Intro: Cyber and physical warfare
On February 24, 2022, Russia launched a so-called “special military operation” in Ukraine. The conflict has become a war of attrition on all fronts.
On the physical front, the Russian army has conducted air strikes, bombings, shellings, and ground operations against cities across the whole territory of Ukraine. Though it was unsuccessful in seizing Ukraine’s two largest cities, Kyiv and Kharkiv, Russia has been able to take territories in Ukraine’s southern and eastern regions under its control, as well as blockade Ukraine’s sea ports. As of August 2022, the Russian army controls roughly 20 percent of Ukraine’s territory.
The kinetic war has also been accompanied by large-scale—albeit mostly unsuccessful—cyberattacks on Ukrainian systems, by both Russian state-affiliated groups and independent groups that declared sympathy with Russia. Hacktivist groups and other threat actors, including the “IT Army of Ukraine,” supported by the Ukrainian government, are conducting cyber operations against Russian targets.
Now, the Russia-Ukraine War is fast approaching the one-year mark. Below is a collection of Flashpoint coverage of Russia’s invasion of Ukraine, from cyber attacks on infrastructure to illicit financing of mercenary groups.
October 2022: Mobilization black market
After Putin’s mobilization order was first announced, Flashpoint observed a growing number of chatter and advertisements on Russian-language illicit communities and social media platforms, offering methods or access to avoid the draft. This includes fake employment certifications, fake illness documentation, manual name removal, and fake education
Russia’s February invasion of Ukraine has led to the emergence of a wide range of pro-Kremlin hacktivist groups. Some of them are enthusiastically supporting the Russian government’s objectives in Ukraine, and they seem to be receiving support from government-linked actors in return. (edited)
September 2022: Conscription, illicit financing
Real-time data from Russian social media platforms and related illicit communities is vital to understanding the domestic public response to Putin’s military mobilization declaration—a significant risk for Russia’s leader that was met with shock and awe.
Russian mercenary groups and private military companies are operating in Ukraine, including the “Russian Imperial Movement” (RIM), “Wagner Group,” and Task Force Rusich. Flashpoint’s intelligence team—which includes support to anti-money laundering (AML), counter-terrorist financing (CTF), and know-your-customer (KYC) compliance programs—has been aware of Task Force Rusich and its illicit funding effort since the beginning of the full-scale invasion of Ukraine. Task Force Rusich is reportedly also affiliated with the Wagner Group, a private, neo-Nazi-affiliated, Russian military mercenary group that has operated since at least 2014, when it assisted the Russian military during the annexation of Crimea.
August 2022: Corruption, Hacktivism, Darknet
Russian authorities arrested Andrey Zayakin, one of the editors of the “Dissernet” investigative project, which had long been a thorn in the side of the Russian political establishment due to its revelations regarding plagiarism committed by various Russian officials. Zayakin was arrested because he made a 1,000-ruble (~US$16) donation to the Anti-Corruption Foundation (FBK), founded by the jailed opposition leader Alexey Navalny.
Some Russian cybercriminal groups have voiced support for Russia in various ways, including its invasion of Ukraine, such as the case with Conti. But this likely and mutually beneficial cooperation between WayAWay—a financially-motivated group—and Killnet—an ideologically motivated group—may be the first of its kind since the invasion began in February, showing us the shape of things to come.
The demise of Hydra predictably resulted in seismic shifts in the Russian-language underground, prompting thousands of vendors and customers who relied on Hydra for their cybercrime operations to congregate on Russian-language forum RuTor.
The increased activity invited competitors to target RuTor, causing it to strike a partnership with the marketplace OMGOMG. This partnership was struck in opposition to WayAWay, which quickly associated itself with Kraken, a planned marketplace that has been advertised as Hydra’s successor. The rivalry between RuTor/OMGOMG and WayAWay/Kraken mirrors the Russia-Ukraine war, with RuTor/OMGOMG viewed as pro-Ukraine and WayAWay/Kraken viewed as pro-Russia—demonstrating how geopolitical concerns have invaded a space formerly viewed as entirely financially motivated.
July 2022: DDoS attack on US Congress, XSS
On July 8, the Russian hacktivist DDoS group “Killnet” claimed responsibility for an attack on the website of US Congress. In a Telegram post boasting of the attack, Killnet wrote “[Congress] has the money to fund weapons across the world, but not enough for its own defenses.”
As Russians leave home in droves, a threat actor operating under the alias “Royal Bank” is advertising alleged immigration services to the US or Canada on Russian-language forum XSS. The service apparently costs $5,000.
June 2022: Killnet and Lithuania
Russian cyber collective Killnet took responsibility for DDoS attacks on the Lithuanian government and private institutions. On its Telegram channel, the group claimed that it would stop the attacks as soon as the Lithuanian government reinstates transit routes with the Russian exclave of Kaliningrad. Killnet made Lithuania its target after the Baltic government closed transit routes to Russia’s Kaliningrad region on June 18.
May 2022: Victory Day, escalation
Even Without a Major Escalation, Cyber Risk Remains a Primary Concern in the Russia-Ukraine War. Here’s Why.
- How might decisions made by Western governments and commercial entities, such as economic sanctions, lead to an escalation in cyberspace and the physical world?
- Which sectors would be targeted and through what types of attacks?
The answers to these questions continue to be of the utmost importance to security teams at organizations across the globe. We laid out several potential escalation scenarios, current to the time of publishing.
All Eyes on Red Square: Why Victory Day on May 9 Could Be a Tipping Point In Russia’s War Against Ukraine
Victory Day, which occurs every year on May 9, was initially intended to commemorate Soviet losses during World War II; this year mark the 77th anniversary. Over the last decade, however, Russian President Vladimir Putin has transformed Victory Day into a nationalistic instrument.
April 2022: Sanctions, cybercrime, and crypto
Russia’s War in Ukraine Has Complicated the Means Through Which Cybercriminals Launder Funds. Here’s How They’re Adapting
Recent sanctions coupled with Russia’s measures to better control the flow of information and activity on the internet, has prompted threat actors to pursue a variety of financial workarounds.
How Russia Is Isolating Its Own Cybercriminals (first published on Dark Reading)
Sanctions imposed by the Biden administration, coupled with Russia’s proposed initiative to cut itself off from the global Internet, is causing cybercriminals to ponder their future.
March 2022: Internet freedoms, KYC, APTs
Russia’s Efforts to Control the Flow of Information at Home Shows the Limits of Censorship in the Digital Age
As its war against Ukraine rages on, Russia is attempting to block, throttle, fine, and/or censor nearly all “Western” social media platforms, as well as other key information sources. These internet blocks and bans affect information going in and out of Russia, which theoretically prevents information about the conflict from reaching its citizens. Millions of Russians, however, especially of a younger generation, continue to access social media and therefore information that is not readily available at home, such as on legacy media like television networks owned or controlled by the government.
Shields Up: Understanding Guidance From the Biden Administration About Possible Russian Cyberattacks
On March 21, the Biden Administration released several statements stressing the importance of cybersecurity, warning the private sector of potential malicious cyber activity from Russia. Biden implored companies to “harden your cyber defenses immediately” and explicitly named CISA’s Shields Up campaign as the best way to do so.
Flashpoint analysts have uncovered 262 cryptocurrency addresses used in advertisements for donations to either Ukrainian or Russian causes related to the war since February 21, 2022. As the Russian invasion of Ukraine draws more need for financial contributions to fund military and humanitarian relief needs, cryptocurrency has become a way for governments to directly source funds and bypass traditional aid processes that delay or restrict the aid they receive.
Understanding Russia’s “Sovereign Internet”: What Happens If Russia Isolates Itself from the Global Internet?
The Russian government ordered state-owned portals to connect to its state-controlled domain name system servers by March 11—and, to switch to Russian hosting providers and localize elements that may not in the future run on the websites. In reaction to sanctions against Russian banks by the US, the EU, and the UK—as well as (as of this publishing, unheeded) calls to the Internet Corporation for Assigned Names and Numbers (ICANN) to disconnect Russian top-level domains—authorities also instructed Russian financial institutions and other companies to replace security certificates that have been or will be withdrawn from them, with Russian certificates.
Below our threat and vulnerability intelligence analysts outline five of the most prolific APT groups, along with two additional high-profile malware groups, with strong ties to Russia.
February 2022: Donbas, social media funding
How Russian and Ukrainian Militias Are Using Social Media and Chat Platforms to Recruit Volunteers in the Donbas and Fund Their Causes
As of this publishing, Russia has amassed 190,000 troops along the Ukrainian border, according to U.S. intelligence, in the Donbas region of Ukraine. Despite varying accounts from the frontlines, and constant posturing in the media from both Russian President Vladimir Putin and U.S. President Biden, the prospect of war remains an imminent possibility and not yet an all-out reality, thankfully.
Get Flashpoint on your side
Flashpoint’s suite of actionable intelligence solutions enables organizations to proactively identify and mitigate cyber and physical risk that could imperil people, places, and assets. To unlock the power of great threat intelligence, get started with a free Flashpoint trial.