In the wake of Russia's invasion of Ukraine, hacker groups on the "dark web" are positioning themselves for or against Russia. This article will tell you who is supporting whom and what attacks are taking place.
On February 24, 2022, Russia invaded Ukraine. Even before that, however, there was already movement on the network: the hacker groups active there had split into three factions. The darkest part of the network (known as the "dark web") was divided into pro-Russian groups, pro-Ukrainian groups, and a third group of opportunists.
Most hacker groups support Ukraine, while participants associated with ransomware support Russia. A third group of opportunists tries to exploit the weaknesses of the countries at war, and of the countries affected by the war, to conduct their business and their crimes.
One of the businesses we have seen grow the most is the sale of credentials for compromised accounts. Since December 2021 we have observed a steady rise in information about data breaches affecting Ukrainian citizens and compromised accounts belonging to companies and services in the country. Before the invasion began, auctions of this type were almost doubling every month.
Russia's War on the Dark Web
Some of these attacks and dumps are:
40 million PII (personally identifiable information) records related to customers of PrivatBank, the largest bank in Ukraine.
7.5 million Ukrainian passport records and 2.1 million PII records of the country's nationals.
A database of unspecified type and size containing car registrations, license plates and data related to the Ukrainian Border Police.
28 million passport and driver's license records of Ukrainian citizens, including complete scans and photographs.
1 million records related to Nova Poshta, a private postal and courier service in Ukraine.
10 million records containing information on Ukrainian customers of Vodafone Ukraine.
3 million records about customers of Ukrainian telecommunications company lifecell, and another 13 million records related to Kyivstar, another telecommunications company in the country.
The dark web and Russia in the war in Ukraine: who supports whom?
For the sake of completeness, the largest database dumps sold on the Internet are two databases containing the personal data of 53 and 56 million Ukrainian citizens, respectively. The first has been known since 2006, while the second has circulated since 2020.
Alongside these dark web operations, the split between supporters and critics of each side shaped how cybercrime and hacking activities were organized.
One of the most prominent ransomware organizations, Conti, announced its full support for the Russian government the day after the invasion. A few days later, the group expanded its statement by announcing retaliation against any Western warmongers who attempted to attack Russia's critical infrastructure.
On Feb. 27, a member of Conti leaked conversations in the group's chat room that revealed the group's internal divide between support for Russia and support for Ukraine.
Another ransomware group, CoomingProject, announced its support for the Russian government and said it would respond to any cyberattacks against Russia. Another group, AgainstTheWest, tweeted in response that it had passed the identities of CoomingProject's operators to the French police: the operators were allegedly six young men in France.
On Feb. 26, another ransomware group, LockBit 2.0, issued a more neutral statement. The group claims to be apolitical and says it does not intend to participate in attacks on any country's critical infrastructure or engage in international conflicts.
Darknet positions itself as an anti-Russian group
On the other hand, Yegor Aushev, co-founder of a Kiev-based technology company, said he had been asked by Ukrainian government officials to recruit hackers and hacker volunteers to help defend the country online.
An announcement purportedly from the group Anonymous has been prominent in the online campaign, and on Feb. 25, someone on behalf of the group announced the release of several documents containing the Russian Defense Ministry's database.
However, a review of the information released by Anonymous does not really confirm this organization's credibility, because only one of the documents it released could contain any usable credentials, while the others had been leaked previously.
Other lesser-known online activist groups, such as GhostSec, claimed to have attacked two IP addresses, affecting more than 100 Russian military domains. However, this could not be confirmed.
In addition, they leaked a new database, which turned out to be identical to the one released by Anonymous.
Attacks on Russian entities as a result of the invasion of Ukraine
Perhaps the most active group is AgainstTheWest, a group that leaked a source code database containing classified information.
They have also been held responsible for denial-of-service (DoS) attacks, malware installation and various other cyberattacks carried out in response to the Russian invasion of Ukraine. These attacks targeted Russian and Belarusian entities.
Some of the most prominent institutions attacked were the Ministry of Transport of the Russian Federation and Aeroflot. Almost every day, the group has been posting evidence of new attacks allegedly launched against various Russian government companies and entities.
Another group, GhostSec, claimed responsibility for attacks on 100 Russian military subdomains hosted on two IP addresses.
They claim to have shared gov(.)ru, mil(.)ru and other domains together with compromised credentials. However, this leak proved to be the same as the Anonymous leak.
The same was true of the further leak the group published on the 26th. They claimed to be the authors of an alleged cyberattack against two groups linked to the Russian government, Ghostwriter and Gamaredon, exposing part of the infrastructure those groups use.
Other groups, such as Distributed Denial of Secrets (DDoSecrets), released 200 GB of emails from the Belarusian weapons manufacturer Tetraedr, demonstrating their opposition to Russia.
Ukraine's Minister of Digital Transformation Fedorov announced on February 26 the creation of a "cyber army" composed of volunteers. In addition, Telegram channels showed various cyber attacks on Russian companies such as Gazprom, services such as Yandex and various Russian institutions' websites.
On February 27, the army appears to have been involved in various DDoS attacks against targets such as the Kremlin's own website.
All of these actions are largely beyond the reach of the general public, but they should be monitored and tracked as a major part of online security intelligence and prevention.
In fact, we must be on high alert for possible cyberattacks, whether ransomware, phishing or other types, because any of the groups actively involved in this online conflict, or criminals trying to exploit the situation, could act at any time; we should be ready and not turn a blind eye.