But in the third month of the war, Russia, not the United States, is struggling with an unprecedented wave of hacking that combines government activity, political volunteerism, and criminal action.
Digital attackers have looted the country’s personal financial records, defaced websites and leaked decades of government emails to anti-secrecy activists abroad. A recent survey found that in March more passwords and other sensitive data from Russia were leaked onto the open Internet than information from any other country.
The released documents include a cache from a regional office of the media regulator Roskomnadzor that revealed the issues its social media analysts were most concerned about, including anti-militarism and drug legalization, and that it filed reports with the federal security service, the FSB, including cases in which people who complained about government policy were arrested.
A separate cache from VGTRK, the All-Russia State Television and Radio Broadcasting Co., exposed 20 years of emails from the state media network and is “big” in terms of its expected impact, said a researcher at cybersecurity firm Recorded Future who spoke on condition of anonymity to discuss his work in dangerous hacking circles.
The broadcast cache and some of the other notable loot were obtained by a small hacktivist group called Network Battalion 65, which formed when war looked inevitable.
“Government of the Federation: Your lack of honor and flagrant war crimes have earned you a special award,” read a note left on a victim’s network. “This bank is being hacked, bought out and soon sensitive data will be dumped on the internet.”
In its first in-depth interview, the group told The Washington Post via encrypted chat that it was not receiving any direction or assistance from government officials in Ukraine or anywhere else.
“We pay for our own infrastructure and devote our time to it outside of jobs and family commitments,” said an unnamed spokesman in English. “We don’t ask for anything in return. It’s just right.”
Christopher Painter, formerly the top US diplomat on cyber issues, said the surge in such activity risks escalation and interference with covert government operations. But so far the targets have been in Russia, which he said serves US aims.
“Are the goals worthy? Yes,” said Painter. “It’s an interesting trend that they’re now the target of all this.”
Painter warned that Russia still has offensive capabilities, and US officials have urged organizations to prepare for an expected Russian cyberattack, which may be deployed at a moment of maximum leverage.
But perhaps the most important casualty of the attack wave was the myth of Russia’s cyber supremacy, which for decades helped deter hackers in other countries — as well as criminals within its borders — from targeting a nation with such a formidable operation.
“The sense that Russia is off-limits has somewhat expired, and hacktivism is one of the most accessible forms of attack on an unjust regime or its supporting infrastructure,” said Emma Best, co-founder of Distributed Denial of Secrets, which received and published, among other things, the regulator and broadcaster caches.
While many of the hackers want to educate the public about Russia’s role in areas like propaganda and energy production, Best said a secondary motivation after the invasion was “the symbolic pantsing” of Putin and some of the oligarchs.
“He has cultivated the image of a strongman for decades, but not only is he unable to stop the cyberattacks and leaks that are hitting his government and key industries, he is the one who caused them.”
The volunteer hackers have received a unique boost from the Ukrainian government, which has backed the effort and proposed targets via its IT Army channel on Telegram. Ukrainian government hackers are believed to be working directly against other Russian targets, and officials have leaked hacked data, including the names of troops and hundreds of FSB agents.
“There are state institutions in Ukraine that are interested in some of the data and are actively supporting some of these operations,” said an analyst at security firm Flashpoint, who spoke on condition of anonymity because of the sensitivity of his work.
Common criminals with no ideological interest in the conflict have also gotten involved, taking advantage of busy security teams to steal money while the aura of invincibility fades, researchers said.
Last month, a quarterly study of email addresses, passwords and other sensitive data leaked onto the open Internet identified more victim accounts likely to be of Russian origin than from any other country. Russia topped the list for the first time, according to Lithuanian virtual private network and security company SurfShark, which uses the underlying intelligence to warn affected customers.
The number of suspected Russian credentials, such as .ru email addresses, jumped to 50 percent of the global total in March, double the previous month’s share and more than five times the January figure.
“The US is usually the first. Sometimes it’s India,” said SurfShark data researcher Agneska Sablovskaja. “That was really surprising for us.”
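The country attribution behind figures like these rests on a heuristic: the domain of the leaked email address. The following is an added example, not SurfShark’s code or method, showing how a combo list (the usual `email:password` dump format) can be parsed and bucketed by country-code top-level domain, with addresses at global providers kept as unattributable rather than guessed. The ccTLD table and the sample lines are constructed for illustration.

```python
"""Attribute leaked credentials to a likely country of origin by email domain.

Added example, not SurfShark's method or code. A .ru address suggests a Russian
user but does not prove one; addresses at global providers (gmail.com, outlook.com)
are counted as unattributable instead of being assigned to any country.
"""
from collections import Counter
import re

# Assumed mapping of a few ccTLDs to countries; real tooling would use the
# full IANA list. Second-level suffixes such as co.uk still end in a ccTLD.
CCTLD_COUNTRY = {
    "ru": "Russia", "us": "United States", "in": "India", "ua": "Ukraine",
    "de": "Germany", "lt": "Lithuania", "uk": "United Kingdom",
}
GENERIC_TLDS = {"com", "net", "org", "info", "io"}

# Combo-list lines are usually email:password or email;password, sometimes
# prefixed with the site the credential was captured for (url:email:password).
EMAIL_RE = re.compile(r"^(?:https?://[^\s:]+:)?([^\s:;@]+@([^\s:;]+))[:;].*$")


def domain_of(line):
    """Return the lower-cased email domain of a combo-list line, or None."""
    m = EMAIL_RE.match(line.strip())
    return m.group(2).lower() if m else None


def attribute(domain):
    """Map a domain to a country, 'unattributable' for generic TLDs, else None."""
    tld = domain.rsplit(".", 1)[-1]
    if tld in CCTLD_COUNTRY:
        return CCTLD_COUNTRY[tld]
    if tld in GENERIC_TLDS:
        return "unattributable"
    return None  # unknown or malformed TLD; caller decides how to bucket it


def country_shares(lines):
    """Fraction of email-based records per bucket, skipping non-email lines."""
    counts = Counter()
    for line in lines:
        dom = domain_of(line)
        if dom is None:
            continue  # hash-only or junk line, not a credential we can place
        counts[attribute(dom) or "unattributable"] += 1
    total = sum(counts.values())
    return {bucket: n / total for bucket, n in counts.items()} if total else {}


def top_attributed(shares):
    """Country with the largest share, ignoring the unattributable bucket."""
    named = {c: s for c, s in shares.items() if c != "unattributable"}
    return max(named, key=named.get) if named else None


# Constructed sample dumps (not real leaked data) for two consecutive months.
SAMPLE_FEBRUARY = [
    "ivan@mail.ru:pass1", "olga@yandex.ru;pass2",
    "raj@example.in:pass3", "priya@example.in:pass4",
    "amit@example.in:pass5", "neha@example.in:pass6",
    "bob@gmail.com:pass7", "alice@gmail.com:pass8",
    "hans@example.de:pass9", "https://shop.example.de:uta@example.de:pass10",
    "5f4dcc3b5aa765d61d8327deb882cf99",  # bare hash, no email, skipped
]
SAMPLE_MARCH = [
    "ivan@mail.ru:pass1", "olga@yandex.ru;pass2", "petr@bk.ru:pass3",
    "https://portal.example.ru:anna@rambler.ru:pass4", "dmitry@list.ru:pass5",
    "raj@example.in:pass6", "hans@example.de:pass7", "oksana@example.ua:pass8",
    "bob@gmail.com:pass9", "alice@gmail.com:pass10",
    "not a credential line",
]

if __name__ == "__main__":
    for month, lines in (("February", SAMPLE_FEBRUARY), ("March", SAMPLE_MARCH)):
        shares = country_shares(lines)
        print(month, {k: round(v, 2) for k, v in shares.items()},
              "top:", top_attributed(shares))
```

The unattributable bucket is the honest part of such a count: a gmail.com address belonging to a Russian user is invisible to this method, so a ccTLD-based share understates every country and should be read as a trend indicator, not a census.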
Criminal business can also turn political, and the war in Ukraine has made it so.
Soon after the invasion, one of the most ruthless ransomware gangs, Conti, announced that it would work to protect Russian interests in cyberspace.
The pledge backfired spectacularly because, like many Russian-speaking criminal groups, it had members in Ukraine.
One of them then released more than 100,000 internal gang chats and later the source code of its core program, making it easier for security software to detect and block attacks.
Network Battalion 65 went even further. It modified the leaked Conti code to evade the new detections, improved its encryption, and then used it to lock up files at government-affiliated Russian companies.
“We decided it would be best to give Russia a taste of its own medicine. Conti caused (and still causes) a lot of heartache and pain for businesses around the world,” the group said. “As soon as Russia stops this stupidity in Ukraine, we will completely stop our attacks.”
Meanwhile, Network Battalion 65 continued to demand ransom payments and shamed victims on Twitter for poor security. The group said it had not received any money yet but would donate everything it collects to Ukraine.
Network Battalion obtained the state broadcaster’s emails and other caches and passed them to DDoSecrets, making it one of the most important of several hacktivist suppliers to the site, alongside a pro-Western group called AgainstTheWest and a few operating under the Anonymous banner, a larger, looser and recently resurgent collective that welcomes anyone.
In an April 3 interview with a researcher named Dissent Doe, who runs the website DataBreaches.net, the leader of AgainstTheWest said the group formed in October and consists of six English-speaking hackers, all privately employed but with intelligence backgrounds.
The original goal “was to steal state secrets, government software (in source code form), private documents and the like. However, we also had the idea that we should take action against China because it has been targeting the West in cyberespionage campaigns over the years,” the hacker said.
After hitting targets in China, AgainstTheWest moved on to those in North Korea, Iran and Russia.
The leader said the group does not act directly for an intelligence agency, but declined to say if it is backed by any of them. “We do our work in the hope that Western intelligence will benefit from it. We share all private documents with anyone from the US/EU government.”
The group has released more documents through DDoSecrets. Best received a request from a US military account for access beyond what she had published, but declined it.
Painter, the former State and Justice Department expert, said he was concerned that some volunteer hackers might go a step too far and damage civilian infrastructure or provoke a larger response, and warned that others might have hidden motives.
“Normally you don’t want to encourage confident hackers,” Painter said. But then he conceded: “We are not in a normal course of events.”