
Weaponizing Hacktivists Seems a Logical Progression for Russia

The Ukraine conflict has garnered substantial cyber activity, drawing in not only the state cyber assets of both Russia and Ukraine but also sympathizers, volunteers, and non-state hacktivist actors supporting both sides. While much focus has scrutinized what Moscow could and could not do with respect to conducting brutal cyber offensives during the conflict, Russian hacktivists have coalesced and have been launching campaigns that have caused temporary impacts against their targets. Admittedly, most of these attacks have had limited value; whether via web page defacement or DDoS, victims have been able to recover quickly without suffering longstanding damage. Still, a hacktivist force potentially poses a viable threat depending on the skills and capabilities of the actors involved, and it is one that can be utilized as another tool in a state’s arsenal if organized and deployed effectively. Moscow has two such groups at its disposal that, if harnessed correctly, could be a thorn in the side of pro-Ukraine defenders, forcing them to direct resources to mitigate the threat.

In late June 2022, the large pro-Russian hacktivist collective “Killnet” targeted several Lithuanian public and private entities, as well as targets in Norway, via distributed denial-of-service (DDoS) attacks. The former was in direct response to Lithuania’s decision to block the transit of goods sanctioned by the European Union to the Russian exclave of Kaliningrad, a move Moscow deemed aggressive. Killnet is a fairly recent incarnation, formed in January 2022 and consisting primarily of pro-Russian hackers. The group has since gained notoriety for its support of Moscow since the onset of the Ukrainian conflict. Per a Killnet spokesperson, the group had “demolished” 1,652 adversarial Web resources, and with respect to Lithuania, pledged to continue until Lithuania lifted the blockade. According to Lithuania’s National Cyber Security Center (NKSC), the DDoS attacks temporarily impacted transportation agencies and financial institutions, and notably disrupted access to servers for users of the secure data network.

The DDoS attack came quickly after another pro-Russian hacktivist collective known as “Cyber Spetsnaz” posted a message on Telegram declaring cyberwar against Lithuanian organizations and providing a list of possible targets, many of them critical infrastructure. The purpose of such a target list is to develop a coordinated plan of attack that maximizes the impact of a DDoS campaign by distributing the targets among the various sub-operational units within the larger group. These units consist of an array of individuals with various capabilities and specialties. In April 2022, Cyber Spetsnaz created its first division, called “Zarya,” whose ranks included an array of penetration testers, OSINT specialists, and hackers. Cyber Spetsnaz has since created more divisions under its umbrella. Then in May, the group announced a new campaign called “Panopticon,” an effort to recruit an additional 3,000 volunteer hackers willing to engage in disruptive cyber attacks against European Union and Ukrainian public and private sector targets.

No longer content to just launch disruptive attacks against mostly government targets to register their political discontent, Killnet and Cyber Spetsnaz are becoming more organized in how they are structured and operate. Recently, Killnet and Cyber Spetsnaz announced a more formal affiliation, which suggests that sub-groups and members may collaborate, coordinate, or even conduct joint operations in order to be a force multiplier against targeted organizations. Indeed, one cybersecurity company that has been tracking these hacktivist events observed online discussions between members of both Killnet and Cyber Spetsnaz trying to make plans for a coordinated attack, an acknowledgement that these large groups may be stronger working together than apart.

Also notable is how these groups are looking to diversify their activities, incorporating other tactics in addition to standard web page defacement and DDoS. A new division of Cyber Spetsnaz dubbed “Sparta” has been formed to conduct cyber espionage attacks to steal Internet resources, financial intelligence, and other sensitive data from NATO, its members, and its allies. The theft of sensitive information can be weaponized depending on the type of data and the attackers’ intent in stealing it. Historically, such information has been used to support influence and disinformation campaigns, expose weaknesses in a high-profile target, enable follow-on targeting or other types of offensive activity, or, once a network has been mapped out, identify vulnerabilities to be exploited for more disruptive or destructive attacks. It is too early to ascertain the reasoning behind this particular cyber espionage, but the fact that these activities support a wide range of attacks will undoubtedly encourage additional espionage, increasing the Russian hacktivist threat. Notably, diversifying operations is not just the goal of Cyber Spetsnaz. In an interview, Killnet’s leader stated that the group is in the process of “expanding its arsenal” beyond DDoS.

By pushing the boundaries of their operations, these two groups are improving their knowledge of, and capabilities for, conducting an array of offensive operations. A June 26 posting from Killnet described its attacks against Lithuania as “a testing ground for our new skills.” Traditionally, most hacktivist attacks have been nuisance activities executed to garner attention for the social or political causes behind their campaigns. They have rarely caused any lasting effects, and generally fade out as the actors move on to other, more current causes and targets. But the longer the conflict goes on, the more opportunities Killnet and Cyber Spetsnaz will have to refine what they’re doing, to better effect. What’s more, there is preliminary information suggesting (though not conclusively) that at least some Russian hacktivist groups may be working with, on behalf of, or even under the tutelage of Russian intelligence. Recently, one cybersecurity company’s research intimated that Russian intelligence operatives were involved in a breach in which the stolen information ended up in the hands of another pro-Russian hacktivist group dubbed “XakNet.” The extent of this relationship remains unknown, but it certainly demonstrates how intelligence services can collaborate with non-state nationalist groups to achieve certain objectives.

Clearly, strong ties between Russia’s cyber criminals and its government have long been suspected, even if they have more to do with financial interests than larger strategic ones. Still, it is difficult not to recognize how advantageous it would be for Moscow to leverage this hacktivist asset, especially the longer this or any other geopolitical crisis in which it is involved endures. An organized, capable hacktivist capability instantly provides Moscow a semi-non-state actor that can be readily deployed to conduct offensive attacks under the auspices of patriotic nationalism. It also provides the Kremlin with another organized, albeit “unofficial,” tool that can be used in future hybrid attacks against its adversaries. A more mature and capable hacktivist “cyber irregular” force would require defenders to take the threat seriously and therefore dedicate resources to account for it, in addition to defending against Russia’s more robust and sophisticated state cyber actors.

The current capabilities of Killnet, Cyber Spetsnaz, and XakNet for that matter might not be of that caliber, but that can quickly change. Their activity during this period has imparted invaluable experience in organizing attacks, executing them, and studying how entities defend against and respond to them. Even if they are not capable of delivering substantial attacks now, the more they operate in these climates, the more knowledgeable they become in being able to do so in the future. When the Ukraine conflict concludes, there will be ample time for Russia to identify where it went wrong with respect to its cyber operations. No doubt, having seen how the global community came to help Ukraine with its cyber defense, Moscow may seek to identify those capable hacktivist and criminal groups that it can resource and train for the next geopolitical flashpoint that surfaces. As Russia has demonstrated an ability to apply lessons learned from its previous forays in conducting cyber attacks during periods of geopolitical conflict, Moscow will likely do the same here, and look to bolster these groups into a more formidable presence in service of its country.


Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.