Hacktivism in the Russia-Ukraine War, Questionable Claims and Credits War
One of the most active players in the cyberspace during the war in Ukraine are hacktivists that support either Russia or Ukraine for ideological reasons. Those groups currently create the highest “noise” in the cyberspace around the conflict, but not always the highest damage. As the war between the countries continues, we see a trend that more and more claims about “big successes” of hacktivists groups are either questionable or it is impossible at all to verify them.
While in the past, hacktivists’ successes were mostly in areas of executing DDoS attacks and hacking or defacing small websites of non-significant organizations, during the last week several hacktivist groups claimed successful targeting of high profile organizations. The hacktivists claimed two types of attacks:
- DDoS attacks
- Hacking into networks of sensitive or high profile organizations with aim to leak the data and/ or to disrupt operations
While most of the claims about DDoS attacks seem to be relatively reliable and it was possible to confirm that some of the websites that were claimed as attacked, were actually unavailable, the situation is more complicated in regards to the entities that were allegedly breached. While it is not easy to confirm the claims of those groups, our research reveals that many of the claims are false, and the screenshots and the data from the allegedly breached networks is either old, or were previously published in the past, or just insignificant in many cases.
This trend is relevant to both sides, while we were able to see that some claims of KillNet group on the pro-Russian side are questionable, as well as the claims of AgainstTheWest and KelvinSecurity groups on the pro-Ukrainian side.
Also, it seems that many of the hacktivists groups are more focused on building self-reputation and recieving credit for supporting Ukraine or Russia, than to cause real damage to the countries.
Figure 1 – credit fight between hacktivists groups
Case Study 1 – AgainstTheWest
AgainstTheWest is a Western-aligned hacktivist group that has been active since October 2021, and previously carried out attacks targeting government and corporate entities tied to the Chinese Communist Party. According to their twitter they decided to disband on February 13th due to lack of motivation and seems the war in Ukraine gave them what they needed. The group announced their return and collaboration with Anonymous, against Russia.
Figure 2 – relaunche of AgainstTheWest activity against Russia
Since the beginning of the war, AgainstTheWest managed very active twitter and telegram accounts, reporting dozens of high end targets in Russia that they breached.
But, checking their claims deeper reveals that for many of the claims there are no solid proofs apart of very generic screenshots that are allegedly from the breached organizations.
Figure 3 – “proof” by AgainstTheWest of Central Bank of Russia breach
One additional organization that AgainstTheWest claimed to breach is Yandex, and they shared files from what they defined as “Yandex’s development portal”.
Figure 4 – “proof” by AgainstTheWest of Yandex development portal breach
In this case, we were able to identify that the screenshot and the files that were posted by the group is just a copy of public repository that contains Yandex browser update :
Figure 5 – public repository that contains the same files AgainstTheWest published
In addition to those questionable claims on the breaches, AgainstTheWest focus a lot on struggles with other hacktivists groups like Anonymous on credit for breaches, and for recognition, not really caring about Ukraine.
Figure 6 – credit fight between AgainstTheWest and Anonymous
Case Study 2 – KelvinSecurity
KelvinSecurity Team defines itself as Private Information Hacker Company. The group published several provocative twitter messages on March 1st about Nuclear Reactor in Joint Institute for Nuclear Research in Russia, trying to make an impression that they breached the reactor. KelvinSecurity published a link to the “monitoring system of Nuclear Reactor in Dubna” together with a “leaked database from the Russian nuclear institute” and the “video from nuclear reactor”.
Figure 7 – KelvinSecurity publication about nuclear reactor
Verifying this information showed that the published database contains a list of presentations by physicists from different institutes and universities across Russia, with some of their personal information, but no sensitive information apart of it. The information about the monitoring system has been openly available years before the conflict, and the “Internal Nuclear Reactor Video” was already published on the YouTube channel of KelvinSecurity group a year ago.
Figure 8 – Video on KelvinSecurity Youtube channel from an year ago
Case Study 3 – KillNet
KillNet, a pro-Russian group, recently launched a “KillNet Botnet DDoS” service. Last week, the group pushed a campaign against Anonymous group that supports Ukraine.
On March 1st KillNet released a video claiming to have taken down the Anonymous website, as a retaliation for their attacks against Russian websites.
Figure 9 – Claim that the website of Anonymous is down
As there is no real official Anonymous website, this attack against a generic Anonymous website appears to be more of a morale booster for the pro-Russian side, and a publicity event for KillNet, gathering followers and fans over news and social media than a real attack.
Figure 10 – Copycat page called out
The same as a there is a fog of war and disinformation in the battle field between Ukraine and Russia, it also happens in the field of cyber-attacks by hacktivists groups, and each claim should be carefully verified before it is taken as a true.
Tips on safer news consumption
- Beware of fake news. Avoid and be cautious of fast-spreading misinformation
- Check time-stamps. Look out for timestamps on content – you can find yourself sharing old, non-relevant news
- Trace the origins of content. Be aware of the content you engage with. Where did it originate from? Are you being called to amplify it? Do you have a strong emotional reaction to it? Are you being asked to spend money?
- Double-check the link you get. Always look out for and check links you receive. Are they borrowed from somewhere else? Is it leading to a copied page?
- Rely on sources you trust. Always use information from trustworthy and official sources