
Ongoing Cyberwarfare

Threat Actors declare allegiance to Ukraine and Russia

Executive Summary

Cyble Research Labs has observed a parallel war being fought in cyberspace in the shadow of the ongoing military and political crisis between Russia and Ukraine. Most of this activity comes from Threat Actors (TAs) aligned with one side or the other. This report follows on from our previous reporting on Ukraine to keep readers abreast of the latest developments.

Ukraine remained at the center of several cyberattacks by various established and newly emerged cyber mercenaries in the second week of its armed conflict with Russia. This week, we also identified cyber threat activity suggesting that the Ukrainian government, along with some pro-Ukrainian actors, has begun retaliating against the attacks attributed to Russian state actors.


Ukrainian government calls for cyberattacks against Russia

In an official statement on February 27, 2022, the Deputy Prime Minister of Ukraine, Mykhailo Fedorov, posted a Telegram channel link on his official Twitter account. He dubbed this the ‘IT ARMY of Ukraine’: a channel for crowdsourcing tasks against Russian cyber infrastructure as a retaliatory response to the cyberattacks on Ukrainian government websites and infrastructure. The Telegram channel has since moved to a new account, t.me/itarmyofukraine2022, which held 229k subscribers at the time of writing.


Figure 1 – Tweet by Mykhailo Fedorov and the Telegram channel ‘IT ARMY of Ukraine’

On February 26, 2022, the Telegram channel listed several Russian websites as targets, including PJSC Sberbank, and asked members to attack the listed resources using any method available. From February 27 to February 28, 2022, the channel posted URLs of Sberbank’s web APIs and a few IP addresses belonging to Sberbank, requesting targeted attacks against them. Later, on February 28, 2022, the channel posted the uptime status of the website, suggesting that the state-owned Russian banking and financial services organization PJSC Sberbank was unreachable and allegedly compromised. Note that an uptime monitor reporting a site as unreachable shows only that the site was down from the monitor’s vantage point; it is not evidence of a compromise.

Figure 2 – Telegram posts by ‘IT ARMY of Ukraine’ claiming the compromise of PJSC Sberbank

Ransomware group and cybercrime forum affiliations in the Ukraine-Russia war

On February 25, 2022, the Conti ransomware group released a statement on their leak site declaring support for the Russian government’s actions against Ukraine. The statement was then modified on February 27, 2022, to instead declare allegiance to Russia in countering cyber aggression by Western countries.

Figure 3 – Warning posted by the Conti ransomware group on February 25, 2022
Figure 4 – Updated warning posted by the Conti ransomware group as of February 27, 2022


The Conti statement evidently proved controversial and exposed a conflict of opinion within the group. As events unfolded, on February 28, 2022, a Twitter handle allegedly operated by one of the members of the Conti ransomware group released excerpts of the operators’ internal conversations from their Jabber/XMPP server. The actor behind the leak is believed to be a pro-Ukrainian member of the group. The leaked chat conversations are now accessible on the data intelligence platform Intelligence X.

Figure 5 – Leaked chat conversations (Source: hxxps[:]//intelx[.]io/?did=51fbf19b-91f5-4d2d-b4e7-504477ebe916)

The pro-Ukrainian Twitter persona continued to leak more sensitive data on March 1, 2022, posting screenshots allegedly captured from Conti’s infrastructure (see Figure 6).

Figure 6 – Pro-Ukrainian Twitter persona @ContiLeaks

Meanwhile, the LockBit 2.0 ransomware group also released a statement describing themselves as apolitical and disclaiming allegiance to any country. The official statement from the LockBit 2.0 ransomware group is:

“Many people ask us, will our international community of post-paid pentesters, threaten the West on critical infrastructure in response to cyber aggression against Russia? Our community consists of many nationalities of the world, most of our pentesters are from the CIS, including Russians and Ukrainians, but we also have Americans, Englishmen, Chinese, French, Arabs, Jews, and many others in our team. Our programmers’ developers live permanently around the world in China, the United States, Canada, Russia and Switzerland. Our servers are located in the Netherlands and the Seychelles, we are all simple and peaceful people, we are all Earthlings.

For us it is just business, and we are all apolitical. We are only interested in money for our harmless and useful work. All we do is provide paid training to system administrators around the world on how to properly set up a corporate network. We will never, under any circumstances, take part in cyber-attacks on critical infrastructures of any country in the world or engage in any international conflicts.”

– Lockbit 2.0 Ransomware group


Amid these activities, we also witnessed an apparent shutdown of the long-standing cybercrime forum RaidForums on February 25, 2022. Initially, the security community believed that the forum had been seized in an undisclosed law enforcement operation. However, it has since been assumed that the forum was targeted and taken over by an unidentified pro-Russian group or agency after the forum administrator ‘Moot’ posted a warning that forum members supporting Russia would be sanctioned.

Figure 7 – RaidForums administrator’s thread, threatening to ban members supporting Russia on the forum


Pro-Ukrainian cyber threat activities targeting Russia

We have also observed various claims on Telegram, Twitter and other channels of a series of attacks against Russia in support of Ukraine.

AgainstTheWest:


On February 26, 2022, the threat actor AgainstTheWest created a Telegram channel in support of Ukraine to target Russian cyber assets. The posts claimed the compromise of several Russian and Belarusian organizations. On February 27, 2022, the actor claimed an attack on the Central Bank of the Russian Federation (Bank of Russia) and posted a screenshot showing folders allegedly exfiltrated in the compromise.

Figure 8 – A Telegram post by AgainstTheWest claiming compromise of Central Bank of the Russian Federation

During our research, we also found that the actor Spectre123, earlier active on RaidForums, released data allegedly belonging to an unidentified Russian defense manufacturer on the leak site dubbed “Intel Repository.” The actor stated that the data had been purchased from AgainstTheWest.

Figure 9 – Screenshot from Intel Repository Site

While analyzing the leaked data, we came across a text file with the following note from AgainstTheWest declaring their support for the West:

“Hello, this data has been under wraps for a while now.

Because the Russian government has not backed down from the border of Ukraine, we’ve decided to go for the country ourselves and, as no other group has done so.

We were considering releasing this to Wikileaks; however, we decided against this, as it may not garner the same attention if journalists or the media accessed this information.

The fact that this data was placed online, is a massive blunder on the Russian’s side.

Everyone here at ATW hopes that we can be taken more seriously.

We’re not here to attack the West in any way. We’re looking to help our respected countries & their allies in this endeavour.”

– Threat Actor “AgainstTheWest”

On March 1, 2022, AgainstTheWest claimed on their Telegram channel to have compromised an undisclosed Russian steel manufacturer; the actor’s tweet identified the impacted organization as Novolipetsk Steel (NLMK). The TA also claimed to have struck the Rosatom State Nuclear Energy Corporation, Russia, on the same day.

Figure 10 – Screenshots from AgainstTheWest’s Telegram posts

Similarly, the actor also claimed to have compromised the Russian web hosting provider FirstVDS (firstvds[.]ru). On March 2, 2022, AgainstTheWest further claimed on their Telegram channel to have broken into the China-based Greatwall Computer Software & System Co. Ltd. and the State Administration for Science, Technology, and Industry for National Defence.

The actor later announced on their Telegram channel that they would be temporarily inactive before resuming operations against Russia and China, each via a separate Telegram channel.

AgainstTheWest also claimed to have compromised the following other notable private and government organizations:

  • Russian Space Forces
  • Accounts Chamber of the Russian Federation
  • Magnit PJSC
  • AIP of the Russian Federation
  • The Union State of Belarus & Russian relations
  • Chermet LLC
  • PJSC Aeroflot (Russia Airlines)
  • Central Bank of the Russian Federation (Bank of Russia)
  • Kvazar LLC
  • Ministry of Digital Development, Communications and Mass Media of the Russian Federation, Pskov Region
  • Ministry of Economic Development of the Russian Federation
  • Juicy Labs LLC
  • Ministry of Emergency Situations of the Russian Federation
  • Saint Petersburg City Administration
  • Mail.Ru Group
  • Federal State Statistics Service
  • Ministry of Agriculture and Food of Belarus
  • Capital Television Belarus (CTV)
  • Federal Service for Labour and Employment (Ministry of Labor and Social Protection of the Russian Federation)
  • BrandQuad LLC
  • Aviatourne LLC

Table 1 – Russian and Belarusian organizations AgainstTheWest claimed to have compromised

KelvinSecurityTeam:

On February 27, 2022, the actor KelvinSecurityTeam also released a statement declaring their support for Ukraine in the cyberwar against Russia. On their Telegram channel, the actor claimed to have attacked several Russian entities, including Russia Today’s online merchandise shop, shop-rt[.]com, allegedly by exploiting an Insecure Direct Object Reference (IDOR) vulnerability.

Figure 11 – KelvinSecurityTeam’s Telegram channel
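For readers unfamiliar with the vulnerability class named in the claim above, the following Python sketch is an added illustration of what an IDOR looks like in an online-shop “view order” endpoint. It is not code from this page, from shop-rt[.]com or from any of the groups discussed; the order records, user names, the ORDERS store and the Forbidden exception are all constructed for the example. The vulnerable handler checks only that the caller is logged in; the hardened one also checks that the requested object belongs to the caller, and an enumeration helper shows the difference an attacker would see.

```python
"""Insecure Direct Object Reference (IDOR): vulnerable vs. hardened lookup.

Added example with constructed data; not code from the page or from any
site or group it discusses. An online-shop 'view order' handler is
modelled as a plain function taking the authenticated username from the
session and the order ID from the request.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str      # account that placed the order
    address: str    # customer PII that other customers must never see


# Constructed sample records (hypothetical). Sequential IDs make enumeration trivial.
ORDERS = {
    1001: Order(1001, "alice", "1 Example Street"),
    1002: Order(1002, "bob", "2 Sample Avenue"),
    1003: Order(1003, "carol", "3 Test Road"),
}


class Forbidden(Exception):
    """Raised when the request must be refused (HTTP 403/404 in a real app)."""


def get_order_vulnerable(session_user: Optional[str], order_id: int) -> Order:
    """Checks that *a* user is logged in, but never that the order is theirs.

    Any customer can iterate 1001, 1002, ... and read everyone's addresses.
    """
    if not session_user:
        raise Forbidden("login required")
    order = ORDERS.get(order_id)
    if order is None:
        raise Forbidden("order not found")
    return order          # missing ownership check: this is the IDOR


def get_order_hardened(session_user: Optional[str], order_id: int) -> Order:
    """Same lookup with per-object authorisation.

    The record is returned only if it belongs to the caller. 'Not found' and
    'not yours' produce the identical error so the endpoint does not reveal
    which IDs exist.
    """
    if not session_user:
        raise Forbidden("login required")
    order = ORDERS.get(order_id)
    if order is None or order.owner != session_user:
        raise Forbidden("order not found")
    return order


def enumerate_orders(
    handler: Callable[[Optional[str], int], Order],
    session_user: str,
    id_range: Iterable[int],
) -> List[Order]:
    """Models an attacker's script: one valid account, many guessed IDs."""
    leaked: List[Order] = []
    for oid in id_range:
        try:
            leaked.append(handler(session_user, oid))
        except Forbidden:
            continue
    return leaked


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_order_vulnerable),
                          ("hardened", get_order_hardened)):
        got = enumerate_orders(handler, "alice", range(1000, 1010))
        print(f"{name}: alice retrieved {len(got)} order(s):",
              [(o.order_id, o.owner) for o in got])
```

Run stand-alone, the script shows that one logged-in account retrieves all three orders from the vulnerable handler and only its own from the hardened one. Replacing sequential IDs with random, unguessable references makes enumeration harder but is only defence in depth; the fix is the ownership check on every object access. On the detection side, the tell-tale signature in web logs is a single session requesting many consecutive object IDs with a high proportion of 403/404 responses.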


Hacktivists observed supporting Ukraine:

We also observed several hacktivist factions operating under the ‘Anonymous’ collective that declared cyberwar against Russia in support of Ukraine. These factions coordinate their activities on Twitter using the hashtags #OpRussia, #OpNoWar, #OpKremlin, #FreeUkraine, #FreeAnons and #FreeAssange.

On February 27, 2022, one such hacktivist group, ‘Anonymous TV,’ claimed to have brought down over 300 websites belonging to the Russian government and banking organizations. The group had previously claimed to have compromised a website belonging to the Russian Ministry of Defence and allegedly leaked its database. (Ref.: twitter.com/YourAnonTV/status/1497846153660014593)

Our search for these Twitter hashtags revealed several further Twitter accounts targeting Russia, shown in the following screenshots:

Figure 12 – Tweets from several Anonymous collectives targeting Russian networks


Continued Pro-Russian cyber activities targeting Ukraine and the U.S.

As previously reported by Cyble Research Labs, we have observed continued threat activity targeting Ukraine. Since our last advisory, the following threat activities targeting Ukraine and the U.S. have been identified.

The actor ‘DataFor’ on the XSS cybercrime forum continued to release Personally Identifiable Information (PII) belonging to U.S. law enforcement agencies. On March 1, 2022, the actor released a partial leak allegedly containing over 67k PII records from undisclosed sources.

Figure 13 – Actor DataFor’s post on the XSS cybercrime forum

On March 1, 2022, an actor behind the Arabic-speaking Telegram channel dubbed ‘Stormous Ransomware’ also announced their support for Russia in targeting Ukraine.

“The STORMOUS team has officially announced its support for the Russian governments. And if any party in different parts of the world decides to organize a cyber-attack or cyber-attacks against Russia, we will be in the right direction and will make all our efforts to abandon the supplication of the West, especially the infrastructure. Perhaps the hacking operation that our team carried out for the government of Ukraine and a Ukrainian airline was just a simple operation but what is coming will be bigger!!”

– Stormous Ransomware group

One of their Telegram posts claims a distributed denial-of-service (DDoS) attack targeting the website of the Ministry of Foreign Affairs of Ukraine at mfa.gov.ua. The actor posted no proof that the attack succeeded. However, the targeted website was unreachable at the time of writing this advisory; unreachability alone does not confirm that this group caused the outage.

Figure 14 – Telegram post from the Stormous Ransomware group

Conclusion

These activities show a peculiar modus operandi among TAs in this hybrid war: volunteering for illicit cyber operations on behalf of one side. Ukraine’s approach to countering Russian cyberattacks, openly appealing to nationalist sentiment among cybercriminals and hacktivists, is unusual for a national government. It also presents a rare challenge for the governments and corporations alike that are being targeted and exploited in an organized way.

Given the series of cyberattacks launched against Ukrainian government and private infrastructure, our research team fully anticipated that Ukraine would attempt to retaliate. Still, Ukraine’s open call for support and allegiance from cyber groups is a newly witnessed form of cyber warfare.

Recommendations

  • Keep the operating system and installed software on endpoints and servers updated.
  • Minimize the network exposure of all serial and control-system devices: segment the network and place them behind firewalls so that they are not reachable from the Internet.
  • Conduct regular backups and keep copies offline or on a separate network, out of reach of a destructive or ransomware attack.
  • Use security solutions available for Linux and IoT devices, not only for Windows endpoints.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.
  • Create and store passwords with a password manager.
  • Change the default passwords on all internet-connected devices.
