Though sometimes they appear to be all bark and no bite, experts say Russian hacktivist groups are in fact having a serious impact on organizations in Ukraine and NATO countries.
Pro-Russian hacktivism has exploded since the beginning of the Ukraine war. Led by the now-infamous KillNet, nationalist hackers have been orchestrating attacks against any government or corporation voicing opposition to Putin’s invasion.
Many of them are empty PR stunts — for example, KillNet’s takedown of the UK royal family’s official website on Sunday — harking back to the days of Anonymous. But experts warn that not only are these groups doing actual harm, they’re also planning bigger and badder things to come.
“Some are nuisance attacks on public-facing websites that just kind of make a statement,” says Michael McPherson, a 24-year FBI veteran, now senior vice president of technical operations at ReliaQuest. “But you see them also target critical infrastructure like hospital systems, which is much more significant, and much more impactful.”
The Landscape of Russian Hacktivist Groups
The distributed denial-of-service (DDoS) attack has played a distinct role in the past decade’s Russia-Ukraine conflict, including in the latest invasion. “DDoS is what kicked the whole thing off, right?” points out Richard Hummel, senior threat intelligence lead at Netscout. “That’s the first thing that hit the media, government, and financial organizations in Ukraine before Russia invaded.”
As the war went on, the buck seemed to pass from known state-sponsored groups to hacktivist outfits. However, McPherson cautions, “the lines are blurring, and attribution is much more challenging than it has been in the past.”
Whoever they are or are affiliated with, these groups will target any organizations or individuals who speak out against the war. For example, “President Biden speaks at the G7 summit — the number one spike in DDoS attacks for that day is against the United States government,” Hummel explains.
Since then, there has been a noticeable evolution in the organization, capabilities, and methods of the groups performing such attacks.
“KillNet comes out and they’re legion-strong,” Hummel says. “And then they start to fracture and splinter into different subcomponents, so you’ve got multiple factions of KillNet supporting different agendas, and different facets of the government. Then you have DDoSia, you have Anonymous Sudan, which we firmly believe is part of KillNet, and you have NoName. So you’ve got all these sort of splinter cells.”
It’s part of the reason for the recent explosion of DDoS activity around the world. In H1 2023 alone, Netscout recorded nearly 7.9 million DDoS attacks — around 44,000 a day, a 31% growth year-over-year.
Russian Hacktivists’ Evolving Tactics
DDoS-focused groups are not only more active today than ever, says Pascal Geenens, director of threat intelligence at Radware, they’re also more sophisticated.
“When the war started back in February 2022, and these new threat actors came to the scene, they were inexperienced. They were not well organized. And now after more than a year-and-a-half of building experience — these people did nothing else, every day, for the last 18 months, you can imagine they became better at what they’re doing,” he says.
Geenens cites NoName, a group Radware covered extensively in its H1 2023 Global Threat Analysis Report, as a good example of a matured hacktivist threat. Where typical DDoS attacks involve simply overloading a target site with garbage traffic, NoName has adopted a different approach.
About a year ago, he explains, the group started employing tools for analyzing Web traffic to targeted websites, “something that sits in the middle of your browser and the website, and records all the variables and all the information that gets passed between. So what they do is: they find the pages that are most impactful for the backend of that website, for example, a feedback form that somebody can fill in, or a page where you have a search box. And they will submit legitimate requests to those forms.”
This more directed approach enables the group to do more with less. “Anonymous Sudan is doing 2-3 million requests per second. That’s not what you’re gonna see from NoName. NoName might come at you with 100,000 to 150,000 requests per second, but they are so narrowed down to those things that impact backend infrastructure that they bring down a lot of sites,” Geenens says.
Whether it’s NoName’s more sophisticated tactics or Anonymous Sudan’s sheer volume of traffic, hacktivist groups are proving themselves able to affect large and important organizations in sometimes meaningful ways.
Hacktivists’ Ambitions Are Growing
“In the beginning of the war, there were a lot of government, hospital, and travel websites, but there was no real impact on the business itself — it was just a website that was down. Now I see them targeting ticketing services for public transport, payment applications, and even third-party APIs that are used by many other applications, and causing more impact,” Geenens says. As just one of many recent examples, last month, a NoName attack against Canada’s Border Services Agency caused significant delays at border checkpoints throughout the country.
Evidence suggests groups like NoName and KillNet will continue to mix empty PR grabs with meaningful attacks, but they may go even further still. Geenens points out how KillNet’s leader, KillMilk, has expressed interest in incorporating wipers into the group’s attacks.
“He even started an idea,” Geenens warns, “where he wanted to create a paramilitary cyber army — a little bit modeled after the Wagner Group, which is a physical army, but he wants to do that for cyber. So building that influence and building a cyber army that will work for the highest bidder and perform destructive cyber attacks.”