Hacking Russia was off-limits, but the Ukraine war made it a free-for-all
The Washington Post May 1, 2022
For more than a decade, U.S. cybersecurity experts have warned about Russian hacking that increasingly uses the labor power of financially motivated criminal gangs to achieve political goals, such as strategically leaking campaign emails.
Prolific ransomware groups in the last year and a half have shut down pandemic-battered hospitals, the key fuel conduit Colonial Pipeline and schools; published sensitive documents from corporate victims; and, in one case, pledged to step up attacks on American infrastructure if Russian technology were hobbled in retribution for the invasion of Ukraine.
Yet the third month of war finds Russia, not the United States, struggling under an unprecedented hacking wave that entwines government activity, political voluntarism and criminal action.
Digital assailants have plundered the country’s personal financial data, defaced websites and handed decades of government emails to anti-secrecy activists abroad. One recent survey showed more passwords and other sensitive data from Russia were dumped onto the open Web in March than information from any other country.
The published documents include a cache from a regional office of media regulator Roskomnadzor that revealed the topics its analysts were most concerned about on social media — including antimilitarism and drug legalization — and that it was filing reports to the FSB federal intelligence service, which has been arresting some who complain about government policies.
A separate hoard from VGTRK, or All-Russia State Television and Radio Broadcasting Co., exposed 20 years of emails from the state-owned media chain and is “a big one” in expected impact, said a researcher at cybersecurity firm Recorded Future who spoke on the condition of anonymity to discuss his work on dangerous hacking circles.
The broadcasting cache and some of the other notable spoils were obtained by a small hacktivist group formed as the war began looking inevitable, called Network Battalion 65.
“Federation government: your lack of honor and blatant war crimes have earned you a special prize,” read one note left on a victim’s network. “This bank is hacked, ransomed and soon to have sensitive data dumped on the Internet.”
In its first in-depth interview, the group told The Washington Post via encrypted chat that it gets no direction or assistance from government officials in Ukraine or elsewhere.
“We pay for our own infrastructure and dedicate our time outside of jobs and familial obligations to this,” an unnamed spokesperson said in English. “We ask nothing in return. It’s just the right thing to do.”
Christopher Painter, formerly the top U.S. diplomat on cyber issues, said the surge in such activity risked escalation and interference with covert government operations. But so far, it appears to be helping U.S. goals in Russia.
“Are the targets worthy? Yes,” Painter said. “It’s an interesting trend that they are now being the target of all this.”
Painter warned that Russia still has offensive capabilities, and U.S. officials have urged organizations to prepare for an expected Russian cyber-assault, perhaps held to be deployed in a moment of maximum leverage.
But perhaps the most important victim of the wave of attacks has been the myth of Russian cyber-superiority, which for decades helped scare hackers in other countries — as well as criminals within its borders — away from targeting a nation with such a formidable operation.
“The sense that Russia is off-limits has somewhat expired, and hacktivism is one of the most accessible forms of striking at an unjust regime or its supporting infrastructure,” said Emma Best, co-founder of Distributed Denial of Secrets, which validated and published the regulator and broadcast troves among others.
While many of the hackers want to inform the public about Russia’s role in areas including propaganda and energy production, Best said a secondary motivation post-invasion is “the symbolic ‘pantsing’” of Putin and some of the oligarchs.
“He’s cultivated a strongman image for decades, yet not only is he unable to stop the cyberattacks and leaks hitting his government and key industries, he’s the one causing it to happen.”
The volunteer hackers have gotten a first-of-its-kind boost from the government of Ukraine, which endorsed the efforts and has suggested targets through its IT Army channel on Telegram. Ukraine government hackers are assumed to be acting directly against other Russian targets, and officials have distributed hacked data including the names of troops and hundreds of FSB agents.
“There are state institutions in Ukraine interested in some of the data and actively helping some of these operations,” said an analyst at security company Flashpoint who spoke on the condition of anonymity because of the sensitivity of his work.
Ordinary criminals with no ideological stake in the conflict have also gotten in on the act, taking advantage of preoccupied security teams to grab money as the aura of invincibility falls, researchers said.
Last month, a quarterly survey of email addresses, passwords and other sensitive data released on the open Web identified more victim accounts likely to be Russian than those from any other country. Russia topped the survey for the first time, according to Lithuanian virtual private network and security firm SurfShark, which uses the underlying information to warn affected customers.
The number of presumed Russian credentials, such as those for email addresses ending in .ru, in March jumped to encompass 50 percent of the global total, double the previous month and more than five times as many published as were in January.
“The U.S. is first most of the time. Sometimes it’s India,” said SurfShark data researcher Agneska Sablovskaja “It was really surprising for us.”
The crime business can also turn political, and it definitely has with the war in Ukraine.
Soon after the invasion, one of the most ferocious ransomware gangs, Conti, declared that it would rally to protect Russian interests in cyberspace.
The pledge backfired in a spectacular fashion, since like many Russian-speaking crime groups it had affiliates in Ukraine.
One of them then posted more than 100,000 internal gang chats, and later the source code for its core program, making it easier for security software to detect and block attacks.
Network Battalion 65 went further. It modified the leaked version of the Conti code to evade the new detections, improved the encryption and then used it to lock up files inside government-connected Russian companies.
“We decided it would be best to give Russia a taste of its own medicine. Conti caused (and still causes) a lot of heartache and pain for companies all around the world,” the group said. “As soon as Russia ends this stupidity in Ukraine, we will stop our attacks completely.”
In the meantime, Network Battalion 65 has asked for ransomware payments even as it has shamed victims on Twitter for having poor security. The group said it hasn’t gotten any money yet but would donate anything it collects to Ukraine.
Network Battalion obtained the state broadcast emails and other hoards and gave them to DDoSecrets, making it one of the most important of several hacktivist suppliers to that site, alongside a pro-Western group named AgainstTheWest and some who have adopted the branding of Anonymous, a larger, looser and recently resurgent collective that welcomes anyone.
In an April 3 interview with a researcher known as Dissent Doe who runs the website DataBreaches.net, AgainstTheWest’s leader said the group formed in October and was composed of six English-speaking hackers, all privately employed but with intelligence backgrounds.
The initial objective “was to steal state-secrets, government software (in the form of source codes), private documents and such. However, we also had the idea that we should act on China for attacking the west in cyberespionage campaigns over the years,” the hacker said.
After hitting targets in China, AgainstTheWest moved on to those in North Korea, Iran and Russia.
The leader said the group was not acting directly for any intelligence agency but declined to say whether it was being helped by any of them. “We’re doing our job in the hopes that it benefits western intelligence. We share all private documents with anyone from the government in the U.S./EU.”
The group has made other documents public through DDoSecrets. Best received one request from a U.S. military account for access beyond what she published but turned it down.
Painter, the former State Department and Justice Department expert, said he was concerned that some volunteer hackers might take a step too far and harm civilian infrastructure or trigger a major reaction, and he cautioned that others might be hiding additional motives.
“In the normal course of events, you don’t want to encourage vigilante hackers,” Painter said. But he then agreed, “We’re not in a normal course of events.”