View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
September 23, 2022updated 19 Apr 2023 11:33pm

Hacktivists working with Russia’s GRU security force in Ukraine war – Google Mandiant

Close links between hacktivists and security forces in Russia have long been suspected by cybersecurity experts.

By Matthew Gooding

Russian hacktivist groups appear to be working with the GRU, Russia’s military intelligence agency, as part of the war in Ukraine, evidence uncovered by researchers at Google-owned security company Mandiant has revealed.

Russian security forces are working closely with hacktivists, a new report suggests (Photo by DZMITRY SCHAKACHYKHIN/Shutterstock)

A new report from Mandiant, which was acquired by Google earlier this month, identifies three hacktivist groups – online vigilantes who seek to disrupt organisations for political purposes – that its analysts believe are actively working with the GRU to attack Ukraine’s allies.

The report, the findings of which were first published in the Wall Street Journal, says the current cybercrime situation in Russia is unprecedented. “We have never previously observed such a volume of cyberattacks, variety of threat actors, and coordination of effort within the same several months,” it says.

Is Russia’s GRU working with hacktivist groups?

Mandiant’s researchers have identified four occasions where cyberattacks carried out by the GRU appear to have been co-ordinated with hacktivist activity.

On each occasion, GRU-linked hackers have installed wiper software on the victim’s systems to disrupt networks and steal information. Within 24 hours of each attack, hacktivist groups were seen leaking data stolen in the attacks online.

The report identifies a trio of pro-Russia hacktivist gangs – XakNat Team, Infoccentr and CyberArmyofRussia_Reborn – as being involved in these incidents.

John Hultquist, vice president of intelligence analysis at Mandiant, said the groups “cannot be taken lightly”. He told the WSJ that their links with the GRU “are hard to ignore and they suggest the relationship isn’t incidental”.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

Russia’s war in Ukraine and the return of hacktivism

Cybersecurity experts have suspected Russian hackers of working closely with the government since the war in Ukraine began. Several prominent hacking groups have come out in support of Vladimir Putin’s regime, and analysts say such public declarations of allegiance can help gangs curry favour with the Russian police.

Hacktivists have also been coming to Ukraine’s aid. At the start of the war, Ukraine’s Minister of Digital Transformation Mykhailo Fedorov called on anyone with “digital talents” to join what he described as an “IT army”. A Telegram group set up for the initiative quickly gained more than 34,000 members, and this week it was reported that the IT army had stolen personal details of mercenaries recruited to take part in the war by the Wagner Private Military Company, a Russian organisation.

While these actions can help the war effort, the unpredictability of hacktivists means they can inadvertently undermine other cybersecurity operations. Speaking at the CyberUK conference earlier this year, the NSA’s head of cybersecurity, Rob Joyce, said the IT Army were “trying to do the noble thing” but warned that their actions can be problematic for security services.

Read more: Russia-linked Killnet claims responsibility for Lithuania attack

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.