Experts have expressed concern about the influx of non-government cyber groups taking sides in the Russian invasion of Ukraine.
Several ransomware groups and members of the hacktivist collective Anonymous announced this week that they were joining the military conflict between Ukraine and Russia.
On Thursday, members of Anonymous announced on Twitter that they would launch attacks against the Russian government. Hacktivists defaced some local government websites in Russia and temporarily took others offline, including the website of Russian news outlet RT.
The group claimed on Friday that it would leak login credentials for the website of the Russian Defense Ministry.
The action came hours after Yegor Aushev, co-founder of a Kyiv-based cybersecurity company, told Reuters that a senior Ukrainian Defense Ministry official had asked him to publish a call for help within the hacking community. Aushev said the Defense Ministry is looking for both offensive and defensive cyber actors.
Anonymous was not the only group getting involved in the conflict. On Friday, the ransomware groups Conti and CoomingProject published messages saying they support the Russian government.
Conti said it was officially declaring full support for the Russian government, writing that "if anybody decides to conduct cyberattacks or any war activities against Russia, we will take all possible measures. We are going to use our resources to strike back at the critical infrastructure of the enemy."
Many experts interpreted the message as a response to an NBC story published on Thursday reporting that US President Joe Biden had already been presented with several options for a devastating cyberattack on Russian infrastructure. The White House vehemently denied the report.
Soon after releasing the message, Conti revised it, softening the tone and its support for the Russian government. The updated statement said Conti would use its "full potential to retaliate if Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world."
"We are not allies with any government and we condemn the ongoing war. However, since the West is known for waging its wars primarily targeting civilians, we will use our resources to strike back if the safety and security of peaceful civilians is at stake because of US cyberattacks," the new Conti message said.
#Conti #ransomware just changed the phrasing of their statement regarding Russia's support. Claiming that they do not ally with any government and condemn the war.@VK_Intel @malwrhunterteam pic.twitter.com/JaLYPlDjwb
— Yelisey Boguslavskiy (@y_advintel) February 25, 2022
The announcements came as Ukraine was facing DDoS incidents, phishing attacks and malware. CERT-UA said phishing messages were being sent to military personnel and attributed the operation to officers of the Belarusian Defense Ministry. Internet connectivity continued to be intermittent across the country, with NetBlocks reporting outages in several cities.
Experts were extremely wary of outside groups taking sides in the conflict and launching attacks on their behalf. The announcements further alarmed experts after NATO Secretary-General Jens Stoltenberg said on Friday that "cyber attacks could trigger Article 5" of the NATO treaty.
Cybersecurity firm Sophos said Conti and Anonymous's announcements "raise the risk for everyone, whether or not they are involved in this conflict."
"Vigilante strikes in any direction thicken the fog of war and create confusion and uncertainty for all," Sophos said.
Emsisoft threat analyst Brett Callow called the situation "unpredictable and volatile" but noted that Conti has made bold political claims in the past.
"It's probably just bluster as well [but] it would be a mistake to assume the threat is empty. If your company hasn't already gone shields up, now is the time," Callow said.
Bugcrowd CTO Casey Ellis said one of his primary concerns with recent developments is the relative difficulty of attribution in cyberattacks, as well as the growing potential for incorrect attribution, or even a deliberate false-flag operation, to spark an international conflict.
Ellis explained that Conti's statement of position is notable in light of Russia's recent crackdown on cybercrime and ransomware, because it indicates the group is either acting independently of what other groups appear to be doing, or possibly operating with the Kremlin's blessing.
Digital Shadows' Chris Morgan noted that his data shows Conti was the second most active ransomware group by number of victims in 2021. Morgan said Conti was responsible for several attacks against critical national infrastructure, including attacks on the healthcare sector in the United States, New Zealand and Ireland.
The Irish government released a report this week saying it could cost more than $100 million to recover from the Conti ransomware attack last year.
"Conti's activities have also been boosted by the recent hiring of developers of the infamous Trickbot Trojan, which has enabled the group to take control of the development of another malware, BazarBackdoor, which it now uses as its primary initial access tool. Conti constantly redefines and evolves its work processes and should be considered a resourceful and sophisticated adversary," Morgan said.
Recorded Future expert Allan Liska told ZDNet that the threat of ransomware groups deciding to retaliate is real and should be a concern.
"Given what a hot mess Conti is right now, I have trouble believing they could organize an office lunch, let alone a focused vengeance campaign. That being said, we know that ransomware groups have more targets than they can hit right now, and we know that when Ryuk decided to retaliate against the US in 2020 they were easily able to do so," Liska said.
"More broadly, whether it's ransomware groups, Anonymous, or what Ukraine is calling 'cyber patriots', independent cyber activity in aid of one side is going to be part of any military action going forward. I'm not saying I think it's a good idea, it's just reality."
Others, such as Flashpoint senior analyst Andras Toth-Czifra, said hacktivists engaging in an armed conflict is not a novel development, explaining that Anonymous has previously targeted governments.
But like Liska, Toth-Czifra said a ransomware group openly siding with the Russian government would be a "new and worrying development."
"So far, Flashpoint analysts have not noticed significant patriotic pride in illicit communities regarding Russia's aggression against Ukraine, which is in line with the reaction of the Russian public in general. This is a different situation from the emergence of 'patriotic hackers' around Russia's 2008 war against Georgia: many Russian-speaking cybercriminals either live in Ukraine themselves or have Ukrainian allies or infrastructure."
"While the cyber underground has remained largely neutral so far, one should not forget that Ukraine has cooperated with Western law enforcement against ransomware gangs in recent years, which may affect the calculations of ransomware collectives. So far Flashpoint has seen another prolific ransomware gang (LockBit) suggesting they remain neutral."
On Friday, the BBC reported that a Russian vigilante hacker group floods Ukrainian government servers with DDoS attacks every day after work. One hacker admitted to emailing 20 bomb threats to schools, setting up an official Ukrainian government email address, and hacking into the dashboard feeds of Ukrainian officials.
The hackers openly boasted about the vigilante work they plan to do in the future, which they said involves the use of ransomware.
Allegro Solutions CEO Karen Walsh said the Conti announcement could also create confusion for US companies whose cyber insurance policies carve out war-related cyberattacks.
"Based on how military legal experts classify Conti and any ransomware attacks perpetrated by cyber threat actors acting on behalf of Russia, organizations may find that their cyber liability insurance does not help them. In November, the Lloyd's Market Association published updates to its cyber liability policies that specifically addressed war exclusions," Walsh said.
"Specifically, these changes refer to cyber operations conducted during a war. As part of risk mitigation, companies should begin reviewing their cyber liability insurance exclusions, make sure they do their best to address the issue, and question their carrier about the situation."