
Multiple anonymous hacktivists and hacker groups have collectively announced this week that they are launching a cyber proxy war and are getting involved in the conflict between Russia and Ukraine.

Experts are concerned as non-government cybercriminal groups are taking sides as Russia invades Ukraine.

On Thursday, a member of Anonymous took to Twitter and announced that they would be launching attacks against the Russian government. The hackers have also defaced local Russian websites, including RT, a popular Russian news outlet.

On Friday, the group also claimed that they would leak login credentials of the Russian Ministry of Defense website.

These actions in cyberspace came just a few hours after Yegor Aushev, CEO of a cybersecurity company in Kyiv, told Reuters that he was asked by Ukrainian Defense Ministry officials to look for help from the hacking community and seek help from both offensive and defensive threat actors.

After the request, calls for volunteers started appearing on various hacker forums as Russia bombed Kyiv. The posts read:

“Ukrainian cybercommunity! It’s time to get involved in the cyber defense of our country.”

Anonymous is not the only group that has confirmed its involvement in the conflict: on Friday, ransomware groups Conti and CoomingProject announced that they will be supporting the Russian government.

Conti ransomware group officially announced that they will side with the Russian government. The official message read:

“If any body will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy.”

Shortly after sending the message, Conti revised its statement, softening its tone and saying it would use its “full capacity to deliver retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world.”

The message further read that they condemn the ongoing conflict and don’t support any government. That said, they further explained that the “West is known to wage its wars primarily by targeting civilians, we will use our resources in order to strike back if the well being and safety of peaceful citizens will be at stake due to American cyber aggression.”

The announcement from the ransomware community came as Ukraine faced DDoS, wiper malware, phishing attacks, and more. Internet connectivity also remains intermittent in the country, as reported by NetBlocks.

Experts are extremely wary of hacker groups picking sides in the Russia-Ukraine conflict and launching attacks. Their concern grew as NATO Secretary-General Jens Stoltenberg said that “these cyberattacks can trigger Article 5 of the NATO charter.” Article 5 is about collective defense, which binds each member to protect the others.

Researchers at Sophos, a cybersecurity firm, said that ransomware groups like Anonymous and Conti taking sides in this conflict will “increase the risk for everyone, whether involved in this conflict or not.”

“Vigilante attacks in either direction increase the fog of war and generate confusion and uncertainty for everyone,” said Sophos.

Brett Callow, an Emsisoft threat analyst, said that the situation is highly volatile considering the statement from Conti. “This is probably just bluster too [but] it would be a mistake to assume the threat is empty. If your company hasn’t already gone Shields Up, now is the time,” said Callow.

Casey Ellis, Bugcrowd CTO, said one of his concerns is that the recent developments, with hacktivist groups taking sides, could lead to intentional “false flag” cyberattacks that could escalate the conflict internationally.

The Anonymous group tweeted a video claiming that “if tensions continue to worsen in Ukraine, then we can take hostage industrial control systems.”

Conti’s statement regarding its stance in the current conflict shows that the group is possibly operating under the Kremlin or is operating independently. Chris Morgan of Digital Shadows noted that, according to the firm's data, Conti was the second most active ransomware group in 2021, with high-profile targets and victims including healthcare institutions in the US, New Zealand, and Ireland.

Morgan says the group should be considered a strong adversary considering its resources and previous attacks.

“Conti’s activities have also recently been bolstered by hiring the developers of the infamous Trickbot trojan, which has also enabled them to control the development of another malware, the BazarBackdoor, which the group now use as their primary initial access tool,” says Morgan.

Allan Liska, Recorded Future expert, told ZDNet that threats from these ransomware groups taking a side in the conflict should be taken seriously, as they pose a real concern. Liska said that Conti is perfectly capable of organizing a focused retaliation. “We know when Ryuk decided to retaliate against the US in 2020 they were easily able to do so,” said Liska.

“More broadly speaking, whether it is ransomware groups, Anonymous, or Ukraine calling on ‘Cyber Patriots’ to assist, independent cyber activity is going to be part of any military action going forward. I am not saying it is a good idea, it is just the reality.” – Liska

Similarly, senior analyst at Flashpoint, Andras Toth-Czifra, said that ransomware and hacktivist groups getting involved in an armed conflict is a bad development, as Anonymous has targeted governments in the past.

Both Liska and Toth-Czifra are of the view that hacktivists openly picking sides with Russia is very concerning. 

Toth-Czifra further explained that Flashpoint has not observed any patriotic remarks in dark web communities about the Russian attack on Ukraine. This is very different from the emergence of “patriotic hackers” in 2008 during Russia’s attack on Georgia.

“But while the cyber underground has largely remained neutral so far, one shouldn’t forget that Ukraine has cooperated with Western law enforcement against ransomware gangs in recent years, which may influence the calculations of ransomware collectives. So far Flashpoint has seen another prolific ransomware gang (LockBit) suggesting that they would remain neutral.”

Other Groups

On Friday, the BBC reported that a Russian hacker group has attacked Ukrainian servers with DDoS attacks and had emailed bomb threats to schools. The hacker group openly boasts about its work and claims to be planning more such actions in the future, including the use of ransomware.

“This is just the beginning… You’ve got to understand that we are being careful and watching what we do at the moment. We could launch ransomware but we haven’t yet,” says the Russian hacker group.

Karen Walsh, CEO of Allegro Solutions, said that Conti’s statement would confuse US companies with cyber insurance plans.

“Notably, these changes mentioned cyber operations carried out in the course of the war. As part of risk mitigation, companies should begin reviewing their cyber liability insurance exclusions and make sure that they question their carriers about their position on this issue,” said Walsh.

Companies have already been warned to bolster their cybersecurity as new restrictions are imposed on Russia. The UK has warned companies to prepare for potential cyber attacks.

Intense and widespread cyber warfare looms as Russia invades Ukraine. The situation got worse with ransomware groups taking sides in the war.