Pro-Russian hacktivism isn’t real, top Ukrainian cyber official says

SAN FRANCISCO — In the wake of Russia’s invasion of Ukraine, a flurry of pro-Russian “hacktivist” groups have claimed to carry out attacks on Russian enemies in a fit of patriotism.

But that’s largely a fiction, a top Ukrainian cybersecurity official told CyberScoop on Thursday. Most of those groups are fronts for various Russian government agencies, and in other cases, they are coerced by the Russian government into performing attacks or publishing hacked materials obtained by more established Russian government hacking units, said Illia Vitiuk, the head of the Department of Cyber Information Security in the Security Service of Ukraine.

“More than 90% of all cyber attacks targeting Ukraine are either conducted by special services or by state sponsored groups,” Vitiuk. “I do believe that there is no so-called ‘hacktivism’ in Russia at all.”

In the weeks ahead of the Russian invasion of Ukraine in February of 2022, the Kremlin cracked down on Russian cybercriminals, including by arresting several members of the REvil ransomware gang, raising hopes that Moscow was finally reining in the cybercriminal underground. In reality, Vitiuk said, this was a ploy.

“This was an attempt to intimidate them and others to show that you need to work for us,” Vitiuk said. “And now you need to work against Ukraine.”

By May, the prosecution of the REvil suspects had stalled, and an attorney for one of the arrested individuals openly suggested to Russian media that his client should be released to work for Russian security services and that any funds seized from his client should be donated as “humanitarian aid” to people living in the Russian-occupied areas of eastern Ukraine.

Vitiuk said that many of the cybercriminals who participate in this kind of activity are usually “young, but talented people searching for easy money.” Even for the cybercriminal groups that are purely financially motivated, the message from the Russian government is “you attack and we won’t put you into prison,” he said.

Many of the hacking groups that do function as proxies carry out distributed denial-of-service (DDoS) attacks, but these attacks are not particularly effective in the long run. “Most of the activists conduct DDoS and say, ‘Oh, we attacked Ukraine,’ and we don’t even feel it,” Vitiuk said.

Ukrainian entities, both public and private, continue to weather a steady stream of attacks and other malicious cyber activity. Speaking to a crowd assembled at the FBI booth on the RSA conference floor, Vitiuk said that Russian hackers are constantly attacking the Ukrainian energy sector, logistics, defense industry, media outlets, internet providers and telecom companies. “Since the very beginning, even toy stores were under attack,” Vitiuk said.

The more serious attacks — which have included a dozen or more distinct wipers designed to delete and permanently destroy data, according to independent researchers — are the work of various top-level Russian government-backed hacking units, including the Russian military intelligence unit commonly known as Sandworm and Gamaredon, which Vitiuk’s agency has linked to the FSB.

But even these groups will launder hacked and stolen materials through phony hacktivist groups. Sometimes the GRU will carry out an operation and then post about it on a Telegram channel belonging to a hacktivist group in order to create the impression that these groups are effective, Vitiuk said.

Determining the relationship between Russian criminal groups and the state has been an enduring topic of interest for researchers. In the days after the invasion, the Conti ransomware syndicate declared their support for the Russian cause — and promptly saw their internal chat logs leak online. An analysis of the logs by Trellix revealed connections to Russia’s FSB.

While some of the pro-Russian groups are independent from the Russian government, there are multiple groups “whose moderators we suspect are either a front for, or operating in coordination with, the Russian state,” researchers with Mandiant concluded in a September 2022 analysis. In one case, the GRU-sponsored APT28 deployed its tools on the network of a Ukrainian victim “whose data was subsequently leaked on Telegram within 24 hours of wiping activity by APT28,” the researchers wrote.

Vitiuk contrasted the dynamic in the Russian cybercrime ecosystem with what he’s seen in Ukraine, where hackers have come together to launch attacks on Russian targets. In some instances, hackers have approached Ukraine’s security service and provided them with information rather than leak it online, Vitiuk said, declining to provide additional details on those interactions.

“There were some people that were previously involved and even convicted for hacker activity in Ukraine that came to us and said, ‘Now we are fighting with you against Russia, what should we do?’,” Vitiuk said.