Russia, once considered a top force in cyberspace, now being mocked by world's best hackers

The war in Ukraine dispelled the myth of invincible Russian hackers

But the war in Ukraine has shown that their capabilities were greatly overestimated.

Most experts were convinced that a modern full-scale war was impossible without hackers. Humans’ dependence on technology has become so obvious that attempts to disable these technologies during hostilities are fully expected.

In the context of a possible Kremlin attack, analysts speculated that the offensive by ground forces would be accompanied by hacker attacks on critical infrastructure that further intimidated people and destabilized the situation.

There are a large number of hacker groups in Russia that are allegedly not affiliated with the government, but often act in the interests of the regime. But hackers are also part of Russia's armed forces and intelligence services.

NV found out how effective the attacks of Russian hackers were, how the hacking community supported Ukraine, and whether online special operations will really be a weapon of the future.

Russian hackers against Ukraine

The Russians already have extensive experience of cyber-attacks against Ukraine: in 2021, Ukraine ranked second in the number of cyber-attacks carried out against a particular country. Something like a dress rehearsal took place in February, when (probably) Russian hackers managed to shut down some Ukrainian government, military and banking websites for a while.

Since the beginning of the war, Russian hackers have actively supported (and continue to support) the ground offensive. And if not for the war, then, for example, the news of the breakdown of the satellite provider Viasat would certainly have been top news: This is the biggest cyber-attack of our time, with thousands of satellite modems in Ukraine and abroad failing, leaving millions without communications.

The deputy head of the State Special Communications Service of Ukraine, Viktor Zhora, said that "this was a huge loss of communication at the beginning of the war," and that the attack affected not only ordinary users, as Viasat had provided services to the military and critical infrastructure. That is why Russian hackers chose this company as the target of their attack.

"Under normal circumstances it would be one of the biggest infosec stories of the year, if not bigger," says Thomas Rid, professor of strategic studies at Johns Hopkins School of Advanced International Studies.

"An ongoing, brutal war with such powerful images is changing the psychological environment for digital sabotage, crowding it out of the news cycle – one more reason why hacking is probably less attractive right now."

During the two months of the war, at least six groups of Russian hackers carried out more than 430 cyber-attacks. Many of them coincided with missile attacks and ground attacks on certain objects.

However, the State Special Communications Service announced on May 2 that Russian cyber-attacks against Ukraine had reached a maximum. The Russians have failed to carry out a large-scale attack that would indeed cause significant damage to the Ukrainian economy, army or population.

But it's too early to relax. "Despite the fact that the attacks (of Russian hackers) mostly do not cause significant damage to our information infrastructure, their number is constantly growing," the State Special Communications Service said.

The combination of all these factors revealed two important points to the world:

  • hackers are far from the weapons of the future we have heard so much about. Their actions may be threatening, but during a war, missile strikes and shelling are obviously to be taken more seriously;

  • the power of Russian hackers has been overstated. Russian hackers, who have become something of a brand in the West, have proved incapable of resisting Ukraine and its allies. This is best explained by Stefano De Blasi, a cyber-threat intelligence analyst at Digital Shadows: "Until now, Russia has been one of the countries from which the cyber threat comes, not the victim."

Now the fire has spread to Russia, as Russian companies are themselves suffering from cyber-attacks. Hacker groups around the world have come out in support of Ukraine, thanks to which millions of internal documents of Russian state-owned companies, including Roskomnadzor (the Federal Service for Supervision of Communications, Information Technology and Mass Media), the Central Bank of Russia, Gazprom, and other pillars of the Russian regime have been leaked on the Internet.

The myth of Russia’s cyber advantage became the main victim of the first cyber war in world history. This is not the first hoax to be debunked by the war in Ukraine. Three months ago, the Russian propaganda machine was also considered perhaps the strongest in the world, pushing stories about the "second most powerful army in the world." These have been shown to be delusions.

However, the State Special Communications Service warns that the enemy should still not be underestimated.

"So far, Ukraine has managed to successfully resist cyber-attacks from Russia. Due to the sanctions, the enemy has already faced certain resource constraints, both material and technological, and it will be increasingly difficult for it to prepare and carry out new attacks. However, we must be constantly ready for them, because, despite limited resources, Russian military hackers still have a high motivation to attack."

IT army

Since the beginning of the war, the cyber front has been led by an IT army project from the Ministry of Digital Transformation – a community of volunteers who still organize constant DDoS attacks against Russian resources, coordinating them via a Telegram channel with nearly 300,000 users. This is the public part of the ministry's work, which anyone can join, even without special skills.

At the beginning of the war, DDoS attacks were the main weapon, because of their simplicity, and were used by both Ukraine and Russia. Even the NV.ua website was subjected to a similar attack. Experts note that the attacks on Russian servers were more powerful, and the longest of them lasted 177 hours.

The IT army shut down hundreds of different Russian websites, including those of government agencies, propaganda media websites, popular banking services and, of course, state-owned companies. Due to constant DDoS attacks on the 1C accounting service, Russia has abolished fines for the late submission of financial statements. Russia has also decided to abolish labeling and verification of labeling on some goods due to the attack on the national Chestny Znak (Honest Sign) system.

However, DDoS attacks will not really affect the war, even in cyberspace. Sooner or later, servers are restored, protections are improved, and the attacks become less effective.

Cyber war fog

The non-public part of the work of the Ministry of Finance will probably be much more interesting. However, for security reasons, they promised to tell the details of these cyber-attacks only after the war. In comments to NV, the Minister of Digital Transformation, Mykhailo Fedorov, confirmed the information that "a very large number of companies in cybersecurity" are helping Ukraine: they mostly work for "non-public purposes."

"These are complex attacks aimed at not only gaining access to a website or database, but also spreading the truth about what is happening," the minister said. "We have already hacked more than 80 databases that are critical for Russia. These are databases of citizens, businesses – rather sensitive data. Also, a digital blockade has made, for example, so that today Vkontakte (a Russian social network) cannot even buy servers. Their cybersecurity has been hit hard by sanctions."

One of Russia's strongest hacking groups, Trickbot, which has long been suspected of links to the FSB, said in late February that it would support Russia in the war against Ukraine. It is believed that this group is behind the DDoS attacks on Ukrainian websites before the war.

A few days after the start of the war, an anonymous user from Ukraine published internal chats, and later the source code of the Conti rogue program, which became a real headache for cybersecurity experts due to its frequent and quite effective use. In this way, he practically destroyed one of the most dangerous Russian hacking groups, whose members are now forced to think solely about their own safety, hiding and destroying evidence against themselves.

The group Network Battalion 65' (NB65) went further – it modified the Conti code and then used it to hack and block files inside Russian companies.

"We have decided that it would be best to hit Russia with its own weapons. They've hit school districts, hospitals, universities and businesses all over the place for years. After their code was leaked to the internet we took it and modified it to make it run more efficiently and with stronger encryption. We will use it against every Russian company we find. It's NB65's way of saying 'Russian APT groups, f**k off!'," a representative of NB65 told NV.

He suggested that the Conti code had been leaked by a Ukrainian member of the Trickbot group, who had decided to take revenge on his former comrades for supporting the war.

NB65 has become actively engaged in the case. For example, on April 2, the group broke into Russia's most popular electronic payment system – Qiwi: hackers gained access to inside information and deleted 10.5 terabytes of company backups. Previously, their victims also included VGTRK (the All-Russia State Television and Radio Broadcasting Company), Roskosmos (the State Space Corporation), Russian banks, and even private companies. This is how the group differs from most other hackers such as the Anonymous community, which has consistently argued that Russia's civilian population is not their enemy, and that only the top leadership is responsible for the war.

The hackers said they would continue to work on Russian targets until the war ended. They have friends and even family members who "have been affected by Russia's war crimes," so they have no plans to stop.

"Popular support among the civilian population in Russia for this war is staggeringly high", the hackers said, explaining their decision.

"Due to the nature of most Russian companies and their relationship to the government we decided that no company would be considered off limits. If they are operating normally then they are contributing to the bloodshed in Ukraine. Do Russian civilians want to be hacked? No, probably not. But, Ukrainian civilians don't want cruise missiles dropped on apartment building, either."

NB65 members also believe that the forces of Russian hackers have clearly been overestimated. The representative of the group is convinced that this happened due to the active work of online extortionists from Russia who operated around the world.

"It's very clear that they are not these titans of cyber security," the hackers added.

The fact that "the majority of the country runs environments of cracked Windows installations with fake activation keys" has become a special revelation for them.

Sea of data

NB65, along with Anonymous and AgainstTheWest, another pro-Western hacker group, has become one of the main providers of cracked archives containing information about Russian companies, which are processed and centrally published by DDoSecrets. The project's website has become an unofficial hub for publishing terabytes of secret inside information from Russian state-owned companies.

For example, Anonymous has made public about 5.8 terabytes of data from domestic sources. Currently, the main problem is not to obtain the information, but to study it.

In its first 10 years, WikiLeaks, a similar organization, published about 10 million documents. DDoSecrets journalist Lorax Horne told NV that they had managed to get the same amount in two and a half months of the war in Ukraine, and that's without taking into account the files attached to emails.

"The flood of Russian data has meant a lot of sleepless nights, and it's truly overwhelming," said Emma Best, a co-founder of DDoSecrets.

She says it will take journalists and researchers more than a year to process all the information that has been made public recently.

However, hackers are not limited to obtaining information. Some are more destructive. For example, a new extortionist program RU_Ransom appeared in March. Immediately after being launched, the program checks the user's geolocation. If the user is in Russia, all files on the computer are blocked, after which the program deletes them without a trace.

"I, the creator of RU_Ransom, created this malicious program to harm Russia... There is no way to decrypt your files. No payment, only losses," reads a message displayed during the operation of the program.

If someone tries to run the program outside of Russia, it will display the following message: "This program can be run only by a Russian user," after which it will automatically close. However, so far no mass distribution of this software has been reported.

Some experts suggest that Russia has long been thinking about creating a Splinternet. This is something like the Internet, which combines several split networks that do not depend on each other. Iran, China, and North Korea have already taken steps in this direction, but they still use the same technologies as the rest of the world, so it is too early to talk about the full emergence of the Splinternet.

Meanwhile, the endless cyber-attacks that undermine not only Russia's defense capabilities but also the authority of "Russian hackers," could provoke the Kremlin to further promote the idea of hiding in a cocoon and isolate itself from the rest of the world – not only the real one, but the virtual one of the Internet.