Pro-Russian Hacktivists Possible Ransomware Ambitions
Are hacktivists looking to upgrade capability to match intent in the cyberspace struggle for dominance during the Russia-Ukraine War? Or are they simply looking to shift into financially motivated cyber-crime?
· Pro-Russian hacktivist groups have mostly conducted DDoS and Doxx attacks against Ukraine and NATO nations. It is possible as they grow in notoriety that hacktivist groups shift to cyber-crime, to create wealth for personal use or to fund further hacktivist campaigns.
· As more groups are created as the war continues it is possible that some groups are seeking more lethal attack vectors, including ransomware.
· As we learn more about the Pro-Russian hacktivist groups we see continued communication and engagement between the groups.
· It is possible that Phantom Dev and AID CryptoLocker are run by RHA and DeadNet.
· AID CryptoLocker is either being setup with a botnet as a RaaS operation or it is being prepared for hacktivist attacks — or both.
· The information about the groups in this report suggests an appetite for nationalist hacktivist campaigns and less about financially motivated cyber-crime.
While monitoring Pro-Russian groups for the creation of the CyberTracker I came across the group — DeadNet, a new group who started their Telegram on June 12 and first posted on June 28.
DeadNet has engaged in DDoS attacks against Ukraine, Norway, United States, Denmark, Cyprus, Turkey, and Austria. DeadNet appears to have a close association to ‘From Russia With Love’ or FRwL, another Pro-Russian group.
DeadNet announced on 7 July that ‘RHA — Red Hackers Alliance Russia’:
This is the point where this gets a little messy. I have created a link analysis — which I will explain below.
DeadNet declared that RHA were active in the cyber campaign in support of Russia. The Telegram page of RHA shares a large amount of content from Phantom Dev. RHA do not directly declare that they control the Phantom Dev account, but the fact it has a small subscription (133) and the fact no other Pro-Russian groups have mentioned them suggests they are connected to RHA in some capacity. — There is considerable content overlap for the majority of the 31 Pro-Russian hacktivist groups I track, so seeing only one share (RHA) information on Phantom Dev suggests they are possibly closely connected.
Phantom Dev has a hand-full of posts and limited subscribers. They appear to have created or developed a Botnet and are actively preparing it for use.
The Phantom Bot from the translated post appears to provide a range of options for use.
They do not confirm if this botnet has been used in the wild as of time of writing.
Phantom Dev also posted the following:
AID Cryptolocker has a very small subscriber list (22) and was created on 1 July.
It is advertised as a RaaS system with one administrator which also advertises its ability to “self-propagation over the network” — which is never ideal for a ransomware, as worming capabilities could be difficult to control once they spread which we have seen in the past.
On 7 July 2022, the AID CryptoLocker page posted that the first build of the ransomware was ready. The most recent update on 11 July shows a user panel that appears to created by ‘Dead Remedy, Inc’ — no further information on this.
The relationship of a botnet and ransomware variant suggest that some form of ransomware campaign is being prepared, whilst both the botnet page and ransomware mention the appetite to promote a RaaS, the close relationship to Pro-Russian hacktivists suggest it could be used in campaigns against Ukraine and other western nations.
It is possible that ransomware could be used as a tool for attacks against Ukraine and western nations who have been targeted by Pro-Russian groups as a means to inflict more damage. If the goal is to inflict damage in support of the ‘special military operation’ of Russia then the destruction of networks could be significant. It could also suggest that the lines between hacktivism and cyber-crime are becoming blurred and possibly these groups are shifting to financially motivated attacks.
The nature of hacktivist groups make them difficult to define and truly understand, in particular the ability to be anonymous on services such as Telegram means that confidence is higher to make bold claims. We see this throughout recent months with endless claims of attacks that have simply not happened at all, or been heavily overstated. The information in this report is accurate at time of production.
For updates: https://twitter.com/Cyberknow20