Down, Not Out: Russian Hacktivists Claiming DDoS Disruptions – Source: www.databreachtoday.com

Cyberwarfare / Nation-State Attacks
,
Fraud Management & Cybercrime

Distributed Denial-of-Service Attacks Decline as Russia-Ukraine War Continues

Mathew J. Schwartz (euroinfosec) •
February 28, 2024    

Russia’s war of conquest against Ukraine grinds onward, but the number of self-proclaimed, pro-Kremlin hacktivists appears to be dwindling as the strategy of temporarily disrupting the availability of high-profile websites has failed to sustain enthusiasm.

See Also: User Entity & Behavior Analytics 101: Strategies to Detect Unusual Security Behaviors

Groups such as KillNet have yet to become consistently more dangerous than an online nuisance. Despite the headlines DDoS disruptions generate, attacks launched by KillNet and its peers tend to “generate only shallow impacts lasting short periods of time,” Sandra Joyce, Mandiant’s head of global intelligence, told reporters earlier this month.

While digital volunteers continue to claim responsibility for denial-of-service attacks, website defacements and data leak attacks, typically through social media site Telegram, the number of DDoS claims has gone down over the last months of 2023 and the first weeks of this year.

Cybersecurity firm Kela said claims by five of the most active groups that emerged just before or in the early days of the conflict – KillNet, NoName057(16), Anonymous Russia, Phoenix and People’s Cyber Army – were “significantly lower” during the second half of 2023 and early part of 2024 compared to the first six months of 2023.

Activity has not dwindled to nothing. Last month, NoName057(16), aka NoName, claimed credit for attacking the public-facing websites of multiple Swiss federal agencies, causing the sites to become temporarily unavailable. The Swiss government dismissed the impact of the attacks and said they appeared to have been timed to coincide with Ukrainian President Volodymyr Zelenskyy’s appearance at the annual World Economic Forum meeting in Davos (see: Swiss Government Reports Nuisance-Level DDoS Disruptions).

The problem for hacktivist groups is that their attacks are often easily absorbed. A failure of automated kiosks and electronic gates across Canadian airports last September, perpetrated by KillNet, lasted for about an hour.

Mandiant’s Joyce said the impact of that attack “was not very much.” The strategy behind the attacks is more psychological than kinetic, she said. The intent is to create “some kind of effect that appears to be more than it actually is.”

Attackers use such signaling to “target hearts and minds” of defenders – “to degrade the confidence in governments” – as well as to rally allies of Russian President Vladimir Putin, both at home and abroad, she said.

Are Russian Hacktivists Moscow in Disguise?

One open question is the extent to which self-proclaimed Russian hacktivist groups operate independently of the country’s intelligence services. That includes one of the best-known Russian DDoS groups, KillNet, which Google’s incident response group Mandiant suspects “has ties to Russian government threat actors,” Joyce said.

Another major hacktivist group, the People’s Cyber Army, may be linked to the APT28 hacking team – also tracked as Fancy Bear, Forest Blizzard and Strontium – that Western officials say is run by the Russian military’s Main Intelligence Directorate, known as the GRU.

Why hacktivist groups or the Russian government officials who hold their purse strings might be dialing down their DDoS attacks isn’t clear. Cyberattacks attributable directly to Russian military or intelligence agencies do not appear to have waned. Many of these attacks involve phishing campaigns and spam as part of psychological operations designed to target Ukrainian morale. Google said it has lately seen a surge in phishing and social engineering attacks tied to Russia.

One potential answer is that the Russia is splitting focus. Major elections across the globe are approaching, and cybersecurity watchers expect Moscow to reprise its use of information operations – including phishing attacks, DDoS disruptions and hack-and-leak operations – to try and influence outcomes.

Also, multiple hacktivist groups have publicly pledged allegiance to Hamas and started launching DDoS attacks against targets in Israel or allied countries. “Groups that have been observed claiming attacks include UserSec, Server Killers, Bluenet and Anonymous Sudan,” Kela reported, saying that evidence suggests Anonymous Sudan may have ties to Moscow.

Another group that debuted earlier this month called Ancient Dragon claims to be aligned with Russia as well as “our beloved Muslim brothers.” It promised to launch DDoS attacks against not only Ukraine but also Israel and the U.S., Kela said.