In Ukraine, hacktivists fight back with data leaks

The video opens in typical Anonymous style, with 3D-rendered text and grainy Guy Fawkes masks flickering over images of street protest.

“Greetings, world! We are Anonymous,” a distorted voice says. “We see the clouds of war ... and it angers us.”

Uploaded to YouTube and shared to the 7.8 million followers of @YourAnonNews on Twitter, this video was cited as the moment that Anonymous “declared war on Russia.” It’s a misleading claim since Anonymous is less of a standing army than an all-purpose hacktivist nom de guerre, but the move was still significant. A lot of internet bystanders were getting ready to make trouble for Russia — and they were going to use the mantle of Anonymous to do it.

Many expected a more organized cyber-offensive from Russia, but it hasn’t materialized for reasons that are difficult to pin down. The reality has been more chaotic, with little oversight or coordination. These smaller incidents are more favorable for Ukraine, but they’re also qualitatively different from military operations like Stuxnet or Sandworm. And while conventional warfare continues to devastate Ukraine, the Anonymous campaign has been running more quietly in the background, with consequences that are hard to predict.

On February 26th, Ukraine’s deputy prime minister Mykhailo Fedorov — who is also minister for digital transformation — announced the creation of a volunteer-led cyber army, enlisting the help of any and all skilled workers from the IT sphere to participate in a range of digital actions against Russia.

The cyber volunteers were already venturing into uncharted territory. Coordinated through a Telegram channel of, at present, more than 300,000 users, membership of the so-called “IT Army” was both globally distributed and centrally directed, plotting a new line between decentralized digital activism and state-sponsored hacking. But while the IT Army embarked on a new kind of cyberwarfare, Anonymous’s #OpRussia represented a different, altogether more chaotic tendency.

The IT Army has leaned heavily on DDoS attacks — carried out on targets like gas, oil and infrastructure companies, the Moscow Stock Exchange, and even the Kremlin website using an app called disBalancer — but the most impactful actions have come from stealing data and posting it to the public. In one case, groups operating under the names Anonymous Liberland and the Pwn-Bär Hack Team obtained over 200GB of emails from Belarusian defense weapons manufacturer Tetraedr, which have been made available through the leak website Distributed Denial of Secrets.

In another incident, a hacking group breached a website belonging to Russia’s Space Research Institute and leaked files online that appeared to include descriptions of lunar missions. Days before, another group called Against The West (ATW) — which was previously known for leaking data obtained from the Chinese Communist Party — released a trove of files purportedly obtained from energy company PromEngineering, including power station blueprints and schematics.

The latest major leak happened on March 10th, when Distributed Denial of Secrets published more than 800GB of leaked data from Roskomnadzor: the Federal Service for Supervision of Communications, Information Technology, and Mass Media, or Russia’s primary censorship agency. Though the actor that obtained the data is not yet unknown, the nature of the leaks is at minimum highly embarrassing to Roskomnadzor and potentially more damaging depending on the exact information released.

In attempting to strike blows against Russia, hacktivist groups aligned with Ukraine have effectively been leaking whatever sensitive information they can find against Russian targets. But once this information is released, it’s hard to contain — and there may be unintended consequences. DarkOwl, a dark web intelligence company, is one organization that has been tracking data leaks tied to the Ukraine invasion in a blog. A DarkOwl analyst told The Verge that information contained in corporate leaks could be valuable for spear phishing or surveillance campaigns, especially for the most sophisticated actors.

“You’ve got sensitive corporate information here. You know, you’ve got shipping addresses and account numbers and things like that,” the analyst said. “There’s also photographs and screenshots that have been taken. As we have seen, that can be used in more strategic espionage activity by a nation state actor in the future.”

But many of the leaks also contain large volumes of information about companies’ clients, most of which are ordinary Russians with little connection to the elite interests that have waged the war. That information could put them at risk at a later date.

“This flurry of action that we see right now is basically to vandalize and create as much chaos as possible,” says Jeremiah Fowler, an American cybersecurity researcher based in Ukraine. “But having names, user details, credit information, any of that out there long term, you know that we have no idea what they’re going to do with that. There’s unfortunately so much anger about all this that a lot of innocent Russian people may be targeted by default.”

The loosely coordinated, sometimes amateur nature of hacktivist support for Ukraine has also meant that it is harder to verify exactly what is taking place at a given moment. Some well-publicized Anonymous actions have been patently false: in one example, an Anonymous info channel claimed that an affiliated group had shut down the main control system for Russian satellites; in another, debunked by the Check Point cybersecurity firm, a group that claimed to have hacked into CCTV cameras inside a nuclear power plant was found to be reusing years-old footage from YouTube.

Other plausible hacks have been hard to confirm. On February 26th, some social media users shared footage that allegedly showed Russian TV channels hacked to broadcast pro-Ukrainian messages and inform watchers of the truth about the Ukraine invasion. (News media in Russia is heavily censored, even more so after Putin signed a “fake news” law that threatened up to 15 years in prison for people who spread unapproved information about Russian war losses.)

Fowler says his research partner had directly observed a hijacked Russian TV broadcast and that it was possible that it had happened many more times. Fowler said that he had encountered unsecured file systems when researching Russian media agencies and that someone with the technical skill to discover them could easily change broadcast footage:

“Let’s say you had administrative access,” Fowler said. “You take a video of some of this horrific [war] footage that we’re seeing, and you name that the same as the source material. So next time the software pulls from that source, instead of getting whatever news they’re providing, the audience is going to see something else. And the system doesn’t know any different because the file has the same name.”

Fowler said that he had also seen evidence of numerous Russian company databases that had been accessed by outsiders, with data deleted, or files rewritten en masse to say “Putin stop this war” — to the extent that in a sample of 100 publicly exposed databases, 92 appeared to have been tampered with. Many of these databases contained names, account details, and other personally identifying information, Fowler said; and there’s no way to know exactly who might have had access to it.

Some individuals who act now as “cyber patriots” supporting Ukraine may also be involved in criminal activity, said Jon Clay, vice president of threat intelligence at Trend Micro — and computer systems that are compromised now as protest could later be exploited for financial gain.

“A lot of these cyber patriots may be part of a cybercriminal group,” Clay said. “So they’re being given cover by the nation state to target these other groups, or agencies in a different country. And that’s where it’s going to be difficult to draw the line because, you know, very quickly they can pivot to just turning on the cybercrime component of their business.”

Groups involved in pro-Ukraine hacks could implant backdoors into computer systems that they could reactivate for future exploits, Clay said, with stealthier actors able to remain undetected for months or even years. Further down the line, these groups might sell user data for profit or deploy ransomware, he said.

As long as the battlefield is still blanketed in what has been called “the fog of cyberwar,” there is also a possibility that some of the most sophisticated cyber threat actors are operating under cover of hacktivism.

In a webinar Thursday, Kaspersky’s director of global research and analysis Costin Raiu said that some cyber activity in Ukraine had the hallmark of Advanced Persistent Threat groups (APTs) — the most elevated level of cyber threat group, and usually one that is directed by a military agency or backed by a nation state — and might have been hidden under “false flag” cybercrime or hacktivist operations.

Still, the haphazard nature of the hacktivist actions can cause real damage — often to people or infrastructure with no connection to the invading forces. “It’s very dangerous for people when you can’t see three steps down the line to be taking offensive activities,” said Chester Wisniewski, principal research scientist at Sophos. “A hallmark of what we would consider acceptable offensive hacking on behalf of the British, the Israelis, the Americans, even the Russians and the Chinese, is to understand what the possible impacts of your actions are going to be and to minimize collateral damage by being very precise and targeted in those actions.”

“Civilians aren’t prepared to do that effectively,” Wisniewski adds. “And I’m very concerned about that.”