On Thursday, members of Anonymous indicated that they would launch attacks against the Russian government. The hacktivists attacked some local government websites in Russia and temporarily shut down others, including the website of Russian news channel RT. On Friday, the group claimed it would release credentials for the Russian Defense Ministry’s website.
The actions came just hours after Yegor Aushev, co-founder of a Kyiv-based cybersecurity company, told Reuters that he had been asked by a senior official at Ukraine’s Defense Ministry to publish an appeal for help to the hacking community. Aushev said the MoD is looking for both offensive and defensive cyber actors.
Anonymous wasn’t the only group to get involved in the conflict. On Friday, ransomware groups Conti and CoomingProject released messages supporting the Russian government.
Conti officially announced its full support for the Russian government, writing: “If any organization decides to organize a cyber attack or war activities against Russia, we will use all our possible resources to attack an enemy’s critical infrastructure.”
Many experts interpreted the message as a response to an NBC report published on Thursday, according to which US President Joe Biden had already been presented with several options for devastating cyber attacks on Russia’s infrastructure. The White House vehemently denied this report.
Shortly after the news was released, Conti revised it, toning down the tone and support for the Russian government. The updated statement said Conti would use its “full capacity to retaliate should Western warmongers attempt to attack critical infrastructure in Russia or any Russian-speaking region of the world.”
“We are not affiliated with any government and we condemn the ongoing war. However, because the West is notorious for waging its wars primarily against civilians, we will use our resources to strike back when the well-being and safety of peaceful citizens are at stake from American cyber aggression,” reads the new Conti message.
The announcements came as Ukraine continued to face a spate of Distributed Denial of Service (DDoS) incidents, phishing attacks and malware. According to CERT-UA, phishing messages were sent to military personnel, with the campaign being traced to officers in the Belarusian Defense Ministry. Internet connections across the country remain erratic, with Netblocks reporting outages in several cities.
Experts expressed extreme concern that outside groups could take sides in the conflict and launch attacks on their behalf. Cybersecurity firm Sophos said Conti and Anonymous’ statements “increase the risk for everyone, whether they are involved in this conflict or not.”
“Vigilante attacks in both directions are increasing the fog of war, creating confusion and uncertainty for all,” Sophos said.
Emsisoft threat analyst Brett Callow called the situation “unpredictable and volatile,” but noted that Conti has made bold political claims in the past. “This is probably just bluster, but it would be a mistake to assume that these are just empty threats,” Callow said.
Bugcrowd CTO Casey Ellis said one of his main concerns with recent developments is the relative difficulty of attribution in cyberattacks, as well as the possibility of misattribution or even a deliberate false flag operation escalating the conflict internationally.
Conti’s statement is notable given Russia’s recent crackdown on cybercrime and ransomware, as it suggests they are either operating independently, as the other groups appear to be, or possibly operating with the Kremlin’s blessing, Ellis explained.
Digital Shadows’ Chris Morgan noted that Conti was the second most active ransomware group in 2021 by number of victims. Morgan said Conti was responsible for multiple attacks on critical national infrastructure, including attacks on the healthcare sector in the United States, New Zealand and Ireland.
The Irish government released a report this week saying the Conti ransomware attack that hit it last year could cost more than $100 million to recover from.
“Conti’s activities have also recently been boosted by hiring the developers of the infamous Trickbot Trojan, which has also allowed them to control the development of another malware, the BazarBackdoor, which the group now uses as its primary entry tool. Conti is constantly redefining and evolving their work processes and should be viewed as an imaginative and sophisticated opponent,” Morgan said.
Recorded Future expert Allan Liska told Pentest7 that the threat from ransomware groups that decide to retaliate is real and should be a cause for concern. “Considering the chaos at Conti right now, I have a hard time believing they could organize an office lunch, let alone a targeted retaliation. That being said, we know ransomware groups have more targets than they can hit right now, and we know that when Ryuk decided to retaliate against the US in 2020, it could do so with ease,” Liska said.
“Whether it’s ransomware groups, Anonymous, or Ukraine calling on ‘cyber patriots’ for support, independent cyber activity will be part of any future military action. I’m not saying that’s a good idea, it’s just the reality.”
New and worrying development
Flashpoint senior analyst Andras Toth-Czifra said that the involvement of hacktivists in armed conflicts is not a new development and explained that Anonymous had previously attacked governments. But like Liska, Toth-Czifra said that ransomware groups openly collaborating with the Russian government are a “new and worrying development.”
“So far, Flashpoint analysts have observed no significant patriotic pride in the illegal communities over Russia’s aggression against Ukraine, which is consistent with the reaction of the Russian public in general. The situation differs from the emergence of ‘patriotic hackers’ related to Russia’s war against Georgia in 2008: many Russian-speaking cybercriminals either live in Ukraine themselves or have Ukrainian partners or Ukrainian infrastructure,” Toth-Czifra explained.
“But while the cyber underground has remained largely neutral so far, it’s worth remembering that Ukraine has been collaborating with Western law enforcement agencies against ransomware gangs in recent years, which could affect the ransomware collectives’ calculus. So far, Flashpoint has seen that another prolific ransomware gang (LockBit) has indicated it would remain neutral.”
On Friday, the BBC reported on a Russian hacker group flooding Ukrainian government servers with DDoS attacks every day after hours. A hacker admitted to emailing 20 bomb threats to schools, setting up an official Ukrainian government email address and hacking into Ukrainian officials’ dashboard feeds. The hacker openly boasted about the vigilantism he plans for the future, which includes the use of ransomware.
Do cyber insurance companies pay in cyber war?
Karen Walsh, CEO of Allegro Solutions, said the Conti statement could also create some confusion for companies with cyber insurance policies that provide exemptions for war-related cyber attacks. “Depending on how military legal experts classify Conti and all ransomware attacks perpetrated by cyber threat actors acting ‘on behalf of Russia,’ companies might find that their cyber liability insurance isn’t helping them. In November, the Lloyd’s Market Association issued updates to its cyber liability policies that specifically address the war exclusion,” said Walsh.
“These changes relate specifically to cyber operations carried out as part of a war. As part of risk mitigation, companies should start reviewing their cyber liability insurance exclusions and making sure their insurers stand by their position.” Insurance companies typically do not cover war damage.
Vectra AI, a leading provider of AI-powered threat detection and response for hybrid and multi-cloud enterprises, today responded to the widening Ukraine-Russia conflict. For example, Vectra offers a range of free cybersecurity tools and services for companies that fear they may be targeted as a result of this conflict.
In recent days, cyber attacks have crippled banks’ websites and ATMs, as well as military computer networks. Disinformation campaigns intended to foment panic spread across mobile networks. “The escalation of cyber conflicts will lead to unforeseen consequences,” said Hitesh Sheth, President and CEO of Vectra AI. “No organization, public or private, can be sure that it will remain a mere spectator.”
The company is actively tracking emerging indicators of attacks related to the conflict in Ukraine and Russia, as well as other conflicts around the world.
For immediate support in the current emergency situation, Vectra AI offers the following services free of charge:
- Scanning Azure AD and M365 environments for signs of attack activity.
- Monitoring AWS infrastructure for signs of active attacks, in addition to providing detection and response tools to both the network and AWS account control plane.
- Monitoring network infrastructure in both cloud and on-premises environments for signs of attack, including deploying Vectra sensors specifically designed to detect criminal behavior patterns.
- Support for storing historical metadata to support incident response investigations based on Indicators of Compromise (IOCs) for specific attack variants.
Attacks previously attributed to Russian actors are known to disrupt the Microsoft Enterprise Cloud and gain access to critical information. With the acquisition of Siriux, Vectra AI is able to immediately detect criminal activity in Microsoft Azure Active Directory that could lead to compromise of Exchange Online mailboxes. Vectra AI will also offer a free Siriux scan for institutions and businesses that believe they may be the target of an attack.
“As the conflict escalates and cyber risks increase, Vectra AI wants to be part of the solution,” said Sheth. “We believe that together we can significantly reduce the risks associated with nation-state cyberattacks. By offering our products and services for free during this crisis, we hope we can help more organizations protect themselves.”