Pro-Russian hackers remain active amid Ukraine counteroffensive

Pro-Russian hackers are continuing to hit targets in Ukraine amid a counteroffensive aimed at reclaiming territory held by Russian forces in what Ukrainian officials and researchers describe as an intense period of network operations as the conflict heats up.

“The activity is still very high,” said Victor Zhora, a top Ukrainian cybersecurity official told CyberScoop via online chat Thursday.

Zhora, the deputy chairman of the State Service of Special Communications and Information Protection of Ukraine, which is responsible for the defense of Ukrainian government systems, said that pro-Russian hackers are focused on Ukrainian service providers, media and critical infrastructure, as well as collecting data from government networks. Zhora said his team is expecting the pace of pro-Russian operations to pick up.

But it is far from clear that these operations are making a meaningful difference to Russian forces in Ukraine, and some of these operations appear geared toward creating the impression of widespread hacking activity even when they aren’t successful.

On Friday morning, the pro-Russian hacktivist group Killnet claimed to have hit key European financial institutions, including IBAN and SWIFT, which are used to facilitate banking transactions. But there was no indication that they had actually disrupted them.

By midday Friday there was no evidence that any attacks had taken place. The European Central Bank noted that its systems were running normally. A representative for Swift told CyberScoop that it, too, was running without issue. IBAN did not immediately respond to a request for comment.

Separately on Friday, a pro-Russian hacking group claiming to operate out of Ukraine and known as Beregini, posted what appeared to be a document prepared in April by U.S. Defense Department officials describing efforts by the international coalition supporting Ukraine to speed up deliveries of air defense systems.

The document bore the “CUI” classification, denoting that it was “controlled, unclassified information,” and appears to have been prepared for the Ukraine Defense Contact Group, which coordinates international assistance for the defense of Ukraine.

Though CyberScoop could not verify the document’s authenticity, its publication by Beregini is indicative of how hack-and-leak operations — or creating the appearance of them — has become a key tool in the information domain of the conflict.

A Defense Department spokesperson told CyberScoop the agency could not confirm the veracity of the document.

Against this backdrop, state-backed Russian hackers continue to conduct operations in Ukraine. On Wednesday, Microsoft identified what it described as a new hacking unit within Russia’s military intelligence (GRU) that it dubbed “Cadet Blizzard,” which carries out a range of cyber operations, including destructive malware attacks, hack-and-leak operations and intelligence collection.

On Thursday, researchers with the Symantec Threat Hunter Team, detailed attacks carried out by a group it tracks as Shuckworm — also known as Gamaredon – targeting Ukrainian security services, military and government organizations. “The attackers repeatedly attempted to access and steal sensitive information such as reports about the deaths of Ukrainian military service members, enemy engagements and air strikes, arsenal inventories, military training, and more,” Symantec said.

Sean Townsend, a spokesperson for the loose collective of hackers and various hacking groups in Ukraine known as the Ukrainian Cyber Alliance, told CyberScoop this week that since the Russian invasion the GRU has made “noticeable changes in tactics,” including greater coordination and attention given to hacking groups serving as fronts, such as Zarya, Hacknet and Solntsepek.

Groups such as these are either fronts for state activity or conduits through which government-operated hacking campaigns push information to the wider world.

In the run-up to and during the Russian invasion, Ukraine has been the site of prolific cyber operations as a means for intelligence collection, information operations, and, occasionally, in conjunction with kinetic attacks. The recent flurry of activity is just the latest in this busy cyber operations space — made up of hackers working for governments, in support of governments and, at times, on their own.

Over the course of the conflict, these groups have shifted their targeting, Townsend said. Last summer, for instance, many pro-Russian hacking groups sought to intercept the exchange of intelligence between Ukraine and its allies. Over the winter, their operations focused more on targets in Central Europe. Starting this spring, they’ve shifted more toward utilizing front groups.

“They apparently realize that their usual method of communication simply doesn’t work,” Townsend said.

Fifteen months into the current phase of the war, government intelligence agencies and private sector research teams are getting better at distinguishing between the various pro-Russian hackers at work in Ukraine, said Tom Hegel, a senior threat researcher with SentinelLabs. Activity that might have been lumped under a wider umbrella in the early days of the war can be better parsed and analyzed now, he said.

While pro-Russian hacking operations during the early days of the conflict had what Hegel called a “spray and pray” quality to them, today’s operations are more strategic while the pace of activity remains consistent. As operations are increasingly carried out through front groups, high-powered and deeply resourced actors— known as APTs within the cybersecurity industry — may be supporting those efforts.