of their statement regarding Russia's support. Claiming that they do not ally with any government and condemn the war.@VK_Intel @malwrhunterteam pic.twitter.com/JaLYPlDjwb
— Yelisey Boguslavskiy (@y_advintel) February 25, 2022
The announcements came as Ukraine continued to face a barrage of DDoS incidents, phishing attacks and malware. CERT-UA said military personnel were being sent phishing messages and attributed the campaign to officers within the Belarus Ministry of Defense. Internet connectivity across the country continues to be intermittent, with Netblocks reporting outages in multiple cities.
Experts were extremely wary of outside groups picking sides in the conflict and launching attacks on their behalf. The announcements further scared experts when NATO Secretary General Jens Stoltenberg said on Friday that "cyberattacks can trigger Article 5" of the NATO charter.
Cybersecurity firm Sophos said the declarations from Conti and Anonymous "increase the risk for everyone, whether involved in this conflict or not."
"Vigilante attacks in either direction increase the fog of war and generate confusion and uncertainty for everyone," Sophos said.
Emsisoft threat analyst Brett Callow called the situation "unpredictable and volatile" but noted that Conti has made bold political claims in the past.
"This is is probably just bluster too [but] it would be a mistake to assume the threat is empty. If your company hasn't already gone Shields Up, now is the time," Callow said.
Bugcrowd CTO Casey Ellis said one of his primary concerns with recent developments is the relative difficulty of attribution in cyberattacks, as well as the possibility of incorrect attribution or even an intentional false flag operation escalating the conflict internationally.
Conti's position statement is noteworthy in light of Russia's recent crackdowns on cybercrime and ransomware because it signals that they are either acting independently as the other groups seem to be or possibly operating with the Kremlin's blessing, Ellis explained.
Digital Shadows' Chris Morgan noted that their data shows Conti was the second most active ransomware group in 2021 by number of victims. Morgan said they attributed several attacks against critical national infrastructure to Conti, including attacks on the healthcare sector in the United States, New Zealand and Ireland.
The Irish government released a report this week saying the Conti ransomware attack that hit them last year may cost more than $100 million to recover from.
"Conti's activities have also recently been bolstered by hiring the developers of the infamous Trickbot trojan, which has also enabled them to control the development of another malware, the BazarBackdoor, which the group now use as their primary initial access tool. Conti consistently redefine and develop their working processes and should be considered a resourceful and sophisticated adversary," Morgan said.
Recorded Future expert Allan Liska told ZDNet the threat from ransomware groups deciding to retaliate is real and should be a concern.
"Given what a hot mess Conti is right now, I have trouble believing they can organize an office luncheon much less a focused retaliation. That being said, we know ransomware groups have more targets than they can hit right now and we know when Ryuk decided to retaliate against the US in 2020 they were easily able to do so," Liska said.
"More broadly speaking, whether it is ransomware groups, anonymous, or Ukraine calling on 'Cyber Patriots' to assist Independent cyber activity is going to be part of any military action going forward. I am not saying it is a good idea, it is just the reality."
Others, like Flashpoint senior analyst Andras Toth-Czifra, said hacktivists getting involved in armed conflict is not a novel development, explaining that Anonymous has targeted governments before.
But like Liska, Toth-Czifra said ransomware groups openly associating with the Russian government would be a "new and worrying development."
"So far, Flashpoint analysts have not observed significant patriotic pride in illicit communities about Russia's aggression against Ukraine, which is in line with the response of the Russian public in general. The situation is different from the emergence of "patriotic hackers" in the context of Russia's 2008 war against Georgia: many Russian-speaking cybercriminals either live in Ukraine themselves or have Ukrainian associates or infrastructure," Toth-Czifra explained.
"But while the cyber underground has largely remained neutral so far, one shouldn't forget that Ukraine has cooperated with Western law enforcement against ransomware gangs in recent years, which may influence the calculations of ransomware collectives. So far Flashpoint has seen another prolific ransomware gang (LockBit) suggesting that they would remain neutral."
On Friday the BBC reported on a Russian vigilante hacker group flooding Ukrainian government servers with DDoS attacks after work each day. One hacker admitted to emailing 20 bomb threats to schools, setting up an official Ukrainian government email address and hacking into the dashboard feeds of Ukrainian officials.
The hacker openly boasted about the vigilante work they plan to take on in the future, which he said includes the use of ransomware.
Allegro Solutions CEO Karen Walsh said the Conti declaration may also bring a measure of confusion to US companies with cyber insurance plans that have carve-outs for cyberattacks related to wars.
"Depending on how the military legal experts classify Conti and any ransomware attacks perpetrated by cyber threat actors acting 'on behalf of' Russia, organizations may find that their cyber liability insurance doesn't help them. In November, Lloyd's Market Association published updates to their cyber liability policies that specifically address the war exclusion," Walsh said.
"Notably, these changes mentioned cyber operations carried out in the course of war. As part of risk mitigation, companies should begin reviewing their cyber liability insurance exclusions and make sure that they question their carriers about their position on this issue."