War in Ukraine and Its Impact on Hackers

The Russian invasion of Ukraine started on February 24th, and no one was left indifferent. Cybercriminals are divided into two camps: those who support an independent and free Ukraine with a right to self-determination and those who defend Russia’s so-called security aims. Binary Defense experts have observed people on social media and dark web forums reacting to the incident. 

The invasion was immediately denounced by Raid Forums, an English-speaking hacker forum. BHF forum expressed its position by adding “no war” to the forum’s title. A moderator of XSS, the biggest Russian-speaking dark forum, announced that they would ban any conversation about the war in Ukraine. “We support peace,” added the moderator. Despite attempts to silence pro-war individuals on XSS, forum members continue to discuss the conflict. 

Conflict Has Affected Many Hackers Personally

The cybercrime group behind the Raccoon Stealer (password-stealing software) has halted operations after claiming that one of its developers died in the war.

“Dear Clients, unfortunately, due to the “special operation,” we will have to close our project Raccoon Stealer. The members of our team who are responsible for critical moments in the operation of the product are no longer with us. We are disappointed to close our project; further stable operation of the stealer is physically impossible,” added the group member. 

Some hackers express their position using words like “Everything will be Ukraine” or “Stop War” in their titles or comments. One user asked the community on the popular dark web to help Ukrainian refugees temporarily relocate to one of the CIS (Commonwealth of Independent States) counties. 

“The country received a large number of refugees from Ukraine; the situation there is difficult. Money will go to a third party, not to the Russian Federation or Ukraine! Money will be used to help children only! In our plans to purchase children’s LEGO-type constructors, shampoos, soaps, and household needs specifically for people living in refugee camps, mainly for children and mothers! I ask you to refrain from political and military comments,” pointed out the author.

Anonymous Declared a Cyberwar on Russia

Anonymous, a collective hacking group, has made a public declaration of war. On February 24, the hacking organization @YourAnonOne, linked to Anonymous, claimed that it was targeting Vladimir Putin’s regime.

“The Anonymous collective is officially in cyberwar against the Russian government,” was posted by the hacking group on Twitter. 

After that, the organization has claimed responsibility for several cyber incidents, including Distributed Denial of Service (DDoS) attacks, which have shut down banks, government websites like the Kremlin and Ministry of Defense, as well as the state-run news agencies Russia Today and RT news. Anonymous also claimed to have hacked Russian official television networks, broadcasting pro-Ukraine content like patriotic songs and photographs from the attack. 

The Russian Ministry of Emergencies’ website was hacked. On the home page appeared the hyperlink with the words: “Don’t trust the Russian media – they are lying”, “Full information about the war in Ukraine,” and “Russia’s default is imminent”.

Anonymous and its affiliates also breached many databases of Russian companies, organizations, and state entities, such as:

  • The Ministry of Defense
  • The Ministry of Economic Development
  • Gazprom, a majority state-owned multinational energy corporation
  • Roskomnadzor, the federal executive agency responsible for monitoring, controlling and censoring 
  • Rosneft, Russia’s oil giant
  • Rosatom, Russia’s nuclear energy operator
  • Central Bank of Russia
  • The Ministry of Culture
  • Technotec, oil and gas field services provider to Rosneft and Gazprom Neft 
  • Russian Orthodox Church
  • Aerogas, a company that specializes in the oil and gas industry
  • MashOil, a company that designs, manufactures, and maintains drilling, mining, and fracking equipment
  • Marathon Group, an investment firm owned by oligarch Alexander Vinokurov, who is currently under EU sanctions. Vinokurov is the son-in-law of Lavrov, the Russian Foreign Minister 
  • Thozis Corp., a Russian investment firm owned by Zakhar Smushkin, a Russian oligarch
  • Gazregion, a construction company specializing in gas pipelines and facilities
  • Elektrocentromontazh (ECM), Russia’s leading electricity organization
  • ALET, a Russian customs broker for gasoline and energy

Recently, on May 1, the Anonymous-affiliated organization NB65 breached a massive cache of files from Qiwi, a Russian corporation that provides payment and financial services in Russia and the Commonwealth of Independent States (CIS). Every week, Anonymous and its affiliates release new Russian-based databases and have promised to continue to do so until the war is over. 

From The Other Side

The XakNet Team, the Russian hacking group, was created in an attempt to balance the sides in Anonymous’ cyberwar against Russia. It claimed responsibility for stealing business correspondence from the Ukrainian Foreign Ministry system. The illegally obtained information was leaked to Mash, a Russian news organization, and it has already published part of it. Hundreds of thousands of letters – diplomatic notes, notifications, and claims were provided by hackers.

The XakNet Team teamed up with Killnet, a pro-Russian hacker organization that has claimed to have shut down websites in Ukraine as well as other websites in countries friendly to Ukraine. On April 29, they launched Distributed Denial-of-Service (DDoS) attacks on websites managed by the Romanian government. The gang has previously launched DDoS attacks against websites in the United States, Czech Republic, Estonia, Germany, and Poland, all with the goal of stopping the supply of military weapons and equipment to Ukraine.

Analysts at Binary Defense will continue to monitor forums and other sources for new developments in the topic.