Google sees Russian cyberattacks related to the war in Ukraine

Google has observed Russia coordinating with hackers in cyberattacks related to the war in Ukraine.

“We have never previously observed such a volume of cyberattacks, diversity of threat actors, and coordination of efforts,” the report says; some U.S. institutions have become targets.

According to researchers from Google, there is growing evidence that pro-Russian hackers and online activists are cooperating with the country’s military intelligence.

Western officials and security experts are interested in possible links to the Kremlin because they could help explain Moscow’s intentions both inside and outside Ukraine, despite recent military setbacks that prompted Russian President Vladimir Putin to announce mobilization this week.

Officials in the U.S. and Europe have warned throughout the war that Russian hackers could strike Ukraine’s allies by attacking critical infrastructure and government systems with cyberattacks, but so far this has not happened.

Over the past few months, Google’s cybersecurity group Mandiant has observed apparent coordination between pro-Russian hacker groups, allegedly made up of “patriot hackers,” and cyber intrusions carried out by Russia’s military intelligence agency, the GRU. Mandiant claims that in four cases it observed hacker activity linked to the GRU where “wiper” malware was deployed on victims’ networks.

The wiper malware caused disruption first, destroying computer systems across each victim organization. Then hacktivists stepped in: after each of these intrusions — within 24 hours of the wipe — hacktivist groups published data stolen from the same organizations.

According to Mandiant, which was acquired by Google in a deal completed earlier this month, three pro-Russian hacktivist groups were involved. They are called XakNet Team, Infoccentr, and CyberArmyofRussia_Reborn.

Combined with other war-related activity, this has created an unprecedented situation, according to a Mandiant report on hacktivists to be published on Friday. “We have never previously observed such a volume of cyberattacks, diversity of threat actors, and coordination of efforts over the same few months,” the report says.

A representative of the Russian embassy in Washington did not respond to requests for comment, but Russia denies involvement in hacking.

Hacktivist groups represent a way for Russia to project a broader and more threatening online presence, said Michael S. Rogers, former head of the National Security Agency, who is now an operating partner at venture capital firm Team8 Labs Ltd.

“The Russian government is trying to create more capacity,” he said. “These groups are attractive because they give them plausible deniability.”

John Hultquist, vice president of intelligence analysis at Mandiant, said that now that XakNet has established itself as a hacktivist group, it can be used as cover for a more serious cyber operation conducted by Russian intelligence.

The evidence is not conclusive, but the repeated links between GRU-related attacks and hacktivists are “hard to ignore and suggest that the connection is not accidental,” Hultquist said.

Last spring, the Department of Homeland Security issued a warning naming XakNet (pronounced hack-net) and another group known as Killnet as possible threats to U.S. infrastructure. It also warned that the war in Ukraine could lead to a surge in attacks by criminal and hacktivist groups.

Security researchers say Killnet has attacked a range of targets, including sites in Japan, Italy, Norway, Estonia, and Lithuania, using distributed denial-of-service (DDoS) attacks that attempt to overwhelm servers with internet traffic. According to Hultquist, the group sometimes operates in coordination with XakNet.

In recent months, Killnet has given interviews to Russian media, and researchers say media attention reinforcing the idea that Russia’s war has public support may be a more important goal than any cyber disruption. “They are very loud, but at best they are just annoying,” said Vlad Kuliuzhny, an analyst at cyber threat intelligence company Flashpoint.

But there have been several incidents targeting the U.S. In July, Congress.gov, the official provider of legislative information for Congress, was taken offline for about two hours due to a DDoS attack, according to a Library of Congress spokesperson. “The library network was not compromised, and no data was lost as a result of the attack,” the spokesperson said.

In August, Killnet claimed to have launched an attack against U.S. defense contractor Lockheed Martin Corp., and around the same time it released documents it said were taken from Gorilla Circuits, a defense industry contractor based in San Jose, California, which produces circuit boards.

A representative of Gorilla Circuits confirmed that the company experienced a security incident several months ago — in the fall of 2021. “In accordance with applicable law, Gorilla Circuits sent written notification of the incident to individuals and entities whose information may have been affected,” he said. “Since then, there have been no security incidents at Gorilla Circuits.”

A Lockheed Martin spokesperson said: “Every day we face threats from sophisticated adversaries around the world and regularly take steps to improve the security of our systems and protect the data of our employees, customers, and programs.”

Google’s Mandiant cybersecurity group saw possible coordination between the Kremlin and online activists.

Hacktivist groups have existed for more than a decade. Russian hacktivists carried out a destructive online attack on Estonia in 2007 after Estonia removed a Soviet-era monument from its capital Tallinn. Banks, government websites, and media companies were taken offline for about a week.

Jonas Skardinskas, director of cybersecurity management at Lithuania’s National Cyber Security Centre, said Lithuania experienced at least two waves of denial-of-service attacks on government websites starting in June this year. The attacks — some of which were claimed by Killnet — were unusual in that they were dispersed and never reached a critical level, yet continued for a long time.

“They were meant to be more annoying than destructive,” he said in an interview.

Still, officials have reason for concern. Gert Auväärt, a senior cybersecurity official in Estonia, said in an interview in Tallinn last week that the small Baltic country experienced a wave of DDoS attacks in August after the removal of remaining Soviet war memorials. Killnet claimed responsibility for the attacks, which some officials said were the largest since the 2007 digital siege.

Estonia successfully repelled the attack, Auväärt said, but Western officials were surprised by the level of traffic involved, which peaked at more than 200 gigabytes per second — far above the usual single-digit figures involved in denial-of-service attacks.

“When discussing this issue with our allies both here in Europe and across the Atlantic, these numbers impressed them,” Auväärt said.

Based on materials from The Wall Street Journal
