The new malware and cooperation between Zarya and Akur group demonstrate how pro-Russian hacktivists are growing their tactics, techniques, and procedures (TTPs) as the Russo-Ukrainian conflict enters its second year. Pro-Russian hacktivists have moved beyond the basic denial-of-service scripts and crowdsourced attacks to more advanced and potent techniques, leveraging and cooperating with other hacktivist groups within the Russian-speaking community.
Download a Copy Now
A pro-Russian hacktivist group named Zarya is building Mirai variants to grow its DDoS botnet used to perform attacks on the west. Akur group provides bulletproof hosting services for pro-Russian hacktivists. Zarya is hosting its propaganda website, attack campaign log, and malware on hosts in the akur[.]group domain.
The new malware and cooperation between Zarya and Akur group demonstrate how pro-Russian hacktivists are growing their tactics, techniques, and procedures (TTPs) as the Russo-Ukrainian conflict enters its second year. Pro-Russian hacktivists have moved beyond the basic denial-of-service scripts and crowdsourced attacks to more advanced and potent techniques, leveraging and cooperating with other hacktivist groups within the Russian-speaking community
Background
The ongoing Russo-Ukrainian conflict has resulted in a rising number of cyber-attacks, with Russia and Ukraine primarily leveraging Denial-of-Service attacks to degrade and disrupt their adversary's network and applications. From government websites to critical infrastructure systems, no target has been immune to these attacks.
As the conflict continues to escalate, the digital threat actors involved have become more organized and sophisticated, with the emergence of social communities supporting malicious activities through various platforms like online forums and social media groups. This has resulted in a proliferation of malicious activities and the spread of sophisticated tools and techniques across the internet, sometimes even supporting criminal activities such as buying and selling stolen data or hosting malware used in cyber-attacks.
ZARYA
Zarya, also referred to by its Russian name Zаря, which translates to "dawn," is a pro-Russian hacktivist group that emerged in March 2022. Initially, the group operated as a special forces unit under the command of Killnet. The group's objectives and motivations shifted as the conflict in Ukraine evolved. This led to a breakaway from Killnet, with the group at times going by 0x000000, and a focus on recruiting skilled hackers from other pro-Russian threat groups that were burning out in the spring of 2022.
In May 2022, Zarya rejoined Killnet as part of a larger project called ЛЕГИОН, also known as its translation, ‘Legion.’ During the summer of 2022, the group, Zarya Legion, established itself as a leading force within Legion, setting an example for other groups and eventually becoming an independent entity known as just Zarya in August 2022.
The group is primarily known for its involvement in Denial-of-Service attacks, website defacement campaigns, and data leaks. These tactics have been leveraged to support the group's pro-Russian agenda and have significantly disrupted targeted organizations and individuals.
Figure 1: Zarya history
AKUR GROUP
The Akur Group is a pro-Russian threat group formed in November 2022. Despite having a small number of subscribers, fewer than one hundred, the group has made its presence known in the pro-Russian hacktivist community. In recent months, the group has been observed launching Denial-of-Service attacks and website defacement campaigns.
Figure 2: Akur referencing its new botnet
Additionally, the Akur Group has been attempting to establish itself as a hosting service for other pro-Russian hacktivist groups. The group registered its domain, akur.group, in November 2022 through Reg.ru and leveraged Cloudflare to secure its website.
Cyberfront
The Akur Group is currently providing hosting services for the website of the pro-Russian hacktivist group Zarya. This website, known as 'Zarya - CyberFront,' serves as a platform for the group to showcase its recent hacking activities, data leaks, and other relevant information. The CyberFront website provides insight into the group's tactics, targets, and objectives and serves as a means of communication with its supporters and potential recruits.
Figure 3: Zarya CyberFront website hosted on Akur Group (hxxps://zarya[.]akur.group/)
Zarya's CyberFront website provides information about targeted verticals for the pro-Russian hacktivist group, Zarya. According to the website, the group primarily targets government agencies, service providers, critical infrastructure, and civil service employees.