Pro-Russian Hacktivists: A Reaction to a Western Response to a Russian Aggression
Newton’s third law of motion states that for every action, there is an equal and opposite reaction. With a slight alteration, Newton’s law can be applied to geopolitics: for every action, there will be a more extensive opposite reaction. Newton’s geopolitical version of the law can only lead to escalation as two opponents go back and forth, iterating through several responses.
The emergence of pro-Russian hacktivists is a reaction to the western cyber response against the aggression of Russia’s invasion of Ukraine. Western hackers volunteering for the IT Army of Ukraine started conducting attacks against Russian targets, joined by factions of Anonymous under their battle tag #OpRussia, on the first day following the invasion by Russia. As a reaction, several opposite groups formed, amongst them a faction of Anonymous calling itself “Anonymous Russia.” Soon a cluster of pro-Russian hacktivist allies and affiliates started to form around a group called Killnet.
At the beginning of the invasion of Ukraine by Russia, Anonymous launched Operation Russia, performing cyberattacks against Russian government websites, banks, broadcasting networks, and news outlets. The state-controlled broadcasting network Russia Today (RT), known to spread Russian propaganda, confirmed that its website was unavailable most of February 24 and 25, 2022. The outage resulted from a large DDoS attack originating from over 100 million devices. Anonymous also claimed to be responsible for defacing the websites of Russian news outlets Tass, Izvestia and Kommersant, whose sites were replaced with an anti-Putin message and a call to end the war. Anonymous mobilized people via Twitter, suggesting they counter misinformation and censorship by the Russian government by informing Russian people of the reality of Ukraine’s invasion by posting online reviews on Russian restaurants and businesses on Google Maps. Several Russian state-owned broadcasting channels were hacked by the collective and started broadcasting patriotic songs, pro-Ukraine content, and true images of the war in Ukraine.
However, the decentralized, anonymous and leaderless nature of the hacktivist collective makes it difficult to attribute attacks to the group. Anyone can claim to work under the Anonymous banner. During the cyber war against Russia, a Twitter account linked to Anonymous had to denounce fake claims made by accounts that pretended to speak and act on behalf of the collective.
On March 1, 2022, the Russian hacker group Killnet claimed they had taken down the Anonymous website “anonymoushackers[.]net” and called on Russians not to believe the internet fakes and to stay calm. According to Killnet, “the internet is full of fake information about hacking Russian banks, attacks on the servers of Russian media and much more. All this has no danger to people. This ‘information bomb’ carries only text. And no more harm. Don’t give in to fake information on the internet. Do not doubt your country.”
Killnet is a pro-Russia hacker group known for its denial-of-service attacks targeting government and private company websites in countries supporting Ukraine during the 2022 Russian invasion of Ukraine.
The group was reformed shortly after the invasion to oppose “Russophobes” and protect the interests of Russian citizens. Before the invasion, Killnet sold DDoS-for-hire services based on its botnet. Although Killnet’s objectives align with those of official Russian government organizations such as the Russian Federal Security Service (FSB) or the Russian Foreign Intelligence Service (SVR), any ties between them are unconfirmed.
Killnet is the most media-savvy pro-Russia hacktivist group. The attention it generated allowed it to create a large social following and a cluster of like-minded hacktivist groups that share and act on common objectives. Prominent members of the cluster include Anonymous Russia, Anonymous Sudan, Infinity Hackers Group, BEAR.IT.ARMY, Akur Group, Passion Group, SARD, and National Hackers of Russia.
In February 2023, Infinity Team, a collaboration between Killnet and Deanon Club, established its own forum and marketplace called Infinity. The forum offers advertisement spaces and paid status for those who want to do business on the forum, and it currently offers a variety of hacking resources and services through its hack shop, including DDoS services.
Anonymous Sudan is a group of politically motivated hackers from Sudan who have been conducting denial-of-service attacks against several Swedish and Danish organizations and critical infrastructure under the tags #OpSweden and #OpDenmark since January 23, 2023.
The group claims to be “hacktivists.” Their actions are in reaction to a far-right activist, Rasmus Paludan, who holds both Danish and Swedish citizenship. Paludan burned a copy of the Quran in Sweden on January 21, 2023, and vowed to continue burning the Muslim holy book in Denmark until Sweden is admitted into NATO.
During a multi-day campaign in March 2023, the group targeted medical facilities, universities, and airports in France. The attack’s motivation was a cartoon depiction of the prophet Muhammad, allegedly referencing the controversial Charlie Hebdo caricatures. During the same period, the group also leaked information from several airlines and payment providers, claiming they hacked the organizations and put up sensitive data for sale.
Because of their common objectives regarding Sweden, Killnet announced the addition of Anonymous Sudan as an official member in its cluster of hacktivists targeting western nations and countries opposing Russia. While there are allegations that Anonymous Sudan might be a Russian government false flag operation, there is only circumstantial evidence. During an interview with a Danish journalist, the leader of Anonymous Sudan was confirmed to be Muslim and fluent in Arabic.
NoName057(16) is a pro-Russian threat group known for launching defacement and DDoS attacks against Ukraine and those that directly or indirectly support Ukraine. The hacktivist group formed in March of 2022 on Telegram and became a notable threat group. While less media savvy than Killnet, it is considered one of the most active groups—and the most prominent threat to western organizations. The group operates on its own and has explicitly noted that it doesn’t want to be associated with its fellow pro-Russian hacktivist group Killnet or its affiliates. After an article published on Hacker.ru by Maria Nefyodova, a respected Russian journalist, NoName057(16) reacted in a Telegram message, noting “[We] operate independently and have nothing to do with the KillNet hack group. We choose our own targets for DDOS attacks,” and demanding that the publication be edited, or it might turn ugly.
In July 2022, the group quietly launched a crowdsourced botnet project named “DDOSIA.” The project, similar to the pro-Ukrainian Liberator by disBalancer and the fully automated DDoS bot project by the IT ARMY of Ukraine, leverages politically-driven hacktivists willing to download and install a bot on their computers to launch denial-of-service attacks. Project DDOSIA, however, raises the stakes by providing financial incentives for the top contributors to successful denial-of-service attacks. By February 2023, the number of active members with the DDOSIA bot installed was estimated to be about 1,500.
The DDOSIA project allows the group to continuously attack government and private organization websites, mainly targeting western nations that support Ukraine during Russia’s ongoing invasion.
Anonymous Russia is a group of pro-Russian hackers whose origin is linked to Killnet and which became a prominent threat group in the summer of 2022.
While the name implies the threat group is part of Anonymous, it is not aligned with mainstream or western-based Anonymous groups or OpRussia. Anonymous is decentralized, and anyone can claim to work under the Anonymous banner. Typically, Anonymous is anti-political, but in this case, Anonymous Russia supports the Russian invasion of Ukraine and targets those who support Ukraine.
The group mainly specializes in defacements, data leaks, and denial-of-service attacks that are launched in lockstep with Killnet. Some of its more notable targets include the European Parliament, U.S. airports, and U.S. government websites during the U.S. midterm election. The threat group is very social, constantly amplifying messages posted by other Killnet-affiliated groups.
The origins of the Passion group remain unknown, but they have made their presence known since the start of 2023. The group, affiliated with Killnet and Anonymous Russia, has been associated with defacement and denial-of-service attacks targeting individuals and organizations who do not support the Russian invasion of Ukraine. Passion has a strong online presence through its Telegram channels, some dating back to March 2022. Other hacktivist groups, such as Anonymous Russia, MIRAI, Venom, and Killnet, have promoted Passion.
The Passion group’s tactics, techniques, and procedures (TTPs) resemble those of the other hacktivist groups involved in the Russo-Ukrainian conflict. In 2023, Passion group began offering DDoS-as-a-service attacks to pro-Russian hacktivists. The Passion Botnet was leveraged during the attacks on January 27, targeting medical institutions in the USA, Portugal, Spain, Germany, Poland, Finland, Norway, the Netherlands, and the United Kingdom as retaliation for sending tanks in support of Ukraine.
A Mistake to Underestimate
Pro-Russian hacktivists have been actively attacking anyone who supports Ukraine or goes against Russia for over 12 months. Killnet has been dedicated to its cause and has had the time to build experience and increase its circle of influence across affiliate pro-Russian hacktivist groups. We’ve seen groups like NoName057(16) successfully exploring crowd-sourced botnets with financial incentives and Passion group providing DDoS-as-a-service attacks to like-minded groups. Killnet’s influence, reach, and skills are growing, and they are not showing signs of slowing down or retiring soon.
Every threat needs to be taken seriously and its risk assessed. A few months ago, I would assess the risk posed by pro-Russian hacktivist groups as moderately low. But, after more than a year of building experience, advancing tools, and growing their social networks, I’m more likely to increase the risk to moderately high. There is no reason for panic, but I prefer organizations to be prepared. It is widely known in the security community that disrupting or impacting an organization or infrastructure requires more perseverance than skills or sophistication.