On February 24, 2022, Anonymous — a global collective of hackers — announced it was launching a cyber operation against Russian President Vladimir Putin and the Russian state for invading Ukraine. At 2:50 PM EST on February 24, 2022, an Anonymous Twitter account with 1.3 million followers tweeted, “The Anonymous collective is officially in cyberwar against the Russian government.”
Since February 2022, many other hackers have launched cyber offensives against Russia, targeting numerous entities, government departments, media, and social media platforms. Currently, most of what has taken place are DDoS (Distributed Denial of Service) attacks, which target a website’s ability to operate, penetrating its infrastructure with a flood of requests, effectively disrupting the website’s service.
However, there is potential for the cyberwar between hackers and Russia to escalate further, using malware on U.S. and European critical infrastructure, which could potentially disrupt utilities ranging from water to gas, or power. These types of attacks are the most severe cyberattacks and can result in a loss of life from the interruption of critical services.
Such attacks would likely trigger NATO’s Article 5, putting the alliance in a position to where it would be forced to respond, leading to a direct conflict with Russia. In February 2022, NATO Secretary-General Jens Stoltenberg said that cyberattacks against a NATO country could lead to triggering Article 5. Additionally, a NATO official who spoke to Reuters in February 2022, said that a cyberattack could trigger Article 5.
Overwatch spoke with three cyber security and hacking experts. First, Occupytheweb@three_cube is a pentester, forensic investigator, and skilled hacker who has trained members of the U.S. military and intelligence community on hacking skillsets. Second, a member of ATW, a team of hackers who have breached Chinese Communist Party systems and are now acting against Russia. Third, Mr. Ken Westin is a cyber security expert with 15+ years of experience in threat hunting, insider threat research, and vulnerability research.
Research
According to data on the dark web about Anonymous’ operations, the collective group of hackers has breached “Russian military databases, economic websites, Department of Information projects based in Russia, Russian TV channels, Russian telecommunications, Russian radio systems, in addition to Russian and Belarusian banks.”
Videos posted to social media show Russian TV interrupted and replaced with footage of the war in Ukraine and messages in support of Ukrainians.
According to the Ukrainian government, more than 400,000 people around the world have joined in a crowdsourced cyber offensive against the Russian state.
One of the most significant hacks of Russian state media was against The Russian News Agency (TASS). TASS, which has millions of monthly visitors, was breached with a message reading, “Dear citizens. We urge you to stop this madness, do not send your sons and husbands to certain death. Putin is forcing us to lie and is putting us in danger.”
As of the writing of this brief, the Russian state’s government website, government.ru, remains inaccessible, as well as the Moscow Stock Exchange website.
In addition, hackers against Russia’s invasion of Ukraine, set up a website, 1920.in, where people can send messages to random Russian phone numbers about the war in Ukraine.
Hackers are also using platforms like Shodan — a search engine that finds devices that are online globally — to identify and target vulnerabilities in Russian devices and systems that have lapsed on their security updates or may be easier to exploit.
Subject Matter Experts
Occupytheweb@three_cube
Occupytheweb@three_cube told Overwatch about the effectiveness of cyber operations against the Russian state. “From what we have been able to do so far, I think we have been reasonably successful. Nearly all websites ending .ru are unreachable. We have implemented one of the largest DDoS attacks in history. Over 100,000 participants have helped to flood all the Russian websites making them unavailable. This is a simple, brute force attack that can be very effective when you have the number of participants we have for a short period of time. Russia is preparing its defenses to this attack now. We expect a response soon.”
Occupytheweb@three_cube said that things could escalate with Russia, to where they target industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems. “I believe that Russia if they have their backs to a wall, will pull the trigger on all the backdoors they have in systems throughout the West nations from the SolarWinds hack and other compromises. Ultimately, both sides will likely pull the SCADA/ICS trigger if things escalate further. This could be devastating for all sides.”
“These are industrial systems that run everything from the electricity grid, water and sewer systems, refineries, manufacturing plants, etc. Russia shut down the electrical grid in Ukraine in 2014-2015 with the Blackenergy3 attack.”
Occupytheweb@three_cube said that private corporations’ SCADA/ICS systems could be vulnerable. “We know that Russia has SCADA/ICS-specific malware that we have detected in the past. Of course, the West has SCADA/ICS specific malware as well, but my research indicates that in the last 5 years the Russians have undertaken a concerted effort to improve their SCADA/ICS defenses, whereas, in the West, these systems are defended by private corporations whose interests and incentives often diverge from national security interests.”
When we asked what the overall goal was from the hacks, Occupytheweb@three_cube said the objective is similar to the economic sanctions imposed on Russia by NATO countries.
Pascal from ATW
Overwatch asked Pascal about the chances of Russia hitting SCADA/ICS systems in the U.S. or Europe. Pascal said, “Highly likely. Not by the likes of the FSB. More by the GRU (Russian Military Intelligence) SVR (Russian Foreign Intelligence Service). As someone who has worked in intelligence, I know that when countries allow civilians to act out online against a country, such as West Europe, the USA, etc. The Russians won’t take kindly for those actions and will likely try to do the same ‘hack-back’ type of attacks, which their country has faced.”
We also asked Pascal what kind of data he is seeing Russians keeping on U.S. entities. Pascal said, “This is the first time we’ve seen any external government and country data. I think that they have a lot deeper down online and on their RUNet intranet. Especially from the SolarWinds hacks. However, with their attacks on Ukrainian infrastructure, I feel that they could be clasping at straws. I base this belief off the fact that state-backed Russian APTs (Advanced Persistent Threat) are only using wiper malware and defacements to hack into Ukrainian infrastructure. If this country had a lot of resources, it could easily ruin the online world for Ukraine. Conclusion: I don’t see them having too much grease on US entities. However, this isn’t a reason to think that they aren’t capable of changing this.”
Ken Westin
Overwatch asked Westin how 400,000 hackers working on behalf of Ukrainian interests could impact Russia. He said, “I am not sure if the number is that high and of course, you are dealing with quite a spectrum of skill sets. The bulk of the offensive security actions against Russia by civilians has been mostly propaganda types of activities such as website defacement, TV broadcasts, maybe the occasional database compromise, but nothing on the cyber side that would affect things like the power grid or other services. Russia is also slowly shutting out the outside world, so it is getting more difficult to even gain access to networks inside Russia except through established proxies and backdoors.”
We also asked Westin where he sees the cyberwar in the next 30 days. Westin explained how even if Russia attacked infrastructure, it would play its hand, and threat intelligence would be quickly shared across a wide network, helping further mitigate the threat.
“Particularly as the U.S. has led the financial sanctions against Russia, it is highly likely that Russia sees the US financial system as well as the financial systems of NATO countries as a legitimate target, if things continue to escalate, we may see this shift to critical infrastructure. Something to remember is that when a nation or cybercriminal use a new exploit whether it’s a zero-day or a new attack technique, it reveals their hand, and threat intelligence is quickly shared across networks mitigating the new threat, so they usually hold these close to their chest and realize that with some they will only be used once.”
OUR ASSESSMENT
Cyber operations against the Russian state could potentially lead to further escalation with the hacking of ICS/SCADA systems and NATO triggering Article 5. Further, analysts assess that NATO allies with less robust cyber security infrastructure in place may find their critical infrastructure targeted by ransomware gangs affiliated with the Russian government. However, these attacks are unlikely to trigger a significant response from NATO.
Overwatch also assesses Russian hackers may retaliate to the defacing of Russian media websites and the disruption of Russian TV channels with a tit for tat response, attacking U.S. and European media sites in addition to telecommunication mediums, broadcasting messaging in support of the Kremlin’s invasion of Ukraine.
Should hackers turn to more advanced cyberweapons like malware and viruses, the impact could transcend Russian or Ukrainian borders, leading to a broader conflict on the world stage. Additionally, after the malware is open to use, individual hackers or hacking groups can obtain the software and weaponize it further to use against countries, states, or other entities.
Further, as hackers united in their efforts against the Russian state and in support of Ukraine, analysts foresee a potentially similar response to the Chinese state, should it invade Taiwan in the future. As the age of cyber warfare evolves, we may see more significant activities affect geopolitical relations outside of diplomatic procedures. This involvement will participate in more non-kinetic operations to set favorable conditions and achieve strategic objectives. In 2003, the PRC Central Military Commission (CMC) introduced their “Three Warfares” framework. This framework included “Strategic Psychological Operations, Overt and Cover media Manipulations, and Exploitation of National and International Legal Systems”.
Overwatch will continue to monitor such events through OSINT and provide forward-thinking assessments on how they may impact other global interests.