Telegram becomes a digital forefront in the Conflict

03/03/2022

Cyber-attacks, fraud and news feeds: Cyber criminals and Hacktivists Leverage Telegram for conflict-related Activities

Highlights:

  • Amid the Russia-Ukraine conflict, user volume grew a hundred folds daily on Telegram related groups, peaking at 200k per group
  • Anti-Russian cyber-attack groups that were recently created are growing steadily every single day, rising to over 250K users per group
  • Some groups disguised as fundraising for Ukraine are suspected to be fraudulent
  • Independent news feed groups bypass news agents and “broadcast” firmly unedited “facts”

 

The Russia-Ukraine conflict is closing its first week, and numbers of growing related cyber-attacks recently surfaced. Recently, Check Point Research (CPR) released data on cyber-attacks on Ukraine’s government and military sector, which surged by a staggering 196% in the first three days of combat. Cyber-attacks on Russian organizations increased by four percent. CPR has also warned of fraudulent emails being sent to dupe people who are seeking to donate to Ukraine from abroad.

Over past years, the encrypted instant-messaging application Telegram has become a cyber criminal’s favorite go-to platform. This is not the first time our researchers have reported troubling activity over Telegram. In past reports, CPR researchers have shown how criminals use the platform for black market activities, like fake certificate reports.

Since the surge of the conflict on February 24, CPR researchers have been closely monitoring growing activity being managed on Telegram. CPR saw about 6 times more groups concerning the conflict, than the day before the invasion. In this report, we provide some visibility to what looks like a war front of its own.

In this report we focus on three types of groups observed by our researchers as rapidly growing:

  1. Cyber-attack groups against Russia that urge followers to attack Russian targets in different tools and ways, mainly DDoS
  2. Groups urging followers to support Ukraine by fund raising, of doubtful authenticity, often suspected to be fraud
  3. Numerous “news feed” groups, airing updated and “exclusive” news reports about the conflict, bypassing mainstream news outlets

 

Anti-Russia cyber target list

Cyber hacktivists are choosing Telegram to transfer messages, cyber arms and tools, and are “pointing” attackers to relevant Russian targets. Since the beginning of the war, we have seen tens of groups being created daily. Some groups boast over 250,000 users. CPR estimates that about 23% of the groups observed on Telegram attempt to unite hackers, IT professionals, and other IT “fans” to attack Russian targets in the cyberspace. These groups are used to coordinate the attack, decide on targets and share results, even offering to help each other towards the goal.  DDoS attacks became very common as a cyber-weapon, with anti-Russian attackers pointing against targets they favor, and request group users to follow.
For example, the Anna group is calling followers to attack Russian targets via DDoS, SMS or call-based attacks.

A shout out for SMS and call-based attacks on Russian targets

In another example shown below, the “Mark” group is calling users to attack Russian websites, providing URL’s.

A shout out for DDoS attack on Russian websites

Invitation to attackers to a variety of attack methods

One of the groups, which refers to itself as an “IT Army of Ukraine” consists of 269,972 users, and have been transmitting call outs for attackers to targets Russians in several ways. DDoS is the most common request.

Over 260K users in a group calling for DDoS attacks against Russia

Cyber criminals are leveraging the conflict to steal funds under the disguise of altruistic donations

Times of distress and crisis always motivate criminals and fraudsters.
Spotting their activity since the war started looks to be a growing phenomenon in the form of Telegram groups, requesting to raise funds for Ukraine and its population.
Our investigations shows that many of such requests and groups are highly suspected to be fraudulent.
Each of these groups on Telegram consist of tens of thousands of users, and we have been spotting this growth since the fighting started, expecting this to further grow as the conflict propagates. CPR estimates that roughly 4% of the groups observed on Telegram are geared toward donations to support a side of the current conflict, many of which are suspicious.

Group raising funds through Bitcoin and Ethereum accounts – Over 20k Users

News feeds from fighting zones bypass traditional media

In the era of social media, traditional news channels are merely a side show for numerous news feed telegram groups. These groups on Telegram report unedited, non-censored feeds from war zones, 24 hours a day, including footage that traditional mainstream media often refrained from airing live. In fact, about 71% of the groups we see are dedicated to news around the current conflict.
CPR researchers observed such groups appearing rapidly from the beginning of the conflict and have continued to grow since then. In such groups, the quality of news feeds is not a factor and users often leverage this to spread “news” and “facts” that are not actually verified, or checked. This is a form of psychological weapon, used to demoralize and influence morals.

Live news channel “Russia vs. Ukraine Live news” with over 110K users on Telegram

Ukraine War report channel, with over 20K users on Telegram

 

In addition, CPR cited 2% of the groups titled with other conflict related subjects. Most of them are either non-active or has almost no users in it.

 

How to remain protected from fraud and cyber-crime while using Telegram

Like any online based communication software, users must remain vigilant and careful about the information published on Telegram. To stay protected, CPR recommends the following:

  • Do not press on links that have origins unfamiliar to you, especially in times of crisis and extreme circumstances. Criminals might leverage and exploit the situation to try to steal credentials, private details and other personal information by sending out malware or phishing links.
  • Beware of suspicious requests. If a message from an unknown source makes a request or a demand that seems unusual or suspicious, this might be evidence that it is part of a phishing attack.
  • Sending money to unknown sources requesting assistance may often result in fraud. Beware of whom you are communicating with and what kind of information you are being asked to provide. For financial donations always go to the official sites of recognized organizations
  • Consume news feeds and seek “truth” from reliable sources that you can trust.

 

CPR continues to monitor the evolving situation in the conflict, and we shall report accordingly.