Russian hacktivist groups appear to be working with the GRU, Russia’s military intelligence agency, as part of the war in Ukraine, evidence uncovered by researchers at Google-owned security company Mandiant has revealed.
A new report from Mandiant, which was acquired by Google earlier this month, identifies three hacktivist groups – online vigilantes who seek to disrupt organisations for political purposes – that its analysts believe are actively working with the GRU to attack Ukraine’s allies.
The report, the findings of which were first published in the Wall Street Journal, says the current cybercrime situation in Russia is unprecedented. “We have never previously observed such a volume of cyberattacks, variety of threat actors, and coordination of effort within the same several months,” it says.
Is Russia’s GRU working with hacktivist groups?
Mandiant’s researchers have identified four occasions where cyberattacks carried out by the GRU appear to have been co-ordinated with hacktivist activity.
On each occasion, GRU-linked hackers have installed wiper software on the victim’s systems to disrupt networks and steal information. Within 24 hours of each attack, hacktivist groups were seen leaking data stolen in the attacks online.
The report identifies a trio of pro-Russia hacktivist gangs – XakNet Team, Infoccentr and CyberArmyofRussia_Reborn – as being involved in these incidents.
John Hultquist, vice president of intelligence analysis at Mandiant, said the groups “cannot be taken lightly”. He told the WSJ that their links with the GRU “are hard to ignore and they suggest the relationship isn’t incidental”.
Russia’s war in Ukraine and the return of hacktivism
Cybersecurity experts have suspected Russian hackers of working closely with the government since the war in Ukraine began. Several prominent hacking groups have come out in support of Vladimir Putin’s regime, and analysts say such public declarations of allegiance can help gangs curry favour with the Russian police.
Hacktivists have also been coming to Ukraine’s aid. At the start of the war, Ukraine’s Minister of Digital Transformation Mykhailo Fedorov called on anyone with “digital talents” to join what he described as an “IT army”. A Telegram group set up for the initiative quickly gained more than 34,000 members, and this week it was reported that the IT army had stolen personal details of mercenaries recruited to take part in the war by the Wagner Private Military Company, a Russian organisation.
While these actions can help the war effort, the unpredictability of hacktivists means they can inadvertently undermine other cybersecurity operations. Speaking at the CyberUK conference earlier this year, the NSA’s head of cybersecurity, Rob Joyce, said the IT Army were “trying to do the noble thing” but warned that their actions can be problematic for security services.