While the military forces of Russia and Ukraine are fighting each other on the battlefield, each side has a volunteer army of “hacktivists” who are doing what they can to disrupt the other side.
On one side, there is the IT Army of Ukraine, founded by the Ukrainian vice-president at the very beginning of the conflict in February 2022, and arrayed against them on the Russian side is the group known as KillNet.
Pascal Geenens, the Belgium-based director of threat intelligence for cybersecurity company Radware, keeps a close eye on these groups and observes how, on the Russian side at least, they have splintered and sometimes fought among themselves as they have picked on targets.
Last week, for example, Muslim hacktivist groups in Sudan, who often work with KillNet, targeted Australia after initially being angered by the use of the word “Allah” at Australian Fashion Week.
Models were walking down the runway with the word printed in Arabic on their clothes. This was enough to launch distributed denial of service (DDoS) and website defacement attacks at over 70 Australian sites, many of them educational and government institutions with no link to the Fashion Week event.
“KillNet has several activist groups that they bring together, and they attack western targets every time someone helps Ukraine, or somebody says something bad about Russia,” says Geenens, who estimates that KillNet could number as many as 30,000 volunteers.
“They’ve also been attacking Sweden and Finland because they are juicy targets and want to join NATO.”
Hacktivism. It’s complicated
Using the Telegram messaging app and other social media, Geenens monitors hacktivist groups that have surfaced in Malaysia and India.
Some identify with the Anonymous hacktivist and activist collective. Still, things get complicated for some groups that support Russia and others that turn their sights on anti-Muslim nations.
“Anonymous Sudan, for example, I think that is two or maybe three people, but they are not accepted by the main Anonymous groups,” says Geenens.
In terms of their capability, Geenens says the standard tactic is denial-of-service, a relatively unsophisticated attack that organizations often just ride out.
In Russia, the leader of KillNet is a rapper known as KillMilk, who is “very media savvy” and uses his persona as a hacker to push his musical brand and recruit more hacktivists.
“These people are attention seekers; they want to get into the media, so they go after the public websites,” says Geenens.
They raise funds by selling branded merchandise, such as jewelry rings, with a portion of the proceeds funding the group.
They also pay a bonus for each successful attack, incentivizing hacktivists who can use bots for the attacks and make regular money.
“In the beginning, they paid out in Bitcoin, and that was a problem because every time you pay out in Bitcoin, you can track the money,” says Geenens.
“So now they are doing it in another cryptocurrency called TON, and that is much more difficult to track, and they pay out through Telegram.”
Cyber mercenaries
Geenens says that while the hacktivist community has traditionally been separate from the ransomware community, Russia’s KillNet was changing into something close to a cyber equivalent of the Wagner mercenary group, which supports Russian troops on the battlefield but is also involved in the illegal drug trade.
Through a new aggregated group called Infinity Forum, the Russian hacktivists were looking to “up their game” and carry out more impactful attacks aimed at leaking data, which they might sell. Often, however, Geenens said they had falsely claimed to have accessed data, mainly for publicity.
“There is no reason for panic, but organizations need to be prepared,” says Geenens.
“It is widely known in the security community that disrupting or impacting an organization or infrastructure requires more perseverance than skills or sophistication.”
For organizations without DDoS protection, the advice is to “ride it out,” as the attacks are unlikely to persist for an extended period, and then to get prepared with some protection for the future.
“Also, be aware that sometimes DDoS attacks can come with other attacks, like showering somebody with lots of packets which flood analytic systems so you cannot see other attacks happening,” says Geenens.
“But don’t go out and try to respond because every response you make will only inflict more damage every time you call them out, and they will come after you and keep coming from different angles.”
Many websites are not adequately protected, and administrators are often disinclined to invest in protection.
“I think we have to think about putting in some form of protection for every website and not just leave the site there and say ‘I don’t care,’” says Geenens.
“Because if you say that, I think you are part of the problem, and you are helping them build their reputations, and they are building that reputation simply by attacking websites that aren’t protected.”
Lachlan Colquhoun is the Australia and New Zealand correspondent for CDOTrends and the NextGenConnectivity editor. He remains fascinated with how businesses reinvent themselves through digital technology to solve existing issues and change their entire business models. You can reach him at [email protected].
Image credit: iStockphoto/TU IS