A Blog by Jonathan Low


Apr 24, 2022

How Ukraine-Allied Hackers Have Broken Into Dozens of Russian Institutions

Many of the successful hacks reflect a 'civil war' within the hacking and ransomware community. 

Some of them have pledged allegiance to Putin and to Russia while others - including most of those in eastern Europe - are incensed by the Russian invasion of Ukraine and have joined its side. JL 

Kate Conger and David Sanger report in the New York Times, image The Daily Swig:

Hackers claim to have broken into dozens of Russian institutions over the past two months, including the Kremlin’s internet censor and one of its primary intelligence services, leaking emails and internal documents to the public in an apparent hack-and-leak campaign that is remarkable in its scope.

The hacking operation comes as the Ukrainian government appears to have begun a parallel effort to punish Russia by publishing the names of supposed Russian soldiers who operated in Bucha, the site of a massacre of civilians, and agents of the F.S.B., a major Russian intelligence agency, along with identifying information like dates of birth and passport numbers. It is unclear how the Ukrainian government obtained those names or whether they were part of the hacks.

Much of the data released by the hackers and the Ukrainian government is by its nature impossible to verify. As an intelligence agency, the F.S.B. would never confirm a list of its officers. Even the groups distributing the data have warned that the files swiped from Russian institutions could contain malware, manipulated or faked information, and other tripwires.

Some of the data may also be recycled from previous leaks and presented as new, researchers have said, in an attempt to artificially increase the hackers’ credibility. Or some of it could be manufactured — something that has happened before in the ongoing cyberconflict between Russia and Ukraine, which dates back more than a decade.

But the hacking effort appears to be part of a campaign by those opposing the Kremlin to help in the war effort by making it extremely difficult for Russian spies to operate abroad and by planting a seed of fear in the minds of soldiers that they could be held to account for human rights abuses.

Dmitri Alperovitch, a founder of the Silverado Policy Accelerator, a Washington think tank, and the former chief technology officer at the cybersecurity firm CrowdStrike, said there was reason to maintain a healthy skepticism about the reliability of some of the leaks.

But he added that the hacking campaign “once again may prove that in the age of pervasive cyberintrusions and the generation of vast amounts of digital exhaust by nearly every person in a connected society, no one is able to hide and avoid identification for egregious war crimes for long.”

The leaks also demonstrate Ukraine’s willingness to join forces with amateur hackers in its cyberwar against Russia. In early March, Ukrainian officials rallied volunteers for hacking projects, and the Ukrainian government has been publishing information about its opponents on official websites. A channel on the messaging platform Telegram that lists targets for the volunteers to hack has grown to more than 288,000 members.

American intelligence officials say they believe that hackers operating in Russia and Eastern Europe have now been split into at least two camps. Some, like Conti, a major ransomware group that was itself hacked in late February, have pledged fealty to President Vladimir V. Putin of Russia. Others, mostly from Eastern Europe, have been offended by the Russian invasion, and particularly the killings of civilians, and have sided with the government of President Volodymyr Zelensky of Ukraine.

Some of the online combatants have shifted away from tactics used earlier in the conflict. In the first phase of the war, Ukrainian hackers focused on attacks intended to knock Russian websites offline. Russian hackers targeted Ukrainian government websites in January, ahead of the invasion, installing “wiper” malware that permanently clears data from computer networks. More recently, Russian hackers appear to have mounted attacks that could have turned off electricity or shut down military communications. (Several of those efforts were foiled, American officials say.)

But the disclosure of personal data is more akin to information warfare than cyberwarfare. It has echoes of Russia’s tactics in 2016, when hackers backed by a Russian intelligence agency stole and leaked data from the Democratic National Committee and from individuals working on Hillary Clinton’s presidential campaign. Such hacks are intended to embarrass and to influence political outcomes, rather than to destroy equipment or infrastructure.

Experts have warned that the involvement of amateur hackers in the conflict in Ukraine could lead to confusion and incite more state-backed hacking, as governments seek to defend themselves and strike back against their attackers.

“Some cybercrime groups have recently publicly pledged support for the Russian government,” the Cybersecurity and Infrastructure Security Agency warned in an advisory on Wednesday. “These Russian-aligned cybercrime groups have threatened to conduct cyberoperations in retaliation for perceived cyberoffensives against the Russian government or the Russian people.”

Distributed Denial of Secrets, or DDoSecrets, the nonprofit organization publishing many of the leaked materials, was founded in 2018 and has published material from U.S. law enforcement agencies, shell companies and right-wing groups. But since the beginning of the war in Ukraine, the group has been flooded with data from Russian government agencies and companies. It currently hosts more than 40 data sets related to Russian entities.

“There has been a lot more activity on that front since the start of the war,” said Lorax B. Horne, a member of DDoSecrets. “Since the end of February, it hasn’t been all Russian data sets, but it has been an overwhelming amount of data that we’ve been receiving.”

DDoSecrets operates as a clearinghouse, publishing data it receives from sources through an open submission process. The organization says that its mission is transparency with the public and that it avoids political affiliations. It is often described as a successor to WikiLeaks, another nonprofit group that has published leaked data it received from anonymous sources.

On March 1, the Ukrainian news outlet Ukrainska Pravda published names and personal information that it said belonged to 120,000 Russian troops fighting in Ukraine. The information came from the Center for Defense Strategies, a Ukrainian security think tank, the news outlet reported. In late March, Ukraine’s military intelligence service leaked the names and personal data of 620 people it said were officers with Russia’s F.S.B.

And in early April, the military intelligence service published the personal information of Russian soldiers it claimed were responsible for war crimes in Bucha, a suburb where investigators say Russian troops waged a campaign of terror against civilians.

“All war criminals will be brought to justice for crimes committed against the civilian population of Ukraine,” the military intelligence service said in a statement on its website that accompanied the Bucha data dump. (Russia has denied responsibility for the Bucha killings.)

Russian state-backed hackers have also carried out a number of cyberattacks in Ukraine since the war began, targeting government agencies, communications infrastructure and utility companies. They have largely relied on destructive malware to erase data and disrupt the operations of critical infrastructure companies, but they have occasionally used hack-and-leak tactics.

In late February, a group calling itself Free Civilian began to leak personal information that supposedly belonged to millions of Ukrainian civilians. Although the group posed as a collective of “hacktivists,” or people using their cyberskills to further their political ends, it actually operated as a front for Russian state-backed hackers, according to researchers at CrowdStrike. The hack-and-leak operation was intended to sow distrust in Ukraine’s government and its ability to secure citizens’ data, the researchers said.

Hackers affiliated with Russia and Belarus have also targeted news media companies and Ukrainian military officials in an effort to spread disinformation about a surrender by Ukraine’s military.

But much of Russia’s hacking efforts have focused on damaging critical infrastructure. Last week, Ukrainian officials said they had interrupted a Russian cyberattack on Ukraine’s power grid that could have knocked out power to two million people. The G.R.U., Russia’s military intelligence unit, was responsible for the attack, Ukraine’s security and intelligence service said.

U.S. officials have repeatedly warned American companies that Russia could carry out similar attacks against them and have urged them to harden their cyberdefenses. The governments of Australia, Britain, Canada and New Zealand have issued similar warnings.

In early April, the Justice Department and the F.B.I. announced that they had acted in secret to pre-empt a Russian cyberattack by removing malware from computer networks around the world. The move was part of an effort by the Biden administration to put pressure on Russia and discourage it from launching cyberattacks in the United States. Last month, the Justice Department charged four Russian officials with carrying out a series of cyberattacks against critical infrastructure in the United States.

But so far, the Russian activity directed at the West has been relatively modest, as Chris Inglis, the national cyber director for the Biden administration, acknowledged on Wednesday at an event hosted by the Council on Foreign Relations.

“It’s the question of the moment — why, given that we had expectations that the Russian playbook, having relied so heavily on disinformation, cyber, married with all other instruments of power, why haven’t we seen a very significant play of cyber, at least against NATO and the United States, in this instance?” he asked.

He speculated that the Russians thought they were headed to quick victory in February, and when the war effort ran into obstacles, “they were distracted,” he said. “They were busy.”
