Introduction
Hacktivism uses hacking to advance political or societal causes, often targeted at government entities. But there is a thin line between cybercriminals (who seek financial gain) and hacktivists (who seek change or influence). And sometimes, a cybercriminal may also have a role as a hacktivist, and vice versa. As benign as hacktivism may sound, hacktivists can, and do, wreak havoc on their targets.
It is not just governments that are in the crosshairs of hacktivists. Organizations that are located within countries seen as ‘enemies’ by hacktivists are also subject to their targeting and scorn. Though monetary gain is not their primary objective, a negative financial impact often is the desired side effect. For example, a distributed denial-of-service (DDoS) attack can result in service outages, damaging an organization's public image and ability to serve clients.
Hacktivism was born in the 1990s, matured in the early 2000s with groups such as WikiLeaks and Anonymous, and then experienced a quiet period from 2015 to 2019. But today, hacktivism is back with a vengeance, with pro-Russian hacktivism playing a highly active role in the war in Ukraine.
The emergence of pro-Russian hacktivism
Immediately before Russia invaded Ukraine in February 2022, pro-Russian actors began to conduct DDoS attacks against key Ukrainian government infrastructure and financial institutions. The Kremlin denied government participation in these attacks, but Ukraine and many of its allies have experienced, and continue to experience, these attacks by hacktivists aligned with Russia.
Several hacktivist groups, and alliances between groups, have formed in the cyber underground since the wave of pro-Russian hacktivism began. Most communicate and coordinate their attacks via the Telegram messaging platform, which has thousands of members. Most pro-Russian hacktivist activity is in the form of DDoS attacks. But other hacktivist acts include defacing websites, breaching networks and exfiltrating data, and doxing (publicly providing personally identifiable information about an individual or organization) government and military officials.
Motivations behind pro-Russian hacktivism
A large proportion of pro-Russian hacktivism aims to support Russia's war in Ukraine and aligns with the Kremlin's strategic aims. During the war, hacktivists reacted to events in near real-time. For example, in July 2022, pro-Russian hacktivists conducted DDoS attacks against the Lithuanian government and financial entities after Lithuania decided to block the transportation of goods and supplies to Kaliningrad, a Russian exclave located between Lithuania and Poland.
But not all pro-Russian hacktivism is purely war politics. An analysis of pro-Russian hacktivist Telegram channels revealed a range of other political motivations and ideologies. Many groups have a clear anti-Ukrainian and anti-Western sentiment, likely inflamed by the ongoing war. That sentiment often is accompanied by inflammatory language and ethnic slurs probably intended to dehumanize Ukrainians as well as other ‘enemies’ of the hacktivists. Derogatory language aimed at Western allies of Ukraine tended to focus on conspiracy theories related to the strong influence of the LGBTQ+ community on Western governments and militaries. On August 17, 2022, the pro-Russian hacktivist group PHOENIX launched a series of DDoS attacks against LGBT dating websites and community forums based in Russia. The victims, based in Russia, had no relation to the war in Ukraine, implying the attacks were perpetrated for ideological reasons.
Hacktivists have big egos too; the breaches pro-Russian hacktivists inflicted were regularly celebrated and recognized by thousands of members within their respective Telegram channels. For example, the cybercriminal-hacktivist group KillNet gained international recognition when they provided a prerecorded video address to the Russian state-controlled news outlet Russia Today, which later broadcast the speech as an "interview."
Financial gain does not play a primary role in hacktivism. However, some hacktivist groups have incentivized hacktivist activity conducted by their members using rewards and merchandise. For example, beginning in August 2022, the group Noname057(16) awarded the top three most active DDoS attackers with financial bonuses at the end of the month. In addition, the hacktivist group KillNet capitalized on its growing reputation and popularity in pro-Russian circles by selling branded merchandise such as earrings, T-shirts and rings featuring the group’s logo.
Is pro-Russian hacktivism linked to the Russian state?
There are no confirmed reports that pro-Russian hacktivism is state-sponsored. But the Russian state had previous involvement in similar activity. For example, its Internet Research Agency sought to influence foreign elections for political objectives. The Russian government's level of participation in pro-Russian hacktivism, if any, is unclear. At a minimum, all pro-Russian hacktivist groups are undoubtedly state-aligned. Most of their activity is consistent with the objectives of the Russian state. However, there are no corroborated ties between the Russian government and pro-Russian hacktivist groups.
What is ahead for pro-Russian hacktivism?
Intel 471 assesses, with a high degree of confidence, that pro-Russian hacktivist groups will continue to react to current affairs, particularly those relating to Russia's relationships with foreign countries. In addition, recent events suggest the targets of pro-Russian hacktivist groups will continue to move beyond Ukraine. For example, KillNet is claiming responsibility for large-scale DDoS attacks against major U.S. airports on October 10, 2022. These DDoS attacks did not impact flights but disrupted or delayed airport services. Such attacks are likely to continue against a plethora of business sectors and countries, especially as the war in Ukraine rages on. As such, it would be prudent to monitor the tactics, techniques and procedures employed by these groups, and build or adapt your organization’s defenses around them.