Russia Likely Continues to Run Fake Groups, Although Regional Players Also at Work
Hacktivism arguably had its heyday more than a decade ago. Activists used chaotic online attacks to loudly advance their political, social or religious goals, oftentimes with big doses of provocation and self-promotion.
Security experts report that such groups nonetheless continue to operate and complicate life for their targets, whether from a grassroots desire to wreak revenge or as a deniable extension of state policy. Their tactics tend toward distributed denial-of-service attacks, website defacements – the digital equivalent of spray paint graffiti – and stealing and leaking data.
A relative newcomer calling itself Mysterious Team Bangladesh has been blending tactics as it pursues targets in a number of countries – but primarily India, Israel and Australia, says a new report from Singapore-based cybersecurity firm Group-IB.
Over the past year, Group-IB tied the hacktivist group to more than 750 DDoS attacks and 70 website defacements. It says that in 2.6% of known attacks, Mysterious Team Bangladesh also hit SQL databases and stole data. The group claims to date from 2020 although researchers said most of its attacks seem to have occurred since June 2022.
“The group is primarily driven by religious and political motives,” Group-IB’s researchers said. “The gang initiates multi-wave campaigns focused on specific countries rather than individual companies.” Events that drove the group to attack various countries appear to have included a Quran-burning in Sweden, as well as the Arabic word for God being used on clothes displayed at an Australian fashion show.
By no means is Mysterious Team Bangladesh the most well-known active hacktivist group – a distinction that could easily be granted to a raft of interconnected Russian groups that appeared around the time of Moscow’s all-out invasion of Ukraine last year.
As Russia massed more troops on Ukraine’s border in early January 2022, a now-notorious group called KillNet emerged. Originally, it offered a hack-for-hire service, before organizing DDoS attacks against Ukraine, coordinated via Telegram.
Anecdotal evidence suggests these are fronts. KillNet affiliate Anonymous Sudan, for example, claims to be based in the impoverished East African nation, but researchers say its use of expensive proxies for launching DDoS attacks suggests otherwise (see: KillNet DDoS Attacks Further Moscow’s Psychological Agenda).
Life After LulzSec
In the early 2010s, hacking efforts organized under such banners as Anonymous, AntiSec and LulzSec made hacktivism a widely used term. Such groups served as an outlet for members’ rage, desire for retribution or sometimes just teenage kicks. Copious data leaks and unwanted publicity for victims ensued.
By mid-2015, such groups’ prevalence had declined. By the end of the decade, threat intelligence firm Recorded Future described hacktivist groups as being either “small sets of regional actors targeting specific organizations to protest regional events, or nation-state groups operating under the guise of hacktivism” (see: Down and Out in Hacktivist Land).
That bifurcation continues today and complicates any attempt to discuss hacktivists, since not all of them are really hacktivists. As Google Cloud’s Mandiant Intelligence division recently wrote, “Russian government-linked actors have historically employed false hacktivist facades as a means of obscuring their role in targeting Western countries.”
Moscow isn’t unique in coopting hacktivism for geopolitical ends. To pick just one other example: the pro-Iran, self-proclaimed hacktivist group Homeland Justice in fact appears to be run directly by Tehran.
Not all hacktivism today is tied to the war. “Most of the groups originating from Asia-Pacific do not have significant involvement in the ongoing conflict and are more focused on their region,” Group-IB said. “In regional hacktivist scenes, the focus remains predominantly internal.”
Experts have historically ranked hacktivists’ capabilities as well below government-aligned nation-state attackers or sophisticated cybercrime groups. Group-IB said that’s been changing, thanks in part to easy access to more powerful malware, including for building botnets, and automated tools for penetrating networks and dumping databases.
“Modern hacktivists possess a comparable level of sophistication as financially motivated threat actors,” it said. “The impact on the infrastructure of a potential victim directly depends on the security measures in place.”
Another shift has been a surge in funding creativity that includes but goes far beyond just soliciting donations. Self-proclaimed hacktivist groups have been seen “demanding ransoms from their victims, selling stolen data, selling training courses, and even offering hack-for-hire services,” although groups’ impetus often appears to be less about getting funds and more about self-promotion, says a new report from threat intelligence firm Kela.
Hacktivists for Ukraine
Russia’s invasion of Ukraine did appear to trigger a rise in bona fide hacktivism. Many individuals pledged to serve in the crowdsourced IT Army of Ukraine. Such moves led to Western intelligence officials cautioning that however wrong the conflict might be, hack attacks remain illegal and civilians who participate might be classified as enemy combatants by Russia.
Established names – notably Anonymous – also pledged support for Ukraine and organized sites for educating adherents about how to launch DDoS attacks against Russia, coordinated via IRC channels. Likewise, Anonymous spinoff GhostSec, which may only comprise two people, switched from years of targeting “governments and state companies in Canada, Lebanon, South Africa, Saudi Arabia. Brazil, Colombia, Ecuador, Sudan, Iran, and the UAE,” to targeting Russia, Group-IB reported.
GhostSec seems like a typical hacktivist group. In February 2022, it claimed to have hacked the Joint Institute for Nuclear Research, including stealing research and gaining access to control systems running the Nuclotron-based Ion Collider Facility. The group provided no evidence to support that claim. Early this year, GhostSec claimed to have used ransomware to hit operating technology systems in Belarus. These claims appeared to be overblown, Mandiant reported.
This is a repeat story with any hacktivists tied to the war. “In many cases data turned out to be taken from old sources that had been compromised before the conflict, and the information was presented by hacktivists as new and more valuable than it actually was,” Group-IB reported early this year (see: Russia-Ukraine War: Role of Hacktivists Vastly Overestimated).
Who Funds KillNet?
KillNet began as a hack-for-hire service before becoming notorious for coordinating DDoS attacks against Ukraine. Affiliates or spinoffs of the group have included KillMilk, Tesla Botnet, Anonymous Russia and Zarya.
These claimed hacktivist groups act as if they’re independent operators, seeking donations via their Telegram channels. KillNet has also launched Dark School, a $500 course offering training in “DDoS, carding and social engineering” announced in April; a cryptocurrency service and mixer service announced in May; and a DDoS-for-hire service launched in July; Kela reported. Various KillNet groups have also sold access to targets or stolen data, although it’s not clear if they’re legitimate.
Multiple cybersecurity firms have already cast doubt about Anonymous Sudan’s identity. Swedish cybersecurity firm Truesec concluded in February that Anonymous Sudan is most likely a Russian information operation. Trustwave in March found “a very strong possibility that Anonymous Sudan is a subgroup of the pro-Russian threat actor group Killnet.”
So while hacktivism may seem to be stronger than ever in the form of groups such as KillNet, it’s possible such groups either are run directly by Moscow or receive a stipend from a Russian intelligence cutout. The play would be simple: Make Russia look bigger and mightier than it really is, detract from the stalemated war, and we’ll keep funding you.
There’s no hard evidence this is what’s happening. But the likelihood demands treating these so-called hacktivists’ claims with even greater skepticism. Don’t get played by their provocations.