Russia is Being Hacked at an Unprecedented Scale

Registration-Inscripción

by Matt Burgess
April 27, 2022

from Wired Website

Matt Burgess is a senior writer at WIRED focused on information security, privacy, and data regulation in Europe.

He graduated from the University of Sheffield with a degree in journalism and now lives in London.

Send tips to Matt_Burgess@wired.com.

Photograph: George Diebold

Getty Images

From "IT Army" DDoS attacks

to custom malware,

the country has become

a target like never before...

The orders are issued like clockwork. Every day, often at around 5 am local time, the Telegram channel housing Ukraine's unprecedented "IT Army" of hackers buzzes with a new list of targets.

The volunteer group has been knocking Russian websites offline using wave after wave of distributed denial-of-service (DDoS) attacks, which flood websites with traffic requests and make them inaccessible, since the war started.

Russian online payment services, government departments, aviation companies, and food delivery firms have all been targeted by the IT Army as it aims to disrupt everyday life in Russia.

"Russians have noticed regular hitches in the work of TV streaming services today," the government-backed operators of the Telegram channel posted following one claimed operation in mid-April.

The IT Army's actions were just the start.

Since Russia invaded Ukraine at the end of February, the country has faced an unprecedented barrage of hacking activity.

Hacktivists, Ukrainian forces, and outsiders from all around the world who are taking part in the IT Army have targeted Russia and its business.

DDoS attacks make up the bulk of the action, but researchers have spotted ransomware that's designed to target Russia and have been hunting for bugs in Russian systems, which could lead to more sophisticated attacks.

The attacks against Russia stand in sharp contrast to recent history. Many cybercriminals and ransomware groups have links to Russia and don't target the nation.

Now, it's being opened up.

"Russia is typically considered one of those countries where cyberattacks come from and not go to," says Stefano De Blasi, a cyber-threat intelligence analyst at security firm Digital Shadows.

At the start of the war, DDoS was unrelenting. Record levels of DDoS attacks were recorded during the first three months of 2022, according to analysis from Russian cybersecurity company Kaspersky.

Both Russia and Ukraine used DDoS to try to disrupt each other, but the efforts against Russia have been more innovative and prolonged.

Ukrainian tech companies transformed the puzzle game 2048 into a simple way to launch DDoS attacks and have developed tools to allow anyone to join the action, irrespective of their technical knowledge.

"The more we use attack automation tools, the stronger our attacks," reads a message sent to the IT Army Telegram channel on March 24.

The channel's operators urge people to use VPNs to disguise their location and help avoid their targets' DDoS protections.

Toward the end of April, the IT Army launched its own website that lists whether its targets are online or have been taken down and includes technical guides. (The IT Army did not respond to a request for comment.)

"We have made good strong hits, and a lot of websites don't work," says Dmytro Budorin, the CEO of Ukrainian cybersecurity startup Hacken.

When the war started, Budorin and colleagues altered one of the firm's anti-DDoS tools, called disBalancer, so it could be used to launch DDoS attacks.

While Kaspersky's analysis says the number of DDoS around the world has returned to normal levels as the war has progressed, the attacks are lasting for longer... hours rather than minutes.

The longest lasted for more than 177 hours, over a week, its researchers found.

"Attacks continue regardless of their effectiveness," Kaspersky's analysis says.

On March 25, the US government added Kaspersky to its list of national security threats.

The company said it was "disappointed" with the decision.

Germany's cybersecurity agency also warned against using Kaspersky's software on March 15, although it didn't go as far as banning it.

The company said it believed the decision was not made on a technical basis.

Budorin says DDoS has been useful for helping Ukrainians contribute to the war effort in other ways than fighting and says that both sides have improved their attacks and defense.

He admits DDoS may not have a huge impact on the war, though.

"It doesn't have a lot of effects with respect to the end goal, and the end goal is to stop the war," Budorin says.

Since Russia began its full-scale invasion, the country's hackers have been caught,

trying to disrupt power systems in Ukraine

deploying wiper malware

launching predictable disruption attacks against the Ukrainian government...

However, Ukrainian officials now say they have seen a drop in activity.

"The quality decreased recently as the enemy cannot prepare as much as they were able to prepare," Yurii Shchyhol, the head of Ukraine's cybersecurity agency, the State Service for Special Communication and Information Protection, said in a statement on April 20.

"The enemy now mostly spends time on protecting themselves, because it turns out their systems are also vulnerable," Shchyhol said.

Dmytro Budorin says that, beyond pivoting his company's technology to help launch DDoS attacks, it also created a bug bounty program for people to find and report security flaws in Russian systems.

More than 3,000 reports have been made, he says.

He claims this includes details of leaked databases, login information, and more severe instances where code can be run remotely on Russian systems.

The company validates the vulnerabilities and passes them on to Ukrainian authorities, Budorin says.

"You don't go through the main door," he says.

"You go through the regional offices. There are so many bugs, so many open windows."

While cyberwarfare throughout the conflict may not have been as obvious or have the impact some predicted, many incidents may happen without publicity or outsider knowledge.

"I think the most sophisticated operations going on right now are espionage - to find out what the opponent is trying to do, wants to do, and will do next," De Blasi says.

"We may have to wait years before we discover anything about that."

Visibly, hacktivists and others attacking Russia have obtained and published hundreds of gigabytes of Russian data and millions of emails - the files may help unravel parts of the Russian state.

But other attacks are happening, says Lotem Finkelstein, director of threat intelligence and research at Israeli cybersecurity company Check Point.

In early March, a new kind of ransomware was discovered.

While most ransomware groups have links to Russia - something that has proved costly for the Conti ransomware group when it backed Putin - the new ransomware was designed to go after Russian organizations.

"I, the creator of RU_Ransom, created this malware to harm Russia," the code's ransom note says, according to an analysis by security firm Trend Micro.

The malware can spread as a worm and can wipe systems of data, although as of early March researchers had not yet spotted its use in the real world.

"This is very rare to see the ransomware that targets Russia specifically," Finkelstein says, adding that Check Point is working on new research that shows how Russia has been targeted throughout the war.

"Russia is now experiencing attacks that they are not used to seeing," Finkelstein says.

While cyberattacks against Russia have increased, there are hints that this may push the country further down the path of Internet isolation.

For the past few years,

Russian officials have talked of creating its own sovereign Internet and breaking away from the global system...

When the DDoS attacks started, Russia appeared to geofence government websites, and at the start of March, according to national media reports, the country's Ministry of Digital Development told websites to improve their cybersecurity measures and keep control of their own domain names.

"I believe that full disconnect from the Internet would still be an extreme approach, even now," says Lukasz Olejnik, an independent cybersecurity researcher and consultant.

"Furthermore, the government is apparently still in a kind of self-denial, acting as if nothing significant was happening due to the cyberattacks, or even due to the Western sanctions, too."

Despite this denial, Olejnik says, the country is still "doubling down" and pushing toward its long-term goal of a sovereign Internet...

Video

Sandworm - A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers

Return Home

Return to Russia and The EU

Return to The End of The Internet... As We Know It?