Russian Hackers and the War in Ukraine: Digital Threats and Real-World Consequences 1666935905, 9781666935905

Citation preview

Russian Hackers and the War in Ukraine

Russian Hackers and the War in Ukraine Digital Threats and Real-World Consequences

Julia Sweet

LEXINGTON BOOKS

Lanham • Boulder • New York • London

Published by Lexington Books An imprint of The Rowman & Littlefield Publishing Group, Inc. 4501 Forbes Boulevard, Suite 200, Lanham, Maryland 20706 www​.rowman​.com 86-90 Paul Street, London EC2A 4NE Copyright © 2024 by The Rowman & Littlefield Publishing Group, Inc. All rights reserved. No part of this book may be reproduced in any form or by any electronic or mechanical means, including information storage and retrieval systems, without written permission from the publisher, except by a reviewer who may quote passages in a review. British Library Cataloguing in Publication Information Available Library of Congress Cataloging-in-Publication Data Available Library of Congress Control Number: 2023948747 ISBN 978-1-66693-590-5 (cloth) ISBN 978-1-66693-591-2 (electronic) ∞ ™ The paper used in this publication meets the minimum requirements of American National Standard for Information Sciences—Permanence of Paper for Printed Library Materials, ANSI/NISO Z39.48-1992.

Contents

Foreword vii Acknowledgmentsxvii 1 Hackers’ Attacks on Russia

1

2 Hacker Organizations: Active and Dangerous or Childish and Annoying 51 3 Russian Hackers: Social Media Presence and Brand Building

69

4 Hackers Gather Public Trust and Recognition

125

5 Hackers’ Attacks: Who Is the Main Target—Ukraine, Europe, or the United States?

189

Conclusion219 Index 225 About the Author

229

v

Foreword

Since the beginning of the Russian aggression in Ukraine (February 2022), the world community has become involved in the ongoing cyberwar. Although hackers have become more active on a global scale, the clashes between Russian and Ukrainian “cyber armies” are at their central front line. The research scrutinizes the unique situation where cyber criminals, who usually operate clandestinely, have surfaced and looked for public attention and approval. It is crucial to underline that this book does not cover technical aspects of hacking. Instead, it scrutinizes the public activity of Russian hacker groups, including building their brand, communicating with supporters, their financial situation, and other crucial aspects. The ongoing cyberwar is on the rise, and the range of hacker attacks is widening. This topic is important to study for the future. Although the book focuses on a specific part of the world, it can be transferred onto the global stage. This cyberwar is merely a rehearsal for future cyberwars that our society faces. For that reason, the research begins by clarifying the widely used and crucial term “cyberwar.” In the contemporary world, any military conflict, regardless of its scale and participants, has the possibility of moving to cyberspace, where skillful IT individuals can advance their political stance by crashing adversaries’ digital entities. This has happened because over many decades, technological breakthroughs have transformed every aspect of society, and war, as an undeniable part of human history, has been impacted by innovations, which perpetually have been used not only as tools but as weapons. Communication technologies have developed at a staggering pace and are highly accessible for everyone, not just industry insiders, making cyberspace not only a zone of pleasure but a zone of “war.” vii

viii

Foreword

Since the invention of the Internet, the perception of cyberwar as a security threat has soared, coupled with high concerns for cybersecurity which have come to prevail in the global security discourse. Cyberwars and cybersecurity have become primary priorities for state entities such as the military, law enforcement departments, and intelligence agencies. Weaponization of cyberspace is a matter of fact as digitalization has embraced every private house and governmental facility. Political or commercial cyberespionage, sabotage, and cyberattacks have become ordinary attributes of modern times. Across the globe, people share a common belief that sophisticated cyber operations can be extremely effective in combat. As a result, the term “cyberwar” is widely spread among experts and laypeople. However, to achieve a definitional consensus, its meaning needs to be addressed and clarified for precision in this book. For more than two decades, the topic of cyberwar has discursively appeared in public think tanks. Definitional problems with this term remained acute while scholarly discussion had been underway, with only a few concerned states undertaking attempts to establish relevant institutions to tackle ways to combat cyber aggressions (Liff 2012; Zilincik and Duyvesteyn 2023). In 2011, Lior Tabansky explained the lack of a definition for the novelty of cyberspace and its limited “connectedness with the fundamental concepts of the physical world” (82). Further, in the late 2000s, remarkable cyberattacks on Estonia in 2007, Georgia in 2008, and the Iranian uranium enrichment facility in Natanz invigorated the discussion, accelerating efforts in this regard (Corera 2021; Herzog 2011; Rosenbaum 2012; Shakarian; The 2008 Russian cyber-campaign against Georgia 2011). Referring to aggressive actions within cyberspace, the body of literature contains various descriptive terms such as cyberwar, cyberwarfare, or cyber conflict (Arquilla and Ronfeldt 1993; Carr 2012; Gartzke 2013; Dombrowski and Demchak 2014; Hughes and Colarik 2017; Kaiser 2015; Oakley 2019; Rid 2012; Tabansky 2011). The lack of a singular definition is indicated by Hughes and Colarik (Hughes and Colarik 2017). Their study reveals 56 explicit and 103 implicit meanings of cyberwar circulating within the academic realm (Hughes and Colarik 2017). One of the first attempts to address this new phenomenon was undertaken in 1993. John Arquilla and David Ronfeldt distinguish two categories of war—cyberwar and netwar, underlining that both are about strategic knowledge about adversaries and their defense (Arquilla and Ronfeldt 1993, 27). While cyberwar mainly refers to conflicts between state-owned entities, netwar embraces non-state and state agents. The authors admit an unclear distinction between the categories and as a result, the complexity of upcoming cyber conflagrations: “netwars would be largely non-military, but they could have dimensions that overlap into military war” (Arquilla and Ronfeldt 1993, 28). Even though the existence of

Foreword

ix

the powerful Industroyer malware was not known to John Arquilla and David Ronfeldt in 1993, they emphasize not only the serious defensive but offensive potential of cyberwar, which could be devastating. The authors define a cyberwar as a very powerful innovation which embraces military operations conducted by states in accordance with information-related principles (Arquilla and Ronfeldt 1993, 30). Further, Arquilla revises this definition, stressing that it is “an emergent mode of conflict enabled by and primarily waged with advanced information systems, which are in themselves both tools and targets” (Arquilla 2011). Concentrating on cyber aggression on a state level, Clarke and Knake identify cyberwars as attacks coordinated and conducted by state institutions which attempt “to penetrate another nation’s computers or networks for the purposes of causing damage or disruption” (Clarke and Knake 2011, 6). Another definition, provided by Jeffrey Carr, focuses on a cyberwar’s outcomes, defining it as “the art and science of fighting without fighting; of defeating an opponent without spilling their blood” (Carr 2012, 2). Thomas Rid rejects the term cyberwar, underlining that the term does not have “the essential characteristics to meet the conditions of becoming an act of war; if the use of force in war is violent, instrumental, and political, then there is no cyber offense that meets all three criteria” (Rid 2012, 9). Along with many other researchers, Clarke and Knake consider a cyberwar to be investable and something that has already been launched. Another group of researchers observes cyberwar as a part of traditional military operations. Criticizing this understanding of cyberwarfare as “an enhancement of traditional operations,” Amit Sharma argues that it “is capable of compelling the enemy to do your will by inducing strategic paralysis to achieve desired ends” which can be accomplished with a minimal use of “physical force” (Sharma 2010, 64). Cyberwarfare turns into a strategic doctrine which has to conduct complex cyber operations not only during a ground conflict but in peacetime against potential enemies (Sharma 2010). Cyber security measures refer to protection from cyber aggression and have become invisible and continuous in preparation for war. As a result, the distinction between peacetime and time of war has become vague. In the discussion about cyberwar, the terms “cyberwar” and” cyberwarfare” were sometimes used interchangeably. This study acknowledges a difference between the terms where cyberwar refers to the act of war, and cyberwarfare refers to means such as sabotage, espionage, or distributed denial-of-service (DDoS) attacks. In this research, a cyberwar is a set of continuous cyber actions which are intended to damage adversaries’ digital entities, launched by hacker groups or hacktivists on behalf of a state as direct or indirect assistance for traditional military operations. Indirect assistance implies any politically motivated cyber actions against adversaries’ digital entities.

x

Foreword

Other important terms need to be clarified—“Russian” and “pro-Russian” hackers. In this book, Russian or pro-Russian terms were applied interchangeably to refer to hackers’ political affiliation or the side of the conflict which hackers support rather than their citizenship or nationality. Hacktivism is a relatively new phenomenon but is widely known due to non-traditional ways to make statements which are predominantly political (Choo 2010; Davis 2012; Dahan 2013; Fowler 2016; Illia 2003; Taylor 2001). Various studies have been established to determine the phenomenon of hacktivism, and in some of these studies, hacktivism is considered as a form of digital activism (Coleman 2011; Dahan 2013; George and Leidner 2019; Jordan and Taylor 2004; Karagiannopoulos 2020). In contrast with other forms of digital activity, hacktivism “embodies direct action” to impact a target (George and Leidner 2019), spanning collective protest activities (Coleman 2015; Goode 2015; Jordan and Taylor 2004; Samuel 2004), crashing government websites (Shakarian 2011; Skare 2019), and leaking personal or classified data (Munro 2016). Hacktivists embrace a variety of methods in their arsenal, including sabotage, traffic redirects, DDoS strikes, website defacements, botnet attacks, and social engineering (tricking individuals into disclosing security information). Although there is circulation of extensive studies about hacktivism and hacking groups (Coleman 2015; Gorham 2019; Holt and Bossler 2020; V. Karagiannopoulos 2018), there is not much research on hacking groups who are engaged in actions outside of the law while still managing their publicity in conjunction with their anonymity (Bodó 2014; Gillen 2012). Whereas hacktivists rely on social media mobilization among individuals with little technical savvy, anonymity appears to be, at least, two-dimensional: (1) for hackers and (2) for engaged volunteers (Gillen 2012). It was a gloomy surprise for Anonymous enthusiasts when some of them were detained by the authorities because Anonymous hackers did not attempt to conceal real volunteers’ identities (Olson 2012). Normally, hacktivists operate clandestinely, rigorously maintaining their anonymity in order to avoid legal consequences. To hide their identity and act with impunity, hackers establish secret forums, chats, private groups, and other clandestine entities (T. Holt 2013; Manatova et al. 2022). By now, the list of noteworthy examples of hacktivism is significant. One of the first examples of hacktivism dates back to 1999, when the group named the Electronic Disturbance Theater initiated cyberattacks on the White House, the Pentagon, and other government websites across the globe (Goode 2015). In 2011, hackers from LulzSec, a group affiliated with Anonymous, launched cyber strikes against Fox​.co​m. Ghost Squad conducted powerful DDoS attacks on the Trump Hotel Collection website, which displayed a

Foreword

xi

statement from the hackers for a while. Since the beginning of the war in Ukraine, several Russian groups which launched multiple politically motivated cyber aggressions have to be added to this list of hacktivists. There are various studies about Russian hacking operations against Georgia in 2008, Estonia in 2007, and the Ukrainian infrastructure after the annexation of Crimea. There are also studies from 2022 which scrutinize the relationship between the state and hackers, hackers’ targets, and Russian cybercriminals’ potential for harm. Worth noting is the fact that not all hackers are hacktivists, and not all hacktivists are hackers. This study is an attempt to examine Russian hacktivists at the moment (since the beginning of the war in Ukraine) when they looked for support, recognition, and appreciation from society and even the authorities. Turning into hacktivists, the hackers built their public presence on social media with a certain level of visibility disregarding, to some extent, personal anonymity and secrecy. This empirical study of hacker organizations has mainly relied on detailed scrutiny of case studies, covering the period from February 24, 2022, up to January 1, 2023. The research is based on the data collected from the following hacker organizations: Joker DPR, Beregini, XakNet, From Russia with Love, NoName057(16), KillNet, Anonymous Russia, Zarya, RaHDIt (Russian Angry Hackers did it), and People’s Cyber Army. There is a set of conditions the groups have to meet: (1) a group has to be engaged in hacking activities, (2) the existence of public social media accounts and persistent online presence for at least three months, and (3) pro-Russian political agenda. The analysis presented in this book draws mainly on open sources such as social media entries comprised of texts, videos, images, and chat comments which were collected through daily monitoring of the hacking groups’ activities. The database includes more than 5,000 social media entries from 30 accounts on Telegram, 12 outlets on Twitter, 5 Vkontakte pages, and 2 websites. The research embraces information from federal media (online versions of newspapers such as Russia Today, TASS, Ria News, Vedomosti, Kommersant, Sputnik, RBC), local media outlets (online versions of regional newspapers such as Fontanka, Vest, URA, Sakh Online), TV outlets (such as TV Rain, TV Center), official websites of the Russian and Ukrainian government departments (such as Gosuslugi, Kremlin, Ministry of Defence of Ukraine), social media accounts of financial institutions and officials (such as Sberbank, Banki, the Pskov governor Michael Vedernikov, the former Roscosmos director Dmitry Rogozin), and media sources commenting on cybersecurity (Kaspersky Lab, Tadviser, SecurityMag). In addition, hackers’ interviews with Russian media outlets were found to be useful sources of information. Even though a few groups vigorously looked for publicity and were open to communication, this research does not conduct exclusive

xii

Foreword

interviews with hackers who are members of the scrutinized entities, because it was almost impossible to authenticate interviewees. Focusing on the most active and publicized hacker groups, the study does not claim to be holistic as this study cannot cover every or even a majority of the hacking groups operating within cyberspace. The research acknowledges that many hacking groups remain in the Dark, whereas recognizing that for several hacking organizations, publicity and recognition became a critical adjunct to their brand building. Also, not all aspects of hackers’ activities are fully presented online, especially including key group members, disputes and communications between members, their real names, workplaces, level of education, geographical locations, and other intriguing information. By looking at the war in Ukraine through the lens of online activities, this book undertakes an attempt to shed light on the complexity of the cyberwar and hacktivism phenomenon. The book explores how Russian hackers build and advance their brands and manage their public presence. Given the fact that publicity is something relatively new for the scrutinized hacker entities, the study uses it to examine, as much as possible, hacker groups, their structure, group relationships, background, goals, views, identities, their non-hacking related activities, preparations for attacks, communication with media, and their budget and its sources. In doing so, the research is presented in five chapters. Chapter 1 depicts how the onset of the war in Ukraine in February 2022 complicated Russian media outlets’ online presence both locally and federally (Russia Today, Sputnik, TASS). It also includes a discussion about businesses that encountered multiple cyber challenges which were caused not only by the denial of global corporations to cooperate with Russian entities but also by foreign hacktivists, who launched attacks as revenge for the invasion of Ukraine. Chapter 2 provides the results of the conducted research on every examined hacking organization from its establishment up to the current moment. From different aspects, Chapters 3 and 4 scrutinize how the hacking groups entered and learned about social media marketing and in some cases, advanced their digital online presence up to the creation of a recognizable brand. Doing so, the research worked out a set of brand-building segments based on Kotler’s branding model framework and Aaker’s equity model. Within this framework, the chapters examine hackers’ social media networks and how they maintain credibility for their accounts, hackers’ symbolic culture and political views, cooperation between the hacking groups and their association with the Russian government, communication with followers, and content approach. Chapter 5 explores cyberattacks claimed by Russian hackers against European, Ukrainian, and American digital entities.

Foreword

xiii

REFERENCES Arquilla, J. 2011. “The computer mouse that roared: Cyberwar in the twenty-first century.” The Brown Journal of World Affairs 18 (1): 39–48. https://www​.jstor​.org​ /stable​/pdf​/24590774​.pdf​?refreqid​=excelsior​%3Af​f853​3588​3694​a46e​b906​5077​ 2ee05b9​&ab​_segments=​&origin=​&initiator=​&acceptTC​=1. Arquilla, J., and D. Ronfeldt. 1993. “Cyberwar is coming!” Comparative Strategy 12 (2): 141–165. https://doi​.org​/10​.1080​/01495939308402915. Bodó, Balázs. 2014. “Hacktivism 1-2-3: How privacy enhancing technologies change the face of anonymous hacktivism.” Internet Policy Review 3 (4): 1–13. Accessed January 10, 2023. https://policyreview​.info​/articles​/analysis​/hacktivism​-1​-2​-3​-how​ -privacy​-enhancing​-technologies​-change​-face​-anonymous. Carr, Jeffrey. 2012. Inside cyber warfare: Mapping the cyber underworld. O’Reilly Media. Choo, Kim-Kwang Raymond. 2010. “High tech criminal threats to the national information infrastructure.” Information Security Technical Report 15 (3): 104– 111. Accessed May 20, 2023. https://www​.sciencedirect​.com​/science​/article​/pii​/ S136341270900034X. Clarke, Richard A., and Robert Knake. 2011. Cyber War: The next threat to national security and what to do about It. Ecco. Coleman, Gabriella. 2011. “Hacker politics and publics.” Public Culture 23 (3): 511– 516. Accessed May 20, 2023. https://gabriellacoleman​ .org​ /wp​ -content​ /uploads​ /2012​/08​/Coleman​-hacker​-politics​-publics​.pdf. ———. 2015. Hacker, hoaxer, whistleblower, spy: The many faces of Anonymous. Verso Books. Corera, Gordon. 2021. Iran nuclear attack: Mystery surrounds nuclear sabotage at Natanz. April 12. https://www​.bbc​.com​/news​/world​-middle​-east​-56722181. Dahan, Michael. 2013. “Hacking for the homeland: Patriotic hackers versus hacktivists.” The International Conference on Information Warfare and Security. 51–57. Accessed May 19, 2023. https://www.researchgate.net/publication/290587245_ Hacking_for_the_homeland_Patriotic_hackers_versus_hacktivists. Davis, A. 2012. “Hacktivism.” IT Now 54 (2): 30–31. Accessed May 20, 2023. https://doi​.org​/10​.1093​/itnow​/bws042. Dombrowski, P., and C. C. Demchak. 2014. “Cyber war, cybered conflict, and the maritime domain.” Naval War College Review 67 (2): 70–96. Fowler, Kevvie. 2016. Data breach preparation and response: Breaches are certain, impact is not. Syngress. Accessed May 20, 2023. Gartzke, Erik. 2013. “The myth of cyberwar: Bringing war in cyberspace back down to Earth.” International Security 38 (2): 41–73. https://doi​.org​/10​.1162​/ISEC​_a​_00136. George, Jordana J., and Dorothy E. Leidner. 2019. “From clicktivism to hacktivism: Understanding digital activism.” Information and Organization 29 (3): 1–45. Accessed May 19, 2023. Gillen, Martina. 2012. “Human versus inalienable rights: Is there still a future for online protest in the Anonymous world?” European Journal of Law and Technology 3 (1): 1–19.

xiv

Foreword

Goode, Luke. 2015. “Anonymous and the political ethos of hacktivism.” Popular Communication 13 (1): 74–86. Accessed May 20, 2023. Gorham, Ashley Elizabeth. 2019. Information and democracy: Lessons from the hacktivists. Accessed May 20, 2023. https://repository.upenn.edu/handle/20.500.14332/ 30613. Herzog, S. 2011. “Revisiting the Estonian cyber attacks: Digital threats and multinational responses.” Journal of Strategic Security 4 (2): 49–60. http://www​.jstor​.org​ /stable​/26463926. Holt, T. 2013. “Examining the forces shaping cybercrime markets online.” Social Science Computer Review 31 (2): 165–177. Holt, Thomas J., and Adam M. Bossler. 2020. The Palgrave handbook of international cybercrime and cyberdeviance. Springer International Publishing AG. Hughes, D., and A. Colarik. 2017. “The hierarchy of cyber war definitions.” In Intelligence and security informatics, edited by G. Wang, M. Chau, and H. Chen. Springer. https://doi​.org​/10​.1007​/978​-3​-319​-57463​-9​_2. Illia, L. 2003. “Passage to cyberactivism: How dynamics of activism change.” Journal of Public Affairs 3 (4): 326–337. Accessed May 20, 2023. Jordan, T., and P. Taylor. 2004. Hacktivism and cyberwars: Rebels with a Cause? New York: Routledge. Accessed May 21, 2023. Kaiser, R. 2015. “The birth of cyberwar.” Political Geography 46: 11–20. Karagiannopoulos, V. 2020. “A short history of hacktivism: Its past and present and what can we learn from it.” In Rethinking Cybercrime, edited by T. Owen, and J. Marshall, 63–86. Palgrave Macmillan. Accessed May 20, 2023. https://doi​.org​/10​ .1007​/978​-3​-030​-55841​-3​_4. Karagiannopoulos, Vasileios. 2018. Living with hacktivism: From conflict to symbiosis. Springer. Liff, Adam. 2012. “Cyberwar: A new ‘absolute weapon’? The proliferation of cyberwarfare capabilities and interstate war.” Journal of Strategic Studies 35 (3): 401–428. https://doi​.org​/10​.1080​/01402390​.2012​.663252. Manatova, Dalyapraz, Sagar Samtani, Dewesha Sharma, and L. Jean Camp. 2022. Building and testing a network of social trust in an underground forum: Robust connections and overlapping criminal domains. Accessed May 20, 2023. https:// doi​.org​/10​.1109​/eCrime57793​.2022​.10142120. Munro, Iain. 2016. “Organizational resistance as a vector of deterritorialization: The case of WikiLeaks and secrecy havens.” Organization (SAGE Publications) 23 (4): 567–587. Oakley, Jacob G. Oakley. 2019. Waging cyber war: Technical challenges and operational constraints. Apress. https://doi​.org​/10​.1007​/978​-1​-4842​-4950​-5. Olson, P. 2012. We are anonymous: Inside the hacker world of LulzSec, anonymous, and the global cyber insurgency. New York: Little, Brown and Co. Rid, Thomas. 2012. “Cyber war will not take place.” Journal of Strategic Studies 35 (1): 5–32. https://doi​.org​/10​.1080​/01402390​.2011​.608939. Rosenbaum, R. 2012. Richard Clarke on who was behind the Stuxnet attack. April. Accessed May 21, 2023. https://www​.smithsonianmag​.com​/history​/richard​-clarke​ -on​-who​-was​-behind​-the​-stuxnet​-attack​-160630516/.

Foreword

xv

Samuel, Alexandra Whitney. 2004. Hacktivism and the future of political participation. Harvard University. September. Accessed May 20, 2023. https://www​.alexandrasamuel​.com​/dissertation​/pdfs​/Samuel​-Hacktivism​-entire​.pdf. Shakarian, P. 2011. “The 2008 Russian cyber-campaign against Georgia.” Military Review 1 (1): 63–68. Sharma, A. 2010. “Cyber wars: A paradigm shift from means to ends.” Strategic Analysis 34 (1): 62–73. Skare, E. 2019. “Digital surveillance/militant resistance: Categorizing the ‘Proto-state hacker’.” Television & New Media 20 (7): 670–685. Accessed May 20, 2023. Tabansky, L. 2011. “Basic concepts in cyber warfare.” Military and Strategic Affairs 3 (1): 75–92. https://www​.inss​.org​.il​/wp​-content​/uploads​/sites​/2​/systemfiles/(FILE)1308129610​.pdf​. Taylor, P. 2001. “Hacktivism: In search of lost ethics?” In From Crime and the Internet, edited by David S. Wall, 59–73. Routledge. Accessed May 19, 2023. Zilincik, S., and I. Duyvesteyn. 2023. “Strategic studies and cyber warfare.” Journal of Strategic Studies: 1–22. https://doi​.org​/10​.1080​/01402390​.2023​.2174106.

Acknowledgments

This book could not have been written without the help of many talented people. First, thank you to my publisher, Lexington Books, for taking on this project and providing the professional guidance I needed. Thank you to Jasper Mislak for the continual support throughout. I’d also like to thank Elizabeth Karras for going through this process with me and offering her expertise. I am grateful to my friends and colleagues in Russia who helped me to collect useful data and who would like to remain anonymous due to the current political situation. Last but not least, I would like to thank my husband, Alex, my daughter, Vladiss, Dr. Troy Sterk, and photographer, Nick Frank, for always supporting me and encouraging me in this and in life.

xvii

Chapter 1

Hackers’ Attacks on Russia

Technological breakthroughs have changed every facet of our world, including the ways we conduct war. Along with missiles, tanks, and air jets, digital means have played a significant role, and reliance on them will increase exponentially in contemporary and future conflicts. Since the first day of the invention of the Internet, its militarization was only a matter of time. Nowadays, it is a matter of fact. In 2009, underlining that cyberattacks are essential alongside “boots on the ground,” John Bumgarner, the Chief Technical Officer of the U.S. Cyber Consequences Unit, compares cyberwar with a chess game where “governments, corporations, and citizens are the pawns,” the weakest figurines (Rutherford 2009). In 2012, Leon Panetta, the former Defense Secretary, already underlined the high possibility of a “cyber-Pearl Harbor” attack on state infrastructure that would result in the vast destruction of physical space and even leave people’s lives at risk (Mora 2012). Despite the fact that his concern was addressed to the United States, his warning could be applied to every country across the globe because as modern-day uncertainties reveal, every state has an equal chance to be a target for cyber aggression sooner or later. Targeting critical infrastructure and other sensitive areas, cyberattacks can be very devastating, causing substantial and oftentimes irreparable damages. In 2010, Iranian nuclear enrichment amenities were attacked by the malware “Stuxnet” which was designed to disrupt the work of gas centrifuges until they self-destructed (Lipovsky 2017). On December 23, 2015, the western part of Ukraine went dark, leaving approximately 225,000 people without power, because hackers received remote access to an electric plant system (Temperton 2016). Another attempt to shut down critical Ukrainian energy facilities was undertaken in December 2016, when some areas of the Ukrainian capital Kiev lost power (Cherepanov and Lipovsky 2017). The Ukrainian 1

2

Chapter 1

authorities blamed both attacks on Russian hacker groups. Hackers have presented a serious menace to governmental entities. During the short RussianGeorgian war of 2008, Russians struck down several Georgian governmental websites, banks, and media outlets. According to the report of the non-profit U.S. Cyber Consequences Unit, the Russian individuals who carried out these strikes were civilians, some of whom did not have any computer experience and were recruited via online forums (Meserve 2009). Investigators did not attribute the military or Russian authorities with involvement in these cyberattacks but admitted that if this involvement took place, it was insignificant (Bumgarner 2009). In August 2020, the Norwegian Parliament was knocked down, and attackers gained access to governmental emails, passwords, and usernames belonging to legislators and staffers (Bakken 2020). After an investigation, Ine Eriksen Soreide, the Norwegian Foreign Minister, stated that the Russian Federation was behind this strike and was conducted by the hacker group Fancy Bear, which was linked to GRU, the Russian intelligence service (Bakken 2020; RFERL 2020). In February 2022, Ukrainian digital entities experienced a chain of cyberstrikes. Hence, banks, businesses, government departments, and media outlets have all become common targets for cybercriminals; the number of hackers constantly grows, as well as their skills and appetites. They have formed groups pursuing financial gains or a political agenda. Prior to February 24, 2022, Ukraine survived other serious cyberattacks when the government’s digital network was shut down. In January, along with other websites, the operations of the Ukrainian Ministry of Foreign Affairs, the State Emergency Service, the Ministry of Energy, and the Department of Education were interrupted, whereas in February, hackers terrorized the websites of Ukrainian defense agencies and two banks (Interfax 2022; Lyngaas et  al. 2022). On the defaced websites, the perpetrators placed the following messages: “Ukrainians! All your personal data was uploaded to a public network. All data on the computer is destroyed, it is impossible to restore it. All information about you has become public, be afraid and expect the worst. This is for your past, present, and future. For Volyn, for the OUN1, the UPA2, for Galicia, for Polissia and for historical lands” (Interfax 2022). European countries and the United States immediately offered their assistance to the Ukrainian government in an investigation of the incident and to recover its web resources (Webber 2022). The European Union issued a statement denouncing the cyber aggression toward Ukraine on January 14, 2022 (Council of the EU 2022). Stressing that these actions intended to undercut the stability of Ukraine and disseminate disinformation, the European Union legislators pointed out that cyber strikes threatened the sovereignty of the country and exacerbated an already difficult situation. In addition, the statement included information about forthcoming

Hackers’ Attacks on Russia

3

“direct, technical assistance to Ukraine to remediate this attack” (Council of the EU 2022). Furthermore, in December 2021, the European Union channeled €31 million to the Ukrainian government in order to support not only “military medical units, including field hospitals, engineering, mobility and logistics units,” but also cyber defense (Council of the EU 2021). In the aftermath of these attacks, the United States warned the Russian authorities about its cyber retaliation if Russia continued cyber strikes (The White House 2022). In light of this, at the beginning of February, the U.S. deputy national security advisor, Anne Neuberger, arrived at the European Union, where she had meetings with European and NATO representatives3, and spoke about the Russian cyber threat (Hughes 2022). Hence, after the first wave of cyber aggression in January 2022, the U.S. government and the European Union (EU) diplomats acknowledged the high probability of other cyber aggressions from the Russian Federation and the need for cooperation and preparation for a joined response. They dispatched a tech team and investigators along with money to Ukraine. Remarkably, on the day of the first wave of the cyber strikes, Russian intelligence officers conducted raids in Moscow, Saint-Petersburg, the regions of Moscow, Leningrad, and Lipetsk, and 14 REvil hacker group members were detained (Shustova 2022). Appearing in 2019, REvil, or Sodinokibi, became known for its attacks on global corporations. Russian media dug out two hackers’ names—Roman Myromskyi and Andrey Bessonov, who were arrested in Moscow. The FSB4 claimed its investigators tracked every member, but prior to the FSB operation, the United States shared information about the members of REvil with Russian investigators. As a result, the Russian authorities seized around $1 million and 426 million rubles in cash and cryptocurrencies, and professional equipment such as servers and laptops were confiscated along with twenty luxury cars (Shustova 2022). Furthermore, officials declared that the Russian Federation would extradite only REvil’s members without Russian citizenship, and its members who were Russian citizens would remain under domestic jurisdiction. Worth noting is the fact that in 2021, European intelligence agents identified and detained five REvil members in Poland, South Korea, and Kuwait (Europol 2022). The REvil hackers developed malicious software and conducted highprofile attacks. According to the U.S. investigators, this group hobbled several U.S. and international businesses. In the United States, one of the biggest domestic fuel transporters, Colonial Pipeline, and the U.S. branch of JBS Foods, the JBS USA meat processing firm, were forced to interrupt their normal operational order after REvil’s hacks. As Colonial Pipeline leadership announced, a ransomware attack was waged on May 7, 2021 (Colonial Pipeline 2021). On the next day, this cyber extortion pushed Colonial Pipeline to pay a ransom, which was approximately $4.3 million in Bitcoin currencies

4

Chapter 1

(Sganga and Hymes 2021). Another U.S. company followed its lead. The meat processor, JBS USA, fulfilled the hackers’ condition and transferred $11 million to their accounts for the full restoration of all their systems to return to complete functionality (Bunge 2021). The widely known software vendor Kaseya suffered from a ransomware attack in July 2021. Trying to prevent damage to its customers, the Kaseya administration turned off the company’s servers (CISA 2021). Therefore, the detention of REvil’s members in Russia spelled the end for this hacker entity. Despite the fact that Russia had rarely cooperated in the persecution of cybercriminals, the FSB detained the REvil affiliates in accordance with the United States’ request. This is an especially strange decision on Russia's part, as the country prepared for an intervention. As stated earlier, more than a week before the war, a second wave of cyberattacks resulted in many Ukrainian websites being shut down on February 15, 2022. The coordinated distributed denial-of-service (DDoS) attacks interrupted the activities of two banks (Privatbank5 and Oschadbank) and their mobile applications. Given the type of cyberattack, the impacts were limited and short-lived. Although these financial facilities’ websites did not work for two hours, the digital platform of the Central Bank of Ukraine continued without interruption (Antoniuk 2022). In three days, at a White House briefing, U.S. officials directly pointed to Russia as the mastermind of this cyber aggression. Furthermore, Anne Neuberger elaborated on some evidence acquired by the investigators which connected all the dots: “We have technical information that links the Russian Main Intelligence Directorate or GRU, as a known GRU infrastructure was seen transmitting high volumes of communications to Ukraine-based IP addresses and domains” (The White House 2022). These two waves of cyber offenses came one after the other amid widely circulated news about the growing military presence of the Russian troops near the Russian-Ukrainian borders. The European, U.S., and Ukrainian officials accredited both cyber waves to Kremlin-controlled hackers. However, the Russian authorities denied the allegations. In January 2022, in an interview with CNN, the press secretary of the president, Dmitry Peskov, said that the Russian Federation had nothing to do with this cyber aggression, stressing that Russia opposed all types of cyberextortion (CNN 2022). Later, the Russian Embassy in Washington, DC responded to Anne Neuberger’s statement accusing Russia of the numerous recent cyber strikes on Ukrainian government agencies and banks: “We firmly refuse the accusation and emphasize that Russia has nothing to do with these cyber strikes and, in fact, has never ever carried out and does not conduct malicious actions in cyberspace” (RIA News 2022). In fact, the Russian authorities simply rejected the accusations without providing solid evidence, regardless of the strong language of the Western officials and their warnings of upcoming sanctions against Russia.

Hackers’ Attacks on Russia

5

On February 24, addressing the nation, Russian president Putin declared the beginning of a “special military operation” in Ukraine. This announcement came after a massive evacuation from the rebellious Ukrainian regions; three days later, Russia’s decision to recognize the republics in Donetsk and Lugansk was voiced on February 21, and representatives from Russia and the republics signed mutual treaties. As the Russian Armed Forces entered the Ukrainian territory from different directions, the EU and the United States issued a set of sanctions, aiming to squeeze the financial sector of Russia. On the next day, personal sanctions of the European Union were placed on Vladimir Putin and the Minister of Foreign Affairs, Sergei Lavrov (Council of the EU 2022). With the beginning of the war in Ukraine, cyberspace turned into a combat zone. When politicians were busy unfolding new sanctions on various sectors of Russian society and its business and political circles, Anonymous, one of the most notorious hacker groups, declared war on the Russian government (Anonymous 2022). It pledged to launch digital attacks in retaliation for the Russian aggression in Ukraine. However, Anonymous was not alone and decided to team up with other hackers either working in groups or alone, within the Russian-speaking segment of the Internet from Ukraine, the United States, Georgia, Poland, and other countries. Ghostsec,6 AgainstTheWest (ATW),7 SHDWSec,8 Belarusian Cyber Partisans,9 IT army of Ukraine,10 NB65,11 GNG,12 and other hacking organizations sided with Ukraine and declared their war against the Russian government. Reportedly, some hackers were experienced, whereas others were novices. For instance, a highranking Ukrainian official in cyber security, Victor Zhora, distanced this group from the government, stating: “Volunteers continue their operations, and we believe that some of these operations can be offensive . . . it’s their own initiative, so this activity isn’t coordinated by the government” (Marks 2022). In 2022, many new hacking groups emerged, and like the Russian hackers, many of them created social media accounts to announce their successful hacks. It is pertinent to note that a significant percentage of Russian citizens castigated the “special military operation,” and the Ukrainian government provided them a real chance to help the sovereign nation while remaining anonymous. On February 28, 2022, the Ukrainian State Service of specialcommunications and Information Protection posted an encouraging postinvitation on its Twitter account: “Cyber front is now open! If you possess any information regarding vulnerabilities in Russian cyber defenses (bugs, backdoors, credentials), please report it via the chatbot @stop_russian_war_ bot. Ukrainian cyber experts will use your information to fight against the occupant” (SSSCIP Ukraine 2022). It was not disclosed how many Russian citizens provided information about passwords and other details about cyber

6

Chapter 1

vulnerabilities to Ukraine, but following the post, there were at least two serious cyber strikes where Russian investigators suspected an “inside job.” In March 2022, a data breach occurred on the Yandex delivery service, and in May of the same year, the Russian YouTube copycat Rutube was hacked with devastating consequences. Before the invasion, cyberattacks occurred on a daily basis, but starting from February 24 hackers began to launch diverse types of strikes on an hourly basis, where virtually every digital entity from small rural newspapers and local craft shops to vast federal corporations and governmental departments became a target. Usually, there is a multitude of motives why hackers break into a victim’s network. Although some groups focused on data breach, looking for financial benefits, others conducted cyberattacks in accordance with their political stance, and many hackers merely shaped their skills, launching strikes for fun. In cyberattacks against Russia, a significant number of strikes were motivated by the political agenda which they adhere to and follow, as the Anonymous team stated in its declaration. Their potential targets are easy to calculate. Along with hacktivists, there are many hackers who look to increase their finances. As the results of the Positive Technologies’ inquiry of 2022 showed, professional hackers, who focused on a specific economic sector, carried out only 30% of all attacks on the government’s websites and 10% of strikes against industrial, financial, and energy sectors (Nefedova 2023). Therefore, cyberattacks became a common nightmare for small business owners, anchors, bloggers, politicians, doctors, real estate agents, and many other Russian citizens. Russia’s cyberspace became an unspoken training ground where pure pragmatic concerns can hide behind a political agenda.

ATTACKS ON RUSSIAN MEDIA It has been a common practice during a confrontation to pay close attention to the enemy’s propaganda channels. Cyberattacks on digital resources of news portals, media agencies, blogs, and other media outlets are very predictable and expected; unresponsive and slow websites, which previously worked without problems, can confuse and disorient the population, who check the news on a regular basis. Since the outset of the war in Ukraine, hackers repeatedly launched strikes on federal and local news sources, including rural ones with a small audience. Nonetheless, for Russian media sources, especially federal ones, various sorts of cyberattacks are not uncommon. In 2017, Sputnik Armenia curtailed a severe DDoS attack, while its affiliate, Sputnik Belarus, successfully withstood a strike in November 2021 (Rambler 2017; Sputnik Georgia 2021). The Russia Today company reported

Hackers’ Attacks on Russia

7

numerous hackers’ actions against its digital entities in 2012, 2014, and 2016 (RT 2016). Just like the international news agencies RT and Sputnik, the Kommersant website, which serves a domestic audience, frequently experienced cyber offensives in 2008, 2011, 2012, and 2018 (Meduza 2018). Other domestic media portals also had a history of cyber incidents conducted not only by local hackers but foreign ones too. Since February 24, a cyberwar against Russia started with Anonymous’s declaration, which was interpreted by many hackers and their groups as a signal to join. Worth mentioning is the fact that once a news channel became a victim of hackers, the hackers would return several times to finish their devastating work. Given the rising number of cyber criminals, it was not necessarily the same hacker group or lone cyber “enthusiast” that returned. As a result, among other targets, online Russian media outlets were the third most attacked digital sectors in the Russian Federation (Yoachimik 2022). In October 2022, the head of the Department of Security Problems, Sergei Boyko, emphasized the unparalleled growth of foreign hacker activity and cyber offensives against domestic media resources (Boyko 2022). Given this unprecedented surge, the study focuses selectively on the most popular media outlets in 2021, according to the rating of the company Mediaologia.13 The term media outlet refers to online newspapers (e.g., Kommersant​.​ru), journals (Forbes​.​ru), and agencies (the Russian News Agency, TASS). To highlight the ongoing cyber anarchy within small rural news outlets, the study selected entities in accordance with their status, audience, and geographical location, the last being crucial to show the range of cyber aggression. Furthermore, as the presented conditions were met, the study sorted out entities within both categories which reported, announced, or publicized their cyber issues in accordance with the study’s time frame. Several hours after Putin’s announcement about the “special operation,” the National Computer Incident Coordination Center issued a warning for Russian media resources (NCCC 2022). Underlining that the situation was critical, the Center required Russian informational platforms as well as objects of critical infrastructure across the state to be ready for a high level of cyber offensives on their entities in light of the beginning of the conflict in Ukraine. The FSB department expected cyber strikes from hacktivists, who would be driven by political motivation to inflict reputational damage. Given the political instability, every insignificant disruption of operational systems must be considered by Russian media teams as an attack (NCCC 2022). The warning did not provide instructions that could help digital entities to protect themselves from an attack. Remarkably, by the time this warning aired, many media websites were already fighting against these strikes.

8

Chapter 1

Russia Today and Sputnik Cyberattacks on Russian media outlets began with DDoS attacks on a symbolic victim – Russia Today and later, RT. Established in 2005, it branched out and embraced TV in several languages and numerous social media outlets. Its operation has been fully funded by the Russian budget. Indeed, in 2014, the RT company received $445 million (Tadviser 2022). In 2022, the government channeled 29 billion rubles to RT, the largest amount of money to be sent to any Russian media company (Meduza 2021). The international pressure on RT began in 2017, when the chief executive of Alphabet, Google’s parent company, Eric Schmidt, said that measures against state-sponsored RT, Sputnik, and other media sources were underway (Hern 2017). Its German affiliate (RT DE) was opened in December 2021, but the authorities moved quickly against the so-called Kremlin mouthpiece, taking down the channel from the satellite network in one week. For a few months, RT DE was accessible via the RT mobile app and online (DW 2022). The invasion of Ukraine changed a lot for the RT company. Several hours after the beginning of the war, YouTube blocked the RT channels in the Ukrainian territories as the Ukrainian government requested (Voanews 2022). A similar request made Google remove the RT mobile application, which became inaccessible for downloading in Ukraine, and later, Apple blocked the application in its store (Faulconbridge 2022; Mack 2022). The situation was getting worse every hour: the global social media giants—Meta, YouTube, and Tik-Tok, implemented a ban on RT outlets for the European Union (Darcy 2022). Simultaneously, the Roku company made RT unattainable for its European customers (Darcy 2022). In the United Kingdom, RT’s days were numbered. In a letter to the British TV regulator Ofcom, Nadine Dorries, Culture Secretary, referred to the RT outlet as “demonstrably part of Russia's global disinformation campaign” (Heffer 2022). She argued that Vladimir Putin “must not be allowed to exploit our open and free media to spread poisonous propaganda into British homes” (Wheeler 2022). Consequently, as the armed conflict broke out, RT’s coverage was drastically curtailed, given the significant pressure from political circles. When hackers entered the game, the RT company was caught between a rock and a hard place. Shortly after their declaration of war on the “Russian government,” Anonymous hackers conducted several cyberattacks on prominent cyber entities such as the Ministry of Defense, the Russian government, and the Kremlin. The RT administration confirmed Anonymous’s strikes on RT websites, which started at 5 p.m. local time and continued for at least 6 hours. Five hours after beginning the DDoS attacks, some RT websites were shut down, and a few of them slowed down significantly. Avoiding the disclosure of any

Hackers’ Attacks on Russia

9

details, the RT administration only emphasized that approximately 27% of IP addresses involved in the attacks were in the United States (RT 2022). As many RT visitors mentioned, its pages on some foreign and Russian websites became very slow or did not open whatsoever (RT 2022). Another serious strike was initiated in less than two weeks on RT’s Russian website (RT 2022). Another symbolic and broadly known victim was the Sputnik news company, which along with RT was named a “critical element in Russia’s disinformation and propaganda ecosystem” (U.S. Department of State 2022). In 2017, Sputnik’s network not only included several websites in different languages, including languages from the post-Soviet region, but also a radio broadcasting platform, social media outlets, and an application (Tadviser 2017). In the wake of the invasion, the United States, the European Union, and global tech corporations crashed the Sputnik network, closing down its branches almost simultaneously. Even personal sanctions were imposed on at least one of Sputnik’s anchors, the popular Armen Gasparian. He was sanctioned in March 2022, and was accused of continuous dissemination of “narratives in line with the Kremlin’s propaganda.” Also, he referred to “logical fallacies to explain international affairs, denied Ukrainian sovereignty over Crimea, and defended Russia’s actions in the Kerch Strait when it captured a Ukrainian ship” (Opensanctions 2022). As of February 26, the Sputnik administration noticed hackers’ attention to its network when they tried to shut down its international platform within Poland and The Czech Republic (Sputnik International 2022). In one hour, the Czech Sputnik website went down under pressure from the hackers. During the first wave of DDoS attacks, few branches were attacked, but the second wave, which intensified on March 3, 2022, became a serious impediment. Hackers, supposedly from the Anonymous group, launched longlasting DDoS attacks on thirty of Sputnik’s digital branches at once (Sputnik News 2022). As a result, Sputnik employees could not reach their websites in many Sputnik branches, and in light of this, its public relations department was forced to inform the public about ongoing and successful attacks. Given the technical issues caused by the DDoS blitz, its staffers temporarily aired news on Telegram outlets. Despite hackers’ efforts, corporate IT specialists reinstated Sputnik’s network in several days. However, these hackers returned well prepared and motivated for another attack in August 2022 (Sputnik News 2022). They concurrently unleashed a stream of major attacks on Sputnik and RIA News when both companies’ staffers got back home. The troublesome digital blitz originated from thousands of IP addresses in Thailand, Ukraine, the United States, the United Kingdom, and even Russia. According to a corporate IT representative, the cyber criminals utilized the same pattern of attack as the websites

10

Chapter 1

experienced in February–March 2022, but they acted with a high level of confidence: “They learned the previous lesson and jumped on our resources fully prepared. Their main goal was to knock the entire network of our company offline including its external and internal servers and systems” (Sputnik News 2022). In 24 hours, the IT team eliminated the threat, stabilizing the work of the online entities and allegedly successfully preventing a data leak. However, this incident was not generally attributed to Anonymous hackers supporting Ukraine, therefore the involvement of Anonymous in the cyber strikes on these media companies is highly questionable. Adjusting to the new bellicose reality, Sputnik and RIA News14 reinforced and increased the number of their cyber security professionals, who were on 24-hour duty. Both news outlets became a difficult but attractive target for hackers. TASS, Izvestia, RIA, and Other Media Sources It is essential to mention cyber troubles that occurred with other popular Russian media outlets such as RBC, Lenta, TASS, Kommersant, Izvestia, Fontanka, Forbes, Such Things, Mel, and other news outlets. On February 24, 2022, malicious parties carried out coordinated attacks on their media websites, and as a result, many websites were defaced and further, shut down. The same anti-war message was almost simultaneously aired on various Russian news media channels. For several hours, audiences observed a post placed by hackers, which was an indicator that widely known Russian media entities were compromised. On Kommersant’s and other outlets’ front pages, their audience discovered the following anti-war message: Dear citizens! We are asking you to stop this madness. Do not send your husbands and sons to die there. Putin forces us to lie and puts us in danger. We are isolated from the rest of the world. Nobody wants to purchase our oil and gas. In several years, we will look like North Korea. What do we need it for? To write about Putin in a textbook? This is not our war, let’s stop it! Our message will be deleted. Some of us will be fired or even placed behind bars. But we cannot take it anymore. (Krymr 2022)

Under the post, hackers inserted the Anonymous logo, and moreover, this defacement message was signed by Russian journalists. In light of this, the hacked news resources tried to inform society about experiencing cyber difficulties with their digital entities. Along with Kommersant, Izvestia, and Forbes, the TASS agency did damage control, disseminating the following update: “Our official website was attacked by unknown malicious actors who breached our cyber security. The perpetrators posted information on our website, but it is false information. Our agency has nothing to do with it” (TASS 2022). Similarly, to clarify the controversial

Hackers’ Attacks on Russia

11

situation with the anti-war message, the Kommersant administration admitted that it lost control over the website, which was manipulated by attackers. Given the uploaded anti-war post, Kommersant also warned its audience about the high possibility of an appearance of other similar publications, stressing that the news portal did not do political statements (Kommersant 2022). The cyber offensive against this website was initiated on February 24, 2022, when perpetrators tried to disrupt Kommersant media coverage. Kommersant’s IT security team was not able to regain control of the website for several days, and on February 28, it was still offline. RIA news agency is one of the most popular news organizations in the Russian Federation; in light of this, it was not a surprise when hackers launched a DDoS avalanche trying to undermine its website. The RIA website became slow on February 25, and, eventually, went unresponsive the next day, meaning that the strike lasted several hours (Realnoe Vremya 2022). To placate its audience, RIA news immediately announced ongoing attacks on its digital platform: “RIA News is trying to survive due to a massive DDoS attack in the aftermath of Anonymous’s pledge to wage a cyber war against Russia and in light of the unfolding sanctions” (RIA News 2022). On February 27, the agency restored the website, which worked as usual, and if there were other issues, such as stolen data, they were not announced. Unidentified hackers continued their cyberextortion, and on April 4, 2022, RIA’s customer database was detected on the Internet (Leaks 2022). Some of the around 665,577 records contained information about registered users, their email addresses, logins, associated social media accounts, and other details. Administrators of the Leaks outlet randomly checked several records and found them authentic and workable (Leaks 2022). Some victims of this massive defacement blitz did not disclose details, while other victims were as transparent as they could be. For instance, one of the targets of the defacement operation was the RBC news portal, which was established in 2003 and maintained cooperation with CNN and CNBC (Shakhova 2022). According to the RBC representative, Anna Abramova, the website was flooded with delinquent traffic, with around 2.5 million requests per minute being dispatched; this traffic was generated via a malicious website, where hackers placed a request on particular Russian media entities in several languages. This request asked the news company to stop spreading disinformation within Russian-speaking cyberspace (Yasakova and Stogova 2022). Some RBC visitors reported that this post was visible on the RBC website, sending complaints to its administration. In response, RBC IT professionals turned off several outside servers, trying to minimize the damage (Voropaeva 2022). To monitor the website’s functionality and prevent potential attacks, the RBC team changed its work schedule, heeding the cyber emergency. Despite

12

Chapter 1

undertaken measures, on March 1, the portal was hit successfully by a remote DDoS attack. As the CEO of the RBC group, Nikolay Molibog reassured users that this attack appeared to have impacted only the RBC digital entity, which experienced insignificant difficulties, while its mobile application worked smoothly (RBC 2022). However, in a couple of days, some online users could not reach the portal for several hours: “Today, in the morning, I could not open Rbc​.r​u. Instead, on its front page was the following note: 502 Error. Bad gateway. The website is not responding. Try to open it later or call the RBC administration” (Dzen blog 2022). In examining Russian digital platforms in terms of making an immediate political impact on society, hacktivists could not pass on TV channels. The federal TV channel, TV Center, established in 1996, was rocked by DDoS attacks on February 26, 2022 (TV Center 2022). Its two websites—tvc​.​ru and nastroenie​.t​v, were impacted as customers contacted TV Center’s administration, reporting technical issues on the sites. In less than 2 hours, the channel issued an official statement, blaming unidentified hackers for the attacks, who sent more than 400,000 requests per minute on its websites (TV Center 2022). While news, commercial, and state digital entities suffered from cyberextortions, Anonymous was claiming successful strikes against TV channels such as “the Russian streaming services Wink and Ivi (like Netflix) and live TV channels Russia 24, Channel One, Moscow 24” (Anonymous 2022). In fact, two online TV platforms (Ivi​.​tv and Wink​.​ru) were hacked, and the hackers replaced broadcasting of Russia 24, Moscow 24, and Chanel One with an anti-war video message; it purportedly demonstrated the Russian bombing of the Ukrainian city Kharkov and a screen of one of the hacked outlets with the message: “We are Russian citizens. We are against the war in Ukraine. Russians and the Russian Federation are against the war! Putin’s authoritarian and criminal government started this war on behalf of the Russian citizens. Russians! Stand up against genocide in Ukraine!” (Anonymous 2022). According to the portal SecurityLab​.r​u, this hack did not last long, but authorities and TV channel representatives did not give immediate comments (SecurityLab 2022). Other symbolic cyberattacks on MTS15, Rostelecom, and NTV-Plus satellite stations were conducted on May 9, 2022, when Russian citizens celebrated the national holiday, Victory Day (Maryanenko 2022). Hacktivists changed TV channels and program descriptions, replacing them with their political appeal. As a result, broadcasting was interrupted on these three stations. According to MTS-Siberia representatives, their technical team repaired the station, removing the damage caused by the hack (Maryanenko 2022). By the end of the same day; however, broadcasting had not fully resumed, because customers from Tatarstan were still not able to watch TV.

Hackers’ Attacks on Russia

13

Since the 1990s, Russian society has been celebrating Russia Day every year on June 12. In 2022, this national holiday was almost ruined by hacktivists. Referring to Russian journalist Andrey Shipilov’s Facebook post, Ukrainian media sources spread news about a hacking incident with three Russian TV channels—Channel One, NTV, and Russia—1 on June 12, 2022 (Kravchyk 2022; Mediasat 2022). Supporting his post with multiple screenshots, Shipilov wrote: “Right now, 12:30 p.m., I am recording a TV broadcasting. I do not know what is going on with the federal channels in your region, but here, the TV channels were hacked by kind individuals as the channels are presenting truth” (Shipilov 2022). There was information about the huge human loss of the Russian Armed Forces, widely practiced corruption among high-ranking army officials, acute economic problems, a decline of availability in gas and oil, and other messages, which were qualified as extremist in VGTRK’s statement. A statement was issued several hours later, where the VGTRK16 administration announced ongoing technical difficulties due to the launched cyber aggression toward its digital TV platform “Smotrim” and news portal “Vesti​.​ru” (Smotrim 2022). Nowadays, every region in the Russian Federation manages its own TV station, which in contrast with the federal outlets have lower budgets and seemingly, worse cyber defense systems. Since February 2022, several effective strikes disrupted live broadcasts on the federal channels where cyber security could not protect the outlets. Local TV companies were the easiest target. According to Ukrainian media resources, on August 20, 2022, IT army of Ukraine hacktivists got into Crimean TV and replaced its broadcast with Zelensky’s speech (Kalitventseva 2022; Ponomarenko 2022). In December 2022, the XXII hacking group allegedly hacked the Smart TV service in Ulan-Ude. Its customers were surprised with a video of Alexander Nevzorov, who was forced to escape Russia shortly after the beginning of the war in 2022. However, the Russian outlet named “War with fake information” rejected this hack, stressing that this hacking group could be fake and that its footage demonstrating the cyber strike was poorly concocted (Warwithfakes 2022).

LOCAL SMALL MEDIA’S CYBER DISASTER Unfortunately, hackers targeted not only state-known media entities but also local small news sources. Since February 24, 2022, a new period began where cyber offensives became a common reality. On a daily basis, every region of the Russian Federation had several strikes on local news outlets, which resulted in many digital entities shutting down. Media websites were popular targets among activists, who looked to advance their political agenda,

14

Chapter 1

interrupt the news publishing process, and impact public opinion. So, for hacktivists, even small rural newspapers were worth spending time on. Prior to February 2022, local media outlets did not often experience cyber strikes because hackers’ motives were predominantly driven by financial advantage rather than political agenda. Consequently, the cyber mess of 2022 became a gloomy and unexpected phenomenon for the majority of small Russian news portals. One such event on February 25, 2022, involved the theft of access to an official email address of a small local newspaper, called Kommuna (2022). This rural newspaper has served a small community in the Dedivichevsky region of the Pskov oblast. While its confused staffers tried to figure out how to open their email, perpetrators sent numerous messages about the conflict in Ukraine. Giving up attempts to regain control over the email, Kommuna’s staffers published an announcement about the incident on its social media accounts (Kommuna 2022). In this statement, rejecting the authenticity of the emails, the newspaper’s administration stressed that the “perpetrators dispersed emails with false information about the Russian Armed Forces” under its name (Kommuna 2022). It is believed that pro-Ukrainian hackers involved in the attack were acting on behalf of Ukraine. According to some local sources, hackers successfully breached several official emails belonging to other rural Pskov newspapers, whose names were not revealed to the public (Vedernikov 2022). Apparently, the governor’s office and its departments received dozens if not thousands of hacker messages. Confused local officials began to observe these hacks as a very serious issue and paid close attention to their cyber security and anchors’ digital literacy. Soon, they organized a media conference to discuss cyber threats and the new role of the local media representatives during the unfolding military conflict and the activation of patriotic hackers (Vedernikov 2022). In Novorossiysk, the local news portal named “Our Newspaper” had technical problems on February 26, 2022 (Bloknot 2022). Its administration was denied access to its own website, being blocked by hackers. Instead, they began to publish many new articles under the same title—Putin’s war, where articles underlined human losses, the many defectors in the Russian Army, worldwide support for Zelensky and Ukraine, the ban on Russian sportsmen, and other events. In two days, Our Newspaper’s editor Michael Astrakhanzev admitted the successful hack against the media portal in an interview, offering its audience the opinion to check news on Our Newspaper’s affiliated social media channels on Instagram, Vkontakte, and Telegram (Bloknot 2022). Further, the editor contacted Roskomnadzor to report the ongoing problems, where he was informed about the numerous cyberattacks against local news outlets across the Russian Federation on the same day.

Hackers’ Attacks on Russia

15

In Yekaterinburg, hackers shut down the branch of the same media portal (KubNews 2022). Its staffers admitted the lack of success in their attempts to get the website back under control. As it became known, the server of Our Newspaper was the same one for the Novorossiysk and Yekaterinburg branches. With full access to the main server, hackers unloaded more than fifty articles, which appeared on both portals concurrently (Bloknot 2022). Trying to take back control over the websites, IT specialists turned off this server, and the editor was informed about the extremely weak possibility of returning control any time soon. The hopeless situation with the Our Newspaper network forced its administration to go to the police department. Apparently, police investigators could not find the cybercriminals, but at least the administration could protect its staffers from potential prosecution for disinformation. Apparently, the majority of the attacks carried out during February 2022 were prepared and coordinated, and it seems like malicious agents were monitoring the Yekaterinburg region, shaking up local media websites repeatedly (Bogatyrev 2022). However, hacktivists remained adaptable to the situation. They were able to change their plans when needed to spread a specific political message via a hack. The Yekaterinburg regional media portal “Oblastnaya Gazeta,” which was under the management of the local government, decided to change the appearance of one of its letters in its title, underlining its support for the ongoing war in Ukraine (Sergeev 2022). As a result, its website could not survive a cyberattack, which started on March 3, 2022 (Pervo​.in​fo 2022). As the portal was defaced, for several hours, there was a picture of a crying eye in the Ukrainian flag’s colors with the sign “Stop War” (Pervo​.in​ fo 2022). Digital aggressions carried out in February 2022 were just the beginning of the cyberwar, which showed that cyberattacks would continue and intensify. In May 2022, the Vologda region reported a DDoS avalanche on local media websites. While many digital resources became slow but continued to work, serious damage occurred on two local media portals: Vysota 102 and the Island of Freedom. However, not all hacker strikes were successful. In the Kaluga region, the media team of one of the local news outlets detected unusual online activity on its website (Vest 2022). Hackers caused insignificant complications which did not disrupt the overall operation of the Vest website. Supposedly, in light of the continuous cyberattacks on popular media outlets, the Kaluga media company undertook indispensable measures to prevent or at least reduce damage from malicious cyber activities. More unfortunate hacking activities were detected in Crimea. With the announcement of the Russian invasion of Ukraine, hackers deployed three DDoS attacks on a local media outlet, named Crimea Inform (Interfax 2022). On February 28, its chief,

16

Chapter 1

Maxim Nikolaenko, stated that the media portal was still a near-daily victim of cyber criminals, where attacks were carried out every twelve hours and lasted around two hours; so far, the third strike has not had any impact on the website (Interfax 2022). During 2022, hacktivists, who predominantly launched defacement strikes on a daily basis, infused fear in local and rural small media resources. The frequency of cyber incidents was so high, it was impossible to define the cycle of strikes. Until May 2022, this issue remained exclusively a local problem, and even Russian IT analytical agencies began to include local media sources in their reports since the end of spring 2022. In May and June 2022, more than 200 local media websites were under the close attention of hacktivists in 46 cities in Crimea, Kalyga, Vologda, Lipetsk, Penza, and other regions (Crimea-news 2022). For instance, in May 2022, many Russian regions experienced long-lasting DDoS strikes on their media outlets. Two major news agencies of the Primorsky Krai, GTRK Vladivostok, and OTV-prim, stopped working due to a twelve-hour DDoS attack (Vesti Primorie 2022). According to Roskomnadzor, hackers launched cyber offensives from Ukraine. Later, on May 29, 2022, unknown hackers were able to turn off Sakh​.onlin​e, a media portal of Sakhalin, whose audience was approximately 500,000 people (Sakh Online 2022). A dispatched IT team could not reinstate the portal for several hours. In contrast, in July 2022, pressure from hackers was not as strong as it was in May and June. The Russian company Storm Wall detected that its media resources were slowed down and further, stopped working for several hours by hacktivists from July 20 to July 30, 2022 (Iks Media 2022). Overall, in July 2022, there were more than seventy local news outlets that were attacked, located in fourteen Russian cities such as Pskov, Bryansk, Omsk, Sochi, Chelyabinsk, and others. The intensity of DDoS strikes was lower than the attacks on the government’s websites: more than 18,000 requests per second, and the average duration of a strike was twenty hours (Iks Media 2022). IT specialists warned that hackers’ activities would strengthen in the fall of 2022 and asked the authorities to protect local media websites (Security Media 2022). This forecast came true, as hacker activities were reported in the regions of Krasnodar, Yekaterinburg, Crimea, Kaluga, Tatarstan, and others. With the onset of the “special military operation” in Ukraine, Russian media sources experienced extraordinary cyber hits from malicious agents whose IP addresses were from various countries. Hacking groups targeting media channels across the Russian Federation tried to make a political statement and stop Russian anchors and their audience from supporting the invasion. Several popular media outlets became victims of the huge defacement attack, coordinated apparently by one hacker group, allegedly, Anonymous. The attack lasted several days; every target had serious issues with their

Hackers’ Attacks on Russia

17

websites, and eventually, they lost control over the digital platforms despite the fact that many victims did not provide details or revealed very limited information about ongoing technical difficulties. However, with the appearance of the anti-war post on their websites, the administrations of the hacked media outlets were forced to make public statements, realizing that this post could cause significant reputational damage which would last long after the removal of the hackers’ post. However, these clarifications were made in several hours and even a couple of days after the appearance of the post, making their audience bewildered. Moreover, given the intensity of the defacement attack, it is possible to suggest that some data was lost or ended up in hackers’ hands. However, the media channels kept silent about it. The small rural media outlets also experienced cyber issues which their administrations rarely reported. In general, apart from a few cases, their cyber security and the level of staffers’ digital literacy were weak or nonexistent. Local authorities and concerned media representatives tried to avoid publicity from cyber incidents, and as a result, it is impossible to depict this problem’s full scale. Hacking groups successfully turned off the overwhelming majority of local media websites, because their administrations did not install professional software for cyber security. Thus, the consequences of cyber incidents were more devastating. Their future in light of continuous cyberattacks is not very promising. Given a limited budget, poor cyber security (or its absence), and growing attention from hackers, many local media resources will be forced to look for extra financing from local or federal authorities, reduce their staffers, or even close down their news outlets.

CYBERATTACKS ON THE RUSSIAN GOVERNMENT Even though Russian media resources experienced a large surge of cyberattacks, their number and intensity were not even close to the potential of the powerful hackers who targeted Russian government websites. In May 2022, President Putin pointed out the growing number of cyber strikes on digital state resources (Kremlin 2022). In 2022, the Russian Federation was in fourth place among the most targeted for DDoS strikes on government and business websites according to the StormWall report (CisoClub 2023). In contrast with 2021, the number of cyber aggressions toward the government’s digital platforms increased up to two to three times in 2022. The main reason for this surge was a significant number of hacktivists whose incentives were based on their political agenda, which they used as a guide to pick their next targets. According to Russian IT agencies’ figures, data breach incidents on government entities in 2022 jumped by at least 1.5 times in comparison with the statistics of 2021. Since the onset of the cyberwar in February 2022, there

18

Chapter 1

have been more than twenty databases belonging to the Russian governmental departments circulating on the Internet. Like many other digital resources of the Russian Federation, for the government’s digital entities, the Russian cyber space became a true hell as the quantity of waged cyber aggressions was staggeringly high since the outbreak of the war. Anonymous and online volunteers from various countries entered the battle. Scrutinizing the cyber anarchy, Lotem Finkelstein, head of the threat intelligence department for Check Point Software Technologies, stressed that “for the first time in history anyone can join a war . . . the entire cyber community is involved, where many groups and individuals have taken a side, either Russia or Ukraine” (Pitrelli 2022). Undoubtedly, as Russia became a so-called legitimate target, the number of cyber perpetrators began to increase exponentially. Various websites belonging to the Russian government became the primary, symbolic victims of the hackers. As mentioned previously, Anonymous successfully jumped at several websites on the first day of the war. On February 26, the group reassured netizens of its willingness to wage a cyberwar: “Anonymous has ongoing operations to keep .ru government websites offline, and to push information to the Russian people so they can be free of Putin's state censorship machine. We also have ongoing operations to keep the Ukrainian people online as best we can” (Anonymous 2022). Anonymous not only was eager to deploy attacks on Russia, but it welcomed unaffiliated hackers to carry out actions: “Hackers all around the world: target Russia in the name of #Anonymous and let them know we do not forgive, we do not forget. Anonymous owns fascists, always” (Anonymous 2022). According to government reports and domestic media, as of the second day of the war, Anonymous or another hacking group disrupted operations for at least eight government websites such as Kremlin​ .r​ u, the Russian government (government​.​ru), the Russian Duma (duma​.gov​​.ru), Federation Council (council​ .gov​​ .ru), Ministry of Defense, Roskomnadzor, Portal of public services (gosuslugi​.​ru), and Ministry of Internal Affairs. However, officials denied DDoS attacks on the federal websites. For instance, on February 25, Anonymous claimed a successful breach of the Russian Ministry of Defense’s inner data with the personal information of its employees, which was posted online with public access (Anonymous 2022). The reaction of the Ministry was immediate and expected: its representative rejected the data leak, insisting that its database remained intact and unreachable for Anonymous and other hackers because this information could not be stored on any digital platforms in accordance with Russian laws (Lezhepekova 2022). While General Vladimir Kolokoltzev, Minister of Inner Affairs, kept silent on the damage caused by hackers to police networks across the country, local media was alarmed that the federal police website was compromised on

Hackers’ Attacks on Russia

19

February 25 and eventually, shut down in two days (Inkazan 2022). Along with the major police platform, there were unavailable regional police websites in the following seven regions: Tatarstan, Udmurtia, Nizhny Novgorod, Novosibirsk, Volgograd, Belgorod, and Krasnoyarsk. Obviously, many other digital branches faced serious cyber damage from hackers’ strikes. The Russian media heavily cited the response of Peskov, the Press ­secretary of the president, who said that the Kremlin website was functioning on F ­ ebruary 24 (The Village 2022). But RBC anchors conducted their own investigation, asking residents of other countries to check the website. Soon they received many complaints from visitors of the Kremlin portal who resided in Belorussia, Germany, Georgia, and Kazakhstan, who could not open Kremlin​.​ru (Stogova and Gromova 2022). Some irregularities were detected. For instance, several visitors from Germany, the United Kingdom, and the Czech Republic did not notice problems with the website. Apparently, IT professionals launched cyber security measures, trying to protect and minimize the malicious attack’s impact. On February 26, Peskov, responding to media requests, admitted not only ongoing DDoS attacks on the government’s entities but also pointed out they had disrupted normal operations (Ren.Tv 2022). While the authorities unwillingly discussed cyber offensives on the federal resources, the Ukrainian official, Vadim Denisenko, clarified the situation: “Yesterday, we and “Kiborg-spam of Ukraine” conducted an operation and shut down the Kremlin website. We published . . . the Kremlin’s phone information of its staffers and journalists” (KUN 2022). Nowadays, phones and emails of Kremlin employees can be found on the Internet and on a Telegram channel which was created for user convenience. In Russia, one of the most visited federal digital entities is the Portal of public services, where Russian citizens, businesses, and foreigners can receive a wide range of services, including fine payments, professional certification, business licenses, and so on. In 2020, its daily audience was on average approximately four million online users, and in 2021, more than ninety-four million Russian citizens, or 64% of the population of the Russian Federation, have a verified account on this portal (Alekseevsky 2022; RIA 2021). So, its popularity and massive user base made it a top target for hacktivists, who tried to derail the state service portal starting from February 24, 2022. Their persistent attacks forced the Ministry of Digital Development to warn its users about upcoming technical problems on the Portal. The Ministry of Digital Development is encountering an unprecedented scale of cyberattacks. As of February 26, more than 50 DDoS attacks with a capacity of more than 1 TB were detected, as well as a number of professional targeted attacks on the Portal. Specialists of our Security center successfully rebuffed every cyber attack, underlined the Ministry of Digital Development. (PRIME 2022)

20

Chapter 1

In the Sakhalin and Vologda regions, many people complained about being unable to reach the Portal, while in the Primorsky Krai, residents stressed that the website functioned without interruption (Novosti Volgograda 2022; Sakh Online 2022). Serious concern about the data breach arose from many of its registered users, because prior to this DDoS avalanche, in December 2021, unknown hackers, who used its Penza city branch to penetrate the main website, published the Portal’s critical technical information (Sergeev 2021). However, in 2021 and February 2022, officials assured users that the personal database was protected, and hackers could not reach it (PRIME 2022). However, in October 2022, Ukrainian hackers published more than 27,000 records on Telegram, stolen ostensibly from the Portal (Leaks 2022; Tadtaev 2022). The database contained emails, usernames, phones, and passport numbers, as well as other essential personal information, gathered between December 2015 and January 2021. There were three parts of the Portal’s data that were released separately in the same month. According to Telegram admins, who posted this information, they contacted random individuals whose personal information was found in the leak, and only a few people answered and confirmed their emails or phones (Leaks 2022). When its first piece was leaked on the Internet, the authorities dispatched a team of Rostelecom investigators to scrutinize the data. After checking the records of every leak, the investigators concluded the database did not meet the Portal’s parameters, but the data most likely was stolen from the national postal operator, Russian Post (pochta​.​ru) (Balashova, Plamenev, and Chebakova 2022). Ten million Russian Post customers had their personal data scraped from, exposed, and circulated on the Internet, in particular, on Telegram, since July 2022 (Savkin 2022). The freshest records from this leak were created in June 2022. An investigation was continuing, but the national postal operator confirmed this leak on July 29, 2022 (Russian Postal 2022). Russian Post had reason to believe that the stolen database was related to the Post’s contractor, underlining that customers’ bank records remained secured. Returning to the second month of the cyberwar, the beginning of March 2022 was also turbulent and chaotic in terms of hacker activities, which Russian society became more accustomed to every single day. Hence, the unfolding cyber anarchy became the new normal. The Kremlin, the Ministry of International Affairs, and other federal resources continued their struggle with various cybercriminals, whereas the Ukrainian IT Army tried to shut down the FSB website. As a result, the website was turned off by FSB IT specialists to combat these powerful strikes (IT army of Ukraine 2022; Izvestia 2022).

Hackers’ Attacks on Russia

21

In light of the enormous surge of cyber offensives on Russian digital entities, the Russian authorities undertook measures to break this alarming tendency and apparently, curb reliance on foreign Internet services. Since February 24 and the first DDoS avalanche, the FSB Center for Computer Incidents began to run a base with IP addresses used by malicious actors. There were IP addresses from Belarus, Georgia, Ukraine, Russia, the United States, Latvia, Germany, and other EU states; also, this litany included IP addresses from the FBI and CIA as well as USA Today and the Ukrainian site korrespondent​.n​et (Cyberscoop 2022; ITsec 2022). In March, after a massive defacement attack on Russian courts, the Ministry of Digital Development used this list to filter foreign Internet traffic to protect federal sites (Dulneva 2022). Interestingly, its initial part of the list was published on March 2, and given the fact that its last update was issued in May 2022, apparently IT specialists realized the ineffectiveness of this effort as hackers could hijack domains and continue posting misleading information (NCCC 2022). Together with this list, NCCC specialists worked out several recommendations on how to ward off cyberattacks, which ranged from password control and the enhancement of employees’ digital literacy to the removal of foreign external plugins and usage of a domestic DNS system (NCCC 2022). Yet, on February 28, 2022, government departments received a warning about the usage of foreign software and Anonymous’s activities: “Supposedly, computer attacks are planned to be carried out through foreign software updates. The distribution of updates with malicious attachments can be carried out through developers’ official sites” (Ministry of Education 2022). Further, the document recommended that employees stop updates from U.S. and European developers, delete unnecessary web services and applications, and warn every staffer about the spy activities of Anonymous and other foreign hacking groups, who looked for defectors via social media platforms (Ministry of Education 2022). Despite their efforts, the newly undertaken measures were not enough to prevent or even minimize cyber aggression toward government websites. As the situation deteriorated, on March 6, 2022, Andrey Chernenko, the deputy director of the Ministry of Digital Development, instructed federal and local government branches to relocate their online domain names and servers to a domestic system, leave every foreign web hosting service, remove JavaScript, which was generated by Western corporations, and reinforce password management. The government departments received only five days, up until March 11, to fulfill these instructions (Tichina et al. 2022). Further, the Ministry of Digital Development emphasized: There are no plans to disconnect Russia from the global Internet network . . . We are preparing for different scenarios to make sure that Russian resources will

22

Chapter 1

be available to our citizens. The document outlines a set of basic cyber hygiene instructions that will organize work more effectively, protect our resources from malicious activities, keep services operating, and hold control over domain names. (Tichina et al. 2022)

Nevertheless, this initiative became widely known worldwide, which triggered a discussion and rumors within Russian and foreign media sources (Djess 2022; Giannelis 2022; NYT 2022; Parsons 2022; Shome 2022). Following the Ministry of Digital Development, Russian officials tried to persuade scared citizens that everything was fine, and the Internet would not be turned off. On March 7, 2022, Andrey Lugovoy, the deputy head of the State Duma Committee on Security, stated the war in Ukraine was not a good reason to shut down the Internet for Russia, because the West would not be able to manipulate Russian citizens without the global network, which was a very powerful tool for an informational war (Bylkina 2022). “The Russian segment on the Internet was too huge to block it and any attempts to disconnect the state from the global network would result in global Internet slowdown,” suggested Anton Gorelkin, a State Duma deputy, and Chairman of the Committee of the State Duma on information policy (Litvinov 2022). However, in September 2022, the representative of the FSB coordination Center for computer incidents, Aleksey Novikov, described a different situation, occurring in March 2022. He confessed that starting from February 24, Russia could barely keep control over failing cyber security, and the government was seriously considering disconnecting the state from the global network (Kommersant 2022). Since the beginning of the war in Ukraine, Roscosmos, the State Space Corporation, became a common target for hackers. Its first report about a DDoS attack was sent to Roskomnadzor on February 26, when roscosmos​ .​ru was down for several hours. Then, its press service reported malicious cyber activities launched against the corporation in March, April, June, and August. For Russian society, which observed failed government and media digital resources, a declared successful attack on Roscosmos became another unpleasant surprise. Allegedly, the hacker team NB65 received access to the Corporation’s Control Center and control over satellites. On Twitter, its post consisted of an image of the so-called satellite “vehicle monitoring system” and the following text: The Russian Space Agency sure does love their satellite imaging. Better yet they sure do love their Vehicle Monitoring System. The WSO2 was deleted, credentials were rotated, and the server is shut down. Network Battalion isn’t going to give you the IP, that would be too easy, now wouldn’t it? Have a nice Monday fixing your spying tech. Glory to Ukraine. We won’t stop until you stop dropping bombs, killing civilians, and trying to invade. (NB65 2022)

Hackers’ Attacks on Russia

23

Responding to this claim, Dmitry Rogozin, head of Roscosmos, admitted the cyberattacks against the corporation had been ongoing for several days, stressing that Roscosmos’s defense mechanism nullified every malignant attempt (Vesti 2022). According to Rogozin’s social media accounts, he checked Anonymous’s reposts about the hack. “The information of these scammers and petty swindlers is not true. All our space activity control centers are operating normally,” added Rogozin in English on his Twitter account (Rogozin, It is fake! 2022). For the Russian-speaking audience, Roscosmos’s official elaborated on NB65’s claims, explaining that the hackers mentioned the IP address belonged to a city transportation department which was never part of a control system for satellites in Roscosmos (Rogozin 2022). According to Roscosmos, coordinated DDoS attacks on the corporation were conducted from Ukraine along with a few other countries, but their level waned significantly with military strikes launched by the Russian Armed Forces on March 2, 2022, which targeted strategic Ukrainian devices (Moscow 24 2022). Another DDoS attack was initiated on June 29, 2022, just before the resignation of Dmitry Rogozin. As a result, the Roscosmos site was shut down for several hours (Fontanka 2022). According to Russian media and Roscosmos, the attack was retaliation for the publication of images of several NATO centers, located in various member-states (Nyrieva 2022). The corporation’s resource-P space satellite made these images. On the same day, it became known that the DDoS attack was not an action of Ukrainian hackers, instead, it originated in Yekaterinburg, Russia. As one of the Russian IT experts suggested, it could be a lone-wolf hacker with several computers who did not intend to cause significant damage to roscosmos​.​ru (Moscow 24, 2022). In August 2022, Roscosmos along with two other state corporations, Rosatom (rosatom​.​ru) and Rostec (rostec​.​ru), became targets for the hackers, who tried to penetrate the corporation via twenty video-conference services— Videomost, iMind, TrueConf, and Webinar​.r​u, which they used for inner communication. Trying to destroy these services, a massive DDoS blitz with 180,000 requests per second started on August 12 and lasted around 30 hours (Bilyk 2022). As of August 29, the DDoS blitz continued; however, the corporations insisted on the lack of serious damage or data leaks, stressing only minor disruptions of their inner communication (Bilyk 2022). While the NB65 hackers, who were supposedly affiliated with Anonymous, focused on Roscosmos, Anonymous prepared another notable hack. On March 3, 2022, Anonymous hackers impressed Twitter users with a successful action on the Russian federal agency, Roskomnadzor. This agency, established in 2008, is the main censorship organ which monitors mass media and online media content. Allegedly, a malicious entrance was made via its Bashkiria branch, where hackers stole more than 360,000 files or more than

24

Chapter 1

800 GB, some of which were very recent, issued in March 2022 (Varlamov 2022). Roskomnadzor representatives did not comment on this hack, simply ignoring the circulating news and its documents on the Internet. However, at least two investigations based on documents from this leak were published. They contained screenshots of actual documents and revealed many interesting details about Roskomnadzor’s recent activity inside the country (Dmitriev 2022; Marmeladova 2022). Keeping consistent with the declared discourse for cutting IT dependency from the West, in May 2022, a new order prevented government facilities from using cyber defense systems produced in unfriendly states starting from January 1, 2025 (Kremlin 2022). In March 2022, a government network of cyber centers was created to protect and monitor cyber incidents in particular areas. The order from May 1 encouraged the government departments and organizations to speed up their creation, stressing that local officials oftentimes disregarded this crucial initiative (Kremlin 2022). In a month, 99% of eighty-five Russian federal subjects17 had a functioning cyber defense unit, and in 85% of the government departments, these new units began to fulfill their main goals (Kapranov 2022). Ongoing cyberattacks on various domestic websites could not continue without explanation or clarification about the reasons for the strikes, undertaken measures, actual damage, and so on. The official narrative was shaped by the statement issued by the Ministry of International Affairs on March 29, 2022. Trying to draw international attention to the cyber anarchy, Russia blamed the Ukrainian authorities for the creation of a cyber army formed by foreign and domestic hackers, who waged a war against digital Russian resources (Ministry of International Affairs 2022). As the statement highlighted, domestic digital platforms experienced hundreds of thousands of cyber strikes per day, which was an indication of heavy involvement from NATO: These attacks and their close coordination clearly indicate that the cyberwar waged against Russia by Ukrainian special ICT operations centers trained by the U.S. and other NATO experts is being reinforced with anonymous hackers and trolls acting on orders from the Kiev regime’s Western mentors. In fact, this cyberwar is being waged by an army of cyber mercenaries who have been given concrete combat tasks that often border on terrorism. (Ministry of International Affairs 2022)

Later, in the Security Council meeting, Putin repeated the main propositions of the Ministry’s statement from March 29 about the staggering number of cyber strikes, the unfolding cyberwar against Russia, and coordinated cyber offensives:

Hackers’ Attacks on Russia

25

The number of cyberattacks, including high-level ones, has jumped up several times .  .  . Attacks have been carried out from foreign states, and at the same time, the attacks are clearly coordinated. In fact, state structures are behind these attacks and we know that the armies of some countries already include cyber armies. (Kremlin 2022)

Further, he stressed that Russia needed to bolster cyber security measures by developing domestic technologies and diminishing the usage of foreign IT innovations. Interestingly, Russian holidays were a common time for hacktivists to carry out their cyber offensives, when the majority of offices and departments were closed. International Women’s Day on March 8, which is a widely celebrated event in Russia, saw a serious chain of DDoS attacks in 2022, when pro-Ukrainian hacktivists targeted eleven government websites, such as the Ministry of Culture (culture​.gov​​.ru), Ministry of Internal Affairs, Ministry of Energy (minenergo​.gov​​.ru), Federal Agency for Youth Affairs (fadm​.gov​​.ru), Federal Bailiff Service, and Federal Agency for Rail Transport (Data Leaks 2022; 5 TV Chanel 2022). Simultaneously, on all these digital entities, hackers placed the same image of Russian and Ukrainian flags, tanks, and escaping Russian soldiers. Given the concurrence of these defacement attacks, there was a suggestion that by exploiting security vulnerabilities, the malicious actors received unauthorized access to only one website, gosmonitor​.r​u, which displayed featured content directly on the majority of the government’s websites (Data Leaks 2022). In several hours, the message was removed, but this massive defacement incident raised concerns about the stored data and the quality of cyber security not only on the government’s entities but in general, on Russian digital platforms. Also, even though the actual damage was minimal, the hacktivists demonstrated their threatening abilities to Russian citizens, undermining the reputation of the government and the military. This defacement nightmare repeated on a smaller scale with new victims on March 16, 2022, when two central departments—the Ministry of Emergency Situations and Russian Arbitration Courts, were compromised and defaced. As media sources reported, around 5 p.m. by local time, eighty Russian arbitration court websites in Khabarovsk, Moscow, Primorsky Krai, Crimea, Buryatia, Kamchatka, and many other regions stopped working and instead of a common front page, every court website showed a new post: “Putin is terrorist #1! The Hague Court waits for all of you! Freedom for political prisoners!” (ZaTelekom 2022). In more than one hour, this hacker’s message was deleted, whereas the court websites remained off for several hours. There was especially serious damage to local court websites, which could not serve people for several days. The worst situation was in the Volgograd region, whose website did not work for fourteen days. To clarify the

26

Chapter 1

incident, the court representative from the Primorsky Krai, Inga Sorokina, underlined that the attack was fortunate for hackers because the entire court network was based on the same server located in Moscow (Lisitsyna 2022). While the arbitration courts waited for IT professionals to restore access to their main server, some alleged Ukrainian hacking groups hacked the main and regional websites of the Ministry of Emergency Situations, defaced, and made its federal and many regional platforms non-functional for several days. From various regions including Kemerovo and Saint-Petersburg, concerned individuals indicated that local websites remained shut down. Instead of the Ministry’s usual official website front page, the attackers uploaded a new front page, which was an imitation of the official one but with changed content. The website showed a few links with the following titles: “Do not believe the Russian media—they are lying,” “Full information about the war in Ukraine” and “Russia's defeat is around the corner.” Also, the hackers placed a message: “The Ministry of Emergency Situations informs that more than 13,000 soldiers died in Ukraine” (Denisyuk 2022). This new front page disappeared in less than one hour, and instead a normal announcement appeared: “Please excuse us for the inconvenience. The website encountered an unexpected error, and it will be offline temporarily” (Fontanka 2022). Along with the defacement and disruption of the Ministry’s network, its official phone number was altered to a Ukrainian number. However, in April, hackers returned to the Ministry of Emergency Situations, targeting its media portal mchsmedia​.r​u. Defacing the portal and humiliating the Ministry, hackers posted several new articles about Ukraine and Russia (Ministry of Emergency Situations 2022). Worth noting is the fact that Internet users expressed their disappointment that the government could not defend its websites from hackers, stressing that the government tried to save some money on cyber security, thus, it was ineffective and weak (Fontanka 2022; Nikitin 2022). As Roskomnadzor announced Twitter slowing down in Russia on March 10, two hours later the largest Internet provider, Rostelekom, detected operational problems which led to serious issues on several government digital portals (Tvrain​.​tv 2022). So, another wave of cyberattacks on government websites began. Around 12 p.m. local time, the Kremlin, the Russian government, and the State Duma websites became unresponsive (Kapital 2022). Many foreign and domestic sources connected the Roskomnadzor issues with Twitter to the technical issues on government digital resources. However, Andrey Poliakov, the representative of Roskomnadzor, rejected the connection between these two events, emphasizing that “the investigation of the Internet’s problems is under way, and we are checking the details and scale of the disruption” (Kapital 2022). Nevertheless, during this wave of cyberattacks, hacker activities were detected on websites of the Ministry of Inner Affairs, Ministry of Culture, the FCIN (the Federal Penitentiary Service),

Hackers’ Attacks on Russia

27

and the Federal State Statistics Service (Rosstat). Many government websites did not recover from the previous attacks while new strikes were launched. Going forward in its retaliation for the invasion in Ukraine, politically motivated Anonymous hackers compromised many security cameras in the Russian Federation in March 2022. There were more than 400 hacked cameras, and Anonymous released live feeds from CCTV sources on a dedicated site (Anonymous 2022). Under a post about the camera hack, Anonymous made an announcement for a new action they planned to take: “We have already been working on our next camera dump which will contain cameras from Belarus and Ukraine, mostly combat zones which will be more useful for recon than these. This is strictly anti-propaganda for the Russian people” (Anonymous 2022). On April 6, 2022, Anonymous revealed that a hacking group (@Thblckrbbtworld) which joined Anonymous’s vendetta against Russia, was successful in gaining access to “the Kremlin CCTV system” (Anonymous 2022). To prove this statement, Anonymous placed footage from the ostensible Kremlin camera under the post. Worth noting is that the scenes from this footage are impossible to verify. In response to this statement and looking to calm concerned Russian media, Dmitry Peskov underlined that Anonymous could not get access to the Kremlin CCTV system because this system was isolated (AIF 2022). On the night of June 5, the Ministry of Construction, Housing, and Communal Services experienced a serious data breach and defacement attack from dumpForums​.c​om demanding a ransom of 0.5 Bitcoin (Akinshina 2022). Threatening to publish hacked personal data, the hackers gave the Ministry two days to transfer the amount in Bitcoin. Also, the Ministry lost control over its official website, where the cybercriminals uploaded a message in the Ukrainian language with their crypto wallet (Novaya Gazeta 2022). Soon, the department website displayed the Ministry’s announcement about the existing technical problems. After each successful hack, nearly all the victims, in this case, different government departments, tried to assure the public about intact inner data, and this Ministry did not change this tradition, stressing that personal data was protected from malicious agents. As Darknet monitoring revealed, more than 100,000 personal records from the Ministry’s server, containing emails, users’ real names, and logins, were dispersed via the Internet. However, it is impossible to determine when this data file was stolen (Zsrf​.​ru 2022). It was not revealed if the Ministry paid the ransom to the cybercriminals. From June 15 to 18, the St. Petersburg International Economic Forum was held in Russia, which is considered one of the most high-profile events related to the economy. On June 17, in the Forum’s schedule, President Vladimir Putin promised to do a presentation. Considering the ongoing cyberwar, the Forum’s organizers applied serious security measures to protect the event,

28

Chapter 1

but the Forum infrastructure experienced an attack on the day of the scheduled presidential speech. It was a powerful DDoS attack with more than 140 GB per second, which caused major technical disruptions to the Forum’s entrance system and base of participants (Smotrim 2022). As a result, Putin’s speech was rescheduled for one hour later. Early on in Putin’s message for the Security Council, the president underlined that the Russian Internet segment and IT professionals successfully dealt with non-stop cyber offensives. However, the situation with cyber incidents was going from bad to worse. The reputation of every government has been inextricably connected to how it handles cyber risk. Since February 24, Russian society repetitively observed cyber fiascos on one state website after another, so citizens would barely be surprised by another defacement attack or data leak. However, they expected that at least their president would be protected by highly skillful IT professionals. This attack and further the rescheduling of the presidential speech made society acknowledge that the continuing cyber anarchy would be long-lasting and persistent. After several months of the conflict, it became obvious that hacking groups would take every important event in Russia as an opportunity to launch offensives. In September 2022, Russian people elected their representatives for local and regional governments, including fourteen regions which voted for their governors. However, continuous cyberattacks on the Central Election Commission and its regional branches started in June 2022, and by September 9, there were 28,000 prevented strikes, including 90 massive cyberattacks (Kuban24 2022). So, election officials in more than eighty regions were prepared for intensive malicious activities between September 9 and 11. In particular, cybercriminals tried to overturn Moscow’s online voting platform. The head of the public headquarters for monitoring elections, Vadim Kovalev, reported that for three days of the municipal elections, more than 10,000 DDoS attacks were recorded on the online voting system in Moscow (Izvestia 2022). In total, there were 35,000 attempts to compromise the elections, where hacking groups looked for vulnerabilities in the election network, employees’ accounts, and other targets (Fomag 2022).

ATTACKS ON LOCAL AUTHORITIES While the federal administrative branches struggled daily with cyberattacks, local authorities also faced intensive activities from malicious agents trying to breach their digital platforms. However, local governments were more vulnerable to digital threats due to many regional officials failing to maintain strong cyber defense and not having IT professionals on their payroll. After

Hackers’ Attacks on Russia

29

February 24, 2022, websites of mayors’ offices, governors, regional legislatures, power plants, and other systems were hit by hackers. If other local governments hoped that hacktivists would miss them, there were two locations which would most certainly be the hackers’ principal targets: Crimea and Sevastopol. For two days, February 24 and 25, patriot hacking groups conducted immense DDoS strikes on the Crimean government websites. According to the Minister of Internal Policy, Information and Communications, Michael Afanasiev, IT professionals successfully blocked every digital attack which tried to undermine not only government networks but other critical infrastructure as well. “The DDoS attack started at 8:27 p.m.  .  .  . The main hit focused on the portal of the Crimean government, which received an incredible number of requests from IP addresses located in India, South America, and the United States,” stressed Afanasiev, underlining that the Crimean government expected these actions (RBC 2022). Although the attack seemingly had stopped on the 25, on February 28, the hacking activities resumed their onslaught on government websites. However, despite the hackers’ efforts, who launched HTTP flood attacks, the targeted websites continued to work without interruption (Interfax 2022). A similar situation occurred in Sevastopol, where hacking groups tried to shut down city authorities’ digital government entities (Shuvainikov 2022). After one day of cyber aggression toward the Sevastopol websites, the city’s governor, Michael Razvozhaev, said that the city was going through a difficult time due to endless strikes, which caused technical problems on several websites. To add insult to injury, on February 25, the hackers disabled the operation of the Sevastopol city government’s website in a cyberattack, causing a complete loss of control over the entity. Since February 24, city authorities in Chelyabinsk, Kursk, Volgograd, Kazan, Chita, Khabarovsk, Saint-Petersburg, and many other cities across the Russian Federation were repeatedly struck by massive DDoS attacks, causing a loss of data and control over their digital platforms. For instance, between February and September 2022, the Volgograd authorities indicated four waves of DDoS attacks on their digital resources, which stopped working after every strike. In light of these damaging attacks, the governor, Evgeny Kharichkin, initiated the creation of a local cyber center, which began to operate in October 2022 (Petrov 2022). In less than one month after opening this cyber center, the next strike disrupted the city administration’s website, which ran very slowly and did not show regular columns for several hours (Chutnekorzhok 2022). In April 2022, unknown hackers defaced the Pskov government website, where the 76th Guards Air Assault Division is located (Inform Pskov 2022). Its troopers participated in the conflict in the Donbas region in 2014, and in 2022, the Russian government sent the division’s soldiers to Ukraine again.

30

Chapter 1

On the defaced website, the perpetrators placed a message about huge human losses in the Division. Also, on one of the website’s columns, a post about an ongoing fundraising campaign for the Russian Armed Forces was inserted. Along with politically driven hackers, there were cyber hooligans who simply vandalized online resources. In May 2022, the Samara city platform was hacked by cyber hooligans on the weekend; instead of the regular front page, they posted pornography (63 SamaraOnline 2022). City government officials did not notice the hack until infuriated city dwellers sent complaints. Providing services and pursuing effective cyber security measures, local authorities have implemented more and more complicated new technologies, giving cyber criminals more opportunities to reach them. Prior to the war in Ukraine, regional Russian authorities became targets for hacking groups, who defaced their websites and stole their data. However, the recent spurt in cyber aggression revealed their cyber incompetence and unpreparedness, even in terms of hiring IT specialists. As the annual report of the Novosibirsk oblast shows, its government sites survived more than 1,000 DDoS attacks (Grachev 2022). Between January and March 2022, hackers conducted 1253 strikes on regional authorities and an industrial sector in the Krasnodar region (KubanAif 2022). In total, the Southern Federal District, which embraces Krasnodar, Volgograd, Rostov, and Astrakhan regions, Kalmykia, Adygea, Crimea, and the city Sevastopol, experienced approximately 30,000 cyberextortion attempts in 2022 (Newkuban 2023).

CYBERATTACKS ON FINANCIAL INSTITUTIONS AND BUSINESSES The largest Russian banks—Sberbank, VTB18, Gazprombank, Alfa-Bank, and Russian Agricultural Bank, along with a few others, were under endless onslaughts by hackers trying to interrupt their operations and reach customers’ data. In February 2022, the executive of the Solar JSOC at RostelecomSolar, Vladimir Dryukov, stated that there were many DDoS attacks whose capacity was up to 750 GB (Tyunyaeva and Narayeva 2022). For ten days, between March 1 and March 10, 2022, unknown hacking groups conducted more than 1,100 cyber strikes on the Russian commercial sector; of 1,100 cyberattacks, more than 450 strikes solely targeted banks (Vasyutchenko 2022). The Kaspersky Lab confirmed that the hit of cyber aggression shifted from digital state entities to the financial field in March 2022 (Iliyna 2022). Given the surge of cyber aggressions, the Russian government began to cooperate with banks, providing them assistance for DDoS defense. Every concerned bank should send a request with a list of endangered operational

Hackers’ Attacks on Russia

31

systems to the center bank, and the Ministry of Digital Development would sort out the banks’ Internet traffic (Banki 2022). Since the onset of the war, Sberbank experienced daily cyberattacks from multiple malicious agents who initiated various types of attacks, including DDoS. One of the most powerful attacks, with 450 GB per second, was carried out on May 6, 2022 (Securitylab 2022). A member of the bank’s Board, Stanislav Kuznetsov, stressed that approximately 27,000 devices participated in this cyber offensive, but the perpetrators did not reach Sberbank’s data (NTV 2022). In less than two weeks, Anonymous claimed a successful hack on Sberbank, which was rejected by Sberbank as false information (Ren TV 2022). Early in March 2022, Sberbank denied the breach of its application, from which bank customers allegedly experienced unauthorized withdrawals (Sberbank 2022). Interestingly, at the International Economic Forum held in 2022 from June 15 to 17, the same official, Stanislav Kuznetsov, concluded that in total, sixty-five million customer records were compromised and more than thirteen million bank cards were hacked since the beginning of “the special military operation” (Tairov 2022). However, he did not articulate Sberbank’s share in this leak. The second part of 2022 was a hectic time when malicious agents attacked relentlessly. In September 2022, hacktivists tried to undermine the operation of the Russian payment system, MIR, which became a national payment system due to the fact that foreign debit and credit cards such as Visa, Mastercard, and others joined sanctions in March 2022. A massive DDoS strike targeted the MIR system and its operator, the National Payment Card System (Isakova and Byilov 2022). While IT specialists underlined that the domestic payment system maintained a high level of defense, the authorities denied commenting on the attack. In October, Sberbank reported another DDoS blitz, conducted by foreign hackers. Fortunately, the bank’s cyber defense system was able to repel the DDoS strike that hit its system from more than 30,000 devices (TASS 2022). At the beginning of December 2022, VTB customers were unable to conduct financial transactions on the VTB website. As a bank representative confirmed, a hacking group hit the VTB website, causing operational issues (Koshkina and Pashkova 2022). Every year banks and other financial organizations increase their budgets for cyber protection measures, but the wave of cyber offensives in 2022 was quite different. Bank representatives considered it not as cyber incident but as an ongoing cyberwar, where onslaughts were carried out more intensively and subtly. There were a huge number of participants. As a result, Russian banks boosted spending on their cyber technologies and staff to a higher degree. The Russian business sector also became a target for numerous hackers. Awkwardly, a significant number of small business owners were not ready

32

Chapter 1

for hackers’ attention. According to a survey conducted shortly after the onset of the war, around 70% of small business owners expected cyberattacks on their websites, whereas 28% of respondents argued that hacking groups would be more interested in big and lucrative businesses rather than wasting their time on small firms (Dailybest 2022). Traditionally, online retail businesses have been a favorite object for cybercriminals. The unfolding war and the surge of politically motivated hacktivism just exacerbated the situation. One of the largest online marketplaces in Russia, Wildberries,19 failed to protect its website and mobile application from a cyberattack on March 14, 2022. On this day, many customers from various parts of the Russian Federation could not login to their accounts, purchase goods, or conduct any operations on Wildberries (Habr 2022). Delivery service was stopped. Its administration confirmed technical issues, but it insisted that no customer data was accessed as it was not a cyberattack. However, as several anonymous sources stated, on March 15, the Russian retailer became a victim of hackers, and the attack was conducted by the known and dangerous hacking group, OldGremlin (Securitylab 2022). Numerous gloomy rumors circulated via the Russian cyberspace, stating that the retailer’s administration lost not only inner data but even control over the platform (Securitylab 2022). However, the retailer insisted that customer data remained intact, and the incident was reported to police. On March 19, the website still experienced technical problems, but delivery and online purchases began to resume (Romanova 2022). The mobilization, announced by the Russian government in September 2022, triggered a wave of cyber strikes on online shops such as Rusarmyshop, Voenrus, Gorsing, and other brands. Located in Moscow, Saint-Petersburg, Kazan, Murmansk, and Voronezh, they sold military uniforms, boots, and other army attire (Ixbt 2022). The cyber offensives were launched during a very inconvenient time, when store sales jumped drastically due to high demand driven by the “partial mobilization.” It could be possible the DDoS wave, with 100,000 requests per second, was organized by the IT army of Ukraine, whose activists called users to conduct attacks on Telegram. The lack of adequate cyber defense resulted in the shutting down of more than seventy online shops; some of them were offline for several hours; and others stopped working for several days. In 2022, regardless of their size and profitability, Russian businesses, including restaurants, shops, fitness centers, and others, continued to lose sensitive data due to massive cyber offensives. During the months of spring, hackers released 73 pieces of information that were stolen from Russian firms, and between June and September 2022, 140 databases floated around the Internet (Lykov 2022).

Hackers’ Attacks on Russia

33

To conclude, prior to the onset of the full-scale invasion of Ukraine, private and state digital Russian entities were directly or indirectly familiar with hackers’ attacks, which were perceived as an unavoidable evil for every user of the Internet. Since February 24, 2022, the Russian cyber environment has begun looking like a sea full of sharks, and everybody who enters it will be eaten sooner or later. Anonymous’ declaration of war on Russia served not only as an invitation for other hackers to conduct cyber offensives on any Russian website but as legitimization that any action toward Russian digital entities could be justified by revenge for the “special military operation.” The lack of negative public reaction from officials or concerned citizens on global and domestic levels encouraged hackers. It is important to underline the difference between protection from Russian hackers’ adversary actions on European, Ukrainian, and U.S. websites and launching cyber offensives by independent hacking groups, operating from unidentified locations and driven by their own uncontrollable goals. According to preliminary calculations, there were around 400,000 international hackers that entered this cyberwar (Pitrelli 2022). The content of the cyberwar participants was diverse and can be divided into two major categories: hacktivists and hackers. The activity of hacktivists was on the rise and very rigorous when it came to targeting entertainment, news portals, and state digital entities, but priority was given to the economic sector to maximize financial losses. They mainly utilized DDoS extortion. In contrast with 2021, the number of DDoS attacks increased by 60 to 70% (Frolova 2023). According to Kaspersky Lab and other IT companies, the landscape of cyberattacks was versatile, while strikes became more intensive, powerful, and long-lasting. In 2022, state statistics and IT analysts agreed that the number of cyber strikes jumped drastically. On January 19, 2022, the representative of the Ministry of Digital Development, Dmitry Chernyshenko, emphasized that 50,000 very professional attacks were prevented, which was an unprecedented record for Russia, and he called the situation a cyber “invasion” (Business Gazeta 2023). The record size of personal data leaks, around 2.8 TG, was published on the Internet or placed for sale on the Darknet (Trukhachev 2022). This cyber anarchy began with the invasion of Ukraine, turning the Russian digital realm into a global training ground for hackers. Russian IT specialists have developed new cyber protection solutions, and in isolation, sooner or later, the Russian Federation will find an acceptable solution which will help to get this cyber mess under control. What will these well-trained hackers do? Who and what websites will be their next target?

34

Chapter 1

NOTES 1. OUN is a political organization of Ukrainian nationalists, which was established in 1929. 2. UPA is the Ukrainian Insurgent Army, which was active during World War II. 3. NATO is the North Atlantic Treaty Organization. 4. The Federal Security Service of the Russian Federation (FSB) is established in 1995. It is a federal excusive institution with more than 70 local branches in regional centers. 5. Privatbank is one of largest financial institutions in Ukraine. Before 2016, the bank was a private enterprise, led by two owners Kolomoisky and Boholyubov. In 2016, it was nationalized, and the government began to control its financial operations. 6. GhostSec or Ghost Security became known since 2015 with attacks on ISIS digital entities in the wake of the Charlie Hebdo shooting in January 2015. Its team members cooperate with Anonymous. The group has been active on social media. Its stands against police brutality, government corruption, and so on. 7. ATW or AgainstTheWest is a hacking group, created in September 2021. Its team announced the appearance with data breaches of the Bank of China and Ministry of Public Security at the same year. In 2022, the group declared its support for Ukraine and began multiple attacks on Russian government websites. At the first part of 2022, ATW managed its Twitter account. 8. SHDWSec is a hacker group, which has cooperated with Anonymous and ATW. The team established its Twitter account as the group announced its open support for Ukraine in the conflict with Russia. 9. Belarusian Cyber Partisans is a politically motivated hacking organization, which appeared in 2019 protesting the Belarussian President Lukashenko. It conducted successful hacks on Belarussian government websites, which extensively advertised via its YouTube, Telegram, and Twitter accounts. 10. IT army of Ukraine is a Ukrainian volunteer group, which conducts cyber attacks on Russian digital entities. It appeared shortly after the onset of the Russian war in Ukraine on February 24, 2022. 11. NB65 is affiliated with Anonymous. In February 2022, the group declared its support for Ukraine on its Twitter account. In March 2022, NB65 announced a cyber strike on Roscosmos. 12. GNG is a hacker group from Georgia. In February 2022, its team claimed successful attacks on the Chechen government website and a media portal Alt-Info. On Twitter, Anonymous called this group as its affiliate. 13. Mediologia is a Russian company which conducts an automatic monitoring and analysis of media and social media channels in real time. 14. RIA is the leading Russian news agency, which was established back in 1941. 15. MTS, or Mobile TeleSystems, is the largest mobile network operator in the Russian Federation. 16. VGTRK is the all-Russian State television and radio broadcasting company, which network includes several TV channels and radio stations.

Hackers’ Attacks on Russia

35

17. In the Russian Federation, there are eighty-five federal subjects in 2022. According to the Constitution, the category of the federal subjects includes the following entities: a region, a republic, a territory, a city with a special status, an autonomous district and region. 18. VTB is one of the largest and most popular financial institutions in the Russian Federation. 19. Wildberries is the Moscow-based online retailer, created in 2004. Tatyana Bakalchuk is its founder. Prior to the war in Ukraine, Bakalchuk began to establish its international branches in the European Union.

REFERENCES 5 TV Chanel. 2022. Government’s websites are under attacks. March 8. Accessed January 3, 2023. https://t.me/tv5ru/23419. 63 SamaraOnline. 2022. A city portal shows porno videos. May 14. Accessed December 23, 2022. https://63​.ru​/text​/politics​/2022​/05​/14​/71330045/. AIF. 2022. Peskov: Hackers could not hack the Kremlin’s video surveillance system. April 6. Accessed February 11, 2023. https://aif​.ru​/society​/web​/peskov​_ne​_schitaet​ _chto​_hakery​_mogli​_vzlomat​_sistemu​_videonablyudeniya​_kremlya. Akinshina, T. 2022. Hackers hacked the website of the Ministry of Construction of Russia. June 5. Accessed December 13, 2022. https://www​.kommersant​.ru​/doc​ /5391938. Alekseevsky, A. 2022. Almost two-thirds of the population of Russia have registered on the federal portal. February 2. Accessed January 3, 2023. https://www​.gazeta​ .ru​/tech​/news​/2022​/02​/02​/17229241​.shtml. Anonymous. 2022. Anonymous hacked Russian TV channels. March 6. Accessed December 13, 2022. https://twitter​.com​/YourAnonNews​/status​/1500613013510008836​ ?ref​_src​=twsrc​%5Etfw​%7Ctwcamp​%5Etweetembed​%7Ctwterm​%5E1​5006​1301​ 3510​ 0 08836​ % 7Ctwgr ​ % 5Ee ​ e a00 ​ 7 29c ​ 8 d34 ​ a 872 ​ 6 de1 ​ 7 014 ​ 0 5d5 ​ 0 801 ​ b b2d8b5​ %7Ctwcon​%5Es1_​&ref​_url​=https​%3A​%2F​%2Fwww​.rferl​.org​%2Fa​%2Frussian​ -tv​-hacke. ———. 2022. Join our fight! February 25. Accessed February 5, 2023. https://twitter​ .com​/youranonnews​/status​/1497298554381119491. ———. 2022. Russian security cameras are hacked! March 7. Accessed February 11, 2023. https://twitter​.com​/DepaixPorteur​/status​/1500943962860924936​?ref​ _src​=twsrc​%5Etfw​%7Ctwcamp​%5Etweetembed​%7Ctwterm​%5E1​5009​4396​2860​ 924936​%7Ctwgr​%5E6​59c8​c17a​6018​60a1​594f​f381​04e5​40ba​1ccc39d​%7Ctwcon​ %5Es1_​&ref​_url​=https​%3A​%2F​%2Fwww​.bla​ckha​teth​ical​hacking​.com​%2Far. ———. 2022. Our next action against Russia. March 7. Accessed February 11, 2023. https://twitter​.com​/DepaixPorteur​/status​/1500944050605772805. ———. 2022. Our next goal is the Kremlin CCTV system. April 6. Accessed February 11, 2023. https://twitter​.com​/YourAnonTV​/status​/1511656225687154688​ ?ref ​ _ src ​ = twsrc ​ % 5Etfw ​ % 7Ctwcamp ​ % 5Etweetembed ​ % 7Ctwterm ​ % 5E1 ​ 5 116​

36

Chapter 1

5622​5687​154688​%7Ctwgr​%5E2​7c34​615d​d1af​67c0​c18f​83a8​7b91​cecd​6b2a16a​ %7Ctwcon​% 5Es1_​& ref​_ url​= https​% 3A​% 2F​% 2Ftechno​. nv​. ua​% 2Fit​- industry​ %2Fhakery​-an. ———. 2022. We are at war against the Russian government. February 24. Accessed January 3, 2023. https://twitter​.com​/YourAnonOne​/status​/1496965766435926039. ———. 2022. We continue turning down Russian websites. February 26. Accessed January 3, 2023. https://twitter​.com​/YourAnonNews​/status​/1497574730282541060​ ?s​=20​&t​=gCu​sSYY​qmzj​JQOg​tIOKjaw. ———. 2022. We hacked the Russian Ministry of Defense. February 25. Accessed February 3, 2023. https://twitter​.com​/YourAnonOne​/status​/1497299847350833157​ ?ref ​ _ src ​ = twsrc ​ % 5Etfw ​ % 7Ctwcamp ​ % 5Etweetembed ​ % 7Ctwterm ​ % 5E1 ​ 4 974​ 0656​9469​952002​%7Ctwgr​%5E8​18bd​feca​28c1​dcdf​5ac7​3256​b110​1296​28f462c​ %7Ctwcon​%5Es3_​&ref​_url​=https​%3A​%2F​%2Fwww​.ladbible​.com​%2Fnews​ %2Fanonymous​-c. Antoniuk, Daryna. 2022. DDoS attacks hit Ukrainian government websites. February 15. Accessed January 2, 2023. https://therecord​.media​/ddos​-attacks​-hit​-websites​-of​ -ukraines​-state​-banks​-defense​-ministry​-and​-armed​-forces/. Bakken, A. 2020. The data breach against the Storting has been investigated. December 8. Accessed February 3, 2023. https://www​.pst​.no​/alle​-artikler​/pressemeldinger​ /datainnbruddet​-mot​-stortinget​-er​-ferdig​-etterforsket/. Balashova, A., I. Plamenev, and D. Chebakova. 2022. Rostelecom argues the leak of users’ data from Gosuslug a fake. October 18. Accessed December 23, 2022. https://www​.rbc​.ru​/technology​_and​_media​/18​/10​/2022​/634​edc8​49a7​9474​ 2bbe6c773. Banki. 2022. The Ministry of Digital Development proposes to protect banks from DDoS attacks from abroad. March 17. Accessed December 1, 2022. https://www​ .banki​.ru​/news​/lenta/​?id​=10966167. Beregini. 2022. Zaluzhnyi’s reaction on the Joker’s breach. November 4. Accessed November 24, 2022. https://t.me/hackberegini/1095. Bilyk, K. 2022. Hackers massively attacked video conferencing systems. August 29. Accessed January 12, 2023. https://rb​.ru​/news​/hackers​-attacks​-services/​?ysclid​ =lew2956ky7832598484. Bloknot. 2022. Interview with Michael Astrakhanzev about the hack of his media portal. February 28. Accessed January 2, 2023. https://t.me/bloknot_nvrsk/3261. Bogatyrev, I. 2022. In Ekaterinburg, the site of a popular city news agency was hacked. February 28. Accessed 3 January, 2023. https://fedpress​.ru​/news​/66​/policy​ /2948681​#bounce. Boyko, S. 2022. International cuber threats in 2022. October 16. Accessed January 2, 2023. https://interaffairs​.ru​/news​/show​/37430. Bumgarner, J. 2009. Overview by the US-CCU of the cyber campaign against Georgia in August of 2008. August. Accessed February 1, 2023. https://www​.projectcyw​-d​.org​/resources​/items​/show​/138. Bunge, Jacob. 2021. JBS paid $11 million to resolve ransomware attack. June 9. Accessed January 1, 2023. https://www​.wsj​.com​/articles​/jbs​-paid​-11​-million​-to​ -resolve​-ransomware​-attack​-11623280781.

Hackers’ Attacks on Russia

37

Business Gazeta. 2023. Cyber realm in Russia: Results for 2022. January 19. Accessed January 20, 2023. https://www​.business​-gazeta​.ru​/news​/580456. Butusov, Y. 2022. Delta hacking incident. November 1. https://www​.facebook​.com​ /butusov​.yuriy. Bylkina, E. 2022. Russia will be disconnected from the Internet? March 8. Accessed January 11, 2023. https://www​.pravda​.ru​/news​/society​/1688628​-otkljuchenie​_ interneta​_sankcii​_specoperacija​_na​_ukraine/. Cherepanov, A., and R. Lipovsky. 2017. Industroyer: Biggest threat to industrial control systems since Stuxnet. June 12. Accessed January 2, 2023. https://www​ .welivesecurity​.com​/2017​/06​/12​/industroyer​-biggest​-threat​-industrial​-control​-systems​-since​-stuxnet/. Chutnekorzhok, D. 2022. Hackers carried out a strike on the city website. November 16. Accessed December 23, 2022. https://v1​.ru​/text​/gorod​/2022​/11​/16​ /71820617/. CISA. 2021. Kaseya ransomware attack: Guidance for affected MSPs and their customers. July. Accessed January 2, 2023. https://www​.cisa​.gov​/uscert​/kaseya​ -ransomware​-attack. CisoClub. 2023. StormWall: The global share of DDoS attacks on organizations from Russia in 2022 was 8.4%. January 17. Accessed January 19, 2023. https:// cisoclub​.ru​/stormwall​-mirovaya​-dolya​-ddos​-atak​-na​-organizaczii​-iz​-rossii​-v​-222​ -godu​-sostavila​-84/. CNN. 2022. An interview with D.Peskov. January 15. Accessed January 2, 2023. https://twitter​.com​/thehill​/status​/1482510662106497024. Colonial Pipeline. 2021. Media statement update: Colonial pipeline system disruption. May 8. Accessed January 1, 2023. https://www​ .colpipe​ .com​ /news​ /press​ -releases​/media​-statement​-colonial​-pipeline​-system​-disruption. Council of the EU. 2021. European peace facility: Council adopts assistance measures for Georgia, the Republic of Moldova, Ukraine and the Republic of Mali. December 2. Accessed January 3, 2023. https://www​ .consilium​ .europa​ .eu​ /en​ / press​/press​-releases​/2021​/12​/02​/european​-peace​-facility​-council​-adopts​-assistance​ -measures​-for​-georgia​-the​-republic​-of​-moldova​-ukraine​-and​-the​-republic​-of​-mali/. ———. 2022. Russia’s military aggression against Ukraine: EU imposes sanctions against President Putin and Foreign Minister Lavrov and adopts wide ranging individual and economic sanctions. February 25. Accessed January 2, 2023. https://www​.consilium​.europa​.eu​/en​/press​/press​-releases​/2022​/02​/25​/russia​-s​ -military​-aggression​-against​-ukraine​-eu​-imposes​-sanctions​-against​-president​-putin​ -and​-foreign​-minister​-lavrov​-and​-adopts​-wide​-ranging​-individual​-and​-economic​ -sanctions/. ———. 2022. Ukraine: Declaration by the high representative on behalf of the European Union on the cyberattack against Ukraine. January 14. Accessed January 1, 2023. https://www​.consilium​.europa​.eu​/en​/press​/press​-releases​/2022​/01​/14​ /ukraine​-declaration​-by​-the​-high​-representative​-on​-behalf​-of​-the​-european​-union​ -on​-the​-cyberattack​-against​-ukraine/. Crimea-news. 2022. Crimea newspaper stopped working. June 28. Accessed January 3, 2023. https://crimea​-news​.com​/incident​/2022​/06​/28​/938816​.html.

38

Chapter 1

Cyberscoop. 2022. Putin’s government lists IPs and domains allegedly aiming DDoS traffic at Russia. March 3. Accessed January 12, 2023. https://cyberscoop​.com​/ russian​-internet​-ddos​-incidents​-ip​-domain​-list/. Dailybest. 2022. Russian business and hackers. March 16. Accessed December 23, 2022. https://dailybest​.me​/rossijskij​-malyj​-i​-srednij​-biznes​-gotovitsya​-k​-atakam​ -hakerov​.html. Darcy, O. 2022. RT sees its influence diminish as TV providers and tech companies take action against the Russia-backed outlet. March 1. Accessed January 3, 2023. https://www​.cnn​.com​/2022​/02​/28​/media​/rt​-tv​-carriers​-facebook​-tiktok​-youtube​/ index​.html. Data Leaks. 2022. Several government’s websites were defaced by hackers. March 8. Accessed January 6, 2023. https://t.me/dataleak/2531. Denisyuk, V. 2022. Hackers hacked into the website of the Russian Emergencies Ministry and published the truth about the war there. March 16. Accessed January 11, 2023. https://safe​.novyny​.live​/ru​/khakery​-vzlomali​-sait​-mchs​-rossii​-i​-opublikovali​ -tam​-pravdu​-o​-voine​-foto​-43073​.html. Djess, L. 2022. Experts review the possibility of Russian isolation from the Internet. March 7. Accessed January 11, 2023. https://forklog​.com​/exclusive​/eksperty​-otsenili​-veroyatnost​-otklyucheniya​-rossii​-ot​-interneta. Dmitriev, D. 2022. The hunt for ‘antimilitarism’ leaked documents indicate that Russia’s federal censor has been monitoring the Internet for peace activism since at least 2020. April 13. Accessed January 4, 2023. https://meduza​.io​/en​/feature​/2022​ /04​/13​/the​-hunt​-for​-antimilitarism. Dulneva, M. 2022. The government began to filter foreign traffic due to attacks on government websites. March 17. Accessed 11 January, 2023. https://www​.forbes​ .ru​/tekhnologii​/459333​-mincifry​-nacalo​-fil​-trovat​-zarubeznyj​-trafik​-iz​-za​-atak​-na​ -pravitel​-stvennye​-sajty. DW. 2022. Russia’s RT blocked by German regulators. February 2. Accessed January 3, 2023. https://www​.dw​.com​/en​/russias​-rt​-channel​-blocked​-by​-german​-regulators​ /a​-60635397. Dzen blog. 2022. My favorite site does not work. March 3. Accessed January 2, 2023. https://dzen​.ru​/b​/YiCL0Sf​_gz4ewEIM. Europol. 2022. Five affiliates to Sodinokibi/REvil unplugged. November 8. Accessed January 2, 2023. https://www​.europol​.europa​.eu​/media​-press​/newsroom​/news​/five​ -affiliates​-to​-sodinokibi​/revil​-unplugged. Faulconbridge, G. 2022. Google blocks Russia’s RT app downloads on Ukrainian territory. February 27. Accessed January 2, 2023. https://www​.metro​.us​/google​ -blocks​-russias​-rt/. Fedorov, M. 2022. Address of Vice Prime Minister and Minister of Digital Transformation @FedorovMykhailo. October 25. Accessed October 26, 2022. https://media​ .act​.nato​.int​/record/​~8f1e0a7d7d. Fedotova, D. 2022. Hackers reported about an attack on the Delta system. November 1. Accessed November 9. https://www​.mk​.ru​/politics​/2022​/11​/01​/vzlom​-sistemy​ -upravleniya​-voyskami​-na​-ukraine​-vyyavil​-slabye​-mesta​-vsu​.html.

Hackers’ Attacks on Russia

39

———. 2022. Interview with A. Leonkov. November 2. Accessed November 11, 2022. https://www​.mk​.ru​/politics​/2022​/11​/02​/shtaty​-nachali​-testirovat​-na​-ukraine​ -novuyu​-sistemu​-upravleniya​-vsu​-konvergenciya​.html. Finance Rambler. 2023. The Ministry of Digital Development has identified 195 specialties that give the right to a deferment from partial mobilization. September 27. Accessed January 2, 2023. https://finance​.rambler​.ru​/realty​/49414951​-mintsifry​-opredelilo​-195​-spetsialnostey​-dayuschih​-pravo​-na​-otsrochku​-ot​-chastichnoy​ -mobilizatsii/. Fomag. 2022. Cyber aggression was expected. September 11. Accessed December 23, 2022. https://fomag​.ru​/news​-streem​/na​-infrastrukturu​-deg​-bylo​-soversheno​ -bolee​-35​-tys​-kiberatak​-zamglavy​-mintsifry/. Fontanka. 2022. Roskosmos announced a DDoS attack after the publication of NATO’s images. June 29. Accessed February 12, 2023. https://www​.fontanka​.ru​ /2022​/06​/29​/71447390/. ———. 2022. The website of the Ministry of Emergency Situations was hacked and posted messages about the situation in Ukraine. March 16. Accessed January 11, 2023. https://www​.fontanka​.ru​/2022​/03​/16​/70513238/. Frolova, M. 2023. Cyber results for 2022. January 23. Accessed January 23, 2023. https://iz​.ru​/1457182​/mariia​-frolova​/ddos​-i​-nyne​-tam​-rossiia​-stala​-odnoi​-iz​ -samykh​-kiberatakuemykh​-stran​-mira. FRWL. 2022. Hackers! We have to work! September 21. Accessed December 12, 2022. https://t.me/frwl_team/269. Giannelis, M. 2022. Russia may disconnect from the global internet on March 11. March 10. Accessed January 11, 2023. https://www​ .techbusinessnews​ .com​ .au​ / news​/russia​-may​-disconnect​-from​-the​-global​-internet​-on​-march​-11/. Grachev, N. 2022. Ministry of Digital Development: The Novosibirsk Region and cyber attacks. December 29. Accessed January 3, 2023. https://nsk​.rbc​.ru​/nsk​/29​ /12​/2022​/63a​b778​39a7​9477​008a4f191. Habr. 2022. Wildberries confirmed the fact of the incident, contacted law enforcement agencies and denied hacking by hackers. March 16. Accessed November 21, 2022. https://habr​.com​/ru​/news​/t​/655929/. Halchynskyi, S. 2021. The unit is dissolved. January 13. Accessed October 22, 2022. https://www​.facebook​.com​/imPtah. Heffer, G. 2022. Ukraine crisis: Ofcom urged to review Russia Today as broadcaster branded Vladimir Putin’s ‘propaganda tool’. February 23. Accessed January 3, 2023. https://news​.sky​.com​/story​/ukraine​-crisis​-ofcom​-urged​-to​-review​-russia​ -today​-as​-broadcaster​-branded​-vladimir​-putins​-propaganda​-tool​-12549591. Hern, A. 2017. Google plans to ‘de-rank’ Russia Today and Sputnik to combat misinformation. November 21. Accessed January 3, 2023. https://www​.theguardian​ .com​/technology​/2017​/nov​/21​/google​-de​-rank​-russia​-today​-sputnik​-combat​-misinformation​-alphabet​-chief​-executive​-eric​-schmidt. Hughes, Clyde. 2022. White House cyber expert to travel to Europe over Russian threat. February 1. Accessed January 2, 2023. https://www​.upi​.com​/Top​_News​ /US​/2022​/02​/01​/cyber​-Anne​-Neuberger​-Europe​-NATO​-Russia​/8761643722422/.

40

Chapter 1

Iks Media. 2022. Websites of regional Russian publications were subjected to DDoS attacks. August 23. Accessed January 11, 2023. https://www​.iksmedia​.ru​/news​ /5900227​-V​-iyule​-2022​-goda​-sajty​-regionalnyx​.html. Iliyna, N. 2022. Cyber attacks are in March 2022. April 1. Accessed December 2, 2022. https://iz​.ru​/1313624​/natalia​-ilina​/udarnaia​-volna​-chislo​-ddos​-atak​-na​-rossiiskie​-kompanii​-vyroslo​-v​-8​-raz. Inform Pskov. 2022. A city administration platform was hacked, and false information was posted. April 27. Accessed December 23, 2022. https://informpskov​.ru​/ news​/387926​.html​?ysclid​=lf3h588zt228282006. Inkazan. 2022. Police network was targeted by hackers. February 27. Accessed January 12, 2023. https://inkazan​.ru​/news​/2022​-02​-27​/v​-rossii​-legli​-sayty​-mvd​-i​ -regionalnyh​-vedomstv​-1459093​?ysclid​=let66wthy7861975792. Interfax. 2022. DDoS attacks on the government websites was recorded in Crimea. February 28. Accessed January 5, 2023. https://www​.interfax​-russia​.ru​/south​-and​ -north​-caucasus​/main​/hakery​-prodolzhayut​-ataku​-it​-infrastruktury​-kryma​-vlasti. ———. 2022. Ukraine sees hacker attack on govt websites at night. January 14. Accessed January 2, 2023. https://en​.interfax​.com​.ua​/news​/general​/791472​.html​ ?mid​=1​#cid​=241671. Isakova, T., and M. Byilov. 2022. Ukrainian IT activists are conducting a DDoS attack on the Russian payment system Mir. September 23. Accessed November 23, 2022. https://www​.kommersant​.ru​/doc​/5580653​?from​=top​_main​_1. IT-Army of Ukraine. 2022. We attack the FSB website. March 2. Accessed January 3, 2023. https://t.me/itarmyofukraine2022/102. ITsec. 2022. Russia has published a list of IP addresses and domains attacking its infrastructure using DDoS attacks. March 9. Accessed January 12, 2023. https:// www​.itsec​.ru​/news​/rossiya​-obnarodavala​-spisok​-ip​-adresov​-i​-domenov​-atakuyushih​-eio​-infrastrukuru​-s​-pmoshiyu​-ddos​-atak. Ivanova, O. 2022. Joker tells about Delta hacking. November 1. Accessed November 9, 2022. https://vz​.ru​/news​/2022​/11​/1​/1184878​.html. Ixbt. 2022. Hackers attacked army online stores in Russia. October 17. Accessed December 12, 2022. https://www​.ixbt​.com​/news​/2022​/10​/17​/hakery​-atakovali​ -armejskie​-internetmagaziny​-v​-rossii​.html. Izvestia. 2022. The Ministry of Digital Development called the number of cyber attacks on the electronic voting system. September 11. Accessed December 23, 2022. https://iz​.ru​/1393881​/2022​-09​-11​/v​-mintcifry​-nazvali​-kolichestvo​-kiberatak​ -na​-infrastrukturu​-elektronnogo​-golosovaniia. ———. 2022. The Ministry of Foreign Affairs of the Russian Federation announced unprecedented cyber attacks on the agency's website. March 3. Accessed February 12, 2023. https://iz​.ru​/1300117​/2022​-03​-03​/mid​-rf​-soobshchil​-o​-bespretcedentnykh​-kiberatakakh​-na​-sait​-vedomstva. Joker DPR. 2022. Butusov’s statement. Vol. (F). no. 4. November 2. ———. 2022. Claim about hacking. Vol. F. no. 2. November 1. https://t.me/ JokerDPR/208. ———. 2022. My response to Y.Butusov. November 3. https://t.me/JokerDPR/226.

Hackers’ Attacks on Russia

41

———. 2022. “Telegram post.” Video about the Delta. Vol. F. no. (C)1. October 31. https://t.me/JokerDPR/207. ———. 2022. Zaluzhnyi’s Instagram account is hacked! November 3. Accessed November 24, 2022. https://t.me/JokerDPR/231. Kalitventseva, E. 2022. In Crimea, hackers hacked local television. August 20. Accessed January 1, 2023. https://www​.unn​.com​.ua​/ru​/news​/1990847​-v​-krimu​ -khakeri​-zlamali​-mistseve​-telebachennya​-ta​-vklyuchili​-zvernennya​-zelenskogo. Kapital. 2022. Federal websites have technical issues. March 10. Accessed February 4, 2023. https://kapital​-rus​.ru​/articles​/article​/saity​_kremlya​_gosdumy​_i​_pravitelstva​_obrushilis​_eto​_mojet​_byt​_svyazano​_s​_za/. Kapranov, O. 2022. Cybersecurity headquarters established in 99% of regions. June 1. Accessed December 14, 2022. https://rg​.ru​/2022​/06​/01​/mincifry​-shtaby​-po​ -kiberbezopasnosti​-sozdany​-v​-99​-regionov​.html. Kommersant. 2022. Ongoing mobilization in Russia. September 24. Accessed January 3, 2023. https://www​.kommersant​.ru​/doc​/5581064​?query=​%D0​%BF​%D1​%80​ %D0​%BE​%D1​%82​%D0​%B8​%D0​%B2​%20​%D1​%87​%D0​%B0​%D1​%81​%D1​ %82​%D0​%B8​%D1​%87​%D0​%BD​%D0​%BE​%D0​%B9​%20​%D0​%BC​%D0​%BE​ %D0​%B1​%D0​%B8​%D0​%BB​%D0​%B8​%D0​%B7​%D0​%B0​%D1​%86​%D0​%B8​ %D0​%B8. ———. 2022. Should Russia be isolated from the Internet? September 21. Accessed January 11, 2023. https://www​.kommersant​.ru​/doc​/5571153. ———. 2022. We continue to deliver news. February. Accessed January 2, 2023. https://t.me/kommersantvrn/4144. Kommuna. 2022. Our email was hacked. February 27. Accessed January 2, 2023. https://vk​.com​/wall​-183813231​_20197. Komsomolskaya Pravda. 2022. Putin announced the partial mobilization. September 21. Accessed January 2, 2023. https://www​.youtube​.com​/watch​?v​=zKmuCHvGvhQ​&t​=28s. Koshkina, Y., and L. Pashkova. 2022. Hackers tried the VTB bank cyber system. December 6. Accessed December 11, 2022. https://www​ .rbc​ .ru​ /finances​ /06​ /12​ /2022​/638​eed1​59a7​9472​c176add86. Kravchyk, A. 2022. Russian federal channels show truth! June 12. Accessed December 23, 2022. https://news​.obozrevatel​.com​/show​/lite​/hakeryi​-vzlomali​-rossijskie​ -telekanalyi​-i​-pokazali​-pravdu​-o​-vojne​-v​-ukraine​.htm. Kremlin. 2022. Order #250. May 1. Accessed December 12, 2022. http://static​ .kremlin​.ru​/media​/events​/files​/ru​/51D​UJhH​HAb0​tNBB​bC6x​WgbD​o1Fu9znRO​ .pdf. ———. 2022. Vladimir Putin speaks on the Security Council meeting. May. Accessed November 12, 2022. http://www​.kremlin​.ru​/events​/security​-council​/68451. Krymr. 2022. Hackers placed an anti-war message on Russian news portals. February 28. Accessed January 2, 2023. https://ru​.krymr​.com​/a​/news​-rossiya​-smi​-soobshchenie​-hakerov​/31728103​.html. Kuban24. 2022. Our elections are verified as a target for hackers. September 9. Accessed December 23, 2022. https://kuban24​.tv​/item​/sajty​-tsik​-i​-regionalnyh​ -izbirkomov​-podverglis​-massirovannym​-kiberatakam.

42

Chapter 1

KubanAif. 2022. In 2022, the number of hacker attacks in the Krasnodar oblast increased. June 6. Accessed December 23, 2022. https://kuban​ .aif​ .ru​/incidents​ /v​_2022​_godu​_chislo​_hakerskih​_atak​_v​_krasnodarskom​_krae​_vyroslo​_v​_5​_raz. KubNews. 2022. The Our Newspaper portal was breached. February 28. Accessed 2 January, 2023. https://kubnews​.ru​/obshchestvo​/2022​/02​/27​/sayt​-gazety​-nashey​ -gazety​-novorossiyska​-podvergsya​-khakerskoy​-atake/. KUN. 2022. Hackers hacked into the Kremlin’s website and posted the phone database. February 28. Accessed February 5, 2023. https://kun​.uz​/ru​/23065274​?ysclid​ =let8kj7yrg191632579. Leaks. 2022. Data from the Portal of Public Service, Russia. October 18. Accessed January 15, 2023. https://t.me/dataleak/2784. ———. 2022. RIA news customer dase was released on the Internet. April 16. Accessed December 6, 2022. https://t.me/dataleak/2574. Lenta. 2022. Putin declared a mobilization. September 21. Accessed January 2, 2023. https://lenta​.ru​/brief​/2022​/09​/21​/putin/. Lezhepekova, A. 2022. Officials rejected the data leak. February 25. Accessed February 2, 2023. https://www​.gazeta​.ru​/army​/news​/2022​/02​/26​/17347999​.shtml. Lipovsky, R. 2017. Seven years after Stuxnet: Industrial systems security once again in the spotlight. June 16. Accessed January 2, 2023. https://www​.welivesecurity​ .com​/2017​/06​/16​/seven​-years​-stuxnet​-industrial​-systems​-security​-spotlight/. Lisitsyna, M. 2022. Websites of Russian arbitration courts were hacked. March 16. Accessed February 3, 2023. https://www​.rbc​.ru​/politics​/16​/03​/2022​/623​1569​79a7​ 9472​d4014351c​?ysclid​=lf0f1n4uka791195956. Litvinov, A. 2022. Interview with Anton Gorelkin. May 17. Accessed January 11, 2023. https://www​.pnp​.ru​/economics​/anton​-gorelkin​-otklyuchit​-rossiyu​-ot​-interneta​-ne​-poluchitsya​.html. Lykov, V. 2022. Hackers became twice as likely to publish personal data of Russians. September 7. Accessed December 2, 2022. Hackers became twice as likely to publish personal data of Russians. Lyngaas, S., A. Graham-Yooll, T. Lister, and M. Chance. 2022. Ukraine cyberattack is largest of its kind in country’s history, says official. February 16. Accessed January 2, 2023. https://www​.cnn​.com​/2022​/02​/16​/europe​/ukraine​-cyber​-attack​-denial​ -service​-intl​/index​.html. Mack, Z. 2022. Apple is banning iPhone users from doing this, effective immediately. March 3. Accessed January 3, 2023. https://bestlifeonline​.com​/news​-apple​-rt​-sputnik​-apps/. Marks, J. 2022. Cyber conflict in Ukraine is growing more complex by the day. March 16. Accessed November 21, 2022. https://www​.washingtonpost​.com​/politics​/2022​ /03​/16​/cyber​-conflict​-ukraine​-is​-growing​-more​-complex​-by​-day/. Marmeladova, P. 2022. Roskomnadzor’s leak. September 23. Accessed January 4, 2023. https://aussiedlerbote​.de​/2022​/09​/utechka​-arxiva​-roskomnadzora/​?ysclid​ =leuifs0van359008350. Maryanenko, R. 2022. Several TV stations were hacked today. May 9. Accessed December 23, 2022. https://45​.ru​/text​/politics​/2022​/05​/09​/71316998/.

Hackers’ Attacks on Russia

43

Mediasat. 2022. 3 Russian TV channels displayed truth about the war. June 13. Accessed December 23, 2022. https://mediasat​.info​/ru​/2022​/06​/13​/xakery​-atakovali​-telekanaly​-rossiya​-ntv​-i​-pervyj​-kanal/. Meduza. 2018. Kommensant stopped working due to a cyber attack. May 30. Accessed January 2, 2023. https://meduza​.io​/news​/2018​/05​/30​/sayt​-kommersanta​ -podvergsya​-hakerskoy​-atake. ———. 2021. RT budget for 2022. December 23. Accessed January 2, 2023. https:// meduza​.io​/news​/2021​/12​/23​/rt​-ostalsya​-liderom​-po​-ob​-emam​-gosfinansirovaniya​ -sredi​-smi​-v​-2022​-godu​-kanal​-poluchit​-pochti​-29​-milliardov​-rubley. Meserve, Jeanne. 2009. Study warns of cyberwarfare during military conflicts. August 17. Accessed February 2, 2023. https://www​.cnn​.com​/2009​/US​/08​/17​/ cyber​.warfare​/index​.html. Ministry of Education. 2022. A warning about upcoming cyber attacks. March 3. Accessed January 11, 2023. https://t.me/zatelecom/21030. Ministry of Emergency Situations. 2022. Our media portal was hacked. April 19. Accessed January 11, 2023. https://vk​.com​/wall​-26699943​_13854. Ministry of International Affairs. 2022. Ongoing cyber aggression against Russia wages by the “collective West”. March 29. Accessed January 13, 2023. https:// www​.mid​.ru​/ru​/foreign​_policy​/news​/1806906/. Mora, Edwin. 2012. Panetta warns of cyber Pearl Harbor: The capability to paralyze this country is there now. June 13. Accessed January 2, 2023. https://www​ .cnsnews​.com​/news​/article​/panetta​-warns​-cyber​-pearl​-harbor​-capability​-paralyze​ -country​-there​-now. Moscow 24. 2022. Attack on Roscosmos website could have been carried out by a hacker from Yekaterinburg. June 29. Accessed February 11, 2023. https://www​ .m24​.ru​/news​/tehnologii​/29062022​/476245​?utm​_source​=CopyBuf. ———. 2022. Hackers continue their strikes against Roscosmos. March 4. Accessed January 13, 2023. https://www​.m24​.ru​/news​/tehnologii​/04032022​/436985. NB65. 2022. We hacked Roscosmos. March 1. Accessed January 3, 2023. https://twitter​.com​/xxNB65​/status​/1498563301525102594​/photo​/1. NCCC. 2022. An updated list of IP addresses used in DDoS attacks. May 23. Accessed January 12, 2023. https://safe​-surf​.ru​/specialists​/news​/679458/. ———. 2022. Recommendations for protecting information resources from computer attacks. March 2. Accessed January 12, 2023. https://safe​-surf​.ru​/specialists​/news​ /676114/​?sphrase​_id​=45864. ———. 2022. Russian digital entities would be a target. February 24. Accessed January 2, 2023. https://safe​-surf​.ru​/specialists​/news​/675925/​?sphrase​_id​=45628. Nefedova, M. 2023. More than 50% of attacks in 2022 were carried out by skilled hackers. January 16. Accessed January 12, 2023. https://xakep​.ru​/2023​/01​/16​/2022​ -hacks/. Newkuban. 2023. Hackers tried to destabilize the region. February 3. Accessed February 5, 2023. https://newkuban​.ru​/news​/160260691/. Nikitin, A. 2022. Hackers hacked the official website of the Russian Emergencies Ministry. March 16. Accessed January 12, 2023. https://vz​ .ru​ /news​ /2022​ /3​ /16​ /1148955​.html.

44

Chapter 1

Novaya Gazeta. 2022. The website of the Ministry of Construction of Russia was subjected to a hacker attack. June 6. Accessed December 13, 2022. https:// novayagazeta​.eu​/articles​/2022​/06​/06​/sait​-minstroia​-rossii​-podvergsia​-khakerskoi​ -atake​-news. Novosti Volgograda. 2022. Volgograd residents are warned about problems with access to the State Services portal. February 27. Accessed January 4, 2023. https:// novostivolgograda​.ru​/news​/2022​-02​-27​/volgogradtsev​-preduprezhdayut​-o​-problemah​-s​-dostupom​-na​-portal​-gosuslugi​-1567585. NTV. 2022. Hackers attacked Sberbank: Comments. May 13. Accessed December 2, 2022. https://www​.ntv​.ru​/novosti​/2705522/. Nyrieva, S. 2022. Roskosmos showed the coordinates of the NATO decision centers. June 28. Accessed February 11, 2023. https://www​.gazeta​.ru​/army​/news​/2022​/06​ /28​/18023804​.shtml. NYT. 2022. Russia, blocked from the global Internet, plunges into digital isolation. March 7. Accessed January 12, 2023. https://www​.nytimes​.com​/2022​/03​/07​/technology​/russia​-ukraine​-internet​-isolation​.html. Opensanctions. 2022. Gsaparyan Armen Sumbatovich is subject to sanctions. May 9. Accessed January 3, 2023. https://www​.opensanctions​.org​/entities​/NK​-EBK​tYNT​ SfYD​jbvm​6dkzV5a/. Parsons, J. 2022. Russians to be disconnected from global internet from Friday. March 7. Accessed February 11, 2023. https://metro​.co​.uk​/2022​/03​/07​/russia​-preparing​-to​-disconnect​-from​-global​-internet​-on​-march​-11​-16230918/. People’s Cyber Army. 2022. Dagestan protests were organized on Telegram. September 26. Accessed November 30, 2022. https://t.me/ CyberArmyofRussia_Reborn/1232. ———. 2022. Many liberals rejected the mobilization. September 21. Accessed January 2, 2023. https://t.me/CyberArmyofRussia_Reborn/1189. ———.. 2022. Putin’s mobilization order. September 21. Accessed January 2, 2023. https://t.me/CyberArmyofRussia_Reborn/1187. ———. 2022. We attack the Vesna website. September 21. Accessed January 1, 2023. https://t.me/CyberArmyofRussia_Reborn/1191. Pervo​.inf​o. 2022. Hackers retaliated at the regional newspaper for the Z symbol. March 3. Accessed January 3, 2023. https://pervo​.info​/sajt​-sverdlovskoj​-oblastnoj​ -gazety​-vzlomali/. Petrov, A. 2022. New cyber unit will be open soon in our region. September 29. Accessed December 15, 2022. https://v1​.ru​/text​/gorod​/2022​/09​/29​/71695028/. Pisar iz Shtaba. 2022. Response to Joker DPR. November 1. https://t.me/ killnet_mirror/2600. Pitrelli, M. 2022. For the first time in history anyone can join a war’: Volunteers join Russia-Ukraine cyber fight. March 14. Accessed January 1, 2023. https://www​ .cnbc​.com​/2022​/03​/14​/volunteers​-sign​-up​-to​-help​-in​-cyberwars​-between​-russia​ -and​-ukraine-​.html. Ponomarenko, D. 2022. Ukrainian hackers got into Crimean TV. August 20. Accessed January 1, 2023. https://www​.unian​.net​/world​/ukrainskie​-hakery​-vzlomali​-televidenie​-v​-krymu​-i​-napomnili​-chey​-poluostrov​-video​-novosti​-mira​-11948184​.html.

Hackers’ Attacks on Russia

45

PRIME. 2022. The Ministry of Digital Development warned about possible problems with the website of public services. February 27. Accessed January 2, 2023. https://1prime​.ru​/telecommunications​_and​_technologies​/20220227​/836187597​.html. Rambler. 2017. Hackers launched a strike on Sputnik Armenia. September 29. Accessed January 2, 2023. https://news​.rambler​.ru​/other​/44927889​-sayt​-sputnik​ -armeniya​-podvergsya​-ddos​-atake/​?ysclid​=leks9lek2t7042902. RBC. 2022. Another DDoS attack on our website. March 1. Accessed January 3, 2023. https://www​.rbc​.ru​/technology​_and​_media​/01​/03​/2022​/621​e60e​b9a7​9472​ 468275c1b. ———. 2022. Digital resources of Sevastopol are under DDoS attacks. February 25. Accessed January 3, 2023. https://www​.rbc​.ru​/rbcfreenews​/621​89ec​39a7​9479​ 35087336c​?from​=materials​_on​_subject. Realnoe Vremya. 2022. Many websites including Kremlin, RIA news, and others became very slow. February 23. Accessed January 3, 2023. https://realnoevremya​ .ru​/news​/242311​-v​-rabote​-saytov​-kremlya​-i​-agentstva​-ria​-novosti​-proizoshli​-sboi. Ren TV. 2022. Sberbank denied the hacking of the bank by Anonymous. May 18. Accessed December 25, 2022. https://ren​.tv​/news​/v​-rossii​/976717​-v​-sbere​-oprovergli​-informatsiiu​-o​-vzlome​-banka​-khakerami​-anonymous. Ren.Tv. 2022. Peskov: Attacks on the Kremlin's website are continuous. February 26. Accessed February 26, 2023. https://ren​.tv​/news​/v​-rossii​/944423​-peskov​-ataki​-na​ -sait​-kremlia​-idut​-postoianno. RFERL. 2020. Russian hacker group ‘fancy bear’ accused of cyberattack on Norwegian Parliament. December 8. Accessed 2 February 2023. https://www​.rferl​.org​ /a​/russian​-hacker​-group​-fancy​-bear​-accused​-of​-cyberattack​-on​-norwegian​-parliament​/30990725​.html. RIA News. 2022. Our websites are under DDoS attacks. February 26. Accessed January 4, 2023. https://t.me/rian_ru/149067. ———. 2022. The hacker explains how he attacked Delta. November 1. Accessed Novemebr 7, 2022. https://ria​.ru​/20221101​/vzlom​-1828420857​.html. RIA News. 2022. Russian embassy denies Russian involvement in cyberattacks against Ukraine. February 19. Accessed January 2, 2023. https://ria​.ru​/20220219​/ kiberataki​-1773717034​.html. ———. 2021. The number of users of the state services portal has grown to 56 million people. May 12. Accessed January 4, 2023. https://ria​.ru​/20210512​/gosuslugi​ -1732000791​.html. Rogozin, D. 2022. It is fake! March 2. Accessed January 6, 2023. https://twitter​.com​/ Rogozin​/status​/1498903566135832577​?s​=20​&t​=eiII9​_RnjQk53Xic2lxIDA. ———. 2022. Roscosmos operates in a normal way. March 2. Accessed January 12, 2023. https://t.me/rogozin_do/1793. Romanova, T. 2022. Wildberries resumes its operation. March 19. Accessed November 21, 2022. https://www​.forbes​.ru​/biznes​/459557​-kiberataka​-ili​-insajder​-pocemu​ -proizosel​-sboj​-v​-rabote​-wildberries. RT. 2016. Our website was attacked by cybercriminals. August 9. Accessed January 3, 2023. https://russian​.rt​.com​/article​/315963​-cait​-rt​-podvergsya​-massirovanoi​ -ddos​-atake​?ysclid​=lekszgr5mi764230647.

46

Chapter 1

———. 2022. Ongoing DDoS attacks on Russia Today. February 24. Accessed January 3, 2023. https://russian​.rt​.com​/russia​/news​/967429​-rt​-ddos​-ataka​-situaciya. ———. 2022. Russian website is under hackers’ attack. March 6. Accessed January 4, 2023. https://russian​.rt​.com​/nopolitics​/news​/972333​-ddos​-ataka​-rt​-ssha. Russia Today. 2022. The hacker told about the Delta attack. November 1. Accessed November 7, 2022. https://russian​.rt​.com​/ussr​/news​/1068755​-haker​-dzhoker​ -ukraina. Russian Postal. 2022. The recent data leak. July 29. Accessed December 12, 2022. https://t.me/napochte/323. Rutherford, M. 2009. Report: Russian mob aided cyberattacks on Georgia. August 19. Accessed February 1, 2023. https://www​.cnet​.com​/science​/report​-russian​-mob​ -aided​-cyberattacks​-on​-georgia/. Sakh Online. 2022. Sakh website survived a cyber strike and works without interruption. May 30. Accessed January 12, 2023. https://sakh​.online​/news​/18​/2022​-05​-30​ /sakh​-online​-podvergsya​-atake​-hakerov​-no​-snova​-stabilno​-rabotaet​-338689. Sakh online. 2022. Sakhalin residents cannot access State Services. February 27. Accessed January 4, 2023. https://sakh​.online​/news​/18​/2022​-02​-27​/sahalintsy​-ne​ -mogut​-zayti​-na​-gosuslugi​-prichiny​-332018. Savkin, I. 2022. Russian Post: The leak is confirmed. July 30. Accessed December 23, 2022. https://kod​.ru​/6344. Sberbank. 2022. Be careful: Fake! March 4. Accessed November 23, 2022. https://t. me/sberbank/1779. Security Media. 2022. Regional media outlets try to protect themselves from hackers. August 23. Accessed January 13, 2023. https://securitymedia​.org​/news​/v​-iyule​ -2022​-goda​-sayty​-regionalnykh​-rossiyskikh​-izdaniy​-podverglis​-ddos​-atakam​ -khaktivistov​.html. SecurityLab. 2022. Anonymous hacked several Russian TV channels. March 7. Accessed December 12, 2022. https://www​.securitylab​.ru​/news​/530466​.php. Securitylab. 2022. OldGremlin attacked Wildberries. March 15. Accessed November 21, 2022. https://www​.securitylab​.ru​/news​/530579​.php . ———. 2022. Sberbank spoke about the most powerful DDoS attack. May 19. Accessed December 2, 2022. https://www​.securitylab​.ru​/news​/531766​.php. Sergeev. 2021. The source code of “Gosuslug” was leaked to the Internet. December 27. Accessed November 11, 2022. https://kod​.ru​/sliv​-iskhodnikov​-gosuslug. Sergeev, I. 2022. The regional newspaper changed its name. March 3. Accessed January 3, 2023. https://ura​.news​/news​/1052536219. Sganga, N., and C. Hymes. 2021. U.S. recovers $2.3 million in ransom paid to Colonial Pipeline hackers. June 8. Accessed January 2, 2023. https://www​.cbsnews​ .com​/news​/colonial​-pipeline​-ransom​-payments​-hackers​-seized​-united​-states/. Shakhova, A. 2022. Hackers attacked several media platforms. February 28. Accessed January 3, 2023. https://secretmag​.ru​/news​/khakery​-vzlomali​-saity​-tass​ -kommersanta​-i​-drugikh​-rossiiskikh​-smi​-28​-02​-2022​.htm. Shipilov, A. 2022. Our TV was hacked! June 12. Accessed December 23, 2022. https://www​.facebook​.com​/100001819122230​/posts​/pfb​id03​2sBp​Ns69​ZHBE​ hmLc​kw6P​MNK1​6LMy​zJPw​cajp​FYzE​4sk8​BovA​sa34​65RF​eVTePhhbl/.

Hackers’ Attacks on Russia

47

Shome, A. 2022. Is Russia disconnecting from the global Internet? March 7. Accessed February 11, 2023. https://www​.financemagnates​.com​/fintech​/news​/is​ -russia​-disconnecting​-from​-the​-global​-internet/. Shustova, M. 2022. FSB operatives arrested REvil hackers. January 14. Accessed January 3, 2023. https://www​.gazeta​.ru​/social​/2022​/01​/14​/14419411​.shtml​?updated. Shuvainikov, P. 2022. Hackers attack the official websites of the Sevastopol authorities. February 25. Accessed January 5, 2023. https://www​.sevastopol​.kp​.ru​/online​ /news​/4644051/. Smotrim. 2022. A powerful DDoS attack on the Forum. June 18. Accessed January 11, 2023. https://smotrim​.ru​/article​/2803846​?ysclid​=lexsfzinc5509962435. ———. 2022. The company is fighting back hackers’ attack. June 12. Accessed December 24, 2022. https://t.me/smotrim_ru/9010. Sputnik Georgia. 2021. Sputnik Belarus is under a cyber attack. November 22. Accessed January 2, 2023. https://sputnik​-georgia​.ru​/20211122​/sayt​-sputnik​ -belarus​-podvergsya​-ddos​-atake​-262290197​.html. Sputnik International. 2022. Sputnik International, Czech & Polish Sputnik websites under mass DDoS attacks. February 26. Accessed January 2, 2023. https://sputniknews​.com​/20220226​/sputnik​-international​-sputnik​-czech​-republic​-face​-mass​ -ddos​-attacks​-1093400122​.html​?ysclid​=lekvseuyx502426298. Sputnik News. 2022. Hackers attack the Sputnik network. March 3. Accessed January 2, 2023. https://lv​.sputniknews​.ru​/20220303​/sayty​-sputnik​-po​-vsemu​-miru​ -podvergayutsya​-ddos​-atake​-20729275​.html. ———. 2022. Sputnik is under a cyber attack again. August 26. Accessed January 2, 2023. https://lv​.sputniknews​.ru​/20220826​/sputnik​-i​-ria​-novosti​-otrazili​-moschnuyu​-ddos​-ataku​-iz​-zarubezhnykh​-stran​-22597768​.html. SSSCIP Ukraine. 2022. Cyber front is open!February 28. Accessed November 21, 2022. https://twitter​.com​/dsszzi​/status​/1498245709031776258​?ref​_src​=twsrc​ %5Etfw​%7Ctwcamp​%5Etweetembed​%7Ctwterm​%5E1​4982​4570​9031​776258​ %7Ctwgr​%5E1​5366​a736​09da​9e59​ad6a​b11b​c110​9eae​3fe4559​%7Ctwcon​%5Es1_​ &ref​_url​=https​%3A​%2F​%2Fwww​.reuters​.com​%2Fworld​%2Feurope​%2Fukraini. St.Peterburg Prosecutor Office. 2022. Actions against the Vesna movement. September 30. Accessed January 1, 2023. https://t.me/procspb/2661. Stogova, E., and V. Gromova. 2022. In Russia, the Kremlin and other government’s websites do not work. February 26. Accessed February 5, 2023. https://www​.rbc​.ru​ /politics​/26​/02​/2022​/621​a414​a9a7​9472​a02b93cdd. Tadtaev, Georgy. 2022. Gosuslugi: Leaked data does not belong to our department. October 11. Accessed December 23, 2022. https://www​ .rbc​ .ru​ /technology​ _and​ _media​/11​/10​/2022​/634​5414​39a7​9470​e3efb1ef5. Tadviser. 2017. Sputnik: Some information about the company. Accessed January 2, 2023. https://www​.tadviser​.ru​/index​.php/​%D0​%9A​%D0​%BE​%D0​%BC​%D0​ %BF​%D0​%B0​%D0​%BD​%D0​%B8​%D1​%8F​:Sputnik_-_​%D0​%BD​%D0​%BE​ %D0​%B2​%D0​%BE​%D1​%81​%D1​%82​%D0​%BD​%D0​%BE​%D0​%B5_​%D0​%B0​ %D0​%B3​%D0​%B5​%D0​%BD​%D1​%82​%D1​%81​%D1​%82​%D0​%B2​%D0​%BE_ (%D1%80%D0%B0%D0%BD%D0%B5%D0%B5_%D0%93%D0%BE%D0%B B%D.

48

Chapter 1

———. 2022. Russia Today: About the company. Accessed January 3, 2023. https:// www​.tadviser​.ru​/index​.php/​%D0​%9A​%D0​%BE​%D0​%BC​%D0​%BF​%D0​%B0​ %D0​%BD​%D0​%B8​%D1​%8F​:RT​_TV_(Russia_Today). Tairov, R. 2022. Sberbank announced huge data leaks. June 16. Accessed December 2, 2022. https://www​.forbes​.ru​/tekhnologii​/468879​-sberbank​-zaavil​-ob​-utecke​ -dannyh​-65​-mln​-rossian​-s​-24​-fevrala. TASS. 2022. Our website does not work. February 28. Accessed January 2, 2023. https://t.me/tass_agency/114323. ———. 2022. Sberbank survived a massive DDoS strike in October 7th, 2022. October 25. Accessed December 3, 2022. https://tass​.ru​/ekonomika​/16146055. Temperton, J. 2016. Hackers were behind Ukraine power outage. February 26. Accessed January 2, 2023. https://www​.wired​.co​.uk​/article​/ukrainian​-power​-station​-cyber​-attack. The Ministry of Defence of Ukraine. 2022. MIP membership. July 12. Accessed November 6, 2022. https://www​.mil​.gov​.ua​/news​/2022​/07​/12​/ukraina​-stala​-asoczijovanim​-chlenom​-programi​-tehnologichnogo​-spivrobitnicztva​-zbrojnih​-sil​-krain​ -nato​-oleksij​-reznikov/. The Ministry of Defense of Ukraine. 2022. Russian propaganda attacks the IT system of situational awareness of the Armed Forces of Ukraine. November 1. Accessed November 6, 2022. https://www​.mil​.gov​.ua​/en​/news​/2022​/11​/01​/russian​ -propaganda​-attacks​-the​-it​-system​-of​-situational​-awareness​-of​-the​-armed​-forces ​ -of​-ukraine/. The Village. 2022. Peskov: Kremlin​.​ru works. February 24. Accessed February 5, 2023. https://www​.the​-village​.ru​/shorts​/sayty​-kremlya​-pravitelstva​-rossii​-i​-gosdumy​-ne​-otkryvayutsya. The White House. 2022. Remarks by President Biden in Press Conference. January 19. Accessed January 2, 2023. https://www​ .whitehouse​ .gov​ /briefing​ -room​ /speeches​-remarks​/2022​/01​/19​/remarks​-by​-president-​ biden​-in​-press​-conference​ -6/. ———. 2022. White House Daily Briefing. February 19. Accessed January 2, 2023. https://www​.c​-span​.org​/video/​?518044​-1​/white​-house​-officials​-reporters​-russian​ -cyberattacks​-ukraine. Tichina, Y., A. Gavrilyuk, V. Petrova, and N. Korolyov. 2022. The government is preparing measures to protect state sites from shutdown. March 6. Accessed February 11, 2023. https://www​.kommersant​.ru​/doc​/5249500. Trukhachev, S. 2022. Phishing in 2022 and what scammers used to catch their victims. December 30. Accessed January 1, 2023. https://savepearlharbor​.com/​?p​ =343364. TV Center. 2022. Our websites have serious issues. February 26. Accessed December 12, 2022. https://www​.tvc​.ru​/news​/show​/id​/234097. ———. 2022. Powerful DDoS attacks are launched on two TV center’s platforms. February 26. Accessed December 23, 2022. https://t.me/tvctvc/27352. Tvrain​.t​v. 2022. Roskomnadzor announced the slowdown of Twitter. March 10. Accessed February 1, 2023. https://tvrain​.tv​/news​/roskomnadzor​_zajavil​_o​_zamedlenii​_raboty​_twitter​-526001/.

Hackers’ Attacks on Russia

49

Tyunyaeva, M., and A. Narayeva. 2022. Russia hit by unprecedented cyberattacks. February 28. Accessed December 1, 2022. https://www​.vedomosti​.ru​/technology​/ articles​/2022​/02​/28​/911177​-rossiya​-podverglas​-kiberatakam. Tzaryov, Oleg. 2022. The Delta platform was hacked. November 1. Accessed November 11, 2022. https://vk​.com​/oleg​.tsarov​?w​=wall170184267​_241274. U.S. Department of State. 2022. Report: RT and Sputnik’s role in Russia’s disinformation and propaganda ecosystem. January 20. Accessed January 2, 2023. https:// www​.state​.gov​/report​-rt​-and​-sputniks​-role​-in​-russias​-disinformation​-and​-propaganda​-ecosystem/. Urbanska, Tatiana. 2022. Interview with Yaroslav Gonchar. October 10. Accessed October 23, 2022. https://www​.unian​.ua​/war​/aerorozvidka​-v​-ukrajini​-yak​-pracyuyut​ -operatori​-droniv​-na​-viyni​-interv​-yu​-z​-yaroslavom​-goncharom​-12010002​.html. Valagin, A. 2022. The allied forces hacked the command and control system of Ukraine. November 1. Accessed November 1, 2022. https://rg​.ru​/2022​/11​/01​/soiuznye​-sily​-vzlomali​-sistemu​-upravleniia​-vojskami​-vsu​.html. Varlamov, M. 2022. Hackers hacked Roskomnadzor and “leaked” more than 800 gigabytes of information. March 10. Accessed February 1, 2023. https://rozetked​.me​/news​/22398​-hakery​-vzlomali​-roskomnadzor​-i​-slili​-bolee​-800​-gigabayt​ -informacii. Vasyutchenko, Z. 2022. A sharp increase in the number of DDoS attacks on businesses. March 11. Accessed December 2, 2022. https://www​.banki​.ru​/news​/lenta/​ ?id​=10962630. Vedernikov, M. 2022. Media conference in the Pskov region. November 27. Accessed January 2, 2023. https://t.me/MV_007_Pskov/1743. Vesna. 2022. Occupy streets! Protest against the mobilization! September 21. Accessed October 1, 2022. https://t.me/vesna_democrat/3630. Vest. 2022. A hacker strike was prevented by our IT specialists. February 28. Accessed January 4, 2023. https://m​.vest​-news​.ru​/news​/175275​?ysclid​ =lerp5cq4jr546073407. Vesti Primorie. 2022. Two central news outlets do not work. May 20. Accessed January 2, 2023. https://t.me/vestiprimorye. Vesti. 2022. Rogozin: Roscosmos is protected. March 2. Accessed January 3, 2023. https://www​.vesti​.ru​/article​/2683841. Voanews. 2022. YouTube Blocks RT, other Russian channels from earning Ad dollars. February 26. Accessed January 2, 2023. https://www​.voanews​.com​/a​/youtube​ -blocks​-rt​-other​-russian​-channels​-from​-earning​-ad​-dollars-​/6461195​.html. Voropaeva, E. 2022. Anonymous attacked TASS, RBC, and other news agencies. February 28. Accessed January 2, 2023. https://www​.rbc​.ru​/politics​/28​/02​/2022​ /621​cae4​a9a7​9476​7075f75f1. Warwithfakes. 2022. Fake: The XII hacker group hacked Smart TV. December 19. Accessed January 1, 2023. https://xn-​-80aaenqccitej3b1b​.xn-​-p1ai​/civil​/fejk​ -gruppa​-hakerov​-xxii​-vzlomala​-servis​-smart​-tv​-v​-ulan​-udje/. Wasserman, A. 2022. NATO conducts tests on Ukrainians. November 7. Accessed November 11, 2022. https://ren​.tv​/blog​/anatolii​-vasserman​/1042905​-nato​-provodit​ -testy​-na​-ukraintsakh.

50

Chapter 1

We are KillNet. 2022. Do not listen our enemies! September 21. Accessed January 2, 2023. https://t.me/killnet_reservs/2749. ———. 2022. Utro Dagestan: A full report. September 27. Accessed January 13, 2023. https://telegra​.ph​/Kto​-ustraivaet​-besporyadki​-v​-Dagestane​-09​-27. ———. 2022. Vesna. September 21. Accessed December 2, 2022. https://t.me/ killnet_reservs/2750. ———. 2023. A survey about a mobilization. September 13. Accessed January 2, 2023. https://t.me/killnet_reservs/2636. Webber, C. 2022. U.S. offers Ukraine ‘whatever support it needs’ to recover from cyberattack. January 14. Accessed January 2, 2023. https://www​ .reuters​ .com​ / world​/europe​/us​-offers​-ukraine​-support​-needed​-recover​-cyberattack​-2022​-01​-14/. Wheeler, R. 2022. Dorries: RT must never again be allowed to broadcast poisonous propaganda in UK. March 3. Accessed January 3, 2023. https://www​.standard​.co​ .uk​/news​/uk​/nadine​-dorries​-ofcom​-culture​-secretary​-meta​-kremlin​-b985819​.html. Writer from the Center. 2022. Is mobilization coming?! September 12. Accessed January 2, 2023. https://t.me/killnet_mirror/2207. XakNet. 2022. Be careful of false mobilization chats! September 27. Accessed January 2, 2023. https://t.me/xaknet_team/373. Yasakova, E., and E. Stogova. 2022. RBC and other media sites were attacked by hackers. February 25. Accessed January 3, 2023. https://www​.rbc​.ru​/technology​ _and​_media​/25​/02​/2022​/621​8ebc​79a7​947b​fb3a3bd6d. Yoachimik, O. 2022. DDoS attack trends for 2022 Q2. July 6. Accessed January 3, 2023. https://blog​.cloudflare​.com​/ddos​-attack​-trends​-for​-2022​-q2/. ZaTelekom. 2022. Russian courts did not work anymore! March 16. Accessed January 12, 2023. https://t.me/zatelecom/21279. Zsrf​.r​u. 2022. Internet demons attacked Ministry of Construction. June 6. Accessed December 13, 2022. https://zsrf​.ru​/news​/2022​/06​/06​/internet​-demony​-napali​-na​ -minstroj.

Chapter 2

Hacker Organizations Active and Dangerous or Childish and Annoying

For Russian society, it has become an unexpected and detrimental revelation that the war in Ukraine has spilled into cyberspace and is close to reaching every local digital website, including websites for rural newspapers, farms, artisans, grocery stores, and so on. On one hand, government and private online entities have improved defenses and hired IT) specialists to repair damage and prevent hacking in the future. On the other hand, social media users have begun to detect public outlets established by hacker groups, where some of them declared a cyberwar on Russia and others loudly promised to fight on behalf of Russian society. Both hacking entities left common people scared and perplexed. Prior to the outbreak of war, there were two long-operating hacker groups—Beregini and Joker of The Donetsk People’s Republic (Joker DPR)—which worked meticulously but without making headlines. Stories about their accomplishments got lost and dwindled due to lack of public attention. Before February 24, 2022, for Russian society, Ukraine and the Donbas region were not a primary concern. The unrelenting pandemic, restrictions on Russian sports, mass school shootings in Kazan and Perm, and other events were the main themes to discuss and be concerned with. The war turned everything upside down. At this critical moment, the KillNet group, a well-known hacker brand, left the shadows of the Darknet. Fortunate timing pits the group on the top of Russian-speaking cyberspace and further, on national headlines. Frankly, timing has an incredibly potent effect, but it is not the only thing behind KillNet’s growth; the reality is more complex, and other crucial aspects facilitated its success. Commonly, hackers operate in a clandestine way without creating open channels and without a straightforward introduction as hackers. To grab public attention, the KillNet group widely declared its patriotism for Russia and 51

52

Chapter 2

its chosen side in the expanding conflict. Meanwhile, in contrast with KillNet, Beregini and Joker DPR were pro-Donbas rather than flamboyantly pro-Russian. Adapting to the idea of the ongoing bloody war, Russian society looked for clearcut allies. KillNet fits this narrative. Suddenly, common citizens who observed hackers as an inherent part of the criminal world learned the other side of hackers. They were not only criminals who targeted their bank accounts, but also people who could be patriotic and altruistic. Despite the fact that Joker DPR and Beregini did not look for financial benefits from their hacking, KillNet masterfully positioned its brand unselfishly and devoted itself to Russia. KillNet has promoted itself as a cyber fighter protecting the state on the Internet. Hence, this organization introduced a new behavioral pattern for hackers, promoting them and their activities in a positive and socially acceptable way. By the end of 2022, several other hacker organizations surfaced. Some of them joined the KillNet brand, others disappeared or worked independently. These hacker groups presented themselves as a Russian nongovernment cyber front or an army of patriotic volunteers. It should be stated that not all Russian hackers followed suit; many of them decided to relocate abroad, remain in the shadows, or stay away from unprofitable patriotic actions. This segment of the hacker community is not part of this study. This research focused on the most active and publicized hacker groups: Joker DPR, Beregini, XakNet, From Russia with Love (FRWL), NoName057(16), KillNet, Zarya, Anonymous Russia, Russian Angry Hackers did it (RaHDIt), and People’s Cyber Army. Furthermore, a summary of every hacking group is presented, including their time of creation and operation, agenda, targets, background, prominent members, members’ nicknames, social media presence, and other crucial facts about the hacking groups.

JOKER DPR As previously mentioned, the Joker DPR appeared and operated prior to the beginning of the Russian intervention in Ukraine in February 2022. The number of individuals hiding behind this name is not known. After Joker’s announcement about the hacking of the Ukrainian Delta system, the Russian IT expert, Andrey Masalovich,1 gave interviews with several Russian news sources, which asked him to clarify the situation with the Delta platform (Batman and Zakharov 2022; Radio of Russia 2022). In these interviews, Masalovich contradicted himself. Indeed, initially, he claimed that Joker DPR was a skillful individual who left Russia for the so-called Donetsk People’s Republic years ago (Batman and Zakharov 2022). Later, Andrey Masalovich changed the

Hacker Organizations

53

story, underlining that the hacker Joker DPR is a team because the complicated attack on the Delta interactive system had to be a result of teamwork rather than an individual’s efforts (Radio of Russia 2022). Therefore, it is reasonable to suspect that the Russian expert voiced his speculation about the hacker’s identity based on his own experience instead of facts. The brand name, Joker DPR, can hide a team of motivated IT professionals or a single person. In the fall of 2019, the Joker DPR channel was established on Telegram and began publishing one controversial post after another. Its activities instantly drew the attention of the Ukrainians and separatists. On November 2, 2019, Boris Rozhin2 warned his Telegram audience: The new military outlet is airing on this platform. At first glance, it looks very attractive because there are many Ukrainian leaks of information which seem believable. If this outlet works for us, everything is fine .  .  . Remember, our enemy is cunning! Among true, but useless information, the enemy can insert very dangerous misinformation. (Rozhin 2019)

The outlet creator was inspired by the famous Hollywood movie, Joker, whose face and name became symbols for the hacker’s brand. To articulate this symbolic meaning, at the end of almost every post, the author has placed ha-ha-ha, Joker’s distinctive laugh. In addition, the channels’ posts contain the following phrases: “I am an idea,” “I am the essence of Chaos,” and other phrases from the movie. Since the establishment of the Joker DPR channel in 2019, the same person has controlled the brand. This conclusion is driven by the fact that Joker’s positioning persists from the channel’s first posts on Telegram. Apparently, whoever is hiding behind this brand meticulously worked out the brand’s positioning prior to its emergence on social media; so, many initial posts with internal information leak, and authors’ introductions were prepared for a dazzling start. The preparations were not in vain. In December 2019, Joker DPR gave two interviews to Yulya Vitiazeva of the News​-Front​.i​nfo and Natalya Makeeva of the Riafan​.​ru (JokerDPR 2019; Polykazakova 2019). Joker DPR rejected Ukraine as a sovereign state, underlining that this entity does not have a future, especially with this government (JokerDPR 2019). His outstanding misanthropy was coupled with respect and admiration toward the oppositional Ukrainian politician Anatoly Anatoliyevich Shariy (Joker DPR 2019). Joker DPR argued that he and this politician have a lot in common: both are rebels against the system. In 2022, the hacker’s political preferences did not change much. Even though Anatoly Shariy aired a negative analysis about the hacking of Valery Zaluzhnyi’s Instagram, calling it a senseless action, Joker DPR provided a link to Shariy’s post and praised his intelligence and audacity (Joker DPR 2022, Shariy 2022).

54

Chapter 2

It should be emphasized that in these interviews, the hacker used symbolic Joker phrases heavily, and to shun inconvenient questions, he paraphrased the movie or invented a narrative similar to the movie storyline. For instance, when the reporter Vitiazeva asked him about his personal enemy or an individual who infuriates him, he responded: I will tell you a story. Then I worked in a circus. I liked making the public laugh. I had my own clown band. We traveled across the world . . . My team had a disagreement, which led to our split. Some clowns betrayed me and ran away . . .One of them became a president, others became deputies and generals. It hurts my mind, my soul. I wandered the world like a beaten dog. But I soon realized that I needed a goal. . . Now, revenge and hatred keep me alive. No, I am not crazy! I am totally normal. I search for my former clowns to punish them for their betrayal. They tried to kill me . . . But their hitmen began to serve me. They could not kill me because I don’t have body and blood, I’m an idea!. (Joker DPR 2019)

The channel has published many significant inner documents about the Ukrainian Army, such as weapons, and maps. The validity of the leaked information begs the question of how Joker DPR acquires it. There were some guesses which circulated on Russian TV. In 2019, the Russian anchor Yuriy Kot assumed that Joker DPR was an ethnic Russian man with military education in his 40s or 50s (Polykazakova 2019). After the dissolution of the Soviet Union, the hacker remained to serve the Ukrainian Forces; to receive this level of data, he should have a rank no lower than a lieutenant colonel (Polykazakova 2019). However, the reporter of Week Arguments, Sergey Sreda, argued that Joker DPR is a young man (around thirty years old), who has managed his chain of informants within various Ukrainian government departments (Polykazakova 2019). In the interviews, Joker DPR made an open statement about his sources: I have numerous sources, but the most interesting data is brought by my spies, who are in law enforcement agencies. Not everyone can become a spy. A spy must be an intelligent and decisive person. In law enforcement agencies, some individuals feel underestimated, which makes them easy targets to recruit. Each of them believes that their boss is unfair and treats everyone like a slave. . . . Some spies help me for ideological reasons: they do not want to serve the new government. But they are the minority. Also, some anonymous spies help me for the sake of their career ambitions. For example, someone’s deputy leaks documents to me, after the publication of which his boss receives a penalty, and the next time, this deputy himself takes the place of his boss and continues to want more. I don’t care what drives these people, for me they are a tool . . . (Joker DPR 2019)

Hacker Organizations

55

As it seems, every word in the interviews is well prepared and calculated. So, this statement can be no more than bravado and a trick to intimidate and undermine the Ukrainian Forces. With a lack of verifiable sources, it is difficult to determine whether these guesses are true. However, this hacker could be a former high-ranked officer with connections (a chain of informants), IT skills, and/or an IT team, which worked for him. Feasibly, he was dishonorably discharged or was forced to resign. As its popularity grew, the hacker team began to get plenty of messages from various people and organizations, including domestic and foreign intelligence services (Joker DPR 2019). Surprisingly, Joker DPR does not hide its professional email, and anybody can find it and directly contact the channel. According to the hacker, intelligence services ask for personal information or send false information, which once published, would ruin Joker’s reputation; they keep trying to infect the hacker’s computers with malware. Also, Ukrainian servicemen and ordinary people write emails to him, where they share their life stories and concerns (Joker DPR 2019). Shortly after the beginning of the conflict in Ukraine, the Telegram administration blocked the Joker DPR outlet. At its closure in March 2022, around 60,000 followers had joined it. Its team immediately opened a new outlet on March 25, 2022, and continued to work. Thus, since 2019, the Joker DPR group has maintained rigorous control through the brand positioning of the movie character. This is one of its surviving tactics, which helps to promote the brand and protect its team from reckless self-revealing. Even the interviews, given to two Russian media sources, were conducted with regard to this brand positioning approach. Every word was calculated. Every unwanted question was turned down. Considering this, the open and long-lasting admiration of Joker DPR to the Ukrainian oppositional figure, A. Shariy, looks like another misleading trick. BEREGINI This hacker group, claiming to be a female-run organization, named itself “Beregini.” According to Slavic mythology, Bereginya is a pagan female goddess or spirit whose main function is to protect humans from evil forces. Within public cyberspace, this group appeared in 2016 with the creation of its Twitter, YouTube, and Facebook accounts. Its initial website was on WorldPress​.co​m, but in 2017, Beregini opened a new website—bg14​.o​rg—which has been operating ever since. To introduce itself to the Ukrainian public, the team released the following statement, written in Russian: Dear Ukrainians! We are “Beregini,” the Ukrainian women hacker movement. We stand for peace in Ukraine, we are against this war. Oligarchs push our

56

Chapter 2

country to collapse, disseminating chaos and devastation. Poverty and hunger are common realities for every Ukrainian family. . . . From the TV screens they zombify us, describing Russia as our enemy and blaming it for waging this conflict. Meanwhile, former bandits and other criminals united into gangs and called themselves patriots. They kill, rape, and rob civilians. And behind all this horror is the president and his government, the Ministry of Internal Affairs, the Security Service, and the Ministry of Defense. The bloodsuckers came to power. (Beregini Group 2016)

This message revealed the sorrow and frustration which took over the Beregini members, who love their homeland Ukraine but are not ready to accept the government and its actions. This disagreement inspired the women to unite and create the group. Worth noting is that Beregini hackers repeatedly underlined that the Maidan and gloomy events in Odessa and the Donbas region gave them the idea that something really wrong happened to their state, and they must help the Ukrainians (Fedotova 2022). The deeper the female hackers penetrate the government’s secrets and learn about the 72nd Centre of Information and Psychological Operations, the more light the group can shed on this department—its information manipulation, information operations, and its methods to influence minds (Fedotova 2022). As mentioned earlier, this hacker group has promoted itself as a female entity. In an interview for the MK​.​ru newspaper, a Beregini representative confirmed that its core team exclusively contained women with IT degrees (Fedotova 2022). However, the Beregini team currently includes male members too. They helped Beregini occasionally, and further, decided to join. This group embraces not only IT professionals, but other professionals such as translators, social media admins, journalists, and others, who are mainly volunteers. A representative mentioned a female volunteer (“Cinderella” is her nickname) from the Russian Federation who translated leaked information from Russian to English (Fedotova 2022). In February 2022, a woman who introduced herself as one of the leaders of the group, Olga Vatslavskaya, gave an interview to a Russian newspaper (Rozanov 2022). According to her, she lives in a European country, but her homeland is Ukraine, and she insisted she was a native Rusyn3. The information about this woman did not surface on the Beregini Telegram channel and website. This article could be a fake story invented by the anchor. Interestingly, the IT expert Masalovich took the information about Olga Vatslavskaya for granted in his video about Beregini. Also, he pointed out a certain set of characteristics—the way the group conducted its operations, precision, and other virtual features, which indicated the female essence of this group (Masalovich 2022).

Hacker Organizations

57

XAKNET In contrast with other presented groups, XakNet is the oldest and most sophisticated group of enthusiasts, whose members conducted attacks during the Georgian war of 2008 (Russian OSTIN 2022). On Telegram, its public channel appeared with a claim about a successful attack on the Ukrainian president’s website (President​.gov​​.ua) on March 1, 2022 (XakNet Team 2022). Furthermore, for open communication, the group created a special email for its followers. XakNet did not initially articulate its goals and values, so followers began to contact the hackers looking for professional, but sometimes illegal, services. To clarify its agenda and motivation, XakNet declared that the team did not provide commercial services such as hacking personal accounts on social media platforms, financial fraud, and/or other financially motivated hacking services (XakNet Team 2022). In its statement, the group underlined that they weren’t pursuing any financial gain: “We are not a commercial enterprise. We do not collect donations. We do not sell any service, and we do not look for jobs. We do not work for the Russian intelligence service or any other government department” (XakNet Team 2022). Instead, the group tried to persuade people that its hackers were trying to help their homeland and protect its citizens (XakNet Team 2022). Among these statements, the XakNet group directly expressed its reasonable doubts and bitterness, which reveals the group members’ significant experience and intelligence. Its main concern is its legal relationship with the Russian government. According to the group, after the outbreak of the war, many Russian IT specialists decided not to look for a better life abroad. Some of them became a part of the ongoing cyberwar during their off time. Even though Russia is in a cyberwar, they still have to clandestinely launch cyberattacks on their adversaries; the hackers are terrified by possible legal consequences from the Russian authorities, and as a result, only a few hacker groups work openly (XakNet Team 2022). For XakNet, the Russian authorities committed a big mistake by detaining members of the hacker group, REvil, in 2021 and 2022: the REvil hackers targeted foreign objects and never ever worked within the Russian Federation (XakNet Team 2022). So, according to XakNet’s logic, these hackers did not break any Russian laws and should not be prosecuted. The hackers warned the Russian authorities that extradition of Russian hackers for crimes committed outside of the homeland would undermine the cooperation and trust within the IT community for the Russian government (XakNet Team 2022). XakNet asked the government to negotiate the difficult situation with IT specialists: We do not call for their release (REvil members). We demand that you scrutinize this problem meticulously and work out effective policy in this regard . . .

58

Chapter 2

We are guided solely by our “understanding” of this world and convey our point of view as specialists . . . (XakNet Team 2022)

Following the hackers’ “tradition,” the group did not disclose information about its members. Nonetheless, the XakNet member who gave an interview with the Russian channel “Russian OSTIN” mentioned that all its members were Russian citizens with various religious affiliations. Also, he stressed that none of its members were conscripted or served in the Russian Military Forces. Apparently, XakNet embraces individuals in their 40s with a college IT education, who at the current moment have a regular job and are financially stable. Thus, XakNet IT professionals with bright perspectives and career growth joined the current cyberwar, driven by their patriotism and compassion for their people. They fear punishment from the government, which had not developed substantial cyber power and let the cyberwar be in the hands of private hacker groups. XakNet is actively looking for a dialogue or connections within the governmental sector to be an official entity. In November 2022, the deputy of the State Duma, Dmitry Gusev, contacted the team to discuss its activities and status. Gusev has the political will and power to advance and enhance the situation with the domestic hacker activists. Nevertheless, it is difficult to predict the further development of this “state-hacker” dialogue. KILLNET AND ITS AFFILIATES KillNet started as a group of enthusiasts which included at least six IT specialists; they were known under the following nicknames on Telegram: Xeshi, Rati, KillMilk, Alpham65, and BTK. The nickname of the sixth member remained unidentified. Later, every group member built their own unit to conduct cyberattacks. The hacker brand KillNet remained under the control of KillMilk, who made a decision to leave the group in July 2022. In his final statement, KillMilk wrote: “For my country, I am going to get engaged in something very dangerous for my KillNet team. So, I decided to leave the KillNet group for its safety. However, I will help KillNet in the future. Nothing will be different!” (We are KillNet 2022). KillMilk was replaced by an individual with the nickname BlackSide, who presented himself as a hacker and the owner of a forum on Darknet (We are KillNet 2022). According to KillNet’s official outlet, the new leader BlackSide specialized in ransomware and crypto phishing, targeting U.S. and European crypto resources. The KillNet group introduced itself to the Russian-speaking audience at the end of January 2022. On Telegram and YouTube, its team created public accounts and uploaded a video advertisement. As shown in the video, initially, its founders planned the new brand as a business which would provide

Hacker Organizations

59

tools for hacker attacks. Allegedly, customers would be able to pick a plan in accordance with their goals on the KillNet website, which would go live in February. The main business would go through the website, but customer service would work via a chain of private and public Telegram channels. Apparently, the KillNet team began to develop its website long before the announcement of its creation. During February 2022, rare posts about KillNet’s development appeared on its Telegram channel, keeping up public interest for the new enterprise (Galeev 2022). Eventually, the KillNet website was launched on February 22. In two days, the global situation began changing at an unprecedented pace: the Russian Armed Forces entered Ukraine. In light of the political circumstances, the KillNet founders altered their initial goals, converting their commercial enterprise into a politically motivated group and later, movement. According to its admins, it embraced up to 4,500 people in April 2022 (Galeev 2022). Six months after the appearance of KillNet, this group consisted of fourteen groups such as Anonymous Russia, Zarya, Legion, A Writer from a Center, RadiS, Bear.IT.Army, Mirai, Russian Hackers Team, and others. In a statement issued on September 29, 2022, the KillNet team declared: “KillNet is not a group anymore! Now, KillNet is a new global hacker religion which protects the interests of the Russian Federation!” (We are KillNet 2022). It is important to underline that for many hacker groups, gathering under the KillNet umbrella and affiliating with that brand made it easier to advance their group and expand their crowd. It should be noted that KillNet embraced two types of teams. The first category refers to the groups which were created within KillNet and, later, which began to work independently. The second category includes the entities which were created and active sometime before joining the KillNet group. As stated previously, there were six IT specialists in the KillNet brand team. To widen KillNet’s structure, they began to create new units, which focused on separate sets. Although Xeshi became the creator of the new unit Zarya, the individual with the “Rati” nickname established Anonymous Russia, and KillMilk set up a Legion subdivision. As time went on, Zarya began to articulate its independent status. In contrast with Zarya, the group called Anonymous, which appeared as a separate entity, tried to emphasize its affiliation with KillNet. Anonymous Russia and Zarya Since February 24, 2022, there has been a serious increase in the number of hacker groups which are eager for publicity and recognition. Anonymous Russia became one of them. To laudably announce its appearance, the group breached the well-known Ukrainian corporation Roshen (Roshen​.c​om) and

60

Chapter 2

claimed it on its brand-new Telegram account (Anonymous Russia 2022). However, this attack was not confirmed by other sources. Apparently, if there was a breach, it was a low-level distributed denial-of-service (DDoS) attack which only lasted for a short time. For this new hacker entity, its creators or creator simply copycatted the famous group Anonymous, which was established in 2003. Using its brand name and its symbols, this pro-Russian group introduced itself as an Anonymous Russian branch: Hi, world! We are Anonymous. We are hackers, attackers, spies, provokers, or common neighborhood guys. Anonymous is an idea. Anonymous is not an organization, club, or party. We do not have a centralized hierarchy. So, it does not have a leader. Also, Anonymous does not have a center for work coordination. We embrace young and old members from various states. We are everywhere . . . Join our movement. Be a part of Anonymous. (Anonymous Russia 2022)

At the end of this statement, the motto of the old Anonymous group was added: “We are anonymous. We are legion. We do not forgive. We do not forget. Expect us.” Given the political circumstances, this hacker group declared that many Anonymous members around the world who do not support Russia and its military activities in Ukraine are defectors and government agents (Anonymous Russia 2022). These false Anonymous members spread quarrels and undermined the group’s unity and agenda. According to Anonymous Russia, the branches of Anonymous from Germany, Hungary, Switzerland, and Austria supported the Russian government (Anonymous Russia 2022). Since the establishment of its Telegram outlet, Anonymous Russia claimed various attacks against Ukrainian, Polish, Kazakh, and other digital entities. Its attack on the Russian Vk​.c​om was presented as a fight for freedom of speech in July and September 2022. Although the cyber aggression against Vkontakte was effective, Anonymous decided to try its skills on Tik-Tok. Its “proud” announcement declared that the Anonymous group shut down Tik-Tok for one to three minutes (Anonymous Russia 2022). Interestingly, in its first month of operation, the group attacked Belarussian websites such as a domestic shoe store chain (belwest​.​by), the federal department of education (edu​.gov​​.by), and a taxi service (taximaxim​ .​by). Some Belarussian entities were shut down because the Anonymous team was practicing how to use its hacking software, while other websites became targets for personal reasons. For instance, a city sanitation department, located in Gomel, Belarus, was shut down because the Anonymous hackers did not get hot water in their apartments (Anonymous Russia 2022). In another example, one of the anonymous hackers was almost hit

Hacker Organizations

61

by a car from a local car service while crossing the street. The infuriated hacker decided to punish the service with a DDoS attack (Anonymous Russia 2022). In total, at least thirty-six Belarussian websites became victims of Anonymous from July to August 2022, but the group stopped attacking Belarussian entities in the fall of 2022. The fact that the majority of them were in Gomel means that a few members of this group were residents of Gomel, Belarus. To conduct its actions, Anonymous Russia teamed up with various hacker groups such as NBP Hackers, DeaDNET, and others. Some of these connections were short-lived and the teams split via mutual announcements on Telegram accounts. However, on July 23, 2022, Anonymous Russia proclaimed close ties with KillNet, and this collaboration seems to be long-lasting and mutually beneficial. Trying to improve its financial situation, in November, Anonymous Russia declared its cooperation with a hacker group named Zero Day, which provided DDoS services (Zero Day 2022). An individual with IT skills, and the cofounder of the KillNet brand who was hiding under the nickname “Xeshi” established the Zarya unit, which further was transformed into its own group. During the summer of 2022, Xeshi gathered his own group of hackers, who previously were Zarya followers. The new members were selected in accordance with their IT skills because the Zarya team went further than simple DDoS strikes. Targeting mainly Ukrainian resources, sometimes the group launched attacks on other countries. In its mission statement, the Zarya group underlined its primary target—government facilities related to military and intelligence services. “We do not hamper crucial social services such as medical, fire, and police departments. We do not publish personal data of citizens, and we do not steal money from charity organizations,” Zarya continued (Zarya 2022). To reinstate Zarya’s independent status in the eyes of the Telegram crowd, Zarya’s leadership did not widely publicize their cooperation with KillNet. Nevertheless, it honorably promoted its teamwork with XakNet and Beregini, which added value to the young, unknown brand. Distancing itself from KillNet and promoting its hacker brand, the Zarya admins created a discernible logo for its Telegram channel. In addition, the Zarya hackers have kept its content thread organic, avoiding reposting KillNet’s material or mentioning it at all. Another vital step in brand building was made on November 30, 2022, with the launching of the Zarya website. Designing this website, the group stayed consistent with Zarya’s symbols and color palette. KillNet was started as a group of enthusiasts. However, with the growth of the “KillNet” brand, newcomers and less successful hacker groups joined it and operated under its umbrella.

62

Chapter 2

FRWL AND NONAME057(16) The group NoName057(16) announced its appearance via Telegram, where its members established an outlet on March 11, 2022. In its opening statement, NoName057(16) introduced itself as a hackers’ unit and warriors against modern neo-Nazis. Furthermore, their statement declares: Neo-fascists who seized power in Ukraine are trying to attack Russian cyberspace and intimidate our citizens .  .  . In response to their miserable attempts, we have launched massive attacks on dire propaganda resources, which spread false information about Russia’s special operation in Ukraine . . . We conducted several successful attacks on Ukrainian sources . . . And this is just the beginning. (NoName057(16) 2022)

The hacker group established and managed its outlets, which serve different goals. The main Telegram outlet reports NoName057(16)’s activities in cyberspace. It created a chat in August 2022. However, by November 2022, the chat attracted only about 110 members. Its activity seems to have slowed down; people are in and out of the chat. The chat admins do not communicate with participants, and only simply make reposts from the main NoName057(16) outlet. Obviously, chat visitors expect live conversation and new information, but NoName057(16) does not meet users’ expectations. Hence, the chat is losing members. For convenience, the hackers provide their Proton email in the description of the outlet. Apparently, NoName057(16) has received many emails from fans, reporters, concerned individuals, and adversaries. Nevertheless, the hackers have never responded, posted, or made citations from their email communication. This Proton email is used for so-called official correspondence, but for work (for instance, for sending ominous emails to Ukrainian media sources) the group uses a set of emails opened through Mail​.r​u. In addition, this organization has run another channel “DDosia Project,” which launched at the end of July 2022. According to their introductory message, the NoName057(16) hackers planned to use this space to gather like-minded people here, who were ready to learn how to work with NoName057(16)’s unique software. This software was created for conducting collective DDoS attacks. For novices, the hackers provided detailed guidance. In contrast with the chat, this “Project” has very active and supportive admins, who keep an eye on ongoing communication and respond to participants. Another hacker group opened its Telegram account under the name “From Russia with love” or FRWL on June 11, 2022. However, its members conducted attacks on Ukrainian online entities prior to the emergence of its official outlet. Indeed, at the beginning of May 2022, news Telegram channels

Hacker Organizations

63

spread information about a cyberattack on the Kharkov tank plant. It is not known if this attack was its first action. In June, the group’s official emergence was celebrated with the attack on a Ukrainian facility located in Lvov. In its introductory note, the FRWL hackers emphasized that the team had monitored the war in Ukraine since its beginning, as well as the ongoing cyber battle against the Russian Federation (FRWL 2022). FRWL stressed its close ties with KillNet, XakNet, Beregini, RaHDIt, and other groups, whose successful activities became inspirational and motivational. In fact, this hacker group conducted its attacks before the establishment of its Telegram account, and it promised to do them again. Airing this public note, the group entered a new field: it needed to create multimedia visuals for its actions, discursive communication with followers, and safely run the FRWL social media brand. The FRWL and NoName057(16) founders followed the steps of XakNet, KillNet, and other groups which conducted a chain of attacks. There is not much known about their members. However, they share and promote their political views, which are reminiscent of the KillNet group. Answering questions delivered to its support outlet, FRWL mentioned that its team operated previously and hacked under a different name. This caused government agents to look for this group to determine what attacks it carried out (FRWL 2022). The hackers did not clarify if their pursuers were foreign or domestic.

RAHDIT OR RUSSIAN ANGRY HACKERS DID IT The creators or creators of RaHDIt hid behind this short name with the following showy meaning: “Russian angry hackers did it.” The RaHDIt group had apparently operated before February 24, 2022. In an interview with the Radio of Russia, the group representative described RaHDIt as a community of like-minded IT professionals who have known each other for a long period of time and maintain a high level of ingroup trust (Radio of Russia 2022). In contrast with other hacker groups, the RaHDIt group did not hire new members via the Internet or any other sources. To prevent the penetration of spies, RaHDIt has run as a closed IT club. Undoubtedly, the hackers completely realize the essence of their activities, the legal consequences, and the high attention to their group from foreign and domestic agents. According to the suggestion of the IT Reserve partner and IT specialist Pavel Miasoedov, the RaHDIt group is a group of “white hat” or ethical hackers, who apparently work for ethical hacker services in Russia (Radio of Russia 2022). There are plenty of such companies that tested the vulnerabilities and weaknesses of digital systems. Many businessmen have no doubts that they and their companies are a common target for hackers, and they hire ethical hacker services to test their systems from the outside. Perhaps Pavel

64

Chapter 2

Miasoedov’s guess is correct, given the fact that ethical hackers acquire and have enhanced the same skills as other hackers, but they work legally and report their activities. RaHDIt appears to be motivated and well-organized, so the group introduced itself via the establishment of the Nemediza (Nemesis) website along with a corresponding Telegram account. On these entities, the RaHDIt members have aired personal information about Ukrainian soldiers, which range from credit card numbers and military units to home addresses and family pictures. Indispensable information for the hackers has been posted on Open and Dark Web sources. As RaHDIt reported, in March 2022, its hackers had access to more than 700 Ukrainian governmental websites, whose data was either partially or fully downloaded. Sometimes, the group asked its followers to send tips about individuals. Thus, this group is not “omnivorous”; it has pursued a particular objective and has used various methods to reach it. Moreover, RaHDIt is not financially motivated; any information they collect from their hacks is usually aired on free and public RaHDIt sources. Besides the project “Nemesis,” very little is known about the activities and members of this group. Nonetheless, its members unquestionably conducted hacking attacks on Ukrainian digital entities, but it is difficult to ascertain if they launched cyber extortions on European Union and American websites. Worth noting is the fact that their claims about cyber strikes on Ukrainian, European, and U.S. sites were nonexistent.

PEOPLE’S CYBER ARMY The group People’s Cyber Army entered the cyberwar on March 2, 2022. In the outlet’s description, its team introduced itself as “a group of Russian patriots who care about their homeland” and wants to protect its citizens from dangerous outside agents (People Cyber Army 2022). From its beginning, the hackers planned to rely on the public. Perhaps, to launch effective attacks, it did not have the capacity on its own. Trying to attract as many people as possible, the team members developed a major document, which would help anybody without special IT knowledge and equipment to participate in the group’s coordinated attacks. Apparently, it was drafted before People’s Cyber Army went public and established its Telegram outlet. The DDoS guidance included a detailed explanation about how to conduct this type of attack from a browser and cell phone (People Cyber Army 2022). Able to effectively utilize group work, on March 5, 2022, the group informed its followers that the collective DDoS actions would last at least 1.5 to 2 hours and asked them to follow a schedule for collective actions.

Hacker Organizations

65

A week after the creation of its Telegram channel, the unexpected growth of new members forced the People’s Cyber Army team to develop a new inner group structure, which would embrace five following subdivisions: a general chat, attack coordination, pentesters, a creative team, and webdevelopers (People Cyber Army 2022). Every subdivision served its own goals. For instance, the general chat was a place for “peaceful and productive communication.” Also, the group founders urged participants to place potential targets here. The chat was open to the public, and anybody could follow the link and join it. On the other side, other subdivisions were closed entities, and to become one of their members, an individual should contact their commanders and ask for permission (People Cyber Army 2022). Since its first day on Telegram, the People’s Cyber Army became a target for pro-Ukrainian users, who heavily disliked its posts and continuously sent and posted pro-Ukrainian messages in the chat. The restructure of the hacker organization was provoked by their activities. To curtail the activities of the pro-Ukrainian members, the group’s creators began to moderate the chat’s content and sorted out the group’s followers, banning the most active individuals. However, all these precautions were useless, and the group abandoned its first outlet, operating on a new one starting April 1, 2022. This group is highly organized, consistently targeting from one to three digital entities per day. Prior to an attack, its team learned about its target’s technical and ideological perspectives. These hacker organizations were the frontrunners of the pro-Russian hacker movement, which began to take shape after February 24, 2022. Curious and inspired followers joined their outlets and discussed hackers’ successful attacks within the Russian cyberspace. Putting aside their origin and ties with the government, these groups learned to communicate with their audience and cooperate with each other. During the first four months of the war, the most vigorous hacker leaders came up with the idea of creating a so-called hacker alliance or cyber army. However, in the middle of the summer of 2022, the hackers abandoned this idea completely, because further discussions after the idea was first suggested were few and far between, and any discussions they did have lacked their initial exuberance. Apparently, the groups realized the alliance’s fecklessness. Embracing old and new groups, the hacker movement developed and continues to operate, but is driven by multiple separate groups who cooperate and communicate with each other rather than working under one umbrella. Underlining the pro-Russian stance, two older entities—Beregini and Joker DPR—stand out from this “movement.” For them, this cyberwar began several years before the war on the ground. Being Ukrainian groups, their primary concern is Ukraine and its people, even though the hackers observed Ukraine as being a part of the Russian Federation.

66

Chapter 2

NOTES 1. Andrey Masalovich is a Russian cybersecurity expert and founder of the popular Russian YouTube channel, Cyber Grandfather. He is a frequent visitor of TV and radio shows. 2. Boris A. Rozhin is a reporter and blogger, who has established and has run the renowned news brand, “Colonel Cassad.” In 2015, his name appeared on the Ukrainian website Myrotvorets (Peacemaker). 3. Rusyns are a minority ethnic group residing in Ukraine, Hungary, and some other European states. Some of them are Catholics; others are Orthodox Christians.

REFERENCES Anonymous Russia. 2022. Anonymous is not against Russia. July 18. Accessed November 27, 2022. https://t.me/anon_by/74. ———. 2022. Gomel sanitation department. July 10. Accessed January 1, 2023. https://t.me/anon_by/4. ———. 2022. Maxim car service. July 23. Accessed January 1, 2023. https://t.me/ anon_by/153. ———. 2022. We are Anomymous! July 13. Accessed November 24, 2022. https://t. me/anon_by/30. ———. 2022. We attacked Tik-Tok. July 12. Accessed January 1, 2023. https://t.me/ anon_by/10. ———. 2022. We hacked Roshen. July 10. Accessed November 27, 2022. https://t. me/anon_by/3. Batman, Olga, and Dmitry Zakharov. 2022. IzoLenta Stream with Masalovich. November 1. Accessed November 3, 2022. https://vk​ .com​ /video​ -211429367​ _456241113​?list​=7b404b14a12e49f7a8. Beregini Group. 2016. About us. September 2. Accessed November 20, 2022. https:// beregini​.wordpress​.com​/about/. Fedotova, Darya. 2022. Beregini knows Zelensky’s secret. November 4. Accessed November 19, 2022. https://www​.mk​.ru​/politics​/2022​/11​/04​/khakerskaya​-gruppa​ -beregini​-rasskazala​-o​-pikantnom​-kompromate​-na​-zelenskogo​.html. FRWL. 2022. FRWL’s introductory message. June 11. Accessed November 22, 2022. https://t.me/frwl_team/3. ———. 2022. Questions from our followers. August 17. Accessed December 22, 2022. https://t.me/frwl_team/249. Galeev, Artur. 2022. Lenta. April 15. Accessed June 12, 2022. https://lenta​.ru​/articles​ /2022​/04​/15​/killnet/. Joker DPR. 2022. Shariy’ s video about the breach of Zaluzhnyi’s Instagram account. November 6. Accessed November 20, 2022. https://t.me/JokerDPR/241. Joker DPR, interview by Yulya Vitiazeva. 2019. The interview with Joker DPR News Front (December 15). https://news​-front​.info​/2019​/12​/15​/eksklyuzivnoe​-intervyu​ -news​-front​-s​-dzhokerom​-dnr/.

Hacker Organizations

67

Masalovich, A. 2022. Story of the female hacker group, Beregini. June 30. Accessed November 20, 2022. https://www​.youtube​.com​/watch​?v​=Hz7QrymOlYk. NoName057(16). 2022. Our mission statement. March 11. Accessed November 23, 2022. https://t.me/noname05716/3. People Cyber Army. 2022. Our statement. March 2. Accessed December 3, 2022. https://t.me/CyberArmyofRussia/3. ———. 2022. A DDoS guide for everybody. March 2. Accessed December 3, 2022. https://telegra​.ph​/Kompleksnaya​-instrukciya​-dlya​-provedeniya​-DDoS-​-atak​-03​ -11. ———. 2022. A new structure for our group. March 9. Accessed December 3, 2022. https://telegra​.ph​/Narodnaya​-CyberArmiya​-03​-09. Polykazakova, T. 2019. Who is Joker DPR? December. Accessed November 18, 2022. https://tvzvezda​.ru​/news​/201912121648​-KkhyQ​.html. Radio of Russia. 2022. Signals of the exact time. November 3. Accessed November 15, 2022. https://smotrim​.ru​/article​/3024572. ———. 2022. The interview with RaHDIt hacker. June 6. Accessed November 24, 2022. Rozanov, V. 2022. A hacker from the Beregini group disclosed the SBU plans about Russia. February 24. Accessed November 19, 2022. https://zavtra​ .ru​ / blogs​/haker​_gruppi​_beregini​_rasskazala​_o​_planah​_sbu​_po​_razvalu​_rossii​?ysclid​ =laq1fxs1p0128910584. Rozhin, Boris. 2019. New military channel appeared. November 2. https://t.me/ vityzeva/3789. Russian OSTIN. 2022. “Interview with pro-Russian hackers from XakNet.” Interview with XakNet. June 26. https://telegra​.ph​/Intervyu​-s​-XakNet​-Team​-06​-26. Shariy, Anatoly. 2022. Zaluzhnyi got a serious hit. November 6. Accessed November 19, 2022. https://www​.youtube​.com​/watch​?v​=F6uKWVo5H0w. We are KillNet. 2022. 14 groups joined KillNet. September 29. Accessed December 25, 2022. https://t.me/killnet_reservs/2900. ———. 2022. KillMIlk: I am leaving KillNet. July 28. Accessed December 30, 2022. https://t.me/killnet_reservs/2208. ———. 2022. KillMilk is leaving KillNet. July 28. Accessed December 30, 2022. https://t.me/killnet_reservs/2209. XakNet Team. 2022. Attack on the President​.gov​.​ua. March 1. Accessed November 24, 2022. https://t.me/xaknet_team/2. ———. 2022. Our warning. March 15. Accessed May 1, 2022. t.me/xaknet_team/86. ———. 2022. XakNet service statement. March 12. Accessed November 24, 2022. https://t.me/xaknet_team/64. ———. 2022. XakNet statement. March 28. Accessed March 30, 2022. https://telegra​ .ph​/Do​-novyh​-vstrech​-03​-28. Zarya. 2022. About us. November 30. Accessed January 13, 2023. https://zarya​.akur​ .group​/about​.html. Zero Day. 2022. We are a part of Anonymous Russia. November 22. Accessed December 23, 2022. https://t.me/Anon_ZeroDay/6.

Chapter 3

Russian Hackers Social Media Presence and Brand Building

RUSSIAN HACKERS CHOOSE TELEGRAM The realm of social media includes a countless number of platforms, a large array of methods to engage, and plenty of styles for every entity. Social media users need to figure out which platforms are the most useful according to their preferences and goals. When looking for networks, outlet administrators usually try to discover their potential subscribers by looking at how they spend their time online. For example, administrators watch to see if subscribers are learning new skills or reading the news. Before producing content and responding to comments, an outlet team or an owner should learn not only about their potential audience but also about their main competitors and relevant approachable influencers. These instructions are very general, feasible, and applicable with some reasonable exceptions even for hackers. However, politics changed most, if not the entire way people interact with social media. The beginning of the Ukrainian war and the implemented restrictions on social media usage predetermined the choice of social media platforms for hackers. Shortly after the outbreak of the war, a battle between U.S. tech corporations and the Russian government broke out. On February 25, 2022, to prevent an influx of disinformation, Twitter halted advertisements in Russia and Ukraine and confined suggestions from particular accounts. Although YouTube has labeled videos from Russian state-backed outlets as state funding since 2018, the Twitter administration announced the implementation of similar labels for Russian entities on February 28, 2022 (Roth 2022). On the same day, Meta turned down many Russian propagandist outlets, including Sputnik and Russia Today (RT). The president of global affairs at Meta, Nick Clegg, tweeted that gave requests “from a number of Governments and the 69

70

Chapter 3

EU” the company would limit access to “RT and Sputnik across the EU at this time.” (Clegg 2022) In response to the ongoing war, Google altered YouTube’s monetization for Russian Federation state-funded media channels, preventing these channels from earning money (Google Support 2022). On March 1, Google’s official account on Twitter for Europe announced the closure of two Russian news platforms—Russia Today and Sputnik (Vincent 2022). Prior to the invasion, the Russian authorities had complex relationships with tech companies. After February 24, the situation got worse. On the second day of the war, the Communication agency, Roskomnadzor, announced Internet limiting restrictions on Meta Platforms, Inc., and later, it eventually blocked access to Facebook within the Russian Federation altogether. Accusing the corporation of infringing Russian laws, Roskomnadzor cited 26 records about discrimination of Russian media resources on Facebook occurring during the period from October 2020 to March 2022 (Roskomnadzor 2022). In March, similar restrictions were applied on major social media platforms around the globe as the Russian authorities increasingly accused these platforms of inciting violence against Russian citizens (Habr 2022; Roskomnadzor 2022). In light of this unfolding conflict between the government and tech corporations, Telegram was observed as a safe haven for Russian audiences. Thus, pro-Russian hackers largely moved to this messaging app, which was established in 2013 by the Durov brothers. Despite the efforts of the Russian authorities to channel Russian social media users to Vkontakte and Ok​.r​u, Telegram won this competition, rising as one of the most popular platforms. Here, hackers met their audience, which was also looking for a stable social media realm. Meanwhile, for many Russian citizens, who were looking for information about the war, Telegram began to play a significant role. This is not surprising, but predictable and expected: according to a 2021 survey, where 77% of respondents were Russian and Belarusian Telegram users, 75% of users learned fresh news from Telegram (Melkadze 2021). In 2022, this tendency continued to increase as the Telegram crowd jumped by 40%, from 500 million monthly users in April 2022 to 700 million in November 2022 (Ceci 2022). Domestic statistics gathered via the MegaFon company, one of the largest mobile phone operators in Russia, indicated an analogous trend. As a company representative stated, service growth began after February 24, 2022, and during the first two weeks of March, Telegram traffic soared from 48% to 63% (Tyunyaeva 2022). Thus, in terms of its substantial user base and promising expansion, Telegram was the perfect platform for hackers and their newly born initiatives. Another factor which made Telegram very attractive for hackers was the widespread network of like-minded outlets and content uploaders. War

Russian Hackers

71

journalists Boris Rozhin, Andrey Rydenko, Aleksander Sladkov, Semen Pegov, and Evgeny Poddubny have aired their content on a daily basis. Also, there are many other news channels with a substantial follower base and a solid reputation, including Rybar, Vladimir Soloviev, Readovka, Michael Onyfrienko, and Anna-News. All these accounts are interconnected, and in terms of social media marketing can be counted as social influencers given their proven reputation, unique content, and experience. Their references to hacker outlets or their praise for successful attacks could help to reassure hacker channels’ authenticity and accumulate followers. Considering the highly questionable content of hacker entities, Telegram offers its users security and malleable censorship. Hackers have an opportunity to build bespoke channels for certain activities. On this messaging platform, they found an anonymous encrypted communication hub to send and receive messages to each other and the public as well as upload sizable files of information. Telegram censorship is not as rigorous as other social media platforms. Usually, if accounts anticipate a closure, they create a reserve entity with a similar name, and it works well enough to bypass Telegram censorship and keep its customer base. At that time, to build a hacker brand, Telegram was the perfect social media platform. Indisputably, for hackers, social media options were limited due to political circumstances. Russian users found themselves in a common and difficult position when their own government and tech giants mutually reduced people’s informational space and communication abilities on the Internet. On Telegram, which has become a benign realm for Russian netizens, the hackers met each other. Both found it to be a network of so-called influencers who embraced the new crowd and helped the hackers keep up with the latest trends and hot news topics. Security and the convenience of the platform were a pleasant but expected bonus. It would be unfair to forget to mention hackers’ efforts to widen their brand over other social media platforms. To this point, XakNet successfully established its page on Twitter, but to build and sustain its presence there turned out to be an impossible feat. It was opened in June 2022, and soon its crowd grew to around 500 followers. In August, the Twitter administration blocked it due to multiple complaints and Twitter rule violations. On Telegram, XakNet blamed the Anonymous group, which allegedly encouraged its supporters to complain in droves on the XakNet Twitter page. The KillNet group tried to advance its Twitter account during the summer of 2022. Nonetheless, its account was banned shortly after its establishment. In addition, the KillNet team managed a Vkontakte account. This account became supplementary, apparently because it had not gathered as large a crowd as the team had attracted on Telegram. This short and ineffectual experience just articulated the multiple benefits of heavy reliance on Telegram.

72

Chapter 3

To conclude, modern digital marketing is highly segmented and consists of diverse entities—websites, blogs, and social media platforms. Brands which tried to advance themselves had to elaborate an effective marketing strategy in accordance with the vital features of a chosen digital segment. From the pro-Russian hacker vista, their social media space was narrowed down to Telegram. Within this segment, their teams could develop and implement a brand-building strategy.

RUSSIAN HACKER BRANDS Like common people, hackers have used social media platforms for personal use. Obviously, they operate there without letting everybody know their hacker skills, separating their real personality from the professional field. We can never know if a nice-looking student, a very welcoming neighbor, an annoying coworker, or our sister’s new friend is not a vicious almighty cybercriminal or hacker. Perhaps, domestic or foreign law enforcement agencies have been looking for him or her for a couple of years. In fact, we never know and most likely will never find out. They must remain in the shadows to avoid legal consequences. In terms of personal identity, this is the regular way hackers must operate. Nonetheless, hacker groups have created and demonstrated a group identity, and stories about hackers such as Anonymous, Red Hacker Alliance, LulzSec, and others have appeared on news portals around the world. After the beginning of the war in Ukraine, some pro-Russian hackers decided to look for web publicity and create their brands. For hackers, this publicity is not new, but it definitely has distinct rules. As mentioned previously, hackers have personal accounts across social media platforms for communication with family and friends. From now on, however, hackers have to establish and manage something between personal and illegal. Deciding to work in the open, the hacker groups entered into the marketing and branding field. Every hacker group has its own brand by the mere fact of its existence. Within the branding field, hacker groups, pursuing success, must follow and comprehend marketing rules and principles, which are mostly the same for every marketing agent. Like any other group, hackers need to establish and maintain their brands, accumulate a crowd, and build their reputation. Initially, not many hacker teams realized that web publicity meant more than the establishment of social media accounts and self-revelation as hackers in an outlet’s description. To make a digital presence fruitful and visible, some hackers began to create their own brands. They realized that brand marketing demands continuous efforts of community development and long-term

Russian Hackers

73

exposure. Other hacker groups or single enthusiasts, who mostly failed to promote their brand, joined an already established entity or disappeared. To analyze the hackers’ strategies to create, manage, and communicate their brands, the research established a set of brand-building segments, based on Kotler’s branding model framework and Aaker’s equity model. The set embraces the following segments: brand identity, brand positioning, brand awareness, and brand trust. Brand identity refers to a combination of visual and content strategies that characterize a brand’s personality; it refers to the brand mission, name, symbolic culture (color palette, profile images, logos, etc.), mottos, brand purposes, and so on. Brand positioning relies on brand identity elements and is the brand’s idea or philosophy which will be transferred and spread to its audience. The research observes brand differentiation as an integral part of the brand positioning segment, where differentiation means brand uniqueness in contrast with other market agents or competitors. In fact, brand positioning is directly connected to brand strategy in a broad sense, whereas social media content is used in a more concrete and focused way. Another element of the framework is brand awareness that implies the level of recognition of a brand’s existence and its products among the public. Nowadays, with the domination of social media platforms and multiple online agents, it is very significant yet difficult to build brand trust. Customers need to feel confident in a brand’s ability to keep its own promises and follow its proclaimed values. As hackers tried to advance their web presence via social media and in particular, on Telegram, the research developed a set of metrics for every brand-building segment. Brand identity is measured by the consistency of an outlet’s visual culture, name, and the presence of a mission statement. The brand positioning embraces two major categories: community engagement and online content. The following metrics have been designated to measure these categories: open communication with its audience, engaging content, connection with influencers, and the brand’s financial foundation. Brand awareness refers to collaboration with other channels and association with famous targets. Worth noting is the fact that brand realization depends on marketing persistence, which was examined by the pattern of posting. Brand trust implies the brand’s authenticity, which would be analyzed by monitoring false accounts, political stances, and followers’ involvement in cyberattacks. Some Russian hacking groups invited their public to help them to launch strikes. It is not a secret for anybody that cyberextortion actions are illegal, so Telegram users should maintain a certain level of brand trust prior to joining punishable hacking actions. For hackers’ brands, trust is a multidimensional phenomenon which is tightly linked to audience engagement in hacks and political views: to become a part of the collective cybercriminal actions, an individual had to know the hackers’ positions on the “special

74

Chapter 3

military operation” against Ukraine, the Russian government’s actions, and so on. Political views play a fundamental role because hackers are not bloggers who would share with their followers personal details of their life, a favorite hotel address, or photos from a recent vacation. The hacker audience knew the name of this game and did not expect the usual blogger behavior from hackers. However, trust must be established and sustained even if regular methods to do it are irrelevant. Brand Identity The hackers’ brand identities were built from the Russian military’s actions in Ukraine, which became a trigger point for the branding initiative and development. Their declared brand missions revealed their high concern with the ongoing military crisis and their personal readiness to help the Russian Forces and defend the Russian Federation and its citizens in cyberspace. After entering public cyberspace, the hackers began to explain and communicate their agenda and values. Underlining the highly patriotic mission to protect Russian society, they emphasized that Russia became a central target for cybercriminals and government entities across the globe. Considering this ongoing battle, they could not stand aside and leave the motherland without protection (Russian OSTIN 2022). For Russian followers, the hackers depicted a collective brand personality as an enthusiastic and altruistic patriot with IT skills, who conducted daily cyberbattles against numerous enemies (NoName057(16) 2022; XakNet Team 2022; We are KillNet 2022). In their welcome note to their channel, the People’s Cyber Army team stated that they are patriots of the Russian motherland who care about its future (People Cyber Army 2022). Another important feature of this brand’s image was that the hackers were not vicious attackers, but defenders. To implement this brand trait, they have utilized several methods. First, there was the discussion between KillNet and XakNet about why they joined the war. Allegedly, both groups decided to join the conflict when Anonymous openly launched a cyber war against the Russian Federation for its unfair assault on Ukrainian sovereignty (Milmo 2022). For instance, in the eyes of XakNet members, this menace posed a significant threat; they thought of Anonymous’s power as real and potentially damaging to Russian citizens (XakNet Team 2022). The hackers argued that Anonymous had the capability to ruin small businesses and deplete the bank accounts of common Russian citizens. Shortly after Anonymous’s threatening statement, the KillNet group reacted furiously, stating that Anonymous, as a forgotten and previously famous entity, decided to take advantage of the situation and return to prominence (We are KillNet 2022). Labeling Anonymous as American puppets, the KillNet team was enraged that the public

Russian Hackers

75

would believe in the words of “fake Anonymous” (We are KillNet 2022). Acting out of frustration, KillNet took down the Anonymous website by powerful distributed denial-of-service (DDoS) attacks on February 26, 2022 (We are KillNet 2022). As mentioned previously, Anonymous was responsible for successful strikes against the Russian Ministry of Defense, the State Duma, and the government-controlled network, Russia Today (Galimova, Chebakova, and Yasakova 2022; Milmo 2022). The Kremlin website was offline. Even pro-government media reported this website as unworkable at that time. However, in an Interfax interview, the Kremlin Press secretary Dmitry Peskov rejected the failure of Kremlin​.r​u, stating that the website worked perfectly (Interfax 2022). The attacks were significant and painful because several websites were down for several hours. On February 27, 2022, the Anonymous group announced the first results of its attacks: “ . . . more than 300+ #Russian government, state media, & bank websites in the last 48 hrs, with most of them currently offline” (Anonymous 2022). Among 300 websites, at least three Belarusian banks fell under Anonymous’s attacks: belarusbank​.b​y, priorbank​.b​y, and belinvestbank​.​by (Anonymous 2022). In the aftermath of these effective strikes, XakNet issued a new statement in March 2022; it highlighted again that the group did not initiate this cyber battle, rather it responded to the attacks of Anonymous (XakNet Team 2022). Once established, this group strongly promoted its impeccable brand image. Second, following the brand’s storyline about “hackers as defenders,” XakNet underlined its respect and appreciation to Ukrainian civilians, whom the group did not intend to target and harm. On March 6, 2022, its team reported that it had access to several Ukrainian Internet providers, including vinfast​.ne​t, and had the ability to turn off the Internet for Ukrainian citizens (XakNet Team 2022; XakNet Team 2022). For instance, the vinfast​.n​et website was hacked in retaliation for the recent Ukrainian attack against the Russian Internet provider Beeline. Its setting was returned to factory one. XakNet explained its target choice by “the lack of causing serious damage to Ukrainians” and how “the website settings could be restored in a short period of time” (XakNet Team 2022). Expressing their hesitation in doing something drastic against other Internet providers, the hackers continued: We keep underlining that we do not have questions to Ukrainians. We love, respect, and value them. Back in the day, half of our team was from Ukraine. We fight exclusively with fascists, whom we hate so much . . . We respond to the Ukrainian cyberaggression. Ukrainian sub-hackers have not sorted out methods and targets for attacking Russia. Given these circumstances, we want to ask our people if we have to turn off the Internet in Ukraine. (XakNet Team 2022)

76

Chapter 3

Further, its Telegram outlet opened a survey where for one hour its followers could vote for XakNet’s future actions. Even though the overwhelming majority (more than 60%) approved blocking online communication in Ukraine, XakNet agreed with the minority opinion, which asked the group to keep the Internet service on (XakNet Team 2022). NoName057(16) and People’s Cyber Army groups were not as prolific in terms of content as XakNet or KillNet. Their mission statements were issued at the beginning of their Telegram activities. Further, these groups rarely returned to their statements. Aligning with XakNet’s claim about the protection of Russian society from “Ukrainian fascists” and “Bandera’s followers,” these group statements also pointed out the enemies: “neo fascists, who seized power in Ukraine” (NoName057(16) 2022). Starting its mission statement with the words “death to fascism,” NoName057(16) introduced itself as a warrior against Ukrainian hackers, “admirers of neo-fascist ideas” (NoName057(16) 2022). The statement promised to attack “Ukrainian disinformation sources,” which tried to spread false information about the Russian military operation in Ukraine and “intimidate Russian citizens,” attacking “personal social media accounts and other avenues of communication” (NoName057(16) 2022). Hackers have frequently suggested the direct involvement of the United States and the European Union in this conflict, and the People’s Cyber Army team joined this storyline: “With U.S. assistance, Ukraine has launched an informational war against our people” (People’s Cyber Army 2022). The hacker group “From Russia with Love” (FRWL) joined the hacker movement and the cyberwar against Ukraine in June 2022. Explaining its late “membership,” the team wrote that its members had monitored proRussian hacker actions and were impressed by their results, so the group decided to go open. Its mission statement echoed the previous hackers’ mission declarations and was in line with the overall hacker brand identity: “We are FRwL. We cannot stay in the shadows, observing horror in Ukraine . . . We are against Nazism! Our warriors fight on the ground, and we support them with all our hearts. Work, Brothers! We will work here” (FRWL 2022). To be successful in the highly diverse and competitive online market, symbolic culture identity is extremely critical, especially for a newly established brand. Brand symbolic culture includes visual elements, which appear on social media, emails, websites, broadcasts, videos, and other places. It refers to logo, color palette, typography, and message layout. In general, hackers’ symbolic culture is not well developed and performs poorly. The only element that most hackers found meaningful for their web publicity was their logo. Other elements of brand symbolic culture were ignored by most of the hacker teams.

Russian Hackers

77

Entering Telegram space, every group presented its logo, but the groups did not invest much in the logo’s meaning or visual appearance. The Joker DPR team uses the Hollywood Joker pictures as a logo, connecting the image with the name of the group. However, the Joker DPR group used the Joker’s images randomly and without consistency, airing many different Joker photos. So, the usage of this vivid character as a symbol is a good idea; but, in fact, the Joker DPR group does not have any singular recognizable logo for followers. XakNet did not have its unique logo until one of its followers created it for the team. Since March 2, 2022, People’s Cyber Army changed its profile symbol three times, where the group had a different color palette and even group name. Another group, Anonymous Russia, adopted a logo designed by the old Anonymous group, established in 2014. After joining KillNet, this logo was modified by adding the KillNet name. The black and white image with lines of numbers was presented as the NoName057(16) logo, which is barely memorable or recognizable. On the other hand, we have Beregini, KillNet, and RaHDIt, which have prominent visual identities and well-designed logos. Although Beregini hackers picked the colors black and white with an inserted symbol inside of a circle, the KillNet logo looks very basic with its name in a basic black and red color mixture. RaHDIt’s project “Nemesis” has a shield shape with a hand holding a scale, which is attached to a sword with the Georgian ribbon on top. Worth noting is that although each group placed their logo in their Telegram profile, none of them promoted their symbols whatsoever. In very rare cases, when the hacker groups created videos, XakNet, KillNet, and FRWL inserted their logos to emphasize who created the content. Out of ten hacker brands, four groups tried to maintain consistency in the layout of messages or accounts. As mentioned previously, the Joker DPR group added an emblematic Joker laugh “Ha-Ha-Ha” at the end of almost every post. “We are Beregini! We remember everything,” this motto ended Telegram posts on the Beregini group account. KillNet demonstrated an effective approach to their account layout. Daily, the group aired “Good morning” and “Good night” to its followers, referring to its followers with various funny names such as “comrades,” “my hackers,” “colonists,” or “occupants.” Through its discussion threads, a growing tendency was observed: KillNet followers began referring to themselves and each other as KillNet referred to them. These posts were popular among the KillNet audience, which wrote numerous responses, often senseless. Another member of the pro-Russian hacker movement, NoName057(16) decorated every post with the image of a bear and a bear footprint with the incorporated group name inside. The choice of names for each hacker group revealed cultural, political, and professional underpinnings. Within the entire system of brand identity, this element was the most pertinent to the hackers. XakNet’s and KillNet’s

78

Chapter 3

names, which can be read “hack a net” and “kill a net,” refer to members’ professional skills and group goals. FRWL was named after the famous Hollywood film of 1964 with the same title. It is very easy to read the irony of the name, and moreover, the hacker group’s origin is highlighted. As noted above, the name “Beregini” has a Slavic origin and feminine undertones, even without knowing Slavic mythology, this name emanates from the word “keep” or “protect” in Russian. This eloquent name further accentuates the fact that this group was created by women and was established in one of the Slavic states. The references to the group’s origin or operation can be detected in “Joker DPR,” where “DPR” means Donetsk People’s Republic. In the aftermath of the appearance of the Ukrainian group of hackers “IT Army of Ukraine,” the Russian copycat appeared under a similar name—People’s Cyber Army. While NoName057(16) remains neutral in terms of its meaning, RaHDIt’s project Nemesis adopted the name of the Greek goddess who stands for justice and retribution. The cultural underpinning is obvious in the name of “RaHDIt,” which means “Russian angry hackers did it.” As stated earlier, another hacker group named itself after the famous Anonymous group, which operated in the 2000s. Adopting its moto, the pro-Russian hackers added the word “Russia” to distinguish the group from its well-known predecessor. As analysis implied, 70% of hacker groups dedicated time to developing their mission statements. So, the majority of groups understood the statement as a cornerstone for the brand development process that helped them not only draw the attention of potential audiences, but other hacker organizations and regular outlets with a similar agenda. Beregini and Joker DPR are special cases because they became famous for their pro-Russian activities before February 24, 2022. For them, it was unnecessary to articulate their mission again. In examining the construction of the mission statements for all the hacker groups, the research revealed that they were presented in different forms, one or several posts, sometimes not even pinned to a top post, and mainly addressed the same points: (1) the group’s activity (hacking) and motivation, (2) adversaries, which hackers planned to strike, and (3) political affiliation, including support for the Russian government and the military forces. Through these points, the hackers depicted themselves as defenders of Russian society from unhinged foreign hackers who forced them to partake in the unfolding war. Typically, brand construction begins by searching for and evaluating potential competitors, but the hacker teams did not try to compete for followers, sponsors, or recognition. Instead, they intentionally or unintentionally looked to establish a network of like-minded hacking outlets which could cooperate with each other and communicate with their mutual audience. In part, this can explain the lack of well-designed symbolic brand attributes as well as a consistent strategy to promote the brand’s unique appearance.

Russian Hackers

79

While every hacker organization entered cyberspace with its own logo and name, two groups—NoName057(16) and Zarya picked their names without a hidden, encrypted meaning; hackers’ audiences generally preferred for their groups to choose a name that reflected their ideology. In general, the hacking teams did not invest much in their visual appearance. Seventy percent of the hacker teams did not promote their symbols via products or social media content, whereas 30% of the teams practiced it very rarely. The research detected a lack of consistency in the layout of messages or accounts: only 40% of the hacking accounts had a unified layout. Although the majority of the hacking groups suffered from a poor symbolic appearance and an incoherent or completely absent mission statement, KillNet’s social media management maintained and elaborated its brand identity, which made the group a frontrunner in terms of communicating a so-called collective hacker identity to the public. Brand Positioning Brand positioning is an aggregation of the value that a brand can present to a special market sector and the public. Within brand positioning two broad categories can be determined—community engagement and content. In accordance with these categories, a set of metrics which help to evaluate the process of brand positioning was determined: open communication with its audience (including participation in cyberattacks), engaging content (asking questions and surveys), connection with influencers, and the financial foundation. Hackers and Their Followers: Communication As unique as hacker products may be, the hacker teams need to find a market and an audience. Doing so, online brands need to tailor their relation-building campaigns through social media interaction. It should be noted that while hacker groups can survive without open communication, and even thrive without it, hacker brands cannot stand and advance their entities without it. This can be explained by two reasons. First, via open connection with followers and supporters, the hackers can accumulate technical power, especially for DDoS attacks. More participants can cause more damage. Second, communication with followers would increase brand awareness. In general, community engagement is an ongoing process, where engagement can reduce or increase over time. On Telegram, the pro-Russian hackers offered different lines of communication with their followers: email, reactions, surveys, comments, and chats. To maintain direct communication with followers, a few hacker groups established emails, which can be found in the outlet’s welcome note on Telegram.

80

Chapter 3

The majority of these teams preferred to receive direct messages from their followers, other concerned individuals, and organizations. For instance, in March 2022, the XakNet group managed at least two emails and one bot which served their particular purpose. Usually, the group directed its followers to write their concerns and proposals. One of these emails was for communication, productive cooperation, and apparently, coordination of mutual actions with other hacker groups (XakNet Team 2022). Along with the emails, the XakNet group managed one bot for direct correspondence which was used to achieve various goals (XakNet Team 2022). XakNet was ready to work with other pro-Russian hacker groups to organize more effective attacks on Ukraine. In a couple of days after airing this welcoming post, its email was overloaded with messages from hackers. This became a great surprise for XakNet, which did not anticipate getting quick and informative responses (XakNet Team 2022). Also, on March 6, 2022, the XakNet team published another email, looking for contacts with Russian media representatives and anchors (XakNet Team 2022). The hacker team admitted that its members could not deliver the information they got from hacking: “We are science people. Our writing pieces are not very well created. We are looking for media professionals in this field. Bandera’s people work very well in this regard, so social media is full of disinformation” (XakNet Team 2022). Surprisingly, hackers were eager for cooperation, whereas the media’s interest for the hackers was very low. At that turbulent time, when Russian society entered the new reality, and most news stories were from Ukraine and about Ukraine, Russian media resources ignored the hackers with their unique information. XakNet continued its futile search for journalists for several months, and eventually, a few of them began to cooperate with XakNet in the fall of 2022. However, they only found one or two journalists, and these journalists apparently failed to provide an analysis of XakNet’s findings. For the KillNet group, communication was crucial, but it established channels in a simpler way than other hackers. KillNet rejected establishing a Telegram bot and highlighted this approach repeatedly. Its audience could contact them through a separate support channel, which apparently belongs to one of the KillNet members (We are KillNet 2022). Also, the team addressed its followers via one of the KillNet founder’s accounts, “KillMilk,” who responded to followers’ comments and made his own. The FRWL members followed KillNet’s path; the hackers designated one of their personal accounts as a support service. In their guidelines, FRWL clarified the purpose of this support, which ranged from content tips and targets for future attacks to an FRWL membership application and technical assistance (FRWL 2022). The response they received through the established support channel was significant as well as unexpected. The FRWL admins exclaimed:

Russian Hackers

81

In 10 minutes after publishing our support outlet, we got countless messages proposing any help we need and numerous thank-you-notes. Also, our soldiers contacted us and expressed their appreciation to us! They were grateful for our last attack on the Ukrainian transportation infrastructure; we did not know this, but we disrupted military logistics in . . . Zaporizhzhia regions! We are excited! (FRWL 2022)

Apparently, the FRWL group did not realize the impact this support account would have on its brand, which facilitated establishing open and direct communication with its followers. Many hacker brands learned effective methods of marketing on the job. For the female hacker group “Beregini,” the management of several different means of communication became an indispensable routine. For individuals who did not want to use instant messages on Telegram, Beregini had encrypted Proton emails, while other followers could reach out to the group via its affiliated account on Telegram. It used open communication means not only for tips, media connections, or cooperation with other groups but for communication with potential spies, who wanted to leak information. At the beginning of the war, Beregini actively promoted its communication means among the Ukrainian military. Indeed, on the day when the war broke out, it sent out a message inspiring Ukrainian soldiers to surrender: We are asking soldiers and officers . . . . If you do not want to repeat the fate of those who ignored our previous proposal1, you have a chance [to] put your weapons down and surrender. Beregini will pass your information on to competent officials. To contact us, there is a Telegram account and email. We will discuss the conditions of your capitulation. . . . We know all of you. We know your addresses. We know your relatives. Surrender! (Beregini 2022)

This group mentioned its special connections with Russian military elites, who made decisions about Ukrainian targets for Russian attacks. Moreover, their ties with the Russian military would be very impressive if they were able to send a report to military leadership as soon as they received a response from the Ukrainian soldiers. Because of these ties, this group cannot be considered as simply “freelancers” or a combination of altruistic enthusiasts. After the outbreak of war, many hackers received a continuous influx of emails and messages from various correspondents, but mainly from supporters, who proposed any assistance and help to the groups. An identical tendency was highlighted by the Beregini team, which not only conducted hacking on Ukrainian digital entities but revealed documents which were sent by so-called spies or supporters. The outlet of Joker DPR emphasized their work with spies, who leaked information for money or for particular benefits.

82

Chapter 3

On August 18, 2022, Beregini initiated a new search for crucial information about the operational situation on the Ukrainian front (Beregini 2022). Allegedly, many Ukrainian soldiers turned out information about human losses, the moral environment, corruption, and other unpleasant facts about their army. Although Beregini looked for fresh information from the battlefield, the Russian Army began to withdraw from the Ukrainian territories. To inspire potential spies from “the SBU,” “the National Guard,” “politicians,” and other concerned individuals, the hackers promised to provide “safe communication means,” protection of “spies’ identities,” and future reputation control in “free Ukraine.” For this campaign, a new bot, called “Tell to Beregini” and an email were established and publicized on Telegram (Beregini 2022). To begin this search, Beregini announced its target—Brigadier General Viktor Khorenko and members of his family. Focusing on collecting and storing personal information, RaHDIt’s project “Nemesis” dedicated a separate Telegram account to deal with correspondence. Some data about Ukrainian militants were gathered via hacking, while some information was received from individuals who knew a person of interest. For instance, on June 4, 2022, the Nemesis crew expressed its appreciation for one of its followers who shared information about a Russian citizen, Yuriy Skachkov (Nemesis 2022). In May, Facebook users sent the profile link of a commander of the SS Bear unit to Nemesis, who was added to its website database (Nemesis 2022). Another way to enhance community engagement is through chats, comments, and emoji reactions, which facilitate brand communication and allow the monitoring of a follower’s brand connection. XakNet, People’s Cyber Army, KillNet, and NoName057(16)—these groups launched chats in addition to having a main outlet. Seven of the hacker groups mentioned here prefer followers to make comments under every post. The main goals of the XakNet and NoName057(16) chats were to promote community-related discussions and gather like-minded people. In these chats, followers had conversations on different topics, which ranged from hacking incidents and hacker’s personal lives to Russian politics and the possibility of a nuclear war. NoName057(16), KillNet, and XakNet chat moderators nourished the community discussions by publishing relevant content. The moderators were dedicated, but not as active as the groups’ followers. Preserving the groups’ agendas, the moderators not only sifted out unacceptable user-generated content, but they encouraged others to be vigilant and moderate themselves by flagging improper comments. In addition, given the specificity of the groups and their political circumstances, hacker moderators scrutinized chat participants. For instance, the NoName057(16) team warned chat visitors to keep their vigilance in communicating inside this chat because its moderators detected many adversaries during every routine check-up (NoName057(16) 2022).

Russian Hackers

83

The hacker group People’s Cyber Army did not accept irrelevant conversation within its chat, stressing that “this communication space is not for housewives” (People’s Cyber Army 2022). Its participants could not discuss political issues without fear of being ousted from the chat. Predominantly conducting DDoS attacks, the People’s Cyber Army group established a chat for its followers, who wanted to conduct cyberattacks in accordance with the group’s guidance and timeframe. Thus, the chat space was used for coordinating its attacks, where people were allowed to ask relevant questions and receive needed assistance (People’s Cyber Army 2022). Moderating the chat discussion threads, the hackers utilized a very restrictive approach to its membership. This approach was the result of a detrimental experience. Shortly after the group’s appearance on Telegram, pro-Ukrainian users halted its operation, and the group’s team was forced to migrate to another outlet. Reinforcing censorship, People’s Cyber Army began to sort out its followers and to join its chat, potential members should send a message to a bot for approval. As an extra security measure, since July 2022, chat conversations have been deleted every three days (People’s Cyber Army 2022). Apparently, the group encountered a serious problem managing the chat participants, who leaked inner chat information and tried to attack other targets, ignoring the group’s goal. By December 18, 2022, the XakNet chat outlet gathered more than 22,000 users. Its moderators implemented the following chat rules: a ban on audio messages, defamatory labels, offensive comments about race, stickers or emoji floods, advertisements, and photos or links to resources showing dead people (XakNet Team 2022). As the content thread demonstrated, the XakNet team did not exercise severe content moderation, and the chat contained a line of senseless comments irrelevant to XakNet’s brand philosophy. However, the absence of pro-Ukrainian remarks indicated that the administrators cleaned the chat on a daily basis. In addition, since December 25, to be approved as a chat member, every user must answer the following question: Where does Crimea belong? If the proper answer was not picked for 30 seconds, the potential user was automatically denied membership. The hacker groups allowed the use of emojis as reactions under posts. This was an effective way to spice up and visualize brand communication. Worth noting is that the overwhelming majority of emoji reactions on the hacker posts were positive, whereas negative reactions repeatedly appeared but in a minor proportion. As stated before, seven hacker brands opened their outlet content for comments. There were only two exceptions—the Joker DPR and People’s Cyber Army channels, whose teams intentionally blocked commenting under their posts. Interestingly, Beregini allowed its followers to leave comments, but its brand conversation was more reminiscent of a brand monologue,

84

Chapter 3

where the followers picked symbolic emoji reactions instead of commenting. Other brands—KillNet, FRWL, XakNet, Nemesis, Anonymous Russia, and NoName057(16) encouraged followers’ comments and oftentimes, their teams provided responses. Trying to humanize the brands and underline their authenticity, KillNet and FRWL participated in online discussions and listened to their adherents. For instance, by engaging in talks, KillNet moderators managed their content, blocking or reprimanding poisonous commentators. Each hacker group utilized brand communication and correspondence with members to a different extent. The most popular and effortless communication method was the emoji reactions, whereas chats were not very trendy. It took plenty of time and constant attention to manage discussion threads and members. Nonetheless, chats and their regulations helped to deliver the meaning of the hacker brand’s agenda. Tailoring talks within the chats allowed the hackers to find dedicated active users who would help the groups conduct cyberattacks. In addition, they established and aired group emails, bots, separate Telegram accounts, and websites. As the hackers stated, these communication channels were overwhelmed by a serious influx of correspondence. Also, open brand communication could result in various changes, including unexpected ones. First, the hacker groups flocking on Telegram looked for professional connections or guidance from more experienced IT specialists. Second, some followers did not comprehend the hacker agenda and asked them to hack Russian citizens in Russia for personal reasons. Nonetheless, hackers realized the importance of brand communication as well as its benefits and shortcomings. They have learned ways to handle their crowd of admirers, other hacker entities, the media, and adversaries. Surveys and Questions Another way to increase their number of followers and thus, social media engagement, is to ask questions and conduct surveys. The quality of posts plays a crucial role in this regard. Brands need to create relevant, intriguing, and entertaining questions to stimulate their audience to place a comment or partake in a survey. Indeed, beauty bloggers may ask their audience to compare two face tonics; however, a hacker’s “product” is different. By asking questions, the hacker groups have to incorporate their specific item without losing a playful approach with their followers. Questions help not only highlight that hackers care about their audience’s opinion but also amuse followers by their skills and abilities. At the same time, well-addressed questions with a motivational and inspirational emphasis help to provide depth for their followers, giving them a more profound perspective on the group’s beliefs, thoughts, and actions. Asking questions not only helps to intensify brand-audience communication, but also encourages dialogue among the audience itself.

Russian Hackers

85

Among the Russian hacker groups, the mischievous KillNet team became an unbeatable frontrunner of the asking-questions strategy. On July 8, 2022, this group claimed responsibility for a denial-of-service attack on the Lithuanian electricity and gas distribution company “Energijos Skirstymo Operatorius AB” (ESO) (RIA News 2022). This strike was one of the numerous cyberattacks on Lithuanian websites after its government decided to stop the transit of sanctioned products to the Kaliningrad region of Russia on June 18, 2022. While Russian officials expressed their fervent irritation to the Lithuanian authorities, the latter rejected the infringement of the transit agreement, stressing that Lithuania must follow EU regulations. Given the political gridlock, the KillNet hackers considered the Lithuanian state as a legitimate target and hacked private and government digital entities. As the ESO website and its affiliated digital entities stopped being responsive, the hackers created video evidence of their attack. To celebrate their success, the KillNet team reached out to their audience: “Hello! .  .  . You should buy beer” (We are KillNet 2022). Further, KillNet felt a growing excitement when a fresh publication about this attack appeared on the Ria​.​ru news portal, and news began to roam within the Russian-speaking Internet. So, the team decided to ask if any Russian anchors snuck into the KillNet outlet. In 20 minutes, the chain of posts about the successful attack was closed with a very impish entry: “Who is from Vilnius here? There is a need to piss on The Seimas of Lithuania and record it. The reward is 0.2 BTC” (We are KillNet 2022). Even though these posts were aired at nighttime, the KillNet group stimulated interaction with its audience by asking resonating and fun questions on its channel: the posts received 2,000 to 3,200 likes. Nevertheless, communicating their agenda and interacting with followers can be serious as well as playful. In late July, KillNet returned to attacks on Poland because the issue with the transit to the Kaliningrad area was resolved. Initiating wide attacks against Polish digital entities, the group stated: Nowadays, we cannot make posts because our attacks will be in vain. Also, we are not going to pick our goals; we will attack every possible target. So, DDoS will strike on the healthcare system, including intensive care facilities . . . They have to think before delivering weapons to Ukraine. They want to see many Russian deaths!? After you . . . (We are KillNet 2022)

The next day, the report about a cyberattack on intensive care facilities was released, although without attached screenshots or video records (We are KillNet 2022). With the absence of the usual evidence, it is possible that the attacks were never launched or were unsuccessful. However, KillNet followers did not challenge the group’s reputation. Taking for granted the claim about the successful strike, KillNet followers fervently expressed their negative views. According to the majority of the chat participants, the attacks

86

Chapter 3

should not kill people, especially, children; the chat members insisted that any healthcare facility should not be a target for hackers (We are KillNet 2022). The reaction of KillNet was immediate and stubborn: Do not condemn these ways to fight against Russophobia . . . If someone does not like our methods, sign out of our channel. Your comments do not have an impact on our actions. We work for the glory of Russia, rather than for you (we are talking about the individuals who criticize us). And our posts are a declaration about actions we have conducted (some of our actions). (We are KillNet 2022)

Followers found this explanation adequate in light of the ongoing war. Even though the first post received many denouncing comments, the explanatory post from KillNet was heavily liked and commented on. So, the satisfied KillNet team decided that the conflict with its followers was resolved and moved to its next target, Polish police precincts. It came to the point where the KillNet group benefited from negative popularity, as the outlet’s social media engagement was twice as high as usual, and war denigrates moral values. The fact that negative fame is still fame proves statistics, which shows why KillNet’s membership expanded to more than 4,000 people in July 2022 (TGStat 2022). To increase community engagement and learn about its audience, the group FRWL launched a survey on July 4, 2022 (FRWL 2022). The survey included nine questions which tried to determine who FRWL followers were. All participants were asked to pick one answer. By December 2022, there were over 2,500 views on this post, but only 803 people participated in this survey (FRWL 2022). According to the survey, 55% of the respondents picked the following answer: “I am a common citizen who loves Russia and supports hackers-activists,” and around 30% of individuals admitted that they learned new information and enjoyed hackers’ success. Remarkably, the number of IT specialists who did not belong to hacker groups among the FRWL audience is about 15% (FRWL 2022). In the comment section, some of its followers mentioned that their social or professional group was not included in the survey. These individuals were a military staffer, a nurse, a math teacher, a payroll specialist, and a retired man (FRWL 2022). The FRWL chat admin provided a polite and personalized response to every comment. The public appearance of the hacker brands combined with the political momentum shaped public perceptions about hackers and their activities. On August 4, 2022, FRWL asked a simple but very significant question: “How does a hacker differ from a common individual?” (FRWL 2022). Overall, participants underlined the significant current metamorphosis in the meaning of a hacker due to the unfolding war and deteriorating situation in Ukraine. The most liked comment stated: “Nowadays, a Russian hacker

Russian Hackers

87

is a light warrior, confronting cyber evil. It is a defender of our homeland! It is a volunteer, who decided to fight for us” (FRWL 2022). Further, the author of this comment expressed a hope that pro-Russian hackers would unite in a Russian Cyber Army for a decisive and powerful cyber offensive against the adversaries (FRWL 2022). Also, in the eyes of the FRWL audience, hackers were described as “good people who love Russia,” “unique humans,” and “very clever and brave IT specialists.” The intensive brand positioning as patriotic warriors had a significant impact on the Russianspeaking audience. Active Telegram users began to revise their negative and fearful views on hackers: the connotations of these descriptions are positive and emotional. Posting encouraging content, the pro-Russian hackers had a favorite question, asking their audience about a future target or targets. Usually, this type of question brought much attention and received numerous comments, where the public shared its speculations and hints. After conducting several attacks on the government facilities in Ukraine, the XakNet group moved to private targets. On May 5, 2022, its channel proposed a survey asking which “Ukrainian oligarch’s enterprise” would become XakNet’s next target (XakNet Team 2022). Every follower should choose one out of ten following famous rich businessmen from the Forbes list: Rinat Akhmetov, Victor Pinchuk, Kostyantyn Zhevago, Ihor Kolomoisky, Gennadiy Bogolyubov, Aleksander Geregi, Petro Poroshenko, Vadym Novynskyi, Oleksandr Yaroslavskyi, and Yuriy Kosiuk. The total number of survey participants was 8,669, where 3368 followers (39%) picked Ihor Kolomoisky, and 2,365 followers (27%) voted for former Ukrainian president Poroshenko (XakNet Team 2022). Rinat Akhmetov was in the third position with 2,263 votes (26%) (XakNet Team 2022). The XakNet chat exploded from an influx of commenters. Some of them suggested hacking the Ukrainian journalist Dmitry Gordon instead; others proposed Oleksii Arestovych, who serves as an advisor to the Office of the Ukrainian president (XakNet Team 2022). Despite Ihor Kolomoisky receiving the biggest number of votes, on June 28, 2022, XakNet reported a successful hacking on Rinat Akhmetov’s DTEK Group2 (XakNet Team 2022). In the comments under the post, several followers expressed their concern about the purpose of the survey because the main target was supposed to be Kolomoisky. Nevertheless, the overall attitude in the chat was positive and minimized the effect of the negative comments. According to XakNet, its hackers entered and remained inside DTEK Group’s branches for some time. In a statement calling the conducted attack “ethical hacking,” the hackers declared: We did not take over control. We did not encrypt data and backups. We did not interfere with the operation of power plants. We did not paralyze their work. We

88

Chapter 3

just watched you to show our penetration . . . We are not terrorists or criminals. We want nothing from you. (XakNet Team 2022)

Further, promising to transfer all backdoors from the system and repair any damage caused by their hacking, the group asked for the following condition: “Rinat Akhmetov should publish a statement with the phrases Glory to Russia and Akhmad is power!3” (XakNet Team 2022). To prove the hacking, XakNet released several files with DTEK information on its Telegram outlet. The hackers expected the accomplishment of their condition in one week, otherwise, they threatened to place the backdoors on the Internet for public access. In return, on July 1, 2022, the DTEK Group issued a statement where it claimed the Russian Federation was responsible for the hacking. The statement concluded that the enemies tried to destabilize the technological processes of generating and distributing power and undermine the energy security of Ukraine, as well as to disseminate through state propaganda false information about the work of companies, and as a result, leave Ukrainian consumers without a supply of electricity. (DTEK 2022)

In addition, the DTEK statement underlined the coordination of the cyberattack and simultaneous missile attacks on the Dnipropetrovsk region and, specifically, on the zone of the Kryvyi Rih TPP on June 28, 2022 (DTEK 2022; TCH 2022). XakNet’s ultimatum was ignored, and the group did not raise this issue again, moreover, since July 18, the XakNet Telegram outlet has remained inactive. The group only returned in September 2022. Trying to invigorate community engagement, NoName057(16) adopted the practice of using surveys in September 2022. The team was encouraged when they received a tremendous response from their followers after posting a question about the next target state for DDoS attacks. During October, NoName057(16) followers answered the same question five times. Perhaps, the significant turnout can be explained by the weekday when these questions were aired. In October, the hackers posted the questions on weekends. In contrast with October, in November, the pattern of posting was different, and the question appeared on the channel on weekdays. As a result, the posts received a lower number of comments and emoji reactions. Analyzing the comments, the tendency was detected to pick a target state in accordance with its circulation within Russian news headlines. On November 3, 2022, Russian media disseminated news that the Czech Parliament designated the Russian Federation as a state sponsor of terrorism (Ura News 2022; RIA 2022). In two days, the NoName057(16) group asked its audience which state they wanted to attack. Among traditional targets such as Poland, the United States, and Great Britain, followers named the Czech Republic.

Russian Hackers

89

On June 10, 2022, Volodymyr Zelensky authorized a law which authorized the use of territorial defense units to operate in war zones (the Verkhovna Rada of Ukraine 2022). Referring to this legal initiative, in a couple of days, the members from the FRWL group, who apparently hacked some documents from Ukrainian governmental facilities, decided to ask its followers if they approved leaking Ukrainian fighter names who joined the Territorial Defense (FRWL 2022). In this proposal, FRWL stated that after the enactment of this law, the Territorial Defense fighters became legitimate targets and enemies for the hackers. Unsurprisingly, 97% of respondents asked to go forward with this initiative (FRWL 2022). On June 24, 2022, several pages with full names and home addresses of the Ukrainian fighters from the Zhytomyr region became available on the FRWL outlet (FRWL 2022). According to the hackers, FRWL had more information, but it decided to hold onto it for a while (FRWL 2022). Predominantly, the survey and question posts were related to hacking activities. However, this is not necessarily always a pattern. Indeed, as the pro-Russian hackers became public, various domestic and foreign journalists contacted them to take an exclusive interview. In August 2022, the group “FRWL” asked its followers to vote for the following question: “Should FRWL give an interview to the Norwegian anchor Thomas Frigard” (FRWL 2022). Looking to advance its hacker brand on an international level, the group underlined its willingness to talk with this journalist, who looked like “a good guy” (FRWL 2022). Six hundred and fifty-six followers took part in this survey, where 70% of respondents encouraged the hackers to go for it (FRWL 2022). Not all the FRWL followers shared the group’s enthusiasm. Under this survey, a discussion broke out, and followers expressed their profound concern with a few issues. First, there were several scrupulous users who decided to do an online search on this Norwegian anchor; the excavated information about Thomas Frigard was suspicious and they concluded this person looked neither serious nor real (FRWL 2022). Second, during an interview, hackers might accidentally disclose their identity and location (FRWL 2022). Third, in the chat, the followers argued that this interview would be used by Western anchors to advance a disinformation campaign against the Russian Federation (FRWL 2022). Interestingly, the voice of the followers who supported the interview was barely articulated and sounded much like this: “We can go for it, but with any Russian media representative” (FRWL 2022). By December 2022, the FRWL group did not accept a public interview with a foreign media source. Perhaps, the warnings conveyed by the minority of the followers were persuasive, and the group decided not to go forward with the interview. For the hacker groups, this strategy was very popular and productive in terms of shaking up community engagement. To followers, the results of the

90

Chapter 3

surveys obtained by these posts are not that valuable compared to how essential these posts are themselves, where the users may express their opinions and directly communicate with the hackers and other concerned individuals. The survey participants did not follow up on the results, demanding the hackers accomplish their promises in accordance with voting results. An airing of surveys or asking questions related to the hackers’ activities was found effective for the brand and intriguing for its followers, who observed themselves as an indispensable part of hacking. From the perspective of a common Internet user, hacking is a unique technical process, and although it is illegal, hackers usually go unpunished and get away with their crimes. The illegal side of this process vanishes in the eyes of the Russian-speaking followers because the ongoing war serves as a justification for the hackers’ cyberaggression. Also, this cyberaggression is widely observed to be a cyber defense against those opposing Russian society. Participation in Cyber Strikes and Hiring New Members In relation to the previous community engagement strategy, it is crucial to analyze two effective methods: participation of Telegram users in cyberattacks that have been coordinated and initiated by hacker brands and hiring campaigns within the crowd affiliated with Telegram. Usually, hackers launch attacks without using unknown individuals. However, in 2008, when the Russian-Georgian conflict broke out, hackers appealed to Internet users for mobilization, recruiting volunteers across Russian-speaking cyberspace to participate in cyberattacks against Georgian websites (Smith 2014). Applying the same operational pattern, the proRussian groups have actively engaged their Telegram followers as well as other like-minded hacker organizations and lone-wolf hackers. While Joker DPR, Beregini, RaHDIt, Zarya, Anonymous Russia, and FRWL did not refer to using any outside power, People’s Cyber Army, NoName057(16), KillNet, and XakNet worked with their followers. The KillNet and XakNet groups looked for their followers’ help only a few times, while other mentioned groups utilized this strategy on a regular basis. Interestingly, XakNet claimed that its members were active participants in cyberextortion against Georgian websites in 2008. If so, they would have been engaged in writing scripts or training IT novices at that time. However, at the present time, XakNet prefers to rely on its own human resources, minimizing external contact with the public. Energetically communicating with followers and advancing its brand, KillNet rarely appealed to its followers to assist with an imminent cyber action. This can be explained by the fact that the KillNet group built an umbrella brand which predominantly looked for permanent or temporary cooperation with other hacker groups or lone-wolf IT professionals. So, given the

Russian Hackers

91

significant number of KillNet followers, this team found other effective ways to maintain productive relationships with its audience. In XakNet’s first days on Telegram, the group received many demands from common followers who were willing to help the hackers. On March 4, 2022, for non-IT professionals, XakNet created and presented a special resource on its website xaknet​.tea​m. On its Telegram channel, the group posted the following guidance: You asked how you can help us. Thank you for this desire! Nowadays, everyone can help! The provided page was created for enthusiasts who are not apathetic to the current situation. You need to open it from your browser, and online resources of Ukrainian fascists will be automatically attacked, slowing down their work. (XakNet Team 2022)

The guidance underlined that users could expect their home browser to be slow, but they did not have to close the page; while this XakNet page was open, attacks and targeted normal traffic continued (XakNet Team 2022). Advertising the website as a safe and effective place for attacks, XakNet encouraged visitors to spread this resource among friends. It is not known how many people were brave enough to utilize this resource, but apparently, some of the XakNet followers contributed to the exhaustion of Ukrainian websites. On May 22 and 23, 2022, XakNet, together with KillNet, DDoS Service, and its volunteer followers launched massive cyberattacks on the Ukrainian artillery control system Kropyva (Nettle) (Defence Express 2022). Ukrainian IT specialists created Kropyva to be suitable for PC tablets, and now, it is widely used by Ukrainian units. On May 18, 2022, several Russian news sources began to spread a post warning Russian servicemen from uploading the application Kropyva on their devices (Neoficialniy Bezsonov 2022). There were a few cases when soldiers downloaded the Ukrainian software and placed their maps in it. Looking for tech assistance, Russian servicemen from the self-proclaimed Luhansk People’s Republic (LNR), which is located near the town of Krasny Liman, contacted the XakNet group. Later, the XakNet content thread presented several posts with a video thank-you note for XakNet and photos of missiles with XakNet’s name on them. Through these posts, the group suggested a new level of relationship with the Russian Forces in Ukraine (XakNet Team 2022). It is possible that because of the call from the Russian military about Kropyva, XakNet began to invite and hire new members and volunteers since May 21 (XakNet Team 2022). Its hiring campaign can be divided into two major categories: inexperienced individuals and IT specialists. The XakNet team underlined that it looked for enthusiastic volunteers who would not get paid for their activities but rather receive a unique

92

Chapter 3

experience: “You are not going to earn money here. Also, we will not take money for your education. The price of your education: work for the good of our state with our team until the special military operation is running” (XakNet Team 2022). The next day, XakNet reported a significant number of applicants for both categories (XakNet Team 2022). Undoubtedly, some new members were chosen to be a part of the attacks on the Kropyva resources. The first attack, which took place several hours before the second attack, was conducted by forces of the hackers for KillNet, XakNet, and DDoS Service. As a XakNet representative said in a later interview, this attack revealed that the groups did not have enough resources to destabilize Kropyva. For the next attempt, XakNet bought indispensable equipment and shortly resumed attacks on the Kropyva online resource and associated Telegram channel (Russian OSTIN 2022). XakNet started the attack by posting on its Telegram channel. While the hackers conducted their part of the attack, the followers of the KillNet and XakNet channels were directed to overload the Kropyva Telegram outlet and phone service by requests to join the system (Legion 2022). For several hours, the massive, coordinated DDoS attacks from different directions continued and resulted in exhaustion of the resources. In a concluding post, the team stated: “Our friends from the battleground said that our attack was successful . . . We helped to save lives. To know this is more valuable than money” (XakNet 2022). Amusingly, on May 28, 2022, Colonel General Michael Teplinskiy honored the XakNet group for helping to liberate the town Krasny Liman (Russian OSTIN 2022). Even for the hackers themselves, this attack was an unexpectedly positive real-world outcome: they observed the real consequences of their online actions. Cyberwar can and does have a visible and critical impact on our reality, and even human lives sometimes depend on it. Further, the group stopped engaging its followers in cyberattacks temporarily for its actions, focusing on cooperating with other hacker groups and its own goals. At the beginning of March 2022, the group “NoName057(16)” did not rely on Telegram users when launching its attacks. However, in July, its team established the chat “DDosia Project” and began actively building work connections with its followers. On this chat, participants communicated with each other and the NoName057(16) team. To be a part of this Project, every user needed to go through a registration procedure using a NoName057(16) Telegram bot, which provided work statistics for registered participants, monitored the top volunteer participants, and allowed changes to personal data. To implement financial incentives for its volunteers, NoName057(16) requested every chat member establish a crypto wallet. The hackers confirmed that the group tried to find sustainable financial sources to motivate its volunteers (DDosia Project 2022). The financial situation became stable by September 2022, when the group announced bonuses for its ten volunteers.

Russian Hackers

93

Individuals who won first and second positions should receive 80,000 rubles (around $1,000) and 50,000 rubles ($710), respectively (NoName057(16) 2022). The person who placed third would get 20,000 rubles ($290) to his or her crypto account (NoName057(16) 2022). The other seven individuals received $100. In October and November, NoName057(16) provided the same amount for bonuses, and twenty volunteers received cryptocurrencies for performing DDoS attacks. It is not clear how long the hackers will continue this practice and where they get the money to support these volunteers. Given the fact that the same participants received incentives in these months, the question about the reliability of these monthly competitions rises. In contrast to NoName057(16), the People’s Cyber Army hackers entered the public space with prepared instructions and a software package for DDoS attacks. In March, a chat for discussions of ongoing and future strikes was established, inviting Telegram users to join it through a People’s Cyber Army bot. An interesting detail is that the group admins prepared targets, published them, and defined the exact time for the beginning of a strike. Obviously, the possibility to partake in cyberattacks along with real hackers attracted some Telegram users. Some of them could participate in strikes on a regular basis; others entertained themselves by one-time involvement. The real impact of this cyber volunteering is impossible to evaluate, as the groups did not, as expected, disclose information about their members and newcomers, and actual volunteers refrained from sharing this controversial experience. More active members meant more potential for useful volunteers, though their level of commitment varied from person to person. Among the teams who worked with volunteers, KillNet had the biggest and fastest-growing crowd of followers, whose number jumped from 39,350 in April 2022 to 94,288 in December 2022. In contrast with KillNet, the size of XakNet’s crowd was stable but not as large in 2022, fluctuating around 35,000 followers. Shortly after their establishment, in April 2022, NoName057(16) and People’s Cyber Army attracted 2,370 and 5,890 people, respectively. In eight months, NoName057(16)’s membership soared by more than 150% (17,000 followers), whereas the number of People’s Cyber Army followers did not increase notably and was more than 7,000. Both groups ran closed chats for volunteers only. It was impossible to reach People’s Cyber Army’s chat, but the NoName057(16) entity embraced around 10,000 people by the end of December 2022. Although over the course of the war there were signals of a rising amount of people sympathizing with the hackers, the hardcore followers who were ready to assist the hackers would barely exceed 10,000 by very rough estimation. To some extent, this community engagement method shares a similarity with a crowdsourcing model in which an initial core group presents a problem

94

Chapter 3

via digital platforms, expecting enthusiastic and like-minded individuals to contribute to a solution. Nonetheless, it can be concluded that entering the ongoing cyberwar, hackers must rely on their own capacity to conduct strikes rather than on the Telegram audience, but an invitation of followers to be a part of strikes is a popular way to gain a Telegram audience and enhance brand recognition. All real work was done behind the scenes by IT professionals from within the group. Hiring Campaigns Another way to invigorate community engagement is to announce a hiring campaign. For recruitment of individuals, Telegram was the perfect place, where the hackers advanced their brands and showed off their values and agenda. Taking into consideration hackers’ brand reputation and the ongoing cyberwar, many applicants would be serious, but not necessarily dedicated to the hackers’ brands and agenda. So, it is improper to assume that every hacker brand tries to utilize this method because it is associated with a high risk and requires the implementation of security measures, which hackers do not usually practice. KillNet repeatedly organized hiring campaigns; the number of cyberattacks grew every single day and the group’s structure increased exponentially. Also, KillNet became a target too, and it searched for fresh team members and supporters to conduct coordinated attacks. In March 2022, the group experienced a shortage of labor capacity. In light of this, KillNet launched a survey, checking its Telegram followers’ willingness to join the team as “cyber warriors.” This poll, aired on March 4, attracted about 6,000 people (We are KillNet 2022). Eighty-eight percent of the participants were ready to help, but the majority of them did not have the capacity or necessary skills. Twelve percent of people admitted their lack of motivation to be involved in KillNet’s attacks. Many followers listed their skills, proposing to volunteer for the advancement of the group. For instance, several users with female nicknames expressed their readiness to help and learn indispensable IT skills (We are KillNet 2022). Other users were worried about legal prosecution and adequate cyber protection (We are KillNet 2022). In general, the recruiting campaign was very effective, because a statement aired on March 9 said that the number of its participants jumped up to 1,780 (We are KillNet 2022). Between March and June 2022, KillNet repeatedly initiated hiring campaigns, looking for IT professionals and sympathizers with indispensable equipment. On March 4, 2022, KillNet embraced three main subdivisions: attackers, technical support, and spreaders. The attacking branch was divided into four units: “Mirai,” “Jacky,” “Sakurajima,” and “DdosGung” (Sweet, Author’s Archive 2022). Later, new units emerged inside the group (for instance, Zarya), while other units were dissolved or became inactive. Every

Russian Hackers

95

unit had its leader, who apparently coordinated their unit’s activities. Perhaps, he or she had a broad set of responsibilities, such as accepting and terminating an individual’s membership from the unit. As the group accepted new unskillful members, it established a learning “center.” In this section, the new members learned the basics of DDoS attacks (We are KillNet 2022). To track media coverage and accomplish other management functions, KillNet used volunteers. It is unknown if the group’s supervisors were on a payroll. At least until July their financial situation was not determined or consistent. However, in June, the KillNet leadership invited potential candidates by promising to pay them for their work. The group utilized a different pattern of work. First, KillNet hired any enthusiastic supporter from their Telegram and Vkontakte channels. Then, the group narrowed its demand, exclusively accepting IT professionals or people with some IT experience. Candidates should send their CVs to the KillNet group, after which those who were selected went through a background check. As reflected in KillNet posts, many fresh members voluntarily or involuntarily left the group after their approval. Apparently, KillNet experienced significant turnover and a constant labor shortage. In June and July 2022, KillNet leadership undertook measures to rearrange its staffers because the group had become a target for concerned Ukrainian activists. There had been multiple attempts to penetrate it. Supposedly, one of these new members from Kharkov infiltrated the team and described the KillNet hiring process as primitive and easy-going, and included defacing a website of the member’s choice. To obfuscate the KillNet team, this infiltrated member called his client, asking him to do a favor—change the appearance of a website. This primitive manipulation was recognized as legitimate, and KillNet allegedly approved him to be a part of the team (Deanon Club 2022). Mocking KillNet for their lack of vigilance and low IT knowledge, this spy placed malicious software on one of KillNet’s outlets, and according to him, many people jumped to upload it to their computers. This Kharkov IT specialist did not take KillNet seriously, highlighting the poor qualifications of its members. Online users did not receive clarification about this video testimony from KillNet. In this case, KillNet preferred to ignore it; however, the hackers admitted Ukrainian infiltrators in its branches. At the beginning of July 2022, KillNet caught pro-Ukrainian spies, and it was forced to stop the ongoing hiring process for a time (We are KillNet 2022). So, serious targets, the high labor turnover, the penetration of proUkrainian spies, and the lack of sustainable financial support resulted in a short period of inner disarray. During these difficult weeks, the hackers continued to communicate with their audience, promising that they would resume attacks and asking them to stay with the brand. In return, the followers did not leave in droves, and the KillNet audience remained stable. As a

96

Chapter 3

result, the KillNet brand was not seriously undermined and began to expand its presence swiftly once again. Within the XakNet group, there were at least two major divisions: the core of the XakNet group and volunteers. To accelerate the divisions’ activity, XakNet used its Telegram outlet as a hiring tool, which the group found beneficial and convenient. As mentioned previously, in May 2022, the group initiated a hiring campaign. For new members with a lack of IT experience and education, the team organized an online school, where volunteer teachers would train novices (XakNet Team 2022). The unit of volunteer teachers consisted of IT specialists who were able to pass an XakNet exam with flying colors. All software, equipment, and other materials for the education were provided for free by the XakNet team. Therefore, XakNet’s old members did not work with the novices or communicate with them directly. While XakNet accomplished its own goals, the new members received and shaped their IT skills. Looking for IT professionals and enthusiastic individuals from other fields, XakNet published three hiring posts, and the post which was targeted at non-IT people gathered the most attention. Even Russian-speaking immigrants residing in Europe voiced their desire to help the hackers (XakNet Team 2022). Also, XakNet invited spammers, social engineers, and experts on phishing and DDoS attacks (XakNet Team 2022). In the fall of 2022, the XakNet structure expanded, and along with the chat and main outlet, its team established several other branches. A DDoS branch began functioning after the alleged merger of XakNet with another group, called DDoS Service (XakNet [DDoS] 2022). This branch, called XakNet DDoS, established a Telegram channel in October 2022, but in less than one month, it became the victim of a coordinated mass attack from Ukrainian users. As the Ukrainian crisis worsened and the cyberwar continued, DDoS activities became a popular trend among the pro-Russian hacker organizations. The XakNet and FRWL groups, which were focused on other types of strikes, began to acquire this new sector (FRWL 2022). To gather a DDoS team, XakNet settled on a new recruitment action, which began from a survey among followers who decided to join. This poll was designed to determine if the XakNet followers had any previous DDoS experience. Its results revealed that 70% of respondents did not have the experience necessary to conduct DDoS attacks, while 21% of participants stated having only basic DDoS skills (XakNet [DDoS] 2022). Only 9% of surveyed followers were skillful enough to join cyber offensives immediately (XakNet [DDoS] 2022). In total, the survey embraced 740 people, and perhaps many of them went through all stages of hiring. Considering these findings, XakNet described the general requirements for candidates: supporters older than 18 years, “not necessarily with IT skills,” but with “a basic English level.” Sending indispensable

Russian Hackers

97

information to the group, the candidate must provide a cover letter where they have to describe “why they fit this position,” “the status of Crimea,” and their position toward “the Russian military operation” (XakNet [DDoS] 2022) Also, the cover letter should contain their “level of IT experience,” age, address, and English level (XakNet [DDoS] 2022). These controversial requirements resulted in a vigorous discussion among potential candidates and followers. For example, many people had doubts if the question pertaining to Crimea served its purpose to filter out pro-Ukrainian spies. For them, the XakNet team should modify it and instead ask about the status of Kherson. Other chat members asked for clarification on the age limitation for new members. Community Engagement and Hackers’ Misfortune As with any brand builder who wants to attract followers and stimulate a relationship with its audience, the KillNet group tried to enrich its content with posts from other sources. Given the specificity of hacking, KillNet’s authentic and unique content cannot be produced on a daily basis. So, in light of this, the KillNet hackers are in a relentless search for relevant and interesting news on other Russian sources. Indeed, the KillNet account released a disparaging comment about the head of the Russian Orthodox Church, Patriarch Kirill, and his statement about Russia. After his Sunday sermon in the main church of the Rosgvardiya in Balashikha near Moscow on November 6, 2022, Patriarch Kirill cautioned about the powerful external forces which try to undermine Holy Russia (The Patriarch Press Service 2022). These forces challenge the very existence of the Russian Federation and Russian society. He also mentioned that he prayed for peace on the Russian land, firm Slavic unity, and brotherhood. Mocking Patriarch Kirill, the founder of KillNet, KillMilk, noticed that the Patriarch talks too much about politics rather than paying attention to the Orthodox faith (We are KillNet 2022). While the post received many “likes,” the overwhelming majority of the KillNet chat participants pointed out his incorrect position on this issue. Followers highlighted that KillNet should listen to Patriarch Kirill more meticulously because the hackers did not understand the significance of his words. Some of the participants yelled for separation of church and state, underlining that this sort of statement from Church officials is a negative sign and the principle of separation is under attack (KillNet Chat 2022). Nonetheless, the controversial issue and KillMilk’s comment broke out a fervent and fruitful dispute amid the KillNet followers, unlike most other KillNet posts, which are followed by a batch of senseless exclamations and emojis.

98

Chapter 3

Difficult or positive connections with a famous figure can bring public attention to a new brand. This happened with the XakNet group in July 2022. Ksenia Sobchak’s affiliated news outlet “Careful! News” on Telegram circulated news about when “the government affiliated XakNet hackers conducted an offensive cyberattack on the Ukrainian TV channel Dom” (Careful! News 2022). XakNet members hacked the TV channel stream and uploaded their footage with the Russian flag and anthem. In the Russian Federation, Ksenia Sobchak is a notorious media person and the famous daughter of a wellknown Russian politician of the 1990s, Anatoly Sobchak. Therefore, association with this significant influencer would be beneficial. XakNet could not miss this opportunity to let out its frustration, unfolding this story: Ksenia Anatolyevna, you are a lucky person, you live in Russia. If not, “progovernment” hackers would check your bank accounts and financial documents .  .  . “Pro-government hackers” do not really like low-level anchors like you . . . who try to leverage their political ideas and turn them into pure business. (XakNet Team 2022)

Worth noting is that there were many other news sources and anchors who labeled this group “pro-government.” However, these sources are foreign. Indeed, in the interview for Bloomberg, representatives of the U.S. cybersecurity company, Mandiant Inc., underlined XakNet’s possible connections with the Kremlin, stating that this group may coordinate some of its actions with the government (Gillum 2022). On October 26, 2022, reporting the XakNet breach on the Knesset website, the Israel news portal repeated Mandiant’s opinion about the XakNet team and the Russian government. It stressed that “the cyber-attack comes amidst warnings by Israel’s intelligence community” that Russian and Iranian hackers could launch attacks on this website, and Russian representatives warned against “supplying air defense systems to Ukraine” (Israel National News 2022). On a global scale, XakNet monitored articles and research about its activities, reposting and commenting on the most interesting or controversial pieces. For instance, its outlet aired the Bloomberg article, and then on September 25, 2022, XakNet released its remarks on the Mandiant report (XakNet Team 2022). However, only a news report on Ksenia Sobchak’s outlet provoked a substantial public reaction: more than 1,600 likes and 120 comments. For comparison, around 600 likes and 10 comments were left on the report of the Bloomberg article (XakNet Team 2022). In general, for XakNet, the average number of likes per post was 789 between June 29 and September 11, 2022. At this point, the group, which focused on growing its crowd as much as possible, augmented its most valuable assets—reached by association with Ksenia Sobchak, who is well known by the XakNet audience. Associations with foreign sources,

Russian Hackers

99

even reputable ones such as Bloomberg, demonstrated a modest impact in terms of brand building and community engagement. Hackers’ Budgets Social media and building web publicity are time-consuming, so obviously social media platforms became useful for employing various fundraising missions. As with any other digital entity, hackers appealed to a large online crowd of users by brand-building and sharing their agenda. This crowd of like-minded people would be the foundation for financial contributions. Entering the public space, the pro-Russian hacker groups realized this opportunity, but not all groups utilized it. In terms of earning money, there are two fundraising goals. First, the hacker brand needs to gather money for its own needs. Second, they organize or support campaigns for other entities whose agenda fits and conveys the hackers’ brand identity. Occasionally, Joker DPR, KillNet, Anonymous Russia, XakNet, and FRWL initiated or supported fundraising actions, while RaHDIt, NoName057(16), Beregini, Zarya, and People’s Cyber Army were not involved in this sort of activity. To be specific, three hacker groups—Joker DPR, KillNet, and Anonymous Russia—raised funds to stimulate their further development (purchasing equipment, paying bills). XakNet, FRWL, and KillNet asked their followers to donate money to military or civil necessities. The hacker groups presented themselves as patriotic and non-profit, insisting their cyber aggressions were politically motivated and dictated by the current geopolitical situation. Nevertheless, several groups complained that their support channels were exhausted by numerous messages wherein Telegram users asked the hackers to provide illegal services with a promise to pay lavishly. For example, to drive home the idea of hacktivism, the XakNet team repeatedly explained their non-profit principle. Along with FRWL, XakNet rejected accepting donations, selling their channel space for advertisements, and conducting personal for-profit hacking services (FRWL 2022; XakNet Team 2022). To be patriotic, non-profit, and have high-tech capability, the hacker groups need to have significant financial aid. Indeed, XakNet and FRWL stressed that their members have well-paid positions. For instance, since the spring of 2022, XakNet maintained close ties with military media anchors who worked in the Donbas region. In September, the hackers announced direct, personal support to this unit, transferring 200,000 rubles (approximately $2,700) (XakNet Team 2022). In Russia, not many people could afford to be a part of this generous donation. Apparently, the hackers launched cyber offensive attacks on their off days and holidays. It is possible that this occurred among members of other pro-Russian groups such as People’s Cyber Army, RaHDIt, NoName057(16), Beregini, and perhaps, Joker DPR.

100

Chapter 3

In contrast, KillNet and its associate Anonymous Russia seemed to rely on donations, selling brand name goods, and external random sources. Since its appearance, KillNet has asked its followers to contribute money through the following cryptocurrencies: Bitcoin, USDT TRC20, Monero, Ethereum, and Tether. In addition, KillNet collected donations via a TON account4, which was opened in September of 2022. However, on September 25, 2022, Telegram moderators blocked the KillNet account for violation of Telegram rules (We are KillNet 2022). According to Telegram, its outlet contained prohibited information, and 150,000 rubles (almost $2,000) became unreachable. The infuriated group notified its followers about the account problems. To avoid gloomy consequences, a few chat participants decided to send donations to other KillNet cryptocurrency wallets. There were many users who suggested a political underpinning behind the Telegram moderation, rather than the infringement of its user policy. Given the fact that the hackers did not mention this issue further, apparently, the situation was resolved, and KillNet continued to gather donations via Telegram. Conducting media monitoring, the group tried to protect its reputation, which was directly connected to the group’s financial situation. In April 2022, some media sources presented KillNet as a government initiative, which received money from a state budget (We are KillNet 2022). In return, KillNet aired an emotional post where it rebuffed being a government creation or being under government control. To prove its nongovernment status, KillNet underlined its financial independence, mentioning that its members were forced to take loans to keep the group active (We are KillNet 2022). On December 10, 2022, news about the U.S. government dedicating almost 11 billion dollars to protect itself from cyberattacks reached Russian cyberspace (Statista​.c​om 2022). With bitterness, the KillNet team commented: “In Russia, patriotic hackers are not appreciated by the government, and forced to earn money themselves for attacks in Europe. Stealing and selling information could lead to imprisonment” (We are KillNet 2022). In fact, the group admitted that its members not only take out loans but actively conduct illegal activities to collect money for its politically motivated attacks. Although, the KillNet group was not alone. In December 2022, XakNet openly set up an online auction to sell access to one of the Ukrainian government departments (XakNet 2022). In its statement, the auction’s goal was charity, and the gathered money would be transferred to “the people in need,” residing in the war-torn areas. For potential buyers, the hackers clarified some indispensable information: We have access to various state facilities of Ukraine. We are ready to sell this access. You would love it! It will outshine both of our previous targets—the Ministry of Finance and the Ministry of Foreign Affairs. The way you manage

Russian Hackers

101

access is up to you. You can encrypt it, you can keep it open (we can give files along with access, although we will need it for a couple of weeks—for sure). We do not mind if you can claim this hack; you can blackmail individuals if you find some secret information. Do whatever you like to do. The rights to this target are completely yours, our hackers will not disclose any information related to this target. If you want us to publish all files we downloaded from it, we can do that too. (XakNet 2022)

For this lot, the starting price was $27,000, but to purchase it immediately, a buyer should pay around $81,000 (XakNet 2022). Soon, the lot had its first bidder, who offered a little above the starting price. KillNet is a unique hacker brand in many ways. It is the only hacker team which initiated selling brand products, promising potential buyers that it would transfer part of the profit to Russian soldiers (We are KillNet 2022). Trying to widen their brand recognition, the hacker group sold sterling silver jewelry via the Internet. The jewelry was manufactured by a Russian jewelry maker who maintained a website and account on Vkontakte (HooliganZ 2022). There were two items with the KillNet name: a ring and earrings. The number of supporters who bought KillNet souvenirs is unknown. Given the fact that customers who bought KillNet’s jewelry did not place photos of purchased products on social media, people were not very interested in buying these goods in light of their high prices. Indeed, the ring with the KillNet logo cost around $250, and the earrings’ price was $95 (HooliganZ 2022). Just like many other groups, KillNet has never revealed details about its financial operations; the group has not reported about receiving or spending donations. However, some financial proposals help to estimate its approximate financial foundation. In March, KillNet proposed around $3,000 for the destruction of a Bandera monument in Ukraine (We are KillNet 2022). To receive the money, an individual should provide video evidence of his or her action (We are KillNet 2022). Despite the lavish proposal, KillNet followers did not fulfill the requirement. The group kept this money, and further, has refrained from similar actions. Thus, at least, initially, the KillNet leadership has had a reserve of money for the group’s operation and random support for its followers. Nevertheless, any reserves would be depleted sooner or later. To conduct hacking, the hacker groups need a stable source of income, or they may have to disband. For KillNet, the situation changed dramatically in the fall of 2022. On September 27, 2022, the KillNet founder openly expressed his grievances to the KillNet audience (We are KillNet 2022). Apparently, his frustration was instigated by Telegram blocking the KillNet crypto account with more than $2,000. Fighting for the Russian Federation, he encountered a lack of consistent financial funding from Russian businessmen and administrative support from government officials. As the KillNet group grew out of a

102

Chapter 3

small illegal DDoS business, which was closed down at the beginning of the war, KillMilk, the founder of KillNet, used his personal savings and loans to finance KillNet’s activities. Also, other people, apparently his close friends and family members, have provided money to him: “I put aside my Dark Net activities and began to protect my homeland! Thanks to a few individuals who help me in my cyberwar; I do appreciate their funding! However, neither government officials nor businessmen expressed their appreciation! They do not care!” (We are KillNet 2022). Underlining that the entire world helps Ukraine, KillMilk asked the business elites and officials whom they help in this war. Further, he explained how morally difficult it was for him to ask the Telegram followers about donations and described the hardships of organizing a fundraising campaign: I step all over myself seven times and announced fundraising campaigns among my followers! However, Russian banks blocked all my accounts, later Telegram did the same to me:) What for? Because I have fought our enemies? . . . unfair treatment . . . Please, learn from my experience. (We are KillNet 2022)

At the end of the statement, KillMilk encouraged “capitalists” and government employees to donate to the KillNet group. Usually, followers skip donation messages and links, but this case was not trivial, and the followers reacted in droves. The statement reached more than 60,000 views, and generated around 5,500 “likes,” “shares,” and comments (We are KillNet 2022). Unlike the response from KillMilk’s statement, an interview with the leader of KillNet’s associate group “Zarya,” conducted by Gazeta​.​ru in November 2022, received only 2,000 likes and 18 comments from followers (We are KillNet 2022). Evidently, the emotional and highly personalized statement proved to be an exceptional way to get along with brand followers and increase brand awareness without conducting hacking attacks on political opponents. It is impossible to determine if the bitter statement resulted in any donations. However, the KillNet chat visitors actively discussed ways to send money. In the KillNet chat, the overwhelming majority of participants stated that they cannot transfer money via cryptocurrency services; some people underlined that they do not have an account, and other participants with a crypto account complained about the lack of knowledge in transferring money. Both of them asked KillNet to provide a detailed guide. Others promised to donate if KillNet provided a Sberbank card, which is a widely used payment system. The KillNet followers understood that the post’s content was not another fake story but was authentic and correlated with the public’s perception of the political situation within Russian society. In light of the ongoing failures of the Russian Forces in Ukraine, cyberspace was full of rumors and

Russian Hackers

103

suggestions, explaining the military’s retreat by a betrayal of government officials. Despite the high ratings of Putin, Russian society has had low trust and is not ready to change its opinion about local bureaucrats and their poor performance. Not surprisingly, the KillNet audience supported KillMilk. While the chat participants concluded that the KillNet group is in fact only one person, they agreed with the following comment: Gosh, KillMilk is right! What crap is in the oligarchs’ heads?! They waste crazy money for drugs and prostitutes, but they do not want to provide money for the guys who are our only cyber defense. This is very bad. (KillNet Chat 2022)

Responding to KillMilk’s concern, the user “Stishka” issued a motivational comment, which received a substantial number of “likes”: My dear KillMilk and KillNet. I would transfer all money that I have to you. However, I am a housewife. Me and my husband work in a service field . . . We try to survive and raise our two children (two sons). I want them to be good citizens, so I tell them about KillNet, its actions, and your dedication and love to Russia. If you give up, we all will be done! I know for a fact that my 500 rubles do not help you to buy needed equipment or whatever else you need. But I am afraid you will give up and return to previous profitable activities. Be strong! I believe your group will be recognized soon! (KillNet Chat 2022)

Through the chat, many participants expressed the same fear that KillMilk would disband KillNet, being unable to resolve its financial hardships. Some inventive participants advised him to ask the founder of the Wagner military group Evgeny Prigozhin for funds.5 To cultivate a community and reinforce the ties between the KillNet brand and its followers, in several hours its founder aired a warning about a scam risk. Trying to take advantage of KillMilk’s statement, some Telegram users established fake accounts, whose names included KillNet. From these accounts, KillNet followers began to receive messages asking the followers to help with transactions and further, asking for personal financial information (credit card number, names, etc.). The hackers detected the scammers and warned their audience: “We do not communicate via personal messages. This is fraud!” (We are KillNet 2022). On the next day, the KillNet group surprised its followers with a positive message, where the hackers assured people that they continued fighting on Russia’s behalf (We are KillNet 2022). Expressing gratitude for the contributions they received, the group wrote that its team reached its goals. On September 29, 2022, KillMilk bought and installed indispensable equipment (We are KillNet 2022). In return, the supporters were curious about the amount

104

Chapter 3

of money that had been donated the previous day. However, KillNet did not respond to them and did not post any comments about the fundraising results. As mentioned previously, looking for a decisive solution for its financial hardships, KillNet utilized various options: selling hacked data and brand merchandise, and conducting fundraising campaigns among its followers on a regular basis. KillNet infrequently sold hacked data on the Darknet as it established fundraising campaigns. In November, KillNet, along with Deanon Club, hacked one of the largest online drug platforms in Russia—BlackSprut. On November 28, accomplishing numerous police requests, KillNet released around 2,000 clients and dealers’ names resulting in police raids in at least six regions of the Russian Federation (KillMilk 2022). Then, the hackers announced an online sale for the platform’s data: virtual drug stores cost $10,000; personal data for 1,000 people cost $50,000; a chain of connected accounts on Telegram cost from $3,000 to $150,000, and payment stations, including active accounts, started from $8,000 (KillMilk 2022). According to KillNet, the most valuable information was the personal data of the platform’s owners and administration which is estimated at $1 million (KillMilk 2022). The total amount that KillNet and Deanon Club collected is not known, but they received very generous proposals from several Russian buyers. Despite KillNet’s initiative to turn the data over to the police, the Deanon Club group fought against this idea, preferring a more pragmatic approach: Russian law enforcement agencies received the smallest portion of the information. Despite its consistent financial sufferings, KillNet supported and initiated fundraising campaigns for other groups. Its charity activity began in March 2022, when KillNet supported a fund collection for a Russian volunteer, Elena Labutina (We are KillNet 2022). It is not clear if the KillNet members offered money or provided any other help to this volunteer. The next month, KillNet asked for money to buy uniforms and military equipment for one of the Russian units fighting in Ukraine (We are KillNet 2022). In December 2022, another fundraising campaign was launched on the KillNet account (We are KillNet 2022). It collected donations for orphans of the Russian Federation. Many followers were impressed by KillNet’s initiative and decided to support this fundraiser, transferring donations to KillNet-associated accounts on QIWI6, Sberbank, Tinkoff, and cryptocurrency wallets. Contributing to the followers’ donations, the KillNet hackers allotted 20,000 Euros from its budget to the orphans; apparently, the hackers donated money which they earned selling the BlackSprut data (We are KillNet 2022). To enhance community engagement, the KillNet admins asked its audience to provide addresses, websites, and phone numbers of orphanages all over the Russian Federation. While Joker DPR asked for donations occasionally, trying purportedly to gather money for his agents, the KillNet-affiliated group “Anonymous

Russian Hackers

105

Russia” aired a series of direct messages which bolstered a particular fundraising goal. Underlining its independence and trying to motivate its audience, Anonymous Russia wrote: We are a non-government organization, and the President of the Russian Federation does not pay for our activities. Dear officials and businessmen, you live as we do in Russia. Please, do not forget us. We need money to support our mission. (Anonymous Russia 2022)

Like KillNet and XakNet, Joker DPR and Anonymous Russia managed multiple crypto accounts such as Monero, Bitcoin, Tether, and others (Joker DPR 2022). Also, Anonymous followers could deposit money to its QIWI page. Hence, the pro-Russian hackers widely relied on cryptocurrencies, and in rare cases Sberbank, Tinkoff, and QIWI. There are several groups which did not partake in fundraising campaigns whatsoever. They did not engage in or support fundraising initiatives for other hacker groups or volunteers. At least, these hacker teams did not publicize their participation. Obviously, some groups were self-sufficient; others suffered from money shortages. As a result, the hackers actively sold hacked data to replenish the group’s budget. Their audience financially supported hacker fundraising campaigns, especially when these campaigns were clearly articulated, well-explained events such as in the case of the donations for orphans or KillMilk’s declaration. However, due to a lack of financial transparency, it is impossible to determine the hackers’ budgets or the amount of funds sent to the groups via donations from followers. To the question of the so-called self-sufficient groups, there are several sources of money: salary, sponsors, government support, data selling, spreading ransomware, and other traditional ways to earn money. Admirably, driven by patriotism, a few hackers, who work in regular positions, are ready to spend their salary and free time for politically motivated attacks. Also, hackers can have a sponsor or sponsors. Most likely, local businessmen would propose financial support for well-known neighborhood IT specialists. This sponsorship would be beneficial for both, especially during an intense cyberwar. Harsh economic conditions push businessmen to work out a survival strategy. Putting aside patriotism, many businessmen would consider ruining competitors, gathering sensitive information for further blackmail, and so on. The ongoing cyberwar and daily news about foreign cyberattacks on Russian digital entities would serve as a perfect cover. This scenario is highly feasible. Whether or not the government is supporting hackers in Russia is not possible to determine. Nevertheless, pro-Russian hackers, whether they serve as regular IT specialists in a legitimate company or are always involved with the Dark Web, are willing to sell hacked data or use other shadow ways to earn money.

106

Chapter 3

From the pro-Russian hacker vista, their social media space was narrowed down to Telegram. Telegram offers its users security malleable censorship, and an anonymous encrypted communication hub to send and receive messages to each other. Within this platform, the hacking teams could develop and implement a brand-building strategy, advancing their symbolic features and agenda. Every brand starts with a name. As the analysis shows, the Russian hackers preferred names with cultural, political, and professional underpinnings. Communication with their audience was vital for the majority of the hacking groups. While only seven hacker organizations opened their outlet content for comments, every hacking group allowed emojis, which was an effective way to spice up and visualize brand communication. Interestingly, chats were not very trendy within the hacking teams, who preferred to use group emails, bots, separate Telegram accounts, and websites. Communication with the public has limits that cannot be disregarded due to hackers’ security concerns. Not all hackers invited the public to be a part of their cyber strikes. A few groups conducted public hiring campaigns among their Telegram followers, looking for indispensable professionals. Nonetheless, highly trusted and well-known group members did all the real work behind the scenes.

NOTES 1. On February 24, 2022, the Russian Forces conducted a missile attack on a military base located in the Ukrainian town Brovary, near the capital of Kiev. As a result, at least six people were killed. Allegedly, before the strike, some Russian sources tried to contact Ukrainian military units in Brovary, asking them to surrender. Otherwise, they would be attacked. However, Ukrainian soldiers ignored the proposal, and their base was hit. 2. The DTEK Group, a private enterprise, has controlled a significant part of the energy sector in Ukraine. 3. The Chechen motto “Akhmad is Power!” became widely known after the beginning of the war in Ukraine on February 24, 2022. Chechen units fighting in Ukraine have used it as a substitute for Allah Akbar. 4. TON or Toncoin is a cryptocurrency for the TON network, which was originally created by the Telegram platform. 5. Evgeny Prigozhin was a Russian businessman who established the Wagner Group in 2014. He managed a restaurant chain in Russia. 6. QIWI is an online Russian payment platform, which was established in 2007. It covers the Russian Federation and several countries from the post-Soviet region.

Russian Hackers

107

REFERENCES Akim Apachev. 2022. An anti-war action is on the middle of our capital. July 6. Accessed October 12, 2022. https://t.me/akimapachev/2783. Anisimova, N. 2022. The Kremlin refused to consider those who left Russia as enemies of the state. April. Accessed December 23, 2022. https://www​.rbc​.ru​/politics​ /02​/04​/2022​/624​8922​99a7​9474​c00de5993. Anonymous. 2022. Attacks on Belarus banks. February 27. Accessed August 4, 2022. https://twitter​.com​/LatestAnonPress​/status​/1498102027741765637​?ref​_src​=twsrc​ %5Etfw​%7Ctwcamp​%5Etweetembed​%7Ctwterm​%5E1​4981​0202​7741​765637​ %7Ctwgr​%5Ed​2e7b​36ab​95ea​fda8​e58d​1c4a​c4b1​cc1f​6b08987​%7Ctwcon​%5Es1_​ &ref​_url​=https​%3A​%2F​%2Fwww​.belrynok​.by​%2F2022​%2F02​%2F28%. ———. 2022. Post about attacks on Russian websites. February 27. Accessed August 3, 2022. https://mobile​.twitter​.com​/YourAnonTV​/status​/1497846153660014593. Anonymous Russia. 2022. Anonymous is not against Russia. July 18. Accessed November 27, 2022. https://t.me/anon_by/74. ———. 2022. Congratulations to our President. October 7. Accessed January 10, 2022. https://t.me/anon_by/905. ———. 2022. Donations! October 14. Accessed October 20, 2022. https://t.me/ anon_by/1009. ———. 2022. Gomel sanitation department. July 10. Accessed January 1, 2023. https://t.me/anon_by/4. ———. 2022. Maxim car service. July 23. Accessed January 1, 2023. https://t.me/ anon_by/153. ———. 2022. The welcome note. Edited by Julia Sweet. Author’s Archive, July 13. ———. 2022. We are Anonymous! July 13. Accessed November 24, 2022. https://t. me/anon_by/30. ———. 2022. We attacked Tik-Tok. July 12. Accessed January 1, 2023. https://t.me/ anon_by/10. ———. 2022. We hacked Roshen. July 10. Accessed November 27, 2022. https://t. me/anon_by/3. ———. 2022. Your donations. December 23. Accessed December 29, 2022. https://t. me/anon_by/2321. Balashova, A., D. Chebakova, and T. Kornev. 2022. The Ministry of Digital Development offered preferential mortgages and a deferment from conscription for IT specialists. February 28. Accessed 13 December, 2022. https://www​.rbc​.ru​/technology​_and​_media​/28​/02​/2022​/621​cfac​c9a7​9479​492100cfc. Batman, Olga, and Dmitry Zakharov. 2022. IzoLenta Stream with Masalovich. November 1. Accessed November 3, 2022. https://vk​ .com​ /video​ -211429367​ _456241113​?list​=7b404b14a12e49f7a8. BBC News. 2022. Eurovision 2022: Russian vote hacking attempt foiled, police say. May 16. Accessed December 23, 2022. https://www​.bbc​.com​/news​/entertainment​ -arts​-61463364.

108

Chapter 3

BBC. 2022. Russia reported a Ukrainian strike on an oil depot in Belgorod. April 1. Accessed June 19, 2022. https://www​.bbc​.com​/russian​/news​-60944913. Bear IT Army. 2022. A trip to Donbas region. November 5. Accessed December 23, 2022. https://t.me/BEARITARMY/13491. Bear.IT.Army. 2022. Putin’s birthday is today. October 7. Accessed January 10, 2023. https://t.me/BEARITARMY/10694 . ———. 2022. We killed Nevzorov’s website. April 4. Accessed November 14, 2022. https://t.me/BEARITARMY/167. Belokrysova, A., M. Alyukov, A. Denisenko, S. Erpyleva, A. Kropivnitsky, I. Kozlova, N. Korytnikova, et  al. 2022. Russian society and the war in Ukraine. Edited by S. Yerpyleva, and N. Savelyeva. June. Accessed January 1, 2023. https:// publicsociology​.tilda​.ws​/war​_report. Beregini. 2022. Our teamwork with RaDHIt. September 29. Accessed January 13, 2023. https://t.me/hackberegini/1046. ———. 2022. We announce a new hunting for information about the Ukrainian Army. August 18. Accessed December 12, 2022. https://t.me/hackberegini/1006. ———. 2022. We ask you to surrender. February 24. Accessed November 20, 2022. https://t.me/hackberegini/709. Beregini group. 2016. About us. September 2. Accessed November 20, 2022. https:// beregini​.wordpress​.com​/about/. Beschetnikova, Nadya. 2022. Social media discussed the Chanel scandal in Dubai. April 1. Accessed December 24, 2022. https://spletnik​.ru​/105642​-v​-seti​-obsuzhdayut​-otkaz​-butikov​-chanel​-ot​-obsluzhivaniya​-russkikh​-klientov​.html. Carbonaro, G. 2022. HIMARS-maker Lockheed Martin ‘confident’ against Russian hackers. August 10. Accessed December 30, 2022. https://www​.newsweek​.com​/ himars​-maker​-lockheed​-martin​-cyberattack​-russian​-Hackers​-1732504. Careful! News. 2022. XakNet attacks the Ukrainian TV channel. July 1. Accessed November 22, 2022. https://t.me/ostorozhno_novosti/9229. CBS News. 2021. Hackers demand $70 million to end biggest ransomware attack on record. July 6. Accessed January 20, 2023. https://www​.cbsnews​.com​/news​/ ransomware​-attack​-revil​-hackers​-demand​-70​-million/. Ceci, L. 2022. Number of monthly active Telegram users worldwide from March 2014 to November 2022. November 7. Accessed December 5, 2022. https://www​.statista​ .com​/statistics​/234038​/telegram​-messenger​-mau​-users/. CISA. 2022. Russian state-sponsored and criminal cyber threats to critical infrastructure. April 24. Accessed November 12, 2022. https://www​.cisa​.gov​/uscert​/ ncas​/alerts​/aa22​-110a. Clegg, Nick. 2022. Restrictions on state backed media. February 28. Accessed December 5, 2022. https://twitter​.com​/nickclegg​/status​/1498395147536527360​ ?ref​_src​=twsrc​%5Etfw​%7Ctwcamp​%5Etweetembed​%7Ctwterm​%5E1​4983​9514​ 7536​527360​%7Ctwgr​%5E6​5ae3​e48b​9c7f​ea40​aeec​78f2​3c1b​e041​2e37b77​%7Ctwcon​%5Es1_​&ref​_url​=https​%3A​%2F​%2Fdailycaller​.com​%2F2022​%2F02​%2F28​ %2Fmeta. Commissariatodips​.i​t. 2022. Computer attacks on the Eurovision Song contest 2022 foiled by the State Police. May 15. Accessed December 23, 2022. https://www​

Russian Hackers

109

.commissariatodips​.it​/notizie​/articolo​/sventati​-dalla​-polizia​-di​-stato​-attacchi​-informatici​-alleurovision​-song​-contest​-2022​/index​.html. DDosia Project. 2022. Our chat rules. July 20. Accessed December 22, 2022. https://t.me/+fiTz615tQ6BhZWFi. Deanon Club. 2022. A KillNet member from Kharkiv. November 22. Accessed December 22, 2022. https://t.me/c/1830401135/82. ———. 2022. BlackSprut and KillNet. November 17. Accessed December 25, 2022. https://t.me/c/1830401135/67. ———. 2022. KillNet attacked Rutor. N0vember 24. Accessed December 25, 2022. https://t.me/c/1830401135/85. ———. 2022. KillNet “power”. November 18. Accessed December 23, 2022. https://t.me/c/1830401135/70. ———. 2022. Our cooperation with KillNet. November 26. Accessed December 23, 2022. https://t.me/killnet_reservs/3791. Defence Express. 2022. How the “Kropyva” combat control system helps in the most difficult situations: Fortified positions couldn’t save Russian Army. July 23. Accessed December 20, 2022. https://en​.defence​-ua​.com​/news​/how​_the​_kropyva​ _combat​_control​_system​_helps​_in​_the​_most​_difficult​_situations​_fortified​_positions​_couldnt​_save​_russian​_army​-3646​.html. Delyagin, M. 2022. Informational report #58. December 24. Accessed January 12, 2023. https://dzen​.ru​/video​/watch​/63a​00d2​7573​a342​1c5eae69e​?t​=6. Demidov, Anton. 2022. Zakharova called the purpose of the special operation of Russia in Ukraine. 25 February. Accessed October 24, 23. https://www​.gazeta​.ru​/ army​/news​/2022​/02​/25​/17346253​.shtml. DTEK. 2022. Following the missile strikes on TPPs, the enemy inflicts hacker attacks on the power system. July 1. Accessed December 22, 2022. https://dtek​.com​/media​ -center​/news​/vslid​-za​-raketnimi​-udarami​-po​-tes​-vorog​-zavdae​-khakerskikh​-udariv​ -po​-energosistemi/. Fedotova, Darya. 2022. Beregini knows Zelensky’s secret. November 4. Accessed November 19, 2022. https://www​.mk​.ru​/politics​/2022​/11​/04​/khakerskaya​-gruppa​ -beregini​-rasskazala​-o​-pikantnom​-kompromate​-na​-zelenskogo​.html. FRWL. 2022. A survey about our interview. August 22. Accessed December 22, 2022. https://t.me/frwl_team/259. ———. 2022. FRWL’s introductory message. June 11. Accessed November 22, 2022. https://t.me/frwl_team/3. ———. 2022. Hackers! We have to work! September 21. Accessed December 12, 2022. https://t.me/frwl_team/269. ———. 2022. Hey, our team! August 8. Accessed January 12, 2023. https://t.me/ frwl_team/241. ———. 2022. IT specialists flee from Russia. June 28. Accessed November 13, 2022. https://t.me/frwl_team/74. ———. 2022. New vacancy: A DDoS analyst. July 13. Accessed December 23, 2022. https://t.me/frwl_team/192. ———. 2022. Our connections. August 6. Accessed December 22, 2022. https://t. me/frwl_team/240.

110

Chapter 3

———. 2022. Our deal with the organosyn​ .com​​ .ua website. July 2. Accessed December 12, 2022. https://t.me/frwl_team/118. ———. 2022. Our mission statement. June 11. Accessed November 16, 2022. https://t.me/frwl_team/3. ———. 2022. Our recent attack on Gorilla Circuits. August 1. Accessed December 30, 2022. https://telegra​.ph​/Vozmezdie​-08​-01. ———. 2022. Our support channel got plenty messages. June 30. Accessed December 23, 2022. https://t.me/frwl_team/91. ———. 2022. Our support service. June 29. Accessed December 12, 2022. https://t. me/frwl_team/86. ———. 2022. Our trip to Norway. July 1. Accessed December 25, 2022. https://t. me/frwl_team/106. ———. 2022. Pavel Kosov recorded a video. July 11. Accessed October 13, 2022. https://t.me/frwl_team/182?single. ———. 2022. Questions from our followers. August 17. Accessed December 22, 2022. https://t.me/frwl_team/249. ———. 2022. Survey about hackers. August 4. Accessed December 21, 2022. https://t.me/c/1760172860/3586. ———. 2022. Survey about the Territorial Defense leak. June 15. Accessed December 12, 2022. https://t.me/frwl_team/20. ———. 2022. Survey. July 4. Accessed December 18, 2022. https://t.me/ frwl_team/136. ———. 2022. The leak of the Territorial Defense. June 15. Accessed December 12, 2022. https://t.me/frwl_team/19. ———. 2022. The situation with the Moscow restaurant. July 11. Accessed October 13, 2022. https://t.me/frwl_team/172. ———. 2022. The Territorial Defense list. June 24. Accessed December 12, 2022. https://t.me/frwl_team/37. ———. 2022. We do not disappear. November 25. Accessed December 23, 2022. https://t.me/frwl_team/275. Galeev, Artur. 2022. Lenta. April 15. Accessed June 12, 2022. https://lenta​.ru​/articles​ /2022​/04​/15​/killnet/. Galimova, N., D. Chebakova, and E. Yasakova. 2022. The Kremlin website does not work. February 26. Accessed August 3, 2022. https://www​.rbc​.ru​/technology​_and​ _media​/26​/02​/2022​/621​9e9e​09a7​9470​bbfec3f21. Gillum, Jack. 2022. Mandiant finds possible link between Kremlin, pro-Russian ‘hacktivists’. June 29. Accessed November 22, 2022. https://www​ .bnnbloomberg​.ca​/mandiant​-finds​-possible​-link​-between​-kremlin​-pro​-russian​-hacktivists​-1​ .1785468. Google Support. 2022. “YouTube channel monetization policies.” Google​.co​m. February 25. Accessed December 5, 2022. https://support​.google​.com​/youtube​/answer​ /1311392​?hl​=en. Gromova, V, and M Ovsiannikova. 2022. A probe against Aleksander Nevzorov was set up. March 22. Accessed November 14, 2022. https://www​.rbc​.ru​/society​/22​/03​ /2022​/623​9fb3​79a7​947f​2172e9198.

Russian Hackers

111

GTRK Dagestan. 2022. Telegram admins were detained by the FSB. September 29. Accessed January 13, 2023. https://t.me/gtrkdagestan/7216. Gusev, D. 2022. My second statement about the Russian Cyber Front. November 25. Accessed December 14, 2022. https://t.me/gusev_tg/1492. Guttman, Jon. 2022. M142 HIMARS: The US Artillery Tearing Into Russia in Ukraine. July 21. Accessed December 30, 2022. https://www​.historynet​.com​/m142​ -himars/. Habr. 2022. Roskomnadzor restricted access to Twitter. March 5. Accessed December 5, 2022. https://habr​.com​/ru​/news​/t​/654473/. Hill, Michael. 2021. The Kaseya ransomware attack: A timeline. November 21. Accessed January 21, 2023. https://www​.csoonline​.com​/article​/3626703​/the​-kaseya​-ransomware​-attack​-a​-timeline​.html. HooliganZ. 2022. KillNet products. June 2. Accessed December 22, 2022. https://vk​ .com​/market​-120167132​?section​=album​_27. Interfax. 2022. Interview with Peskov. February 24. Accessed March 26, 2022. https://www​.interfax​.ru​/russia​/824296. ———. 2022. RAEC predicted the departure of up to 100 thousand IT specialists from the Russian Federation in April. March 22. Accessed December 23, 2022. https://www​.interfax​.ru​/digital​/830581. International Hacker Alliance. 2022. Our units. April 30. Accessed December 23, 2022. https://t.me/world_hacker_alliance/54. Israel national news. 2022. Russian hackers attack Knesset website. October 26. Accessed November 22, 2022. https://www​.israelnationalnews​.com​/news​/361767. Ivanov, Y. 2022. OUKR​.in​fo received threats from Russian hackers. March 28. Accessed January 1, 2023. https://oukr​.info​/operatyvnij​-ukrayini​-info​-nadijshly​ -pogrozy​-vid​-rosijskyh​-hakeriv​-noname​.html. Izvestia. 2022. Zhykov placated the angry public. December 4. Accessed January 12, 2023. https://iz​.ru​/1435443​/2022​-12​-04​/zhukov​-otmenil​-zapret​-na​-kamufliazh​-v​ -barakh​-posle​-intcidenta​-s​-uchastnikom​-svo. Joker DPR. 2022. Funds for my spies. November 9. Accessed December 24, 2022. https://t.me/JokerDPR/261. ———. 2022. Shariy’s video about the breach of Zaluzhnyi’s Instagram account. November 6. Accessed November 20, 2022. https://t.me/JokerDPR/241. JokerDPR, interview by Yulya Vitiazeva. 2019. The interview with Joker DPR News Front, December 15. https://news​-front​.info​/2019​/12​/15​/eksklyuzivnoe​-intervyu​ -news​-front​-s​-dzhokerom​-dnr/. Kadyrov, Ramzan. 2022. A statement about enemies of the state. April 3. Accessed December 23, 2022. https://t.me/RKadyrov_95/1759. Karasin, Grigory. 2022. Russia is a sponsor of terrorism. November 23. Accessed November 29, 2022. https://t.me/Grigory_Karasin/631. Kildushkin, Roman. 2022. A founder of KillNet about the cyber war. August 7. Accessed December 23, 2022. https://www​.gazeta​.ru​/tech​/2022​/08​/07​/15229652​ .shtml. ———. 2022. The leader of Zarya: We are not terrorists. November 6. Accessed January 2, 2023. https://www​.gazeta​.ru​/tech​/2022​/11​/06​/15734689​.shtml​?updated.

112

Chapter 3

KillMilk. 2022. A list of staffers. August 11. Accessed January 13, 2023. https://t.me/ killmilk_rus/32. ———. 2022. Attack Lockheed Martin! July 31. Accessed December 30, 2022. https://t.me/killmilk_channel/17. ———. 2022. Gysev’s project. November 23. Accessed October 13, 2022. https://t. me/killmilk_rus/278. ———. 2022. KillNet birthday. November 13. Accessed December 23, 2022. https://t.me/killmilk_rus/226. ———. 2022. My interview. December 20. Accessed December 20, 2022. https://ton​ .place​/killmilk​?w​=post7781395. ———. 2022. My next steps for Lockheed Martin. August 11. Accessed January 13, 2023. https://t.me/killmilk_rus/35. ———. 2022. Our prices for the BlackSprut platform. November 29. Accessed December 31, 2023. https://t.me/killmilk_rus/336. ———. 2022. Our release for the drug platform. November 28. Accessed December 20, 2022. https://t.me/killmilk_rus/333. ———. 2022. Rutor gave money to KillNet. August 22. Accessed September 20, 2022. https://t.me/killmilk_rus/65. ———. 2022. The attack on Lockheed Martin was finished. August 11. Accessed January 13, 2023. https://t.me/killmilk_rus/20. KillNet Chat. 2022. Discussion of the Patriarch Kirill’s statement. November 6. Accessed November 23, 2022. https://t.me/c/1688942657/1105607. ———. 2022. KillMilk’s story discussion. September 27. Accessed November 22, 2022. https://t.me/c/1688942657/841966. KillNet. 2022. KillNet – Russian Hacker Group. May 1. Accessed May 12, 2022. https://trackingterrorism​.org​/group​/killnet​-russian​-hacker​-group/. Kp​.r​u. 2022. Ramzan Kadyrov: We are fighting against NATO. May 18. Accessed May 20, 2022. https://www​.kp​.ru​/video​/880165/. Legion. 2022. Are you ready: Our poll. May 14. Accessed December 23, 2022. https://t.me/Legion_Russia/274. ———. 2022. Eurovision IP numbers. May 14. Accessed December 23, 2022. https://t.me/Legion_Russia/263. ———. 2022. Italian police losers! May 15. Accessed December 23, 2022. https://t. me/Legion_Russia/287. ———. 2022. Our goals for the upcoming attack on Eurovision. May 14. Accessed December 23, 2022. https://t.me/Legion_Russia/264. ———. 2022. Start an attack on Kropyva Telegram! May 22. Accessed December 23, 2022. https://t.me/Legion_Russia/368. ———. 2022. Stop nagging! May 14. Accessed December 23, 2022. https://t.me/ Legion_Russia/280. ———. 2022. Stop the attack, please. May 14. Accessed December 23, 2022. https://t.me/Legion_Russia/281. ———. 2022. Stop the strike! May 14. Accessed May 23, December. https://t.me/ Legion_Russia/279.

Russian Hackers

113

———. 2022. The blitzkrieg tactic. May 14. Accessed December 23, 2022. https://t. me/Legion_Russia/282. ———. 2022. Zarya is looking for IPs for the upcoming attacks. May 14. Accessed December 23, 2022. https://t.me/Legion_Russia/271. Levada Center. 2022. Russia and NATO. April 15. Accessed December 24, 2022. https://www​.levada​.ru​/2022​/04​/15​/mezhdunarodnye​-otnosheniya​-6/. ———. 2022. Russian-American relations. May 25. Accessed December 12, 2022. https://www​.levada​.ru​/2022​/05​/25​/rossijsko​-amerikanskie​-otnosheniya/. Mandiant. 2022. GRU: Rise of the (Telegram) MinIOns. September 23. Accessed November 13, 2022. https://www​.mandiant​.com​/resources​/blog​/gru​-rise​-telegram​ -minions. Masalovich, A. 2022. Story of the female hacker group, Beregini. June 30. Accessed November 20, 2022. https://www​.youtube​.com​/watch​?v​=Hz7QrymOlYk. Mash. 2022. The client explains the situation with the car service. July 5. Accessed November 29, 2022. https://t.me/breakingmash/36328. Matveychev, Oleg, interview by E. Maltzeva. 2022. “An interview with Oleg Matveychev.” Ura​.new​s. December 6. Accessed January 13, 2023. https://ura​.news​/ news​/1052608382. Meduza. 2022. Alla Pugacheva returned to Russia. August. Accessed December 2022, 2022. https://meduza​.io​/news​/2022​/08​/27​/alla​-pugacheva​-vernulas​-v​-rossiyu​-kak​-i​-obeschala. ———. 2022. The Moscow observation wheel was stopped shortly after its opening. September 13. Accessed December 23, 2022. https://meduza​.io​/feature​/2022​/09​ /13​/poka​-rossiyskaya​-armiya​-otstupala​-v​-ukraine​-putin​-otkryval​-solntse​-moskvy​ -samoe​-bolshoe​-v​-evrope​-koleso​-obozreniya. Medvedev, A. 2022. Response to Akim Apachev. July 7. Accessed October 13, 2022. https://t.me/MedvedevVesti/10372. Medvedev, D. 2022. A statement about the enemies of the state. February 28. Accessed December 23, 2022. https://t.me/medvedev_telegram/239. Melikov, S. 2022. The protests in Dagestan. September 26. Accessed January 13, 2023. https://t.me/melikov05/537. Melkadze, A. 2021. Statista​.co​m. June 2021. Accessed December 5, 2022. https:// www​.statista​.com​/statistics​/1252822​/reasons​-to​-use​-telegram/. Metsola, R. 2022. Our website is under attack. November 29. Accessed November 29, 2022. https://twitter​.com​/EP​_President​/status​/1595443471518777345​?cxt​ =HHwWgoC​-sczYk6QsAAAA. Milmo, D. 2022. Anonymous: The hacker collective that has declared cyberwar on Russia. February 27. Accessed May 1, 2022. https://www​.theguardian​.com​/world​/2022​/ feb​/27​/anonymous​-the​-hacker​-collective​-that​-has​-declared​-cyberwar​-on​-russia. Ministry of Foreign Affairs of Russia. 2022. A briefing of the Ministry of Foreign Affair. February 25. Accessed January 12, 2023. https://www​.youtube​.com​/watch​ ?v​=WztQVKdFk0s. MK​.r​u. 2022. Car service in Moscow refused to service a car with a Z symbol. July 6. Accessed December 1, 2022. https://www​.mk​.ru​/social​/2022​/07​/06​/avtoservis​-v​ -moskve​-otkazalsya​-obsluzhivat​-mashinu​-s​-simvolom​-z​.html.

114

Chapter 3

MoscowSun. 2022. Moscow new attraction. September 10. Accessed December 20, 2022. https://t.me/moscowsunofficial/478. Nefedova, M. 2022. Arrests of the REvil hackers became a surprise. January 1. Accessed January 1, 2023. https://xakep​.ru​/2022​/01​/21​/revil​-darknet/. Nemesis. 2022. Thanks for sharing information! June 4. Accessed December 21, 2022. https://t.me/nemeZ1da_ru/174. ———. 2022. Our joined operation. July 29. Accessed January 1, 2023. https://t.me/ nemeZ1da_ru/539. ———. 2022. We received information about a SS Bears member. May 29. Accessed December 12, 2022. https://t.me/nemeZ1da_ru/98. Neoficialniy Bezsonov. 2022. Warning about Kropyva. May 18. Accessed December 20, 2022. https://t.me/NeoficialniyBeZsonoV/13283. NoName057(16). 2022. A warning letter for 4studio. March 28. Accessed February 2, 2023. https://t.me/noname05716/49. ———. 2022. Another fake news source was turned down. March 29. Accessed February 2, 2023. https://t.me/noname05716/51. ———. 2022. Dmitry Gysev’s proposal. November 22. Accessed November 13, 2022. https://t.me/noname05716/1106. ———. 2022. Our clarification. September 22. Accessed December 21, 2022. https://t.me/c/1228309110/6433. ———. 2022. Our first bonuses. September 8. Accessed December 23, 2022. https://t.me/noname05716/841. ———. 2022. Our mission statement. March 11. Accessed November 23, 2022. https://t.me/noname05716/3. ———. 2022. The attack on the Polish airline. August 2. Accessed November 30, 2022. https://t.me/noname05716/561. ———. 2022. Zadix​.n​et is under attack. March 31. Accessed February 2, 2023. https://t.me/noname05716/56. Novaya Gazeta. 2022. A detention order is issued for Nevzorov. May 6. Accessed November 13, 2022. https://novayagazeta​.eu​/articles​/2022​/05​/06​/sud​-v​-moskve​ -zaochno​-arestoval​-publitsista​-aleksandra​-nevzorova​-po​-delu​-o​-feikakh​-pro​-deistviia​-rossiiskoi​-armii​-news. OVD News. 2022. Detentions in Dagestan. September 25. Accessed January 10, 2023. https://ovd​.news​/news​/2022​/09​/25​/spiski​-zaderzhannyh​-v​-svyazi​-s​-akciyami​-protiv​-mobilizacii​-25​-sentyabrya. ———. 2022. Protests in 17 Russian cities. March 6. Accessed October 13, 2022. https://ovd​.news​/news​/2022​/02​/28​/spiski​-zaderzhannyh​-v​-svyazi​-s​-akciyami​-protiv​-voyny​-s​-ukrainoy​-28​-fevralya​-2022. People Cyber Army. 2022. A new structure for our group. March 9. Accessed December 3, 2022. https://telegra​.ph​/Narodnaya​-CyberArmiya​-03​-09. ———. 2022. A DDoS guide for everybody. March 2. Accessed December 3, 2022. https://telegra​.ph​/Kompleksnaya​-instrukciya​-dlya​-provedeniya​-DDoS-​-atak​-03​ -11. ———. 2022. Our statement. March 2. Accessed December 3, 2022. https://t.me/ CyberArmyofRussia/3.

Russian Hackers

115

People’s Cyber Army. 2022. Chat rule. June 23. Accessed December 20, 2022. https://t.me/CyberArmyofRussia_Reborn/584. ———. 2022. Chat rules. June 22. Accessed December 20, 2022. https://t.me/ CyberArmyofRussia_Reborn/626. ———. 2022. Dagestan protests were organized on Telegram. September 26. Accessed November 30, 2022. https://t.me/CyberArmyofRussia_Reborn/1232. ———. 2022. Join our team! March 2. Accessed December 3, 2022. https://t.me/ CyberArmyofRussia/4. ———. 2022. Our attack on the Mozart militant group. September 27. Accessed November 30, 2022. https://t.me/CyberArmyofRussia_Reborn/1237. ———. 2022. Our chat. September 22. Accessed December 20, 2022. https://t.me/ CyberArmyofRussia_Reborn/1212. ———. 2022. Our joined strike at the enemy’s website. April 1. Accessed October 16, 2022. https://t.me/CyberArmyofRussia_Reborn/33. ———. 2022. Our new logo. July 15. Accessed October 10, 2022. https://t.me/ CyberArmyofRussia_Reborn/726. ———. 2022. Our strike on Ukropsoft. October 4. Accessed December 23, 2022. https://t.me/CyberArmyofRussia_Reborn/1286. ———. 2022. The Mozart Group is under our attack. November 21. Accessed November 30, 2022. https://t.me/CyberArmyofRussia_Reborn/1729?single. ———. 2022. Zelensky picture. November 30. Accessed January 12, 2023. https://t. me/CyberArmyofRussia_Reborn/1847. Phoenix. 2022. Repost from the International Hackers Alliance. April 15. Accessed December 23, 2022. https://t.me/phoenixinform/396. Politikus. 2022. Utro Dagestan’s administrators were identified via a link. September 27. Accessed January 12, 2023. https://politikus​ .info​ /events​ /146982​ -sdeanonili​ -razzhigayuschiy​-protesty​-v​-dagestane​-telegram​-kanal​-utro​-dagestan​.html. Polykazakova, T. 2019. Who is Joker DPR? December. Accessed November 18, 2022. https://tvzvezda​.ru​/news​/201912121648​-KkhyQ​.html. Poplavok, V. 2022. Zhykov changed rules for his bars. December 4. Accessed January 12, 2023. https://tvcenter​.ru​/zvezdy​/tak​-byvaet​-sergey​-zhukov​-publichno​-prokommentiroval​-zapret​-na​-vhod​-v​-ego​-bary​-uchastnikov​-spetsoperatsii/. Radio of Russia. 2022. Signals of the exact time. November 3. Accessed November 15, 2022. https://smotrim​.ru​/article​/3024572. ———. 2022. The interview with RaHDIt hacker. June 6. Accessed November 24, 2022. Readovka. 2022. Russian soldiers were kicked out of a bar! December 3. Accessed January 12, 2023. https://t.me/readovkanews/48158. RIA. 2022. Czech Parliament assigned Russia as a sponsor of terrorism. November 3. Accessed December 21, 2022. https://crimea​.ria​.ru​/20221103​/chekhiya​-ofitsialno​-priznala​-vlasti​-rossii​-terroristicheskim​-rezhimom​-1125231247​.html. Ria News. 2022. KillNet hacked ESO. July 8. Accessed November 29, 2022. https:// ria​.ru​/20220709​/khakery​-1801365473​.html. Rogozin, D. 2022. My speech at the missile facility. March 10. Accessed January 11, 2023. https://www​.youtube​.com​/watch​?v​=UlqaeRlfXxY.

116

Chapter 3

Roskomnadzor. 2022. Response measures taken to restrict access to Russian media. March 4. Accessed December 5, 2022. https://rkn​.gov​.ru​/news​/rsoc​/news74156​.htm. ———. 2022. Restrictions for Instagram. March 11. Accessed December 5, 2022. https://rkn​.gov​.ru​/news​/rsoc​/news74180​.htm. Roth, Yoel. 2022. New labels for propagandist accounts. February 28. Accessed December 5, 2022. https://twitter​.com​/yoyoel​/status​/1498343849273425921​?ref​ _src​=twsrc​%5Etfw​%7Ctwcamp​%5Etweetembed​%7Ctwterm​%5E1​4983​4384​9273​ 425921​%7Ctwgr​%5E6​5ae3​e48b​9c7f​ea40​aeec​78f2​3c1b​e041​2e37b77​%7Ctwcon​ %5Es1_​&ref​_url​=https​%3A​%2F​%2Fdailycaller​. com​% 2F2022​ %2F02​ % 2F28​ %2Fmeta​-go. Rozanov, V. 2022. A hacker from the Beregini group disclosed the SBU plans about Russia. February 24. Accessed November 19, 2022. https://zavtra​ .ru​ / blogs​/haker​_gruppi​_beregini​_rasskazala​_o​_planah​_sbu​_po​_razvalu​_rossii​?ysclid​ =laq1fxs1p0128910584. Rozhin, Boris. 2019. New military channel appeared. November 2. https://t.me/ vityzeva/3789. Rudkovskaya, Y. 2022. Chanel scandal. April 1. Accessed December 23, 2022. https://t.me/doveoftheworld/1004. Russia Today. 2022. An interview with KillMilk (KillNet). October 9. Accessed January 2, 2023. https://russian​.rt​.com​/world​/article​/1059107​-killnet​-hakery​-ssha​ -razoblachenie. Russian OSTIN. 2022. “Interview with pro-Russian hackers from XakNet.” Interview with XakNet. June 26. https://telegra​.ph​/Intervyu​-s​-XakNet​-Team​-06​-26. Rusvesna. 2018. Our story. February 8. Accessed December 24, 2022. https://rusvesna​.su​/about. ———. 2022. KillNet gift for us! November 13. Accessed December 20, 2022. https://t.me/RVvoenkor/31764. ———. 2022. Sergey Zhykov’s bar did not allow Russian soldiers to enter. December 3. Accessed January 12, 2023. https://t.me/RVvoenkor/33187?single. Rychkina, T. 2022. Sergey Zhykov comments the incident in his bar. December 4. Accessed January 12, 2023. https://www​.kommersant​.ru​/doc​/5705896. Scott, Mark. 2022. How Ukraine used Russia’s digital playbook against the Kremlin. August 24. Accessed January 1, 2023. https://www​.politico​.eu​/article​/ukraine​-russia​-digital​-playbook​-war/. Shariy, Anatoly. 2022. Zaluzhnyi got a serious hit. November 6. Accessed November 19, 2022. https://www​.youtube​.com​/watch​?v​=F6uKWVo5H0w. SHOT. 2022. An interview with D. Gusev. November 23. Accessed December 14, 2022. https://t.me/gusev_tg/1477. Signal. 2022. Its restaurant account was hacked. July 7. Accessed October 13, 2022. https://t.me/ssigny/32015. Sledkom. 2022. Investigative committee launched a probe against Nevzorov. March 22. Accessed November 13, 2022. https://sledcom​.ru​/news​/item​/1666644/. Smith, David J. 2014. Russian cyber strategy and the war against Georgia. January 17. Accessed April 12, 2023. https://www​.atlanticcouncil​.org​/blogs​/natosource​/ russian​-cyber​-policy​-and​-the​-war​-against​-georgia/.

Russian Hackers

117

Soshnikov, A. 2021. Who did delete the REvil hackers from cyberspace? July 15. Accessed January 1, 2023. https://www​.svoboda​.org​/a​/kto​-ubral​-hackerov​-is​-darkneta​/31359720​.html. Statista​.co​m. 2022. Proposed budget of the U.S. government for cyber security in FY 2017 to 2023. September 12. Accessed January 1, 2023. https://www​.statista​.com​/ statistics​/675399​/us​-government​-spending​-cyber​-security/. Stop-NATO movement. 2022. About us. April 27. Accessed September 12, 2022. https://xn-​-80azccckhe​.xn-​-p1ai​/en​/movement. Strozewski, Z. 2022. Russia Is at war with NATO: Kremlin Official. August 10. Accessed November 12, 2022. https://www​.newsweek​.com​/russia​-war​-nato​-kremlin​-official​-1732679. Sweet, J. 2022. “Author’s archive.” KillNet Post. Vol. B. no. (12). Telegram, April 29. ——— 2022. “Author’s archive.” NoName057(16), Opening post. Vol. Russian Hackers. no. NoName057(16) (0a). March 11. TASS. 2022. Russia to end special operation after removing threats caused by NATO’s colonization of Ukraine. April 20. https://tass​.com​/politics​/1440761. TCH. 2022. The Russian invaders fired on the territory of the Kryvyi Rih TPP. June 28. Accessed December 24, 2022. https://tsn​.ua​/en​/ato​/the​-russian​-invaders​-fired​ -on​-the​-territory​-of​-the​-kryvyi​-rih​-tpp​-2098747​.html. TGStat. 2022. KillNet statistics. July 14. Accessed December 1, 2022. https://tgstat​ .com​/channel/​@killnet​_reservs​/stat​/members​-attraction. The European Parliament. 2022. “Europarl​.europa​.​eu.” European Parliament resolution of 23 November 2022 on recognising the Russian Federation as a state sponsor of terrorism. November 23. Accessed November 26, 2022. https://www​ .europarl​.europa​.eu​/doceo​/document​/TA​-9​-2022​-0405​_EN​.html. The Fair Russia Party. 2022. The discussion of Russian cyber security and economy. November 23. Accessed November 29, 2022. https://vk​.com​/dg​_prav. The Patriarch Press Service. 2022. Patriarchal Sermon after the Liturgy at the Church of Prince Vladimir in Balashikha, Moscow. November 6. Accessed November 22, 2022. http://www​.patriarchia​.ru​/db​/text​/5974368​.html. The State Duma. 2022. Putin signed a new law against fake information. March 4. Accessed November 13, 2022. http://duma​.gov​.ru​/news​/53632/. The Verkhovna Rada of Ukraine. 2022. The project about the Territorial Defense. June 10. Accessed December 21, 2022. https://itd​.rada​.gov​.ua​/billInfo​/Bills​/Card​ /38749. Thevoicemag. 2022. Marina Ermoshkina initiated an anti-Chanel challenge. April 7. Accessed December 23, 2022. https://www​.thevoicemag​.ru​/stars​/news​/07​-04​-2022​ /o​-chellendzhe​-mariny​-ermoshkinoy​-napisali​-telegraph​-i​-the​-mirror/. Troika. 2022. Pavel Kosov’s information was leaked. July 7. Accessed October 13, 2022. https://t.me/rustroyka1945/3759. Tyunyaeva, M. 2022. Telegram bypassed Whatsapp in terms of traffic in Russia. March 20. Accessed December 4, 2022. https://www​.vedomosti​.ru​/technology​/ articles​/2022​/03​/20​/914320​-telegram​-oboshel​-whatsapp. Ura News. 2022. Czech Republic recognizes Russia as state sponsor of terrorism. November 3. Accessed December 21, 2022. https://ura​.news​/news​/1052600412.

118

Chapter 3

Utro Dagestan. 2022. Be prepared for the meeting! September 24. Accessed January 13, 2023. https://t.me/utro_dagestan/2739. ———. 2022. The meeting will be at 15:00. September 24. Accessed January 12, 2023. https://t.me/utro_dagestan/2721. ———. 2022. Instructions for the upcoming meeting. September 24. Accessed January 13, 2023. https://t.me/utro_dagestan/2739. Vincent, J. 2022. YouTube blocks Russian news channels RT and Sputnik in Europe. March 1. Accessed December 5, 2022. https://www​ .theverge​ .com​ /2022​ /3​ /1​ /22956114​/youtube​-blocks​-russian​-media​-rt​-russia​-today​-sputnik​-europe. Voropaeva, E., and A. Serova. 2022. Nevzorov was granted Ukrainian citizenship. June 3. Accessed November 13, 2022. https://www​.rbc​.ru​/politics​/03​/06​/2022​/629​ 9ce6​89a7​9471​1a5d34b26. We are Killnet. 2022. A fake account on Vk​.co​m. November 10. Accessed December 13, 2022. https://t.me/killnet_reservs/3451. ———. 2022. Killnet post. Author’s Archive, April 29. ———. 2022. Mirai released fraudsters’ personal information. September 19. Accessed January 3, 2023. https://t.me/killnet_reservs/2722. We are KillNet. 2022. 14 groups joined KillNet. September 29. Accessed December 25, 2022. https://t.me/killnet_reservs/2900. ———. 2022. A military unit needs our help. April 26. Accessed December 23, 2022. https://t.me/killnet_reservs/768. ———. 2022. A new fundraising event. December 6. Accessed December 23, 2022. https://t.me/killnet_reservs/4207. ———. 2022. A new idea of Russian officials! November 25. Accessed October 13, 2022. https://t.me/killnet_reservs/3771. ———. 2022. A nex poll: Pick a target! July 4. Accessed December 25, 2022. https://t.me/killnet_reservs/2064. ———. 2022. A survey about Russian celebrities. March 17. Accessed November 23, 2022. https://t.me/killnet_reservs/158. ———. 2022. About our group. February 26. Accessed November 20, 2022. https://t. me/killnet_reservs/10. ———. 2022. An email from a Polish spy. July 26. Accessed November 29, 2022. https://t.me/killnet_reservs/2201. ———. 2022. An email from a Polish Telegram user. July 26. Accessed November 29, 2022. https://t.me/killnet_reservs/2202. ———. 2022. Anonymous attacks the European Parliament. November 23. Accessed November 29, 2022. https://t.me/killnet_reservs/3710. ———. 2022. Anonymous is U.S. puppets. no. 1a. Author’s Archive, February 26. ———. 2022. Attacks on Polish intensive care facilities. July 14. Accessed December 1, 2022. https://t.me/killnet_reservs/2158. ———. 2022. Be careful: Fake news. September 11. Accessed December 23, 2022. https://t.me/killnet_reservs/2596. ———. 2022. Be careful: Scam. December 18. Accessed December 19, 2022. https://t.me/c/1688942657/1333438.

Russian Hackers

119

———. 2022. Chat communication about attacks on Poland. July 14. Accessed December 1, 2022. https://t.me/c/1688942657/509856. ———. 2022. Chat under the survey, aired on March 4, 2022. Author’s Archive, March 4. ———. 2022. Check the links. March 17. Accessed November 23, 2022. https://t.me/ killnet_reservs/159. ———. 2022. Do not t-shirts from this website! September 15. Accessed January 1, 2023. https://t.me/killnet_reservs/2661. ———. 2022. Do you sleep? July 8. Accessed November 29, 2022. https://t.me/ killnet_reservs/2106. ———. 2022. Fake accounts. Edited by Author’s Archive. April 25. ———. 2022. Fake KillNet account with many followers. Author’s Archive, June 28. ———. 2022. Fake support account! 27 September. Accessed December 16, 2022. https://t.me/killnet_reservs/2869. ———. 2022. False account of Killnet. Archive, Author’s, March 3. ———. 2022. Financial support. Author’s Archive, March 13. ———. 2022. For crypto enthusiasts, here are KillNet wallets. September 25. Accessed December 23, 2022. https://t.me/killnet_reservs/2829. ———. 2022. Fraud activity. September 27. Accessed September 30, 2022. https://t. me/killnet_reservs/2869. ———. 2022. Fraudsters stole from volunteers. September 19. Accessed January 2, 2023. https://t.me/killnet_reservs/2716. ———. 2022. Hakers’ cooperation against Lockheed Martin. August 10. Accessed December 30, 2022. https://t.me/killnet_reservs/2283. ———. 2022. Is Galkin back? August 28. Accessed December 25, 2022. https://t. me/killnet_reservs/2475. ———. 2022. KillMilk is leaving KillNet. July 28. Accessed December 30, 2022. https://t.me/killnet_reservs/2209. ———. 2022. KillMIlk: I am leaving KillNet. July 28. Accessed December 30, 2022. https://t.me/killnet_reservs/2208. ———. 2022. KillMilk: My story. September 22. Accessed November 22, 2022. https://t.me/killnet_reservs/2858. ———. 2022. KillNet did not get money from the government. December 10. Accessed December 23, 2022. https://t.me/killnet_reservs/4286. ———. 2022. KillNet jewelry. June 2. Accessed December 22, 2022. https://t.me/ killnet_reservs/1702. ———. 2022. KillNet statement on its affiliation. Edited by Author’s Archive. April 20. ———. 2022. KillNet Support statement. Author’s archive, March 9. ———. 2022. KillNet survey. Author’s Archive, March 4. ———. 2022. KillNet’s statement for European media. no. 13(9). Edited by J Sweet. April 25. ———. 2022. My purchases. KillMilk. September 29. Accessed November 23, 2022. https://t.me/killnet_reservs/2898.

120

Chapter 3

———. 2022. Nevzorov website turned down! May 13. Accessed November 13, 2022. https://t.me/killnet_reservs/1275. ———. 2022. Our attack is ended. August 10. Accessed January 13, 2022. https://t. me/killnet_reservs/2291. ———. 2022. Our birthday is today! November 13. Accessed December 24, 2022. https://t.me/killnet_reservs/3499. ———. 2022. Our explanation: We do not regret. July 14. Accessed November 29, 2022. https://t.me/killnet_reservs/2159. ———. 2022. Our joined attack on Rutor. August 15. Accessed October 20, 2022. https://t.me/killnet_reservs/2356. ———. 2022. Our last promises. March 3. Accessed 13 January, 2023. https://t.me/ killnet_reservs/46. ———. 2022. Our new ally: Stop-NATO group. April 17. Accessed May 12, 2022. https://t.me/killnet_reservs/595. ———. 2022. Our response to online blackmailers. July 26. Accessed November 29, 2022. https://t.me/killnet_reservs/2204. ———. 2022. Our survey about NATO and the U.S. February 28. Accessed November 20, 2022. https://t.me/killnet_reservs/20. ———. 2022. Our thoughts about this war. March 22. Accessed May 12, 2022. https://t.me/killnet_reservs/232. ———. 2022. Our warriors were banned from Zhykov’s bar! December 3. Accessed January 13, 2023. https://t.me/killnet_reservs/4123. ———. 2022. Patriarch Kirill’s statement. November 6. Accessed November 23, 2022. https://t.me/killnet_reservs/3382. ———. 2022. Please, write complaints on this account! June 3. Accessed January 2, 2023. https://t.me/killnet_reservs/1717. ———. 2022. Post about Ukraine. Edited by Julia Sweet. Author’s Archive, ­February 26. ———. 2022. Pugacheva is back?! August 29. Accessed December 25, 2022. https://t.me/c/1688942657/676581. ———. 2022. Putin’s birthday! October 7. Accessed January 10, 2023. https://t.me/ killnet_reservs/2978 . ———. 2022. Someone sells t-shirts with our logo on AliExpress. September 15. Accessed January 1, 2023. https://t.me/killnet_reservs/2660. ———. 2022. Telegram blocked out wallet. September 25. Accessed January 1, 2023. https://t.me/killnet_reservs/2824. ———. 2022. Thank you note. September 28. Accessed November 22, 2022. https://t. me/killnet_reservs/2870. ———. 2022. The European Parliament website was attacked. November 29. Accessed November 29, 2022. https://t.me/killnet_reservs/3721?comment=1203637. ———. 2022. The interview with the Zarya leader. November 6. Accessed November 23, 2022. https://t.me/killnet_reservs/3375. ———. 2022. To our officials and oligarchs! We need money! September 25. Accessed December 25, 2022. https://t.me/killnet_reservs/2829.

Russian Hackers

121

———. 2022. Upcoming attacks on Poland. July 13. Accessed December 1, 2022. https://t.me/killnet_reservs/2156. ———. 2022. Utro Dagestan: A full report. September 27. Accessed January 13, 2023. https://telegra​.ph​/Kto​-ustraivaet​-besporyadki​-v​-Dagestane​-09​-27. ———. 2022. We are busy! August 29. Accessed December 25, 2022. https://t.me/ killnet_reservs/2472. ———. 2022. We are celebrating! November 5. Accessed November 30, 2022. https://t.me/killnet_reservs/3364. ———. 2022. We attack Ukrainian cyber police. March 6. Accessed December 20, 2022. https://t.me/killnet_reservs/94. ———. 2022. We attacked the Anonymous website. Vol. Author’s Archive. no. 8. February 26. ———. 2022. We found spies. Author’s Archive, July 4. ———. 2022. We gather money for our Army. March 11. Accessed December 23, 2022. https://t.me/killnet_reservs/112. ———. 2022. We hacked the car service in retaliation. July 5. Accessed November 29, 2022. https://t.me/killnet_reservs/2071. ———. 2022. We initiated a new offensive campaign. July 31. Accessed December 30, 2022. https://t.me/killnet_reservs/2184. ———. 2022. We killed his website! December 3. Accessed January 13, 2023. https://t.me/killnet_reservs/4125. ———. 2022. We promise to defend CIS Internet. February 28. Accessed December 23, 2022. https://t.me/killnet_reservs/18. ———. 2022. What is Rutor? August 15. Accessed October 12, 2022. https://t.me/ killnet_reservs/2350. ———. 2022. What will Poland do? March 23. Accessed December 22, 2022. https://t.me/killnet_reservs/239. ———. 2022. Who is from Vilnius here? July 8. Accessed November 29, 2022. https://t.me/killnet_reservs/2108. ———. 2022. Zelensky gave an interview. April 27. Accessed January 12, 2023. https://t.me/killnet_reservs/601. Writer from the Center. 2022. Utro Dagestan is rich! September 26. Accessed January 13, 2023. https://t.me/killnet_mirror/2303. XakNet (DDoS). 2022. DDoS recruitment. October 30. Accessed December 23, 2022. https://t.me/XakNet_Cyber_DDoS/16. ———. 2022. Survey about DDoS skills. October 28. Accessed October 28, 2022. https://t.me/XakNet_Cyber_DDoS/12. ———. 2022. We united with other hackers. October 28. Accessed December 23, 2022. https://t.me/XakNet_Cyber_DDoS/11. XakNet. 2022. Our final statement about the Kropyva hacking. May 25. Accessed December 24, 2022. https://t.me/xaknet_team/229. ———. 2022. We open an online auction. December 6. Accessed December 23, 2022. https://t.me/xaknet_team/489. XakNet Team. 2022. A note from our Army. May 22. Accessed December 20, 2022. https://t.me/xaknet_team/209.

122

Chapter 3

———. 2022. A statement about the DTEK Group attack. June 28. Accessed December 21, 2022. https://t.me/xaknet_team/275. ———. 2022. Attack on the President​.gov​.​ua. March 1. Accessed November 24, 2022. https://t.me/xaknet_team/2. ———. 2022. Attacks on the DTEK Group. June 28. Accessed December 22, 2022. https://t.me/xaknet_team/274. ———. 2022. Bloomberg article about us. June 29. Accessed December 13, 2022. https://t.me/xaknet_team/290. ———. 2022. Chat rules. July 3. Accessed December 21, 2022. https://t.me/ membersofxaknet/239577. ———. 2022. Email for media contacts. March 6. Accessed April 20, 2022. https://t. me/xaknet_team/40. ———. 2022. Everyone can help us to conduct attacks. March 4. Accessed December 20, 2022. https://t.me/xaknet_team/17. ———. 2022. Fake news. September 11. Accessed December 23, 2022. https://t.me/ xaknet_team/350. ———. 2022. Group’s statement. March 12. Accessed May 13, 2022. https://t.me/ xaknet_team/64. ———. 2022. KillNet discredited itself. Edited by Julia Sweet. Author’s Archive, November 11. ———. 2022. Open positions in our team. May 21. Accessed December 20, 2022. https://t.me/xaknet_team/201. ———. 2022. Our bot. March 4. Accessed April 7, 2022. https://t.me/xaknet_team/20. ———. 2022. Our conditions for Rinat Akhmetov. June 29. Accessed December 21, 2022. https://t.me/xaknet_team/297. ———. 2022. Our cooperation with KillNet. March 4. Accessed April 21, 2022. https://t.me/xaknet_team/21. ———. 2022. Our DDoS attacks on two Ukrainian websites. March 2. Accessed December 22, 2022. https://t.me/xaknet_team/12. ———. 2022. Our decision on Internet providers. March 6. Accessed March 23, 2022. https://t.me/xaknet_team/37. ———. 2022. Our donations. September 30. Accessed December 24, 2022. https://t. me/xaknet_team/376. ———. 2022. Our email for communication. March 6. Accessed April 5, 2022. https://t.me/xaknet_team/41. ———. 2022. Our last hacking. March 31. Accessed January 12, 2023. https://t.me/ xaknet_team/127. ———. 2022. Our old friend help us to conduct DDoS attacks. May 9. Accessed December 23, 2022. https://t.me/xaknet_team/155. ———. 2022. Our report for Dmitry Gusev. November 22. Accessed November 26, 2022. https://t.me/xaknet_team/430. ———. 2022. Our response for a Mandiant report. September 25. Accessed December 22, 2022. https://telegra​.ph​/Mandiant​-Kak​-kompaniya​-za​-neskolko​-milliardov​ -dollarov​-opravdyvaet​-svoj​-fejl​-09​-24. ———. 2022. Our warning. March 15. Accessed May 1, 2022. t.me/xaknet_team/86.

Russian Hackers

123

———. 2022. Pick our next target! May 5. Accessed August 21, 2022. https://t.me/ xaknet_team/154. ———. 2022. Real facts about KillNet. Edited by Julia Sweet. Author’s Archive, November 08. ———. 2022. Response to Ksenia Sobchak. July 1. Accessed November 22, 2022. https://t.me/xaknet_team/311. ———. 2022. Stop this fight! November 14. Accessed December 23, 2022. https://t. me/xaknet_team/409. ———. 2022. Ukrainian Internet providers. March 6. Accessed December 1, 2022. https://t.me/xaknet_team/27. ———. 2022. We are back! May 5. Accessed December 23, 2022. https://t.me/ xaknet_team/148. ———. 2022. We are looking for IT specialists. May 21. Accessed December 23, 2022. https://t.me/xaknet_team/203. ———. 2022. We are looking for volunteers. May 21. Accessed December 22, 2022. https://t.me/xaknet_team/202. ———. 2022. We did not accept it! Edited by Julia Sweet. Author’s Archive, November 6. ———. 2022. We hacked the SBU. October 24. Accessed December 23. https://t.me/ xaknet_team/398. ———. 2022. We hacked Vinfast​.ne​t. March 6. Accessed November 10, 2022. https://t.me/xaknet_team/30. ———. 2022. We look for journalists. March 6. Accessed April 6, 2022. https://t.me/ xaknet_team/23. ———. 2022. We warn the Chanel brand. April 1. Accessed December 26, 2022. https://t.me/xaknet_team/141. ———. 2022. XakNet service statement. March 12. Accessed November 24, 2022. https://t.me/xaknet_team/64. ———. 2022. XakNet statement. March 28. Accessed March 30, 2022. https://telegra​ .ph​/Do​-novyh​-vstrech​-03​-28. Zakharova, Maria. 2022. A note about a closure of Chanel stores in Russia. April 1. Accessed December 25, 2022. https://t.me/MariaVladimirovnaZakharova/2313. ———. 2022. The European Parliament decision. November 23. Accessed November 29, 2022. https://t.me/MariaVladimirovnaZakharova/4192. Zarya. 2022. About us. November 30. Accessed January 13, 2023. https://zarya​.akur​ .group​/about​.html. ———. 2022. Cooperation with KillNet. July 2. Accessed December 23, 2022. https://t.me/informZarya/348. ———. 2022. Documents from the state archive. July 11. Accessed December 24, 2022. https://t.me/informZarya/371. ———. 2022. Our fifth attack. May 16. Accessed December 23, 2022. https://t.me/ informZarya/214. ———. 2022. Our further work. October 26. Accessed December 23, 2022. https://t. me/informZarya/487.

124

Chapter 3

———. 2022. Our next target. December 31. Accessed January 1, 2023. https://t.me/ informZarya/632. ———. 2022. Our travel to the Donbas area. November 21. Accessed December 23, 2022. https://t.me/informZarya/548. ———. 2022. The archive leak. July 12. Accessed December 24, 2022. https://t.me/ informZarya/378. ———. 2022. The attack on the Ukrainian Archive. July 7. Accessed December 23, 2022. https://t.me/informZarya/359. ———. 2022. The FSB professional day. December 20. Accessed December 30, 2022. https://t.me/informZarya/631. Zero Day. 2022. We are a part of Anonymous Russia. November 22. Accessed December 23, 2022. https://t.me/Anon_ZeroDay/6. Zhykov, Sergey. 2022. The issue is resolved. December 3. Accessed January 13, 2023. https://t.me/sezhukovrv/456.

Chapter 4

Hackers Gather Public Trust and Recognition

BRAND TRUST In marketing, brand trust is a crucial and long-term strategy used to create a customer base which will stick with the brand for a long period of time. An effective approach will pay off in terms of new business perspectives, customer advocacy, loyalty, and shaping buying choices. For hacker brands, trust is one of the most critical categories, and must be controlled, managed, and developed in accordance with the specificity of brand products. On one hand, as stated previously, people do not perceive hacking as something transparent and public. Not many people have heard of or know about ethical hackers, whose activities are legal and highly respected. In the public mind, the term hacker usually refers to a criminal, one who does not look for publicity, and in fact, avoids it at all costs. On the other hand, the ongoing cyberwar had an impact on Russian users of the Internet: they became more suspicious, acting with caution. Given these public associations and political circumstances, building trust within the Russian-speaking audience would be a difficult goal for pro-Russian hacker brands. How could people believe that hacker teams seek attention in the same way as a clothing brand, a gifted photographer, or a young actor? Is it a real hacker team running a Telegram account or a team of crooks? Web publicity forced the Russian hacker brands to work on a trust-building approach. To gain and keep the confidence of an audience, the brands concentrate on two factors: ability and integrity. The first factor refers to their capability to carry out what they say their teams can perform. Brand integrity is connected to the control over brand authenticity and brand promises. Brands have to deliver the promises made to their audience with consistency and align with their audience’s expectations. 125

126

Chapter 4

Trust is difficult, and an effective trust-building strategy must be meticulous and thoughtful. Hackers’ crowd was diverse and heavily focused on politics due to the unfolding “special military operation in Ukraine.” After February 24, Russian society experienced a massive metamorphosis as the international reality began to change quickly. Every day brought a sudden and unpleasant discovery, shaking people up with the ban on global social media platforms, unfolding international sanctions, and changing news coverage. The onset of the war initiated division within society; one part of the population did not approve of the aggression, whereas another part supported the government and the military actions against Ukraine (Belokrysova et al. 2022). There was a significant category among Russian society who were not ready to join one of these camps; they had reasonable reservations about the validity of information about the conflict, rejecting supporting or disapproving of the war. Given the political views of the hacker groups that were previously discussed, the hacker communities mostly attracted supporters of the war, and perhaps, to a lesser extent, individuals from the third category. As they could not accept either side, these individuals could be enticed more easily to be a part of the Russian copycat of Anonymous, which would give them the opportunity to be involved without being bombarded by showy political posts. For them, the hackers’ brands were rebellious entities with some hidden anarchistic intentions. Given serious pressure from propaganda and an unusual informational frame, most likely, the individuals who were undecided on the war would turn into war supporters or would leave these communities completely. It seems obvious that when joining this sort of community, both categories of followers looked for a circle of like-minded people where they would be able to get involved with the ongoing conflict and somehow influence its outcome. In the eyes of the followers, hackers would protect their community members, and people who joined these outlets communicated openly with each other with confidence and felt safe enough to partake in cyberattacks. They oftentimes asked the admins to provide guidance on how to secure a personal account on Telegram, what VPN services1 to upload, which educational resources to use for initial IT skills and other questions. In return, the hacker teams established and reinforced a code of conduct, and performed meticulous moderation, removing users with disparate opinions to avoid conflicts. With an obvious inclination to exaggerate the IT skills of the hackers, their audience believed that the hackers were able to access not only clandestine but also truthful information. For their many followers, the pro-Russian position of the hackers served as a justification for their own pro-war stance; people’s logic unfolded like this: if the hackers adhered to this position, it meant that they knew something that the public did not know yet.

Hackers Gather Public Trust and Recognition

127

Further, with the development of live communication with the hacker teams, their subscribers grew their sense of community and belonging into a powerful entity. They began to propose targets for the hackers, asking them to attack Ukrainian and even Russian digital sources with different views and ideas on the war, NATO, Western values, and so on. Moreover, the number of followers who wanted to be a part of the cyberaggression slowly but incessantly increased, because participating was a very attractive and intriguing action, and boosted their self-esteem. Hackers’ Abilities For their followers, the pro-Russian hackers constantly accentuated their abilities and skills. Some groups tried to impress their audience with distributed denial-of-service (DDoS) attacks, inviting their followers to participate, and creating software for their convenience. Other groups such as XakNet or From Russia with Love (FRWL) mostly focused on more sophisticated attacks. Undoubtedly, the majority of their supporters can barely discern the difference between these types of cyber strikes. For them, the best proof of the hacker group’s skills was the frequency of attacks and meaningful targets. To keep up the brand’s vitality and an influx of followers, every group tried to conduct as many attacks as they could launch. However, as serious work has to be done and many resources are involved, the hackers cannot entertain their followers with a successful new action every single day. Some groups’ accounts aired without content updates or communication with their audience for several weeks; other groups announced an alteration in their outlet content. Expecting a new pattern of activity, the hacker groups intrigued the audience in two major ways. First, explaining their upcoming disappearance from cyberspace and the lack of new cyberattacks, the hackers aired a message about ongoing preparation for their next target and that followers should anticipate something interesting soon. In November, the FRWL channel informed its supporters: “Hello to our beloved family! We are alive. But we did a lot, and later we will provide more information about it! How are you?”(FRWL 2022). After that message, the FRWL Telegram account was inactive for a month. In contrast, another hacker group, Zarya, actively communicated with its community to keep up its web presence. After multiple leaks of local Ukrainian governmental facilities’ data and emails, the Zarya hackers decided to take a break: “We need to pause our leaks. Further, the group’s content thread will be filled by analysis of our previous leaks and informational posts. We are preparing something very fascinating” (Zarya 2022). With a hint of the ongoing work taking place in the background, it tried to establish an honest connection with its followers.

128

Chapter 4

Second, the hackers make the public believe that they are doing something incredibly difficult and extraordinary that cannot be disclosed currently. These extraordinary target or targets keep them busy, so the group cannot pay attention to its brand outlet. For instance, the FRWL outlet admin wrote that “the team accumulated the technical vulnerabilities of potential targets” (FRWL 2022). “We stockpiled useful information about our adversaries, but we will provide this information for public access if it stops being strategically important and valuable for our country”—the FRWL group added (FRWL 2022). In May 2022, the Zarya group announced its successful hacking, but the group did not disclose the victim or the exact date of the incident (Zarya 2022). Intriguing its followers, a Zarya admin stressed that “it was a serious comeback for fake Ukrainian hacking. But we need to prepare the data to be revealed” (Zarya 2022). Practicing for a several-week-long period of public inactivity, XakNet posted a message where the group explained its absence introduced a new target, and boasted its previous achievements. The most striking example is the unfortunate attack initiated by the Legion group against Eurovision2 (BBC News 2022). In 2022, this music competition was held in Turin, Italy, where 52 countries sent their representatives. The Russian Federation was banned from participation following its declaration of war on Ukraine. On May 14, 2022, the contest final was scheduled, so to interrupt voting, the KillNet-affiliated group Legion launched a coordinated attack on the Eurovision website. Even though the Zarya group did not mention this attack in its official account, the group helped Legion to find IP addresses for Eurovision (Legion 2022). At least seven hours prior to the action, the Legion admins aired five ostensible Eurovision servers, inviting its followers to strike at a scheduled time (Legion 2022). It announced two primary goals: (1) find a server for online voting and (2) begin a collective DDoS strike which had to end at 7 a.m. by Moscow time (Legion 2022). A few of the chat participants answered immediately, highlighting their readiness to attack: “We were not invited to this tournament. As they labeled us terrorists anyway, we are ready to accomplish our military goal!” (Legion 2022). In one hour, the Legion team suggested downloading the Eurovision application for Android and using a sniffer program to check IP addresses. Later, checking readiness, the Legion admins conducted a poll which revealed that 80% of respondents waited for an order (Legion 2022). In total, 578 people voted in this poll. It is interesting that even Legion’s own followers did not understand why Legion decided to attack Eurovision (Legion 2022). Some individuals underlined that many people watch this show on TV, so the cyber strike did not make sense. Others questioned the time of the attack because Legion ordered the strike to start two hours before the Eurovision voting would be open. Worth

Hackers Gather Public Trust and Recognition

129

noting is that the Legion team communicated with its active followers who joined the strike via its chat before and shortly after the order to launch the action. Despite the demand to hold the cyberattack until 7 a.m., in just thirty minutes after it began, Legion ordered a stop (Legion 2022). Many engaged followers expressed their disappointment and confusion, stating that the voting procedure had not even started. Other followers asked if their attacks were successful. Some enthusiastic people suggested continuing the attack. The discussion under the Legion post promised to take a dangerous turn, so the Legion team hustled to calm the participants: “Stop nagging the DDoS terrorists! Everything goes according to our plan” (Legion 2022). “We do not want to disclose our secrets! You will see everything tomorrow,”—the hackers continued to appease the irritated audience (Legion 2022). However, the dispute with the followers was not over, and the team issued a vague post about the blitzkrieg military strategy to petrify the enemy in a fulminant manner until the enemy can respond (Legion 2022). In fact, this statement was the explanation as to why the cyber operation was stopped: the hackers encountered a powerful response from well-prepared IT specialists, who were able to protect the Eurovision network. Indeed, the next day, news platforms disseminated a police statement about the successfully prevented pro-Russian hacker attack. The Italian police announced that hackers had unsuccessfully tried to infiltrate the opening night and the finals of the song tournament. Anticipating cyberattacks, Italian IT specialists were on duty and conducted a meticulous monitoring of social media platforms (Commissariatodips​.​it 2022). When Russian media outlets began to air this news, the infuriated Legion team issued a long emotional statement, preventing reputational damage (Legion 2022). Trying to present the failure as a shrewd and premeditated action to discover spies on the channel, the group explained that it intentionally used open communication with its public. As the statement continued, the group alleged that they were conducting a training rather than an actual attack. In fact, the Legion’s pompous online posts were detected and monitored by intelligence forces which were fully prepared for the upcoming DDoS strikes. As a result, the Legion team was forced to curtail the strike, scrambling to come up with a feasible excuse for its followers. However, not many followers realized what exactly happened. The unclear justification provided by the Legion group was accepted at face value; there are a significant number of users who simply shouted in the comments “Glory to Russia,” failing to connect all the dots. They continued to believe in the hidden idea behind the command and put their faith in the IT skills of the hackers. Against all odds, the audience of the humiliated hacker group continued to grow.

130

Chapter 4

So, the hackers displayed a very serious demonstration of their abilities and skills. Even during inactive periods or at times when hacks failed, they gave off the impression of being almighty and vigilant among their audience. Attacks on Meaningful Targets Another useful way to impress followers is by conducting attacks on meaningful targets. In the public mind, the significance of the target can nullify the need for successful hacking. The hackers preferred to pick widely known and/or politically vital targets. For targets, the hackers could choose not only particular websites of administrative departments or famous commercial brands but could focus on a specific geographical region. The groups would usually announce that they planned to hack a particular country for the foreseeable future in conjunction with the current political situation and without mentioning a specific target. The presented attacks listed below became very telling in this regard. After the beginning of the war in Ukraine, few companies remained to deal with Russian customers, while the majority of Western businesses preferred to leave the market entirely. In April 2022, Russian social media grew agitated over a scandal regarding a situation in a Chanel outlet in Dubai. Its employees declined to sell a high-end bag to a Russian citizen (Beschetnikova 2022). Many influential and wealthy Russians voiced their resentment about the incident and their disappointment with the service from the brand within the Emirates. “For more than 20 years, I had bought Chanel and Chanel Haute products and I had sat in the first row during its brand shows . . . this situation is a shock!!! I spent more than 1 million Euros there; this situation is a humiliation,” Yana Rudkovskaya3 wrote in her Telegram account (Rudkovskaya 2022). In the aftermath of this incident in Dubai, a Russian TV figure, Marina Ermoshkina, set up an online challenge “Rip apart your Chanel handbag” (Thevoicemag 2022). It was presented as a revolt against the Chanel policy toward Russian customers. Amusingly, the official representative for the Russian Foreign Ministry, Maria Zakharova, commented on this situation, pointing out that Coco Chanel cooperated with the Nazi regime in Germany during World War II (Zakharova 2022). Further, Zakharova mentioned the arrest of the brand’s founder shortly after the liberation of France, and the reason for Coco Chanel’s residency in Switzerland (Zakharova 2022). This unfolding scandal reached the XakNet members, who were infuriated by the Dubai incident. The group issued a statement, where it categorized the situation as “unacceptable torture.” Its statement highlighted that for now, the company was not a part of their “tactical interests,” but when this war was over, the hackers threatened to get back to the brand. At the end of the post, XakNet warned: “In fact, we have a list of offenders of the Russian

Hackers Gather Public Trust and Recognition

131

Federation. Ethical hacking has ended” (XakNet Team 2022). If the XakNet hackers do not end up in prison and a list of their enemies exists, Chanel will have acquired a compelling adversary. In the eyes of the Russian public, this open intimidation of a global brand elevated XakNet’s reputation and capabilities. Endorsing future Chanel hacking, XakNet chat participants believed that only a robust group could challenge the famous target, and no one argued that the attack would not be viable (XakNet Team 2022). Advancing its brand, the KillNet group decided to go for another meaningful target—the European Parliament. After imposing multiple sanctions, on November 23, 2022, the European Parliament designated the Russian Federation a sponsor of terrorism, emphasizing that “its forces have conducted indiscriminate attacks against residential areas and civilian infrastructure, have killed thousands of Ukrainian civilians, and carried out acts of terror throughout the country, targeting various elements of civilian infrastructure such as residential areas, schools, hospitals, railway stations, theatres, and water and electricity networks” and breached international law (The European Parliament 2022). The response of the Russian authorities was immediate and frustrating. Maria Zakharova, the spokeswoman of the Russian Foreign Ministry, wrote in her Telegram account: “I suggest assigning the European Parliament as a sponsor of idiocy” (Zakharova, The European Parliament decision 2022). Grigory Karasin, the chair of the Federation council committee on foreign affairs, argued the decision was not legally based, and “was proved for informational noise” and creating new derogatory labels. At the end of the statement, he concluded: “We will see how far this political schizophrenia goes” (Karasin 2022). The KillNet group remains true to its reputation. On the same day when the resolution was issued, Anonymous Russia, which is a part of the KillNet organization, conducted a successful DDoS attack on the European Parliament website. The hacking occurred in the afternoon, shortly after the European lawmakers declared Russia a sponsor of terrorism. As a result, the website remained down for several hours before regaining its operational status. In two hours, after posting aggravating news about the new status of Russia, the hackers claimed the attack on the europarl​.europa​​.eu website and aired a screenshot which indicated that the website was not responsive in more than twenty states (We are KillNet 2022). This proof of the strike was complemented by an inappropriate remark with a homophobic character. Furthermore, the group tracked media and politicians’ reactions, monitoring the main accounts of European lawmakers and news platforms. Its efforts were not in vain: the president of the European parliament, Roberta Metsola, posted an indignant message on her Twitter. Admitting that the website experienced a “sophisticated attack,” Roberta Metsola argued that “a proKremlin group” was responsible for the hacking (Metsola 2022). KillNet has

132

Chapter 4

frequently conducted DDoS attacks or distributed denial-of-service attacks, which can hardly be considered very sophisticated. Furthermore, several months passed since the beginning of the war in Ukraine and the cyber havoc, allowing politicians and policymakers a chance to monitor the hackers’ behaviors, which follow this particular pattern: “unfriendly actions” toward the Russian Federation most likely will bring a cyberattack. Expectedly, the Russian government and Russian society would be infuriated by this fateful decision. Considering this predictable reaction, it is not very clear why the European Parliament slacked off on its extra cyber protection. The KillNet audience saluted KillNet for this new attack on this remarkable target. Nonetheless, along with traditional emojis of Putin with a glass of sparkling wine and a smiling Dmitry Medvedev, a few chat members voiced their annoyance. Pointing out the long-lasting war in Ukraine, the members asked the hackers to conduct serious and damaging attacks and stop launching insignificant and ineffectual actions. One of the participants bitterly stated: Guys, do something serious eventually. I have monitored your actions for more than six months . . . but this is not serious. A full-scale war is going on, so do something substantial .  .  . and the entire world would be terrified to hear of KillNet. (We are KillNet 2022)

Threat to Hackers: Fake Accounts As has been mentioned, brand integrity is linked to control over brand authenticity and promises. Given the continuing cyberwar, for the hacker brands, authenticity refers to daily monitoring for the circulation of fake accounts on Telegram. These accounts have appeared every day on Telegram. To destroy the credibility of hacker brands, Telegram users tried to imitate their community and support channels. Uploading visual symbols of the hackers’ brands, imposters usually named their fake accounts very similarly to the originals. This tactic confused at least the most inexperienced members of the hackers’ followers. The KillNet group became one of the main victims of these Telegram scammers, whereas other groups infrequently encountered fake accounts. To keep the KillNet audience protected and track false entities, the group established a security unit. The first fake account, an imitation of the KillNet support outlet, was detected on March 2, 2022 (We are KillNet 2022). In March, 14 impostor-outlets circulated on Telegram, whereas in April, the security unit revealed two outlets and one file, presented as a unique KillNet virus—Killnet​.e​xe (We are KillNet 2022). False accounts were public and personal, which propagated products such as malicious software, DDoS attacks, and other services. Individuals behind these false entities used outlet names which were very similar to the original KillNet channels’

Hackers Gather Public Trust and Recognition

133

names. In June, the group revealed another honeytrap account with more than 23,000 followers (We are KillNet 2022). So, although the number of fake accounts for KillNet dwindled from March to August, the quality of these fake entities flourished as they attracted a significant number of followers. Fake channels became a common reality and a persistent problem for KillNet. Between September and December 2022, the team detected several impostor-entities on Telegram and Vk​.co​m. A personal account named Alena KillNet was discovered on Telegram shortly after the public statement made by KillNet’s founder about their money shortage problems (We are KillNet 2022). In order to obtain funds, KillNet widely promoted cryptocurrencies as a main source of contributions from its supporters. However, for donors’ convenience, KillNet used other payment systems, and people who did not want to send money through crypto platforms could contact the group’s support outlet for guidance. Apparently, the impostors kept an eye on KillNet and knew the various nuances of KillNet’s activities. Whoever established this account imitated KillNet’s support account to collect money from its supporters. The trolls introduced themselves as members of the KillNet team who were responsible for customer guidance to KillNet’s other payment options (We are KillNet 2022). Remarkably, KillNet daily monitoring of fake outlets resulted in a similar practice among its followers. This deception was easily revealed by a female KillNet supporter; she stressed her readiness to donate via this impostor-channel. To finalize her transaction, the impostors provided an affiliated bank card number to her. This KillNet supporter immediately turned over this fake entity to the KillNet team, uploading screenshots with the bank card number. KillNet placed a warning for its Telegram followers: “Impostors! We do not send messages . . .” (We are KillNet 2022). Scrolling across social media feeds, another KillNet supporter, who was a Vkontakte user, informed the hackers about its fake page on the Vkontakte platform. The impostor-account looked for sponsorship among the Russian-speaking audience (We are Killnet 2022). Once discovered, the KillNet team asked its audience to complain about this account to the VK administration. Many followers reacted swiftly, reporting to the KillNet chat about a complaint they filed. Given this collective action, the impostor-channel was blocked by the admins in one day. It was previously stated that trolls spread a virus by presenting it as a unique piece of software developed by KillNet. In December 2022, another group of trolls established a private Telegram bot, which proposed a number of services such as hacking of personal Telegram outlets, testing of Telegram account protections, and others (We are KillNet 2022). KillNet supporters were notified not only to avoid dealing with these sorts of outlets, but to report channels which promoted trolls (We are KillNet 2022).

134

Chapter 4

Attempts to undermine brand trust and authenticity can be undertaken from different perspectives. Imposters not only established honey trap accounts, but they also tried to conduct actions under the names of the pro-Russian hacker groups. They practiced issuing statements on behalf of their victims. Applying recognizable brand symbols, they created a statement in line with the hackers’ ideological agenda, which added credibility to the trolls’ actions. The most famous and visible brands of KillNet and XakNet became the first targets. There are two remarkable cases, one which occurred in July 2022, and the other in September 2022. On July 26, 2022, the KillNet team aired a message which was sent to its Telegram account. The sender introduced himself/herself as “a famous phone terrorist” and asked the KillNet group to stop attacks on digital Polish resources. If KillNet would continue its strikes, this person promised to make multiple bomb threats within the Russian Federation on KillNet’s behalf (We are KillNet 2022). The threat from this Polish Telegram user was not taken seriously by the KillNet hackers, who obviously continued their attacks on Poland. KillNet then received another message: “I wanted to settle this issue peacefully. So, your group will bomb the Czech facilities. Then, you will threaten Belarussian police precincts and Vitebsk shopping malls. Add to the list the Almaty airport and subway station” (We are KillNet 2022). Eventually, the KillNet team responded to this user, welcoming his or her attacks across Europe and promising to pay for these actions in the future (We are KillNet 2022). Even though the KillNet team tried to present this situation as a joke, and the majority of its chat participants received it in this way, the group took it seriously. In the next post, the group clarified this controversial situation and warned potential online blackmailers: “For other childish phone terrorists—if you want to make bomb threats from our group’s name in any country, go ahead! You cannot undercut our reputation” (We are KillNet 2022) On September 10, 2022, President Putin, along with the Moscow authorities, opened a new attraction called “Sun of Moscow” (MoscowSun 2022). It is a huge Ferris wheel, with an overall height of 459 feet (Meduza 2022). The day after the opening, the attraction was closed, as its administration announced the need to recalibrate some of the Ferris wheel’s equipment. Later, hackers, presenting themselves as XakNet and KillNet, hacked the Ferris wheel website and aired the following statement: Izium was surrendered. Balakliya was surrendered. Kupiansk was surrendered. Russian generals abandoned their soldiers . . . We are the Russian hackers who do not want to tolerate cowardice, betrayal, and deception. The groups KillNet and XakNet united to stop this bloody wheel. For us, it is not acceptable that while our guys die on a battlefield, rotten Russian intelligentsia watches fireworks and enjoys its life in the capital. We demand that the people responsible

Hackers Gather Public Trust and Recognition

135

for the deaths of our soldiers are punished . . . The Ferris wheel is filled with explosives. (We are KillNet 2022)

At the end of the statement, the hackers promised to blow up the attraction. Shortly after the appearance of this statement, XakNet and KillNet both rejected the responsibility for this attack. Clarifying the situation, the KillNet hackers asked their followers not to take any information posed outside of Killnet’s Telegram accounts at face value, even if they show the group’s logo and name (We are KillNet 2022). In return, the XakNet statement underlined that the group did not conduct cyber aggression within the Russian cyberspace, focusing exclusively on Ukrainian digital resources (XakNet Team 2022). The main goal of imitators is to undermine the credibility of the hacker brands. They did not necessarily target financial gain. To reach out to the hackers’ audience, imitators used the hackers’ logos and established similar names. Since the fall of 2022, troll activity has gone down, but fake accounts remained an issue for the hackers. Alerting its audience about the fake accounts they detected became routine, so its followers learned about the problem and became vigilant and cooperative with the hackers. Political Stance or Brand Promises The pro-Russian hackers generated a brand promise before entering the public space and declaring their brand’s existence. Then, the hackers narrowed and specified the promise to an articulated set of values and experiences that the audience should anticipate from the brand. Learning how to operate within the public space, the teams made vague and emotional promises. “Starting from today, we will attack all European Union countries by DDoS strikes,” the KillNet team proclaimed, promising to defend the Internet of the Commonwealth of Independent States (We are KillNet 2022). In contrast with KillNet, the XakNet group preferred not to mention its strategic potential, stating that XakNet began its own patriotic “special operation” for defeating the Ukrainian disinformation avalanche (XakNet Team 2022). Although KillNet promised to focus on European states, this group hinted about Ukrainian digital entities as a target. So did another pro-Russian team—NoName057(16), which it did in its introductory note, issued on March 11, 2022 (NoName057(16) 2022). People’s Cyber Army, which introduced itself as a group of Russian patriots, promised to monitor and undertake actions which targeted Russian citizens and threatened the Russian Federation (People’s Cyber Army 2022). As was stated previously, the FRWL group joined the hacktivism movement three months after the outbreak of war. So, its brand promise reflected the accumulated experience of the other hacker

136

Chapter 4

brands. Underlining its holistic support for “the Russian military operation in Ukraine,” the hackers promised to fight against Nazism within cyberspace as “the Russian warriors did on the battlefields” (FRWL 2022). While KillNet, XakNet, NoName057(16), People’s Cyber Army, FRWL, and RaHDIt addressed their promise to the Russian audience residing in the Russian Federation, the hackers from Beregini and Joker DPR focused on Ukrainian citizens who did not support Zelensky’s government and were not hostile toward Russia. For the public, the lack of condemnation for Russia’s actions in Ukraine serves as an indication of the hackers’ sympathetic position toward this country. Looking for peace in the Donbas region, the Beregini and Joker DPR groups posed their brands as pro-Ukrainian but without an oligarchy, with a pro-Western orientation in Ukrainian politics and Zelensky’s government. Both brands promised to do whatever they could to improve the situation in Ukraine. Their agenda resonated with the Russian-speaking audience, meeting its followers’ expectations from a brand perspective. In this regard, it is interesting to scrutinize another group—Anonymous Russia. This group repeatedly sent contradictory messages to its Russianspeaking audience. In a welcome post on Telegram, Anonymous Russia admins wrote that its team would “struggle against unscrupulous countries” (Anonymous Russia 2022). Given the fact that this group used the word “Russia” to highlight its geographical affiliation, the Telegram audience deciphered the message about “unscrupulous countries” in terms of the current political circumstances: the “unscrupulous countries” were the countries which condemned the actions of the Russian Federation in Ukraine and actively supported it. At the same time, branding itself as a pro-Russian branch of Anonymous and calling out every Anonymous member who did not support the Russian side in this conflict, the group rejected identifying itself as “Russian cyber patriots like KillNet.” Nonetheless, the Anonymous Russia team agreed that both groups were warriors for “freedom and peace,” but if Anonymous Russia was for global freedom and peace, KillNet stood for freedom and peace for the Russian Federation (Anonymous Russia 2022). Against all odds and despite what they had said about KillNet just weeks before, in less than one month after its appearance on Telegram, Anonymous Russia officially announced joining KillNet. In the eyes of the Russian users, this move automatically made this group pro-Russian and destined to carry out KillNet’s brand promises. Obviously, embracing the original Anonymous’ brand ideology, the team behind Anonymous Russia lost its ideological struggle, not being able to combine support for the Russian Federation alongside global freedom. Its creator or creators tried to take advantage of being associated with the widely known brand KillNet and did not reconcile personal motivation with the original appeal of Anonymous. Its further activities articulated a willingness to support and deliver KillNet’s brand promises.

Hackers Gather Public Trust and Recognition

137

As the hacktivism movement accelerated and the war crisis unfolded, the brands detailed their ideological goal of defending Russia and attacking its adversaries within cyberspace. Brand promises are directly related to the hackers’ political views. With regard to these views and the current political moment, the pro-Russian hacker groups picked targets. Not every hacker team shaped and clearly communicated its ideological position with its followers, but oftentimes, hackers identified views via reposting, merging with a more powerful hacker brand, comments, or labeling. These methods help concerned people to understand the brands and its relevancy to their expectations. There are several viewpoints within the hackers’ political attitude: NATO, the European Union, the United States, the Ukrainian populace, the Ukrainian government, and Russian citizens who openly criticized the Russian government and rebuked the military’s aggression. Through their posts and communications with followers, the hackers expressed their stance on the ongoing war in Ukraine. Some groups such as KillNet and XakNet dedicate significant amounts of time to posting and reposting ideological messages on their outlets, while other groups prefer to articulate their position by reposting KillNet or news channels. Nonetheless, these hacker groups hold the same views on critical political issues and the situation in Ukraine. Among these hacker entities, there is one common feature: the hacker groups repeatedly stated that they support the Russian actions in Ukraine, the Kremlin, and the Russian Forces. NATO For Russia, NATO is traditionally observed as a real menace for the entire region. After the dissolution of the Soviet Union, the Kremlin demanded guarantees that the former parts of the Soviet Union would be prevented from joining NATO. In return, the military alliance embraced states in North America and Europe, trying to counterbalance the Russian Federation’s influence. The Russian government’s anti-NATO narrative, which has not materially changed in years, has proven very effective and persuasive for common citizens. One year after another, Russian society exerts a negative attitude toward NATO, with 76% against in March 2018 and 78% against in March 2022 (Levada Center 2022). Only 10% of respondents expressed a favorable opinion in 2018 and 2022 (Levada Center 2022). These views have not transformed significantly over the past two years and with the outbreak of war. Likewise, Russian society’s view of NATO as a threat to Russia remains mostly unchanged. In 2017, 74% of respondents perceived the military alliance as a danger, while in 2022, this number increased up to 78%. However, the percentage of people who did not consider NATO as a menace dropped from 25% in 2017 to 13% in 2022 (Levada Center 2022). In light of these tendencies, Russian propagandists do not need to dedicate time to stir up the

138

Chapter 4

negative attitude toward NATO. In line with the circulated propaganda, Russian society believes NATO to be a main source of instability and insecurity in the region, and this image does not appear likely to change any time soon. On this well-prepared ground, politicians can apply whatever they need to justify, promote, or advance any action. Since the beginning of the conflict in February 2022, Russian political figures have repeatedly stressed the unequivocal role of NATO in the Ukrainian conflict and the marionette character of Zelensky’s government (Kp​.​ru 2022; Strozewski 2022; TASS 2022). On February 25, 2022, addressing the goals of the intervention to the Ukrainian territories, the Foreign Ministry spokeswoman Maria Zakharova stated: “the puppet Kiev regime must be brought to justice for committing crimes against civilians” (Demidov 2022). Further, the spokeswoman added that “the Ukrainian government does not have sovereignty,” and follows only the orders received from its masters from abroad (Ministry of Foreign Affairs of Russia 2022). The head of Roscosmos, Dmitry Rogozin, insisted that Ukraine was a Nazi regime which was actively supported by NATO in a meeting at the Moscow missile facility of Khrunicheva’s center (Rogozin 2022). As hackers’ posts indicated, they shared this view. The consequence of this position led to the first KillNet survey, initiated in four days after the beginning of the war, where it questioned its followers to pick its next target; there were two choices—NATO or American government websites (We are KillNet 2022). Another interesting fact that is worth mentioning is the interview with KillMilk, the leader of KillNet, which was conducted on December 20, 2022. KillMilk expressed open aggression toward the military alliance, underlining its central role for the ongoing war. When one of the participants asked him about new plans, KillMilk wrote: “I want to wipe out NATO, by any means” (KillMilk 2022). Undoubtedly, he reflected the circulated attitude within Russian society, and at the same time, this statement means that NATO will remain a priority target for the hackers. Stressing that NATO had an offensive mission rather than defensive, the hackers argued that it was actively involved in the ongoing war, supporting Ukraine with weapons, intelligence data, and technical services. In March and April 2022, the KillNet team expressed its serious concern if Poland were to send its forces to assist the Ukrainian government and therefore, drag NATO into the war (We are KillNet 2022). The KillNet admins voiced their opinion: “There is a high possibility that Poland will join this war. But it does not want to fight with Russia, its true goal is old Polish territories, which are a part of Ukraine” (We are KillNet 2022). In April 2022, this group announced its cooperation with the Russian Telegram community called “Stop-NATO,” in order to fight against “the military alliance and the neo-Nazi regime in Ukraine” (We are KillNet 2022). Spreading anti-NATO rhetoric, this group defined itself as “the international

Hackers Gather Public Trust and Recognition

139

volunteer movement,” which embraced members from the post-Soviet region, China, the Middle East, Latin America, the United States, and the European Union. Nevertheless, its international foundation is highly questionable due to the language coverage (Stop-NATO movement 2022). Its only Telegram outlet communicated with its followers in Russian; however its website had two versions—one for Russian speakers and one for English speakers. In general, this set up is not workable because neither version of the website has been updated since May 2022. However, its Telegram account is updated on a regular basis, but the amount of members is not impressive: around 1,200 followers. Against all odds, KillNet intended to build a long-lasting connection with this movement. Between April and December 2022, the KillNet content thread repeatedly showed Stop-NATO posts, underlining the ideological and political beliefs of KillNet’s members. The war in Ukraine has pushed the global community to the brink of nuclear hostility, which would devastate every country on the globe. But NATO and the current Biden-Harris administration further instigated the conflict with Russia, the major nuclear power. In the first video, the KillNet hackers stressed that this war between two Slavic groups was inevitable given current geopolitical circumstances (KillNet 2022). According to them, foreign agents challenged the Slavic brotherhood, and the marionette, Ukrainian President Zelensky, sent Ukrainians to this senseless war, slaughtering them (We are KillNet 2022). The Ukrainian Government and Its Western Allies Under control of the United States and its European allies, “neo-Nazi groups” were formed, trained, and became the frontrunners of the Ukrainian Forces; the hackers underlined that these groups led a war against the Donbas people for the last eight years, while the Ukrainian government disregarded the Minsk conditions (XakNet Team 2022). Blaming President Zelensky for the outburst of war, the hackers repeatedly underlined his imperative role in making a hotbed of neo-Nazism out of Ukraine. In the context of visual communication, the hacker teams oftentimes published pictures of President Zelensky. As Zelensky was a leader of Ukrainian fascists and Bandera’s followers, the images featuring Zelensky were curated to present him in a ridiculous and emotionally negative way; oftentimes, his images had Nazi symbols, which also highlighted the hackers’ perception of this politician (FRWL 2022; We are KillNet 2022; People’s Cyber Army 2022). Ukrainians Separating the Ukrainian government and its citizens, the concept of brotherhood between the Russian and Ukrainian nations was widely popular and

140

Chapter 4

deeply rooted within the Russian national matrix. It implies the profound connection between both nations, where “Kiev Rus” was a historic site of Slavic unity. The hackers shared the rhetoric of common heritage and origin with Belarusian, Ukrainian, and Russian populaces. In its introductory post, the KillNet team presented itself as “like-minded hackers, from the fraternal Slavic populace! We do not support war and fratricide whatsoever!” (We are KillNet 2022). Communicating with its followers, XakNet underlined its respect and appreciation to Ukrainian civilians, whom the group did not intend to target and harm (XakNet Team 2022). However, this rhetoric could not last for long time, and the XakNet team emphasized its inevitable end in light of the intensification of military conflagrations on the battleground and cyberattacks on Russian websites. In March 2022, the KillNet admins admitted their attacks would be damaging for Ukrainian civilians: We are not bloggers. We cannot promise anything, and we do not want to threaten the people of Ukraine. But we will continue our attacks on Anonymous. We will publish personal information of the Right Sector members. We will hack and destroy adversaries’ websites! (We are KillNet 2022)

While XakNet and KillNet warned about future harmful hacking, other groups simply stopped mentioning or referring to the Slavic brotherhood. Sooner or later, every hacker group would be forced to choose between mercy and ruthlessness. Nonetheless, it is worth underlining several examples of so-called ethical hacking examples. As said previously, in March, the XakNet team claimed successful attacks on several Ukrainian Internet providers, which allowed the hackers to switch off the Internet for many residents (XakNet Team 2022). XakNet followers were asked to help the group make the right choice: to turn off the Internet or do nothing to avoid serious damage (XakNet Team 2022). Regardless of the survey’s results, its team made minor changes in the providers’ settings and returned all data to the owners (XakNet Team 2022). On July 29, 2022, FRWL issued an emotional statement, targeted to promote the hacker brand’s ideological agenda. Prior to this statement, its members allegedly conducted a successful attack on the Ukrainian website organosyn​ .com​.​ua. This is a pharmacology company located in Kiev. According to the hackers, their team received full access and control over its system. However, referring to a so-called moral code for the hacker movement, FRWL declared: Protecting Ukrainian civilian lives, we are ready to provide a full and free cyber report about the website’s vulnerabilities along with our recommendations on how to remove them. To get it, website owners should contact us via our support

Hackers Gather Public Trust and Recognition

141

channel and before contacting us, donate medications for sick children and send the video report to us about this action. (FRWL 2022)

Under this post, two screenshots were uploaded, which served as proof of the hacking. The followers of FRWL were excited by the hackers’ professional skills, their mercy, altruism, and their respectful concern about the suffering children. As a result, this post received a lavish emotional reaction with more than 100 likes, and again, criminal activity was accepted as rightful and legitimate due to its emotional appeal. The mentioned case with FRWL occurred in July, but at the end of March 2022, XakNet, which had a significant reputation among hackers, made the decision to stop being ethical and launch effective attacks. Its team revised its views after the hacking of the Ministry of Finance in Ukraine. Skimming through stolen data, the XakNet team found out that Ukraine demanded money for military supplies across the globe. They labeled Zelensky’s government as “shameless culprits” and “corrupt from the bones” and which “used Ukrainians to milk crazy money.” Further, the hackers guessed that the members of the Ukrainian government “placed this money on their offshore accounts” (XakNet Team 2022). Our team does not want to dig deeper into politics. We will publish leaked documents from the Ministry of Finance. XakNet’s Team gives a slap to fascists. We do not ask groups to stop anymore because the difference between Ukraine and Russia has become obvious. Russians fight for their country’s boon, acting out of love and responsibility for Russia. But fascists work for money. Our current attack would be easily sold out for millions. We do not need dollars; we love our country. (XakNet Team 2022)

Thus, the hackers are pro-Russian, and they carried out their promises to Russian society. The Exodus of IT Professionals and “Rebellious Celebrities” As Western countries began to issue one set of crushing sanctions after another on the Russian Federation and foreign businesses decided to pull out, many Russian citizens decided to leave the country. Among celebrities, businessmen, journalists, and officials, IT specialists became one of the professions with the highest rate of emigration. On March 22, 2022, between 50,000 and 70,000 IT specialists moved out of Russia according to the chief of the Russian Association for Electronic Communications. Sergey Plugotarenko further warned the Russian government about a second wave of emigration by IT specialists (Interfax 2022). Given the ongoing cyberwar, where every day many Russian websites experience serious attacks, the Kremlin and Russian society were extremely worried by this

142

Chapter 4

situation. Trying to resolve the problem or at least mitigate the professional losses, the Russian government hectically enacted a few benefits. First, the government provided a significant amount of money and temporary tax relief to support domestic IT companies; IT specialists were entitled to get lowpercentage mortgages, deferment from conscription, and tax cuts (Balashova, Chebakova, and Kornev 2022). Many hacker groups got offended by this exodus, taking it too personally. Indeed, the XakNet team constantly exclaimed, trying to calm their concerned audience: “Do not worry: Russian IT professionals are at home. We do not leave. Everything is fine. We will work exclusively for our country” (XakNet Team 2022). Nonetheless, despite the undertaken governmental measures, during the summer, IT professionals left Russia in droves. An emotional statement from FRWL underlined: Friends! We do not want to touch this topic, but we have to discuss it. For several months, we are observing IT professionals fleeing from the state. And we cannot look at it anymore . . . Our friends complain that Turkish, Thai, and South American hotels are full of IT specialists from Russia. They castigate and condemn Russia . . . Stop it! You need your country. Nowadays, we face a fullblown cyber war, and we are Russia’s main forces. (FRWL 2022)

Rejecting that IT specialists were treated badly and forced to deal with inadequate work conditions, the FRWL team demanded that they “stop their panicking and cowardly escape” (FRWL 2022). At the end of the statement, the FRWL team-labeled IT professionals traitors, who were willing to do anything for money, even to betray their homeland. The Russian hacker brands referred to this exodus as one of the reasons why they began to build their public presence, which could have serious consequences. The hackers not only went after their own kind, but a few hacker teams rebuked escaped Russian celebrities. In fact, these celebrities have experienced the wrath of fellow Russian citizens for escaping from the Russian Federation and condemning the Russian military’s actions in Ukraine. The number of rebellious Russian citizens, including celebrities and business, is increasing every month, therefore, Russian society, with an obviously negative attitude, questions officials and cultural elites over whether or not these fleet figures would be welcomed back into the country should they choose to return. Neither politicians nor cultural figures can ignore this growing public demand. Some officials tried to stir up the negative attitude; others called for a more reasonable response. The first reaction came from the political circles. Four days after the beginning of the war, on Telegram, the former Russian President, Dmitry Medvedev, suggested that the people who left Russia hated their homeland, desired its defeat, and must be considered as “hostis publicus” enemies of the state (Medvedev 2022). Advancing this

Hackers Gather Public Trust and Recognition

143

topic, Rogozin mocked treacherous successful celebrities and oligarchs who fled to other states and rejected supporting Russian Forces by any means (Rogozin 2022). To appease the growing wrath, the Press secretary of Russian president Peskov discerned two categories of fleeing citizens; the first category embraced individuals who did not acknowledge and were scared of the political development, and the second category referred to true enemies of the country, who openly criticized the Kremlin’s actions and the Russian Armed Forces (Anisimova 2022). In particular, Peskov objected to tarnishing Ivan Urgant’s4 reputation, stressing that he knew this anchor personally, and knew he was always a Russian patriot (Anisimova 2022). Peskov’s stance on Ivan Urgant provoked Kadyrov’s response, where the Chechen leader pointed out Peskov’s “unclear” position (Kadyrov 2022). I was not aware that to be a true patriot, you need to criticize Russian actions and move abroad loudly and pathetically. Make a buzz around yourself. And then, get back to Russia when the political situation is more benevolent. Useful scheme!

Kadyrov wrote in his Telegram outlet. While the elites could not straighten out their position, Russian society became very judgmental toward forced immigrants, especially public figures. KillNet paid close attention to this particular issue, observing a serious marketing opportunity here. In March, its admins entertained its followers with a new survey, asking if followers wanted several Russian celebrities— Pugacheva,5 Galkin,6 Meladze,7 Sobchak, and others, to be hacked (We are KillNet 2022). Undoubtedly, the majority of respondents welcomed the possibility of retaliating. On the same day, several links to stolen information about these people were circulated on its outlet, asking the followers to check the data about the “Russian traitors” (We are KillNet 2022). It is not clear if the hacking was conducted by the KillNet team. But its audience was very excited, avoiding questioning the nature of the attack. In March 2022, the couple Alla Pugacheva and Maksim Galkin alone with their nine-year-old twins relocated to Israel. Galkin has repeatedly aired harsh critiques toward the Russian invasion in Ukraine and the Kremlin at his concerts and on his social media accounts (Meduza 2022). As a result, KillNet labeled the couple “ex-superstars” and “traitors” (We are KillNet 2022). Later, when Russian media announced that Alla Pugacheva walked into Moscow in August 2022, the infuriated KillNet team stated: “Pugacheva said that she got back to Russia after a vacation! We do not believe in it! Go f . . . back” (We are KillNet 2022). Killnet speculated if Maksim Galkin also returned, as the hackers wanted to punish the showman for his anti-Russian position (We are KillNet 2022). In light of the unruly cyber mess and the lack of serious cyber security in Russia, this warning should not be dismissed

144

Chapter 4

and disregarded. Famous people are always desirable targets for all sorts of criminals. For KillNet, the family couple Pugacheva and Galkin were not the only target. In July 2022, its audience participated in its next poll. Of ten media personalities, respondents could pick one individual for a future KillNet hacking (We are KillNet 2022). Leading by a narrow margin, a Russian blogger and journalist, Yury Dud, took first place with 46%; the second and third positions were for Ksenia Sobchak (30%) and Aleksander Nevzorov8 (28%). Enthusiastic followers demanded the hacking of not only the celebrities from the poll, but also Maksim Galkin, Andrey Makarevich,9 and Boris Grebenshchikov.10 Worth noting is the fact that the hacker brands utilized surveys to invigorate community engagement; however, they rarely kept their promises, which is exactly what happened with this poll. After the poll closed, KillNet jumped on other targets such as Lithuania, Poland, the United States, and other countries. However, the poll respondents did not forget about the hackers’ promise. During the next several weeks, the followers bombarded the hackers, asking about the hacking of Yury Dud. On August 29, 2022, an angry KillNet was forced to respond, and the explanation was weak and unpersuasive. Ostensibly, the group leader got sick, whereas the team was busy with other targets (We are KillNet 2022). At the end, the hackers could not hide their irritation toward annoying followers, and to get them to behave, KillNet wrote: “Guys! If you do not hear news about attacks, it means we are working on them. Do not forget, please, that we are not a governmental department, and thus, we can only work when we have time for it” (We are KillNet 2022). Astonishingly, the KillNet public halted its complaints, voicing its concern about KillMilk’s health and reassuring the hackers that they would wait for as long as was needed. The KillNet brand built a very loyal crowd, which was ready to accept even an unpersuasive explanation at face value. Further, KillNet never again mentioned this poll and its promise to hack Yury Dud. In fact, this means that the hackers were not able to launch a successful attack. Another meaningful target for the hackers was Aleksander Nevzorov. He was forced to flee the country out of fear of prosecution, because the Investigative Committee initiated a probe against him. The Committee stated that Nevzorov spread false information in his posts on Instagram and YouTube, where Nevzorov suggested that a hospital located in Mariupol was shelled intentionally by the Russian Armed Forces (Sledkom 2022). Also, the investigators stressed that his posts contained inaccurate photos which were created by the Ukrainian media. Worth noting is that the new law about the dissemination of fake information or a call for new sanctions for Russia was signed by Russian President Putin on March 4, 2022. According to this law, individuals will face a fine of up to fifteen years

Hackers Gather Public Trust and Recognition

145

behind bars (The State Duma 2022). From now on, airing news different from the official media sources became punishable. The Investigative Committee utilized this law to chase Aleksander Nevzorov and block his website. On March 22, 2022, RBC anchors contacted Aleksander Nevzorov, who said that he left Russia for other states (Gromova and Ovsiannikova 2022). Later, Nevzorov, along with several other Russian citizens, received the status of foreign agent, and an order for his detention was issued in absentia (Novaya Gazeta 2022). Given the fact that the name of the famous journalist Aleksander Nevzorov was on news headlines for several weeks, the hackers found his website to be a wonderful target. It could bring hacker brands to the media’s attention. The first attack came eight days after the Russian General Prosecutor enacted a blockage for the nevzorov​.​tv website. The hacker group “DepartmentZ” (later, Bear.IT.Army), conducted a DDoS attack on April 4, 2022, placing the announcement with attached screenshots on the group’s Telegram account (Bear.IT.Army 2022). Nonetheless, in four days, the website was fully operational. On May 13, 2022, the KillNet group reported another successful DDoS strike on Nevzorov’s website, which was conducted by one of KillNet’s units named Mirai (We are KillNet 2022). The KillNet attack came shortly after the Russian Basmanny Court issued Nevzorov’s arrest (Voropaeva and Serova 2022). After the KillNet-Mirai attack, the website was under repair, showing “error code 1020” for more than three weeks. Interestingly, despite continuous efforts by KillNet’s chat members to push the hackers to repeat their success, KillNet ignored its followers’ arguments and emotions; this website was no longer an interesting target. Thus, the overwhelming majority of the pro-Russian hacker groups did not track the exodus of IT specialists and chase Russian celebrities. Moreover, supporting the Russian Armed Forces passionately and having special skills, they ignored unfolding scandals over various public figures in Russia, who openly disparaged the Russian military’s actions in Ukraine. Following a socalled ethical code for hackers, the groups could not conduct attacks within the Russian Federation. Even when the hackers were infuriated by Ksenia Sobchak’s article about the joined strike of KillNet and XakNet, XakNet and KillNet did not launch cyberextortion on her. New Hacking Tactics Besides numerous cyber offensives, two groups practiced nonhacking attacks: NoName057(16) and KillNet organized harassment and complaint campaigns targeting various Ukrainian and Russian entities. In contrast with KillNet, which did not use correspondence, NoName057(16)’s harassment campaigns included two steps: spreading emails or messages and a DDoS

146

Chapter 4

strike. Prior to a DDoS attack, the NoName057(16) team sent emails or direct messages to employees, the text of which was subject to change. Sometimes, the hackers signed these emails and messages by the name of their hacker group, but there were emails, where the hackers tried to imitate the writing style of official papers and signed them by the Investigative Committee of Russia. For instance, in March 2022, journalists who worked on the news portal oukr​.in​fo received NoName057(16)’s messages twice (Ivanov 2022). In its second email, NoName057(16) stressed that the hacker group NoName057(16), wants to warn portal staffers. If the portal does not stop spreading false information about the Russian Federation, we will continue our strikes on your website. All of you will face justice. Think about legal consequences until it becomes too late.

To eliminate doubts about the sender’s intentions, at the end of this email, the hackers placed the group’s name with an external link to NoName057(16)’s Telegram account (Ivanov 2022). Although this news portal was informed about the sender, another news outlet received a fraudulent email. On March 28, 2022, 4studio, a Ukrainian news outlet, received NoName057(16)’s impostor message: Russia’s Investigative Committee initiates a criminal investigation against the 4studio personnel, suspecting their involvement into extremism. Related personal information has been forwarded to the authorities. When the Ukrainian territories are under control of the Russian Forces, the 4studio employees will be interrogated and further, convicted. (NoName057(16) 2022)

Further, the email proposed a set of mandatory conditions which would help them avoid the upcoming conviction. From an ideological perspective, through these emails, the NoName057(16) team highlighted the political agenda behind its hacks and its direct support to the Russian government. From a technical perspective, apparently, these impostor emails or direct messages reached all targets because anti-spam tools were ineffective in detecting them as this correspondence arrived in small volumes. Moreover, the hacker team usually did not enclose malicious external links or suspicious attachments. The NoName057(16) team promised to relentlessly chase every Ukrainian news media source which created and circulated “fake anti-Russian news and propaganda” (NoName057(16) 2022). In light of this, NoName057(16)’s harassment campaigns were well organized. Initially, the members of NoName057(16) established new email addresses or sock puppet accounts on social media platforms that allowed sending notes from an unaffiliated account. Building NoName057(16)’s unique brand content

Hackers Gather Public Trust and Recognition

147

and trust among Telegram users, the hackers not only observed an unresponsive website, but one or two team members joined a victim’s social media outlets for tracking and screenshotting any content thread related to their launched campaign. Many victims, who received similar warnings from NoName057(16), aired them on their personal or official social media accounts. Journalists looked to share their worrisome experience with colleagues, whereas the NoName057(16) team aimed to gather visual evidence of its hacks. Once NoName057(16) shut down a website, it would return and attack that same victim again. For instance, between March 8 and April 6, the news resource Ukr​.n​et survived over three DDoS strikes. On March 31, NoName057(16) celebrated a second successful cyberattack on the Ukrainian news portal Zadix​.ne​t, underlining: Its Lviv Nazi administration does not learn its lessons, and continues to pour dirt on our country. Glorifying Stepan Bandera, it tries to smear the Russian Forces. Given this political position, this news outlet will be under fire repeatedly. Stop crying about our DDoS attacks on Telegram! (NoName057(16) 2022)

It is worth noting that NoName057(16) aimed to impress its public without expecting any engagement from them, whereas KillNet asked its audience to actively participate in KillNet’s initiatives. Its team initiated a complaint campaign approximately once per month. It is not clear how KillNet chose its victims. Given the fact that KillNet’s support account was widely advertised, Telegram users sent their complaints on Ukrainian and Russian Telegram accounts as well as on websites with an explicit pro-Ukrainian stance. Moreover, under every KillNet post, chat participants placed a few demands, asking the group to ruin an adversarial online entity. Despite the fact that KillNet’s chat admins did not usually respond to these demands, the hackers could not entirely ignore their audience. So, when it came time for the hackers to pick their next target, they skimmed over their followers messages and chose their victims in accordance with their own personal experience. Their choice depended on various factors ranging from current political circumstances and the amount of time they would need for the hacking to content shortness and the potential positive impact on the group’s reputation. In June 2022, the group detected efforts from one of the Ukrainian outlets to unite its followers for a complaint attack against KillNet’s unit Legion. Instead of waiting for disciplinary measures from the Telegram administration, KillNet launched a counterstrike by organizing its numerous followers to complain about this Ukrainian outlet (We are KillNet 2022). As a result of this digital duel, Legion’s Telegram channel survived, but the Ukrainian counterpart was turned off or was forced to relocate to a new account.

148

Chapter 4

On September 15, 2022, the KillNet team was infuriated and hectically started a new campaign against an AliExpress seller who offered t-shirts with KillNet brand logo (We are KillNet 2022). The hackers considered it as “an unauthorized use” of the group’s symbol. A significant part of KillNet’s audience did not share its frustration at the AliExpress seller, applauding the commercial inventiveness of the seller and suggesting there might be a positive impact on the brand’s recognition. Pushing its followers to file a complaint, KillNet’s chat admins monitored the discussion and jumped at participants with a different opinion. When several chat participants began to talk about purchasing a t-shirt and the cost of shipping, the KillNet admins became offended and demanded that they not buy the t-shirt (We are KillNet 2022). Eventually, despite the obvious disagreement with KillNet, its audience followed its order. As a result, in less than two hours since the first KillNet post about the t-shirt aired, the AliExpress website removed the controversial product. Fervently attacking the small businessman, KillNet presented itself as a brand builder who instilled a strong impression of a control over every aspect of their brand’s appearance online and consequently, trust among its brand supporters. As previously mentioned, how hackers choose their victims is not always transparent. In September 2022, unknown volunteers were somehow able to bring KillNet’s attention to fraudulent activities inside the Russian Federation. Supposedly, the female volunteers looked to buy several boxes of cigarettes for the Russian troops in the Donbas region. After transferring the total amount of money to the seller, this firm disappeared, and its phone became unresponsive. In desperation, the volunteers asked the KillNet group to track the firm and the associated individuals. Following KillNet’s demand, its audience, and affiliated groups helped to deface this group of fraudsters, who stole around $1,000 (We are KillNet 2022). Prior to the defacing, the admins asked the perpetrators to return the stolen money, but apparently, the money was not returned because, after several hours, one of the leading team members and several enthusiastic followers aired the fraudsters’ personal information (We are Killnet 2022). In the KillNet chat, the female volunteers thanked KillNet, stating that police investigators received the pulled-out data. BRAND AWARENESS Hacker Cooperation As was stated earlier, there were several hackers’ brands that entered the public space and began to create their brands and gather their crowd. As is often the case when it comes to the Internet, soon hackers realized one of the benefits of gaining web publicity: they could find like-minded groups to advance

Hackers Gather Public Trust and Recognition

149

their brand and products. An extremely useful tool to set up these connections was brand ideology. Having pro-Russian views on certain key points served as a foundation for long-term or short-term cooperation between the hacker groups. At the same time, their pro-Russian position helped the hacker teams to establish close ties with other digital entities outside of IT professional circles. These types of cooperation targeted different objectives. Although the collaboration between hacker groups usually resulted in mutual cyber offensive attacks, the cooperation with other groups led to financial assistance, advertisement, and informational support. To make a spectacular entry into the public space of Telegram, XakNet conducted two remarkable DDoS attacks on the websites of the Ukrainian President and the Ministry of Defense (XakNet Team 2022). As this group focused on more sophisticated types of cyberattacks, its team collaborated with another unknown group, which provided a DDoS service (XakNet Team 2022). The attacks shut down the Ukrainian websites for a couple of days. One month after these strikes, the XakNet team issued a gratuity note for this DDoS group, promoting its service as effective and reliable among its audience (XakNet Team 2022). On March 4, 2022, XakNet and KillNet began their cooperation (XakNet Team 2022). Keeping their hopes high for this cooperation, the enthusiastic KillNet team announced the creation of the International Hacker Alliance in April 2022. It established the Alliance Telegram outlet which invited other like-minded hacker groups. The Phoenix hacker group, a fresh entity on Telegram, joined it on April 15 (Phoenix 2022). However, this initiative died without explanation from its creator by April 30, 2022, when it aired its last post, and the channel was abandoned (International Hacker Alliance 2022). The official KillNet outlet stopped promoting this project; apparently, something did not work out here. Further communication and coordination with XakNet went through the leader of Zarya, the KillNet subdivision (Zarya 2022). Even though both groups praised their cooperation, promising their followers to join unique strikes in the foreseeable future, their so-called cooperation did not go further than reposts and advertising for each other. Their first action occurred in May. As was described previously, in May 2022, the Russian military units contacted the XakNet team looking for help with the serious situation on the battlefield. To take the Ukrainian system “Kropyva” down, XakNet cooperated with KillNet and a DDoS service group, which assisted XakNet occasionally (Legion 2022). Interestingly, after the successful attack, the XakNet group deleted many posts related to the coordination of this strike. Moreover, its representatives barely mentioned the involvement of other hacker groups in further interviews and their posts. For other participants, such as KillNet’s affiliate Legion, this mutual attack was considered as a special privilege and

150

Chapter 4

honorable event, because XakNet has a significant reputation in today’s digital environment. Until July 2022, the groups did not announce mutual attacks when XakNet and Zarya identified a target. A couple of days later the groups announced a joint hacking on the state archive website (archives​.gov​​.ua) in Ukraine, as XakNet focused solely on Ukrainian resources (Zarya 2022). Initially, to prove the hacking, the hackers published several screenshots, after which they leaked many documents and videos stolen from the archives​.gov​​.ua website (Zarya 2022). On the next day, the groups changed their mind and made a post that they would stop leaking the archive’s data (Zarya 2022). Their audience in turn grew upset with the sudden stop and demanded an explanation from the group, bombarding the announcement with comments. The third joint cyber aggression was launched by the following hacker groups: XakNet, Zarya, and Beregini. According to the hackers, they spent more than a week to get inside the Security Service of Ukraine in October (XakNet Team 2022). This hacking was conducted and coordinated by Beregini, who began to air piles of stolen Ukrainian documents in small portions. However, the Zarya and XakNet followers enjoyed only screenshots and short footage recorded during the hacking. After this, both teams took a break, explaining that team members needed rest, and the accounts would therefore not be filled with exclusive content (Zarya 2022). With the statement, “Cyber attacks are not very simple and require preparation,” the Zarya admins tried to justify the lack of regular activity on its outlet (Zarya 2022). At the beginning of November 2022, an event happened which placed the XakNet-KillNet cooperation on the verge of collapse. A Russian website which is devoted to tech news in the IT sector published a nasty article about KillNet, after which its team conducted a DDoS attack against it (XakNet Team 2022). The XakNet DDoS subdivision castigated KillNet for the attack on the Russian Federation, underlining that this sort of action is not acceptable (XakNet Team 2022). In four days, as KillNet announced its hacking on a Greek medical facility, the scandal began to unfold again. “Initially, their DDoS attack crashed a medical website in Greece. KillNet discredited itself again. . . . This is too low even for you . . . . What has happened with honor and morality?” (XakNet Team 2022). In return, KillNet responded aggressively using inappropriate language. In the middle of this exchange, the XakNet group demanded its DDoS subdivision and KillNet to stop mentioning XakNet’s name in connection to this scandal: We do not understand the reason why both groups are acting out. Can you talk with each other? We sent a message to the admin of our subdivision. Colleagues! Do not mention XakNet: We do not want to be a part of this childish event. (XakNet Team 2022)

Hackers Gather Public Trust and Recognition

151

This post cooled off the hackers from both sides. Nevertheless, in light of this unpleasant experience, XakNet would not reestablish cooperation with KillNet. Moreover, there were plenty of other hacker groups with a professional attitude that could be asked to conduct joint attacks. Alongside its work with well-known groups, KillNet group also actively cooperated with newly established or less popular groups. In August 2022, under its leadership, pro-Russian hackers from Anonymous Russia, Phoenix, and CarbonSec11 allegedly launched an attack on the website of Lockheed Martin, the U.S. global security and aerospace company (We are KillNet 2022). This corporation produced the famous artillery system of HIMARS that the Ukrainian Forces supplied in 2022 (Guttman 2022). Shortly after KillNet claimed its cyber aggression, the Lockheed Martin website remained active. Apparently, the website sustained the DDoS attack, if any was ever launched against the corporation. As Newsweek reported, a company representative did not clarify if the website was under attack, reassuring that Lockheed Martin has “robust, multi-layered information systems and data security” (Carbonaro 2022). The new mission of KillNet was announced on July 21, 2022, declaring the Lockheed Martin corporation as its target. In its statement, the hackers notified followers about launching a new line of attack against weapons manufacturers and promised to use something more than DDoS attacks (We are KillNet 2022). In ten days, KillMilk released a video in English, asking Lockheed Martin employees and concerned citizens to set its offices on fire around the world(KillMilk 2022). For every attacker, he proposed a reward of $50,000, demanding the evidence be sent to his Proton email. At the end of the video, he provided a list of Lockheed Martin’s corporate offices in the United States, Canada, and Europe. Responding to KillMilk’s proclamation, the hacker group FRWL conducted a hacking on Gorilla Circuits, Lockheed Martin’s supplier (FRWL 2022). The group insisted on getting “full access to the Gorilla Circuits information,” including “backups from 2016,” “technical papers,” a list of suppliers, and the customer base. The FRWL hacker team continued its intimidation, saying “Data from organizations affiliated with Gorilla Circuits has been compromised. You are in danger!” (FRWL 2022). The exact date of the attack on the U.S. corporation is not known. Some KillNet posts make it appear that it was August 10 and did not last long: the hackers were surprised when they were removed from the system (We are KillNet 2022). Indeed, the KillNet group did release video evidence and screenshots on August 10, 2022 (KillMilk 2022). To reassure the public that the cyber strike was real, KillMilk allegedly published a list of Lockheed Martin staffers(KillMilk 2022). Further, the KillNet founder underlined that only useless information would be aired immediately, and he clarified his next steps:

152

Chapter 4

What am I going to do next? (1) Soon, you will observe the new technologies of Lockheed Martin. I do not understand rocket systems, but some people do. (2) A full list of its employees will be leaked (more than 100,000 people). (3) I will leak data in the countries where its personnel reside. My leaks love money . . . (4) Lockheed Martin’s stock will be changed . . . I will show a lot of interesting things about this corporation soon. (KillMilk 2022)

After posting a message about this corporation on August 13, the KillNet group stopped mentioning the Lockheed Martin attack completely, and KillMilk did not clarify what happened with the stolen data. Interestingly, the Russian-speaking followers were very enthusiastic and encouraging about this attack on this meaningful target. In terms of brand recognition, this attack brought much sought-after media attention. Unfortunately, in the eyes of a crowd, media attention oftentimes serves as solid, unquestionable evidence of cyber strikes. In general, this strike raised plenty of questions: Was this strike successful? When did the hacking happen? Was the data stolen? What data was compromised? What did the hackers do with the data? It is possible to suggest that two solo hackers—KillMilk and Two-Faced,12 along with several groups—KillNet, Anonymous Russia, Phoenix, and CarbonSec, prepared the cyber aggression on the U.S. corporation together. Nonetheless, this attack can hardly be labeled as a success as the allegedly stolen data did not surface anywhere. As KillMilk and KillNet’s statements showed, financial troubles for Killnet were persistent after this attack and up to December 2022. Apparently, the hackers were not able to sell the data for a good price or KillNet did not have the data to sell because their attack was unsuccessful. In general, this coordinated hacking resulted in media noise rather than real and tangible benefits. Another interesting project to advance KillNet’s brand among the Russianspeaking audience was their teamwork with the Deanon Club group against an online drug trade platform. Since November 2022, the KillNet team has begun cooperating with the group Deanon Club. Previously, both groups had a very unpleasant relationship. Deanon Club repeatedly mocked the KillNet group, underlining its unprofessionalism and highly politicized and non-objective agenda (Deanon Club 2022). This group argued that KillNet not only lacked objectivity, but it became a voice for propaganda. According to its admins, KillNet’s power was an illusion based on its “pompous loud political statements” (Deanon Club 2022). In reality, KillNet’s DDoS attacks were feckless and useless, while their so-called leaks contained widely accessible data. Moreover, Deanon Club suggested that KillNet, which declared an upcoming hack of a famous online drug marketplace but later deleted the post, could take money from its potential victim (Deanon Club 2022). This explained why KillNet’s official outlet erased the declaration of the attack. Nevertheless, ground for reconciliation and negotiation between the groups

Hackers Gather Public Trust and Recognition

153

was soon found, when Deanon Club admitted KillNet’s great skill for hacking Rutor’s website and its supervisor, Egor B. (Deanon Club 2022). Putting aside KillNet’s ostentatious political manifestation, in March 2022, XakNet, the oldest hacker group, praised the KillNet hackers for their well-organized and effective attacks on the Anonymous group and the cyberpol​.in​fo website (XakNet Team 2022). Apparently, KillNet’s abilities and its team’s skills were not that bad. Taking this positive statement from Deanon Club as an opportunity, the KillNet leader, KillMilk, contacted Deanon Club to negotiate a cooperation. During the negotiations, the leaders discussed the coordination of mutual goals and means: We work exclusively on common aims. KillNet will focus on its part, and our group will stay out of the political field. KillNet is good at one field, our group is skillful in another sector. So, together we can accomplish significant goals. (Deanon Club 2022)

It is encouraging to explain the general line of Deanon Club’s conduct. The Deanon Club admin was an extremely talkative individual with high ambitions and a desire to earn money in the middle of the crisis. Without a hint of modesty, he rejected and degraded followers who blamed Deanon Club for being unpatriotic and purely pragmatic in contrast to other hacker groups. Also, the admin openly admitted to doing dirty tricks. Indeed, Deanon Club intentionally castigated hacker groups and was ready to stop a humiliating campaign for some cash. When Deanon Club announced their cooperation with KillNet, the group implied that this cooperation would be limited in quality and short in duration. Further, the reason for the cooperation was cleared up: Deanon Club and KillNet united to strike down the Russian drug platform, Black Sprut. Acknowledging Deanon Club’s ethics, this cooperation would not be a non-profit project. So, to put it simply, there are several likely scenarios at play here. First, perhaps Deanon Club had an order from one of Black Sprut’s competitors to destroy it. Second, another highly likely option, is that: at a particular stage of the cooperation, Deanon Club would accept money from Black Sprut’s owners to end their teamwork. On the other hand, instead of looking for monetary gains, KillNet was open for cooperation and vigorously used it to expand its brand. In this regard, KillNet admins were omnivorous, establishing teamwork with famous hacker entities and small unknown groups. They were ready to help other groups with their targets and propose their own targets, sharing success. To sum up, cybercrimes are a lucrative business, and business is booming. The ongoing cyberwar allowed many dangerous people with corrupt intentions and IT skills to work openly, accumulating a customer base and shaping

154

Chapter 4

their skills. For every member of the world community, consequences of this tendency are predictable and will be disastrous. In real life, hackers cooperate with each other being coworkers, friends, neighbors, classmates, and so on. The intensive cyberwar transformed their way of living and working. Hackers began to learn to trust each other and other people and to build partnerships via the Internet, becoming accustomed to a certain level of visibility. This is demonstrated in a unique case which occurred with the Zarya hacker unit. In November 2022, at least two Zarya members moved to the Donbas area, less than 12 miles from the frontline (Zarya 2022). Being exceedingly cautious, the hacker team did not announce its trip, though its goal was well-articulated: “We, hackers of Zarya, arrived at Donbas for informational assistance and online support. We will meet hackers from the frontlines” (Zarya 2022). So, the Zarya hackers established a relationship with IT specialists in the war zone; perhaps, this was a group called Department Z, established in March 2022, but since November 2022, this hacker group was renamed “Bear. IT.Army” (Bear IT Army 2022). Apparently, the newly arrived IT specialists carried needed equipment and would provide technical assistance to the Donbas group. As the hackers shared a video and photos from their trip, its followers voiced a critical concern about the potential damage to the hackers’ anonymity. Placating their followers, the group’s leader underlined that the group revealed its members’ identity only to “Russian warriors” because Zarya felt an obligation to provide its help there (Zarya 2022). Despite the fact that the hackers promised to inform their audience about the trip, Zarya’s group outlet did not post updates about this trip or members that had been killed while there. Obviously, the newcomers learned basic safety measures, and tried not to jeopardize their and others’ lives. In this regard, worth noting is the fact that KillMilk visited the Donbas warzone two times since the beginning of the war. He did not disclose the reasons why he visited this region, any local contacts, dates, or towns that he visited. Being self-sufficient, the female hacker group Beregini rarely cooperated with other pro-Russian groups. It did, however, coordinate with XakNet and Zarya in October 2022. The majority of the hacked data from that hack was not leaked publicly. Seemingly, Beregini maintained close connections with the group RaHDIt. In July 2022, their hacker teams launched a successful attack on the National Defense University of Ukraine, pulling out much information from its servers such as textbooks, phone books, lists of students, and other materials (Nemesis 2022). In September, together with RaHDIt, Beregini sorted out the data about the personnel of the 72nd Center for Information and Psychological Operations in Ukraine (Beregini 2022). As a result, RaHDIt’s project “Nemesis” aired a chain of posts with photos and the personal data of the Ukrainian personnel.

Hackers Gather Public Trust and Recognition

155

Prior to entering the public space, the FRWL team monitored the activities of many pro-Russian hacker groups such as XakNet, KillNet, Beregini, Joker DPR, and others. As its content thread revealed, the FRWL hackers gave repeated kudos to XakNet. However, FRWL developed very limited cooperation among the hacktivist movement, refraining from teamwork and working out mutual targets. Indeed, when KillMilk declared its campaign against the Lockheed Martin corporation, FRWL conducted a hacking of one of its suppliers. In July 2022, conducting a retaliating aggression toward Norway, which approved the provision of military equipment to Ukraine, this group helped attack the targets of a smaller hacker group “DeaDNetRu” (FRWL 2022). In fact, another group, People’s Cyber Army, did not present itself as open for cooperation with other hacking teams or other similar entities. Nonetheless, it cooperated with the XakNet team a couple of times, or rather, the admins from People’s Cyber Army told their Telegram followers about the strikes. The first joined attack was carried out in April 2022, when the hackers successfully entered the ukc​.gov​​.ua website which accumulated useful information about the Russian Armed Forces and its relocations (People’s Cyber Army 2022). As a result, the website’s servers were eliminated, and a huge amount of data with inner documentation was taken by People’s Cyber Army and XakNet. On Telegram, the hackers presented this action as a retaliation for the Ukrainian attacks on Belgorod, Russia. Indeed, on April 1, 2022, the governor of the area, Gladkov, stated that two Mi-24 helicopters entered the Russian territory from Ukraine and launched air strikes at the local oil depository “Belgorodnefteprodukt” (BBC 2022). In October, preparing a cyber offensive strike on the Ukrainian military software (Ukropsoft), People’s Cyber Army’s hackers coordinated their actions with the XakNet group. Without disclosing details, People’s Cyber Army issued a short note of gratitude for XakNet (People’s Cyber Army 2022). In case of technical difficulties, this group contacted XakNet to coordinate their actions against military objects. Another fascinating case of its cooperation was declared in September 2022, and was directly linked to the mobilization ordered by President Vladimir Putin on September 21. Nevertheless, People’s Cyber Army did not disclose many details or other participants; it was obvious that the hackers were in contact with the Dagestan police. Shortly after the beginning of the mobilization, many Telegram accounts became a harbor for protesters all over the Russian Federation, calling locals to occupy streets and hamper mobilization events (Utro Dagestan 2022). In particular, the channel “Morning in Dagestan/Utro Dagestan” assisted Dagestan’s residents in conducting organized meetings; on September 25, its admins called residents of Makhachkala to gather in the capital’s main Square at 3 p.m. local time (Utro

156

Chapter 4

Dagestan 2022). The online preparation for the anti-mobilization meeting was very meticulous, as the Telegram channel not only scheduled the time and place for the protest, but its team instructed participants to be ready at a particular time to shout simultaneously, “Stop mobilization! Stop the war!” and follow the instructions aired by the outlet’s bot (Utro Dagestan 2022). Prior to the protest, Utro Dagestan’s admins set up a bot for communication and coordination of the protest; for instance, the outlet asked participants to upload photos and videos from the actual event. Supposedly, the hackers from People’s Cyber Army used this bot to reach the Utro Dagestan admins, sending the following message: “Hi! Here is the first victim of violent jackals in uniform! This woman died in an intensive care facility! Please, spread this information!” (Politikus 2022). Under this message, the hackers attached a link which looked like the link to a cloud service; however, this link was a key to get the administrators of the account. It is important to underline that this information, which was widely circulated via Telegram, was not supported or refuted by People’s Cyber Army. The first results of the digital investigation were publicized on the People’s Cyber Army’s official outlet a day after police detained more than 100 protesters (OVD News 2022). At the same time, the Head of the Dagestan Republic, Sergey Melikov, rejected the idea that the protests were a local initiative, stressing that foreign “enemies try to divide” the country by preparing and inspiring the protests in Makhachkala, similar to what occurred in the 1990s (Melikov 2022). Further, he added that “provocateurs do not participate in these protests,” sending Dagestani women to confront police (Melikov 2022). By the way, the so-called identified administration of Utro Dagestan was located in Kiev, Ukraine, but the actual masterminds (four to five people, according to the FSB videos) of the protests were detained in Dagestan (GTRK Dagestan 2022). The hackers from People’s Cyber Army claimed to decipher “this network of provocateurs,” operating within Telegram and identified the names of the organizers, which were turned over to the authorities (People’s Cyber Army 2022). On September 30, 2022, the hackers praised the joined operation: Warriors! Good job! This is not only our success, but many people also helped us! As a result of our cooperation with Dagestani FSB operatives, several admins which managed anonymous chats and Telegram outlets were arrested . . . More than 10 people were detained. (People’s Cyber Army 2022)

Hence, this was the first time when the pro-Russian hackers were engaged in an FSB operation. Interestingly, People’s Cyber Army admitted its engagement in the FSB raid, whereas official governmental news did not contain mentions about the hackers’ assistance. Perhaps, hackers had a long record of assisting the police, the FSB, and other government departments, but they did

Hackers Gather Public Trust and Recognition

157

not expose every case of cooperation. There is another scenario that cannot be disregarded: they could volunteer for this cooperation by providing needed information to the FSB operatives anonymously. The unfolding scandal with the anti-mobilization unrest in the Russian Federation was too enticing to pass up for KillNet’s brand managers. Instead of waiting for the results of the People’s Cyber Army actions, one of the KillNet-affiliated units jumped on the Utro Dagestan outlet from another side. Reviewing the outlet’s budget, KillNet discovered more than $150,000, or 109 ETH, on its crypto account on September 26, 2022 (Writer from the Center 2022). Circulating this newsflash through Telegram, the hackers publicly castigated the FSB, demanding instant action because “a NATO spy” functioned inside the Russian-speaking cyberspace (We are KillNet 2022). Its audience approved KillNet’s appeal toward the FSB, and consequently, several followers sent complaints about KillNet’s data to the FSB website; another part of the audience organized a complaint campaign on Utro Dagestan and a few other outlets within the KillNet chat (Writer from the Center 2022). The KillNet group’s report about the financial situation of this outlet was merely KillNet’s initiative, but the gathered data were sent to the FSB for further consideration. On the one hand, this initiative was a marketing trick to elevate the KillNet brand. On the other hand, the hackers demonstrated their desire to cooperate with the government. The NoName057(16) and Joker DPR groups worked for their targets independently and without partnership. While the former repeatedly referred to other groups, applauding them for their indispensable efforts fighting the enemies of the Russian Federation, Joker DPR did not mention others whatsoever. Perhaps, these groups conducted background communication and teamwork, but they did not announce it. Nonetheless, Joker DPR’s reclusive behavior was not common but acceptable for other hacker groups. Along with professional teamwork, the pro-Russian hackers actively communicated with news outlets, most of which operated on Telegram. For instance, at least three hacker groups (XakNet, KillNet, FRWL) built relationships with the news platform Russian Spring (rusvesna​.​su). This media source was established in 2014, and in 2015, the Russian authorities issued a registration for this outlet (Rusvesna 2018). In September 2022, the Rusvesna news outlet, whose Telegram audience was more than 1,000,000 followers, received contributions of approximately $2,700 (XakNet Team 2022). The XakNet members maintained a long relationship with this channel because “its crew had the same spirit and moral values” (XakNet Team 2022). When Rusvesna asked XakNet to help it buy media equipment, its members gathered the whole amount. Disclosing some details, its statement proclaimed: “We did not ask our followers for financial support. It is a gift from the XakNet team to our colleagues in the

158

Chapter 4

informational field . . . Recently we had a photo report on how the Rusvesna spent our contribution” (XakNet Team 2022). Soon, a similar campaign was launched by KillNet. On November 13, the KillNet admins announced the brand’s birthday, when they purportedly set up a KillNet DDoS service (We are KillNet 2022). To warm up community engagement, KillMilk initiated an intriguing action: “Happy birthday, KillNet! Today, I will split $7,000 in BTC between our followers. Wait for further guidance and establish crypto wallets!” (KillMilk 2022). Then, its followers were asked to answer a question: did they want to send the money to help the news outlet Rusvesna, or did they want to split the money? It is certain that KillNet followed XakNet’s pattern, looking for positive association of its brand with XakNet’s IT professionals, who had a high reputation. In the poll, more than 20,000 Telegram users voted, where 95% of respondents picked the option for the donations to go to the Rusvesna platform. In accordance with the followers’ will, the full amount was transferred to the Rusvesna account by the end of the same day. To prove this transfer, its screenshot with an attached Rusvesna thank-you note was circulated on Telegram (Rusvesna 2022). The KillNet crowd was thrilled, expressing their pride and joy for this action and KillNet’s generosity. Evidently, the FRWL group communicated with one of the Russian military units via Rusvesna’s Telegram outlet. At the beginning of its public activity, the group asked its followers about the possibility of sending drones to the Donbas region. Given the fact that FRWL did not conduct fundraising campaigns, its members considered the purchase of military equipment at their personal expense. Later, in August 2022, the group promoted a Telegram outlet which belonged to a military unit from the Donbas area: “We provide holistic support for this group and stay in touch!” (FRWL 2022). This particular unit did not communicate or accept support from outside entities unless done exclusively via the Rusvesna platform. Given this condition, it has been suggested that FRWL established a connection with the military unit through Rusvesna initially, and later, communicated with the unit directly. Interestingly, the group received many proposals for cooperation from other pro-Russian groups, but FRWL did not accept these proposals (FRWL 2022). According to FRWL’s admin, its members did not think that cooperation would be very productive, and to show appreciation to other hacker groups, FRWL frequently reposted their posts on its thread. Out of nine hacker groups, only three groups provided financial support to the Donbas region. Obviously, Rusvesna and the hacker groups got connected through Telegram messages, sending funds or cryptocurrencies directly to Rusvesna accounts. Other groups were not involved in similar charity projects, refraining from outside contacts. Many hacking groups realized the benefits from teamwork, so they occasionally launched joint

Hackers Gather Public Trust and Recognition

159

strikes. In contrast to KillNet, which was keen for cooperation which was not exclusively related to its major mission of “the retaliation against Russian political enemies,” other teams valued their independent status, establishing a short-term partnership, and chasing one victim. As the Kropyva case showed, the hackers were responsive to requests for help from military units fighting in Ukraine. Despite the sporadic character of the current cooperation, they were apparently willing to offer help to law enforcement agencies and made this cooperation regular and consistent. Given the fact that not every government-assisted operation could be announced, much information about the hacker-government cooperation was concealed from society. This cooperation is very likely to become a mainstay for Russian society as time goes on. Mobilization in Russia Given the personnel shortage in the Russian Army and the fact that the rolling Ukrainian counteroffensive had taken back areas from the East, Russian President Vladimir Putin signed a mobilization decree. On September 21, 2022, partial and immediate mobilization was started with Putin’s televised announcement, where the president underlined what categories of people would be mobilized (Komsomolskaya Pravda 2022). More details were revealed by Minister of Defense Sergey Shoigu. According to him, 300,000 reservists would be needed to control around 1,000 km of the occupied areas in Ukraine (Lenta 2022). Seven days after the mobilization began, the Ministry of Digital Transformation issued a list of specialists who received a deferment from it, and among 195 professions, IT professionals were included (Finance Rambler 2023). While the Russian population tried to digest the new decree, several hacker groups expressed excitement and tried to encourage their less lucky followers. Airing a stream with Putin’s announcement, the FRWL group underlined that many people had a real chance to show their valor and patriotism (FRWL 2022). The FRWL’s enthusiasm was shared by KillNet. Worth noting is the fact that a week prior to the mobilization, its associated analytical channel castigated individuals who rejected joining the Russian Army and fighting in Ukraine: Last night, I checked several chats and found many comments from people who speculated about immigration and relocation in case of mobilization. They are low, cowards, and useless people. . . . Do they want to wear a skirt instead? I like the mobilization for one reason, because I would immediately identify true Russian Brothers . . . The mobilization is a moment of truth. (Writer from the Center 2022)

160

Chapter 4

This post instigated a fervent discussion, where both men and women participated. The female participants were enraged by the demeaning connotation of the word “skirt”; women argued that they were ready to fight for the homeland, emphasizing that they would follow their husbands to fight together (Writer from the Center 2022). Rejecting the defense of corrupt officials, several chat participants admitted that they cared more about their families than about the country. However, there was one suggestion which united all participants: they believed that the mobilization was unavoidable. Interestingly, on the next day, KillNet circulated a survey asking its audience to provide an answer for the following question: Will you join the Russian Army in case of a mobilization order? (We are KillNet 2023) Approximately 23,000 people voted in this poll, where 62% of recipients expressed their willingness to be in the army. While 11% of the participants frankly said that they would do everything to avoid the mobilization, 7% of women were not ready to let their husbands go to war (We are KillNet 2023). The escalation of the war triggered a backlash within the Russian Federation. The opposition to the mobilization appeared immediately in protests in more than 30 cities including Moscow, Ulan-Ude, Tomsk, Saint-Petersburg, Yekaterinburg, Novosibirsk, and others (Kommersant 2022). Mass and individual protests have taken place repeatedly since September 21, 2022. Because KillNet was so excited about the mobilization decree, they jumped at the chance to reproach anyone who shared a different view and issued this statement: “Do not read propaganda created by domestic foreign agents (they sell out their soul to Biden). Eliminate all uncertainties about Russian power and strength! Pro-Western bloggers and media outlets such as the TV channel “Rain” and others spread fear within our society. Disregard any information about mass surrender to Ukraine! Disregard any critiques toward our country and President! If you have valuable information about people who disseminate d­ isinformation in Russia, send their information to us. Death to fascism and the European aggression! Glory to Russia and our great future!” (We are KillNet 2022)

Specifically, KillNet chased the anti-war youth movement “Vesna,” which organized multiple meetings against the mobilization across the country. Shortly after Putin’s speech on September 21, the Vesna leaders, via social media platforms, began to call Russian citizens to occupy their city streets: Today, Vladimir Putin declared the start of the partial mobilization in Russia. It means that thousands of our men—fathers, brothers, and husbands, will end up

Hackers Gather Public Trust and Recognition

161

in war hell. For what will they die? For what will mothers and children cry? Is it for Putin’s mansion? (Vesna 2022)

Even though the street-level resistance was not very strong and longlasting, the KillNet hackers were infuriated by Vesna’s “unpatriotic” stance, which made its members a target for KillNet. Trying to find reliable information about the movement, KillNet aired a post about buying inner information about Vesna’s leaders (We are KillNet 2022). Nonetheless, it did not dig up any unique information that was able to petrify users’ imaginations. Evidently, KillNet’s interest in Vesna faded quickly once authorities began to pressure the movement. On September 24, 2022, Saint-Petersburg police raided apartments of several Vesna members, and in ten days, the city prosecutor’s office initiated a lawsuit looking to ban this civil movement (St. Peterburg Prosecutor Office 2022). For the People’s Cyber Army team, a battle against the Vesna organization became a matter of principle. Being excited about the partial mobilization, the hackers argued that fresh armed forces would “lead Ukraine to a quick end,” and jumped at Vesna’s website (People’s Cyber Army 2022). Starting their cyber offensive, People’s Cyber Army wrote: “As the mobilization was announced, many corrupt liberals came out from hiding. The organization ‘Vesna’ is one of their representatives. We need to kill its website!” (People’s Cyber Army 2022). In less than one hour, its website stopped working (People’s Cyber Army 2022). However, the group was ready to pursue more ideological opponents. As already pointed out, People’s Cyber Army hackers helped Dagestan police to catch anti-mobilization activists associated with the Telegram channel “Utro Dagestan” (People’s Cyber Army 2022). Given KillNet’s flamboyant attitude, its members dedicated plenty of their time to uncovering the financial background of the Utro Dagestan outlet, concluding that their admins were traitors and NATO spies (We are KillNet 2022).13 In contrast with People’s Cyber Army and KillNet, XakNet did not demonstrate its openly negative approach to anti-mobilization initiatives. Its members felt obligated to guide Russian citizens through the untrustworthy online environment. XakNet members monitored the development and tendencies on social media platforms after the mobilization decree and detected that many honeytrap accounts were beginning to circulate. According to the hackers, unknown individuals established chats about the mobilization, where individuals who had been mobilized and family members of mobilized individuals could communicate and share information (XakNet 2022). Looking for help, these desperate people dropped personal information into these chats, jeopardizing themselves and their relatives (XakNet 2022). Explaining the danger of these outlets, XakNet enunciated that they became a useful informational source for “Ukrainian analysts and other adversaries”:

162

Chapter 4

Due to your membership in these outlets, enemies will know who was mobilized and will research information about your relatives. What do you think will happen to your relatives? They will be victims of harassment. Someone will call their cell phones, send horrific videos, and blackmail them . . . We beg Russian media for the maximum coverage of this important information .  .  . Please, inform our people about this serious issue. (XakNet 2022)

The majority of the hacker groups kept silent on the mobilization and did not undertake attempts to chase anti-mobilization activists. Nonetheless, their engagement with the war within the realm of cyberspace began a long time ago; also, their previous activities and openly patriotic and bellicose attitude lend credence to the notion that they supported the mobilization and condemned its opponents. While the FRWL hackers let their audience know their thoughts on the mobilization, XakNet was concerned with the digital safety of its citizens, warning them about the active honey traps. The most outspoken groups were KillNet and People’s Cyber Army, which not only condemned the anti-war initiative but attacked activists and their digital sources. Russian Hackers and the Russian Government By the onset of the intervention in Ukraine, the Russian government was not ready for a cyberwar, especially at its current scale. Moreover, after seven months of the war, it still had not developed a clear approach to the militarization of cyberspace. Russian officials have sometimes tried to address this gap; however, so far, their erratic attempts have not found fertile ground within the ruling elites. Allegedly, shortly after the onset of the war, a group of highly qualified IT specialists contacted officials in the upper level of the Russian bureaucracy, proposing technical assistance on the cyber front. Underlining a desire to work for free, these specialists asked the government to coordinate or somehow guide their cyber offensive strikes (Delyagin 2022). At this time, Russian society was trying to adjust to intensive hackers’ attacks on every Russian digital entity. Nevertheless, the officials did not consider their proposal attractive or a high priority, redirecting it to a bureaucratic labyrinth and emphasizing that this “service” must be assigned through the federal law of state procurement. Taking into account that the IT specialists did not ask for financial compensation for their initiative, the officials merely brushed this proposal under the rug as it was not in line with federal law. In addition, the officials informed the professionals that they could not guarantee their protection because hackers were cybercriminals, and their activities were qualified as illegal.

Hackers Gather Public Trust and Recognition

163

The frustrated IT specialists referred their bemusement to the State Duma deputy, Michael Delyagin, who popularized this situation and the reaction of the officials (Delyagin 2022). Russian society entered the cyberwar with a limited number of IT specialists who would be able to conduct sophisticated cyber aggression; Delyagin blamed the Russian government for an alliance with U.S. authorities to chase and extradite domestic hackers who were suspected of illegal activities (Delyagin 2022). Another attempt to articulate this issue was undertaken in November 2022. Every year, the Fair Russia Party organizes various discussions about the most crucial issues appearing in the state. On November 23, 2022, the party gathered officials and IT professionals to exchange views on cyber security and the digital economy in the Russian Federation (The Fair Russia Party 2022). After XakNet’s claim about the breach of the Ukrainian Ministry of Finance, Dmitry Gusev, a state deputy of Duma, contacted the group. Given an upcoming party discussion, Gusev proposed that the hackers should deliver and explain their agenda, concerns, and goals to the Russian government. To protect themselves from persecution, the XakNet hackers realized that they could not partake in a public meeting. XakNet described the gloomy situation on the cyber battlefield. Scattered pro-Russian hackers are forced to confront the Ukrainian cyber front, which has plenty of volunteers who are highly coordinated and have government support (XakNet Team 2022). In contrast with Ukraine, the Russian cyber “Army” has suffered from a lack of coordination, general rules, and protection. Looking for valid targets, the hacker group stressed a complex problem: “It is difficult to determine what targets we can work on and that targets should be passed on.” (XakNet Team 2022). Driven by patriotism and trying to be useful, XakNet underlined its confusion because the group is not sure if its work is useful for the government and the Russian Army. Consequently, XakNet members experienced declining motivation which was already undermined by the fact that Russia detained REvil hackers as the U.S. government requested (XakNet Team 2022). Furthermore, the group shattered the popular myth about a robust Russian cyber department with almighty hackers: We want to establish direct contact with the Russian authorities that will be beneficial for both sides. Our state does not have a general strategy about how to protect government’s digital sources. There are no particular recommendations on how and who should do it. But these recommendations must be developed immediately. (XakNet Team 2022)

In the spring of 2022, numerous demands from Russian private companies and regional government departments were ripped apart the XakNet email. Feeling lost and powerless, they requested guidance on how to protect their websites. When XakNet specialists got back home from their work at the end

164

Chapter 4

of the working day, they gave free consultations. Despite the interconnectedness of the government’s digital system, many departments rejected any technical assistance, even free of charge, and XakNet explained it clearly: “People do not want to fix enormous, existing issues in cyber protection. The entire regional digital system must be reshaped . . . We learn this major issue from government employees” (XakNet Team 2022). At the Party discussion, Dmitry Gusev presented the main point of this XakNet statement. To begin with, the state deputy regretted the absence of an indispensable cyber defense entity within the Russian government that could protect every Russian citizen in the case of foreign cyberattacks. Then, thanking the hackers for “their incredible actions,” he admitted that many IT specialists leave Russia in fear of being conscripted to the Russian Army and sent to the Donbas region (The Fair Russia Party 2022). Gusev’s proposal made provisions to include current hacker groups into “the Russian Cyber Front” and give them military ranks; the creation of this entity would help to coordinate the hackers’ activities, develop a legal base for the hackers, and establish close connections with the government and the army. On November 25, 2022, to invigorate discussion related to the pro-Russian hackers, the State Duma Deputy, Gusev, issued a new statement, asking other hacker teams to provide their opinion on his initiative. Interestingly, Gusev appealed to a few groups—KillNet, JokerDPR, Zarya, and Bear.IT.Army, whose names were apparently provided by XakNet (Gusev 2022). This means that in seven months of the war, Russian officials still did not have a full picture of the situation with domestic hackers and their groups. This sector was omitted from their attention. A further significant issue was the definition of hackers; according to him, the ongoing cyberwar converted the view on hackers in the Russian Federation: “For the global community, Russian hackers were presented as criminals and attackers. For Russia, after February 24th, 2022, hackers became heroes who battle for fairness employing particular means. They do what our country needs right now” (SHOT 2022). In fact, the deputy highlighted the ongoing process of transformation within Russian society initiated as the hacker groups began to acquire public space on the web and build their brands. The majority of hacker groups could not miss this crucial and promising event which could turn their future around. With gloomy irony, KillMilk approved the Russian officials’ initiative, stressing that the Russian authorities ignored this breakthrough idea for a long time, and thus, it could be too late to improve the situation (KillMilk 2022). The KillNet admins jumped on this idea, exclaiming enthusiastically about their willingness to join Gusev’s “Cyber Front” right away (We are KillNet 2022). Sharing KillNet’s happiness, NoName057(16) stated they would be pleased to receive medals of honor for taking over Lithuania, Latvia, Estonia, Norway, and other

Hackers Gather Public Trust and Recognition

165

states where the group committed cyber offensives. “We fight on the cyber front not for medals, but for our homeland! Russian citizens’ admiration, support, and acceptance of our crucial and serious job is priceless for us,” continued the NoName057(16) group, highlighting its readiness to conduct cyber strikes at its own expense (NoName057(16) 2022). This statement implied a serious concern about the legal foundation for hackers’ current activities and cooperation with the authorities. It should be stated again that the pro-Russian hackers continued to balance their semi-shadow reality, hiding their identities from other states’ agencies as well as from the Russian government. It is impossible to predict if Gusev’s initiative will find support among government officials. However, given the special circumstances and the previous criticism voiced by Michael Delyagin, even this extraordinary idea can be legally implemented. Furthermore, another eloquent official and a member of the State Duma, Oleg Matveychev, put forward an idea about the creation of a cyber unit inside the Russian Armed Forces. Supporting the idea about using the hackers’ patriotic attitude, he stressed: We have many IT specialists who are off the professional market .  .  . Many conscripted young men who have IT inclinations could serve in cyber units. In these units, we could gather individuals who do not want to serve in an army. But these individuals could join the military service if they continue to play with computers instead of regular military service. We will turn these individuals into Russian patriots. (Matveychev 2022)

Interestingly, the deputy mentioned his hacker-friend who had a good education and IT skills, who hacked some U.S. governmental websites in front of the official (Matveychev 2022). Thus, referring to the hackers’ proposal, Delyagin criticized the administrative apparatus which was incapable of adjusting to the extreme situation. Dmitry Gusev’s project, which seemed to be more or less holistic, suggested that the legal issue of cyber criminals and their patriotism would be reconciled via the creation of cyber units within the Russian Armed Forces. Oleg Matveychev’s idea does not look serious or relevant in comparison; he discussed one of the ways to make military service more attractive for youths, but his comprehension of the ongoing cyberwar issue was shallow at best. So far, these ideas sound like populist exclamations rather than serious projects. Worth noting is the fact that these officials did not unite or at least heed each other’s initiatives, instead, they disregarded previous efforts to make this cyber unit a reality. While the Ministry of Defense did not comment or undertake steps to implement these ideas, there was not a persistent political will to advance and fulfill these initiatives.

166

Chapter 4

Since the beginning of the war in Ukraine, the question about the hackers’ connection with the Kremlin reemerged and remained highly debatable. Indeed, without sorting out particular hacking groups, the article on Politico generalized that Russian hacking teams were “Kremlin-linked groups” with average professional skills, seeing how the Ukrainian IT Army of volunteers confronted them effectively (Scott 2022). Underlining the unsophisticated attacks of some Russian hackers, the Cybersecurity and Infrastructure Security Agency observed in particular XakNet and KillNet as cybercriminal groups, driven mainly by financial benefits despite the fact that they pledged allegiance to Russia or Russian people as the war erupted; the possibility of their cooperation with the Kremlin could not be dismissed (CISA 2022). The Mandiant report found out that XakNet and People’s Cyber Army established grounds for close cooperation with government agencies (Mandiant 2022). Eventually, three options can be discerned. First, the pro-Russian hacking teams operated under control of the authorities, whereas the second possibility, is that implied that a few groups, out of the scrutinized hackers’ entities, maintained an independent status. The third theory is that independent teams of hackers cooperated with the government, as the latter could take advantage of the patriotic nature of the hackers’ groups when making attempts to contact them. These options are not mutually exclusive. In this regard, the research examined open online sources. Appearing on public space, every hacker group was forced to clarify its political standpoint in relation to the ongoing military intervention in Ukraine. In part, this occurred because of audience pressure, as concerned subscribers forwarded multiple messages to hackers’ support bots or accounts. Given the modern political environment with huge flows of disinformation and information from the oppositional side, this sort of demand is expected: people do not want to waste time trying to figure out what side of the war a channel adheres to. Thus, on one hand, the informational space became overwhelmingly complex with the growing circulation of various news outlets. On another hand, this space became simplistic: outlets with a pro-Russian or anti-Russian agenda. For a hacker brand, one of the effective ways to increase a channel’s audience was to declare its affiliation. This popular pattern was established by KillNet, which affirmed its stance via continuous displays of political views. For instance, on February 26, 2022, KillNet pinned its self-presentation, where it openly identified the group as “hackers” who did not support the war, which was inspired by Western allies. As the audience of the KillNet brand expanded, subscribers adopted this pattern, demanding from new hacker brands the same self-identification. In terms of the hackers’ perspective, affiliation means government control over an independent hacker team via ideological and/or legal manipulations, financial support, and that the government department was the creator of the

Hackers Gather Public Trust and Recognition

167

team. XakNet, KillNet, and its associated groups—all these groups repeatedly rejected any affiliation with the Russian government. Other groups— People’s Cyber Army, FRWL, RaHDIt, NoName057(16), Joker DPR, and Beregini, did not mention this issue. Indeed, in a sarcastic manner mocking famous resources for their conclusion about XakNet, its Telegram account welcomed followers with the note: “According to Bloomberg, we are the facade of the Russian intelligence service for conducting cyber offensive attacks. According to Mandiant, our admin is a GRU officer.” In fact, XakNet frequently emphasized the group did not maintain ties with the government and the FSB, but XakNet underlined its willingness to establish this sort of connection. In May 2022, the hacking team articulated that the government entities did not demonstrate their interest in XakNet: “Nobody asked us for help. So, we did not begin actions against our Western opponents because we are afraid to cause damage by our thoughtless actions” (XakNet Team 2022). As mentioned earlier, at the end of May, the military representative contacted XakNet via its Telegram messenger, asking for tech assistance with the Ukrainian system “Kropyva.” XakNet showed surprising transparency, providing information about this strike to its followers, and in June, a XakNet representative gave an interview to a Russian news channel (Russian OSTIN 2022; XakNet 2022). As the content thread of XakNet’s Telegram account showed, by accomplishing this task, XakNet ended its partnership with the Army; however, there were considerable doubts that this cooperation was official. In contrast with XakNet, which looked for coordination, KillNet declared its readiness to accept financial support from the government, stressing that the group did not get any government support. Indeed, in September 2022, after airing several crypto accounts, the KillNet team exclusively asked officials and Russian businesspeople to sponsor KillNet’s further cyber activities (We are KillNet 2022). However, this expectation was baseless, given the fact that later the hacking team began to sell stolen data and began to collaborate with Deanon Club against an online drug trading platform. Apparently, for some information from the drug platform, the hackers could receive money. According to KillNet’s admins, plenty of useful information was transferred to Russian police, as KillNet did not have intentions to withhold the police request. Following the same pattern, Anonymous Russia also underlined that the group was not working with the government, and thus, its members were not on “the Russian President’s payroll” (Anonymous Russia 2022). For subscribers’ convenience, it listed five crypto accounts, a QIWI wallet, and a Gazprombank card14 under the following post: “Officials and businessmen, do not forget about us! You live in Russia as we do, and we need financial support for our crucial mission” (Anonymous Russia 2022). It is worth noting

168

Chapter 4

that Anonymous Russia was the first hacker group to ask its followers to contribute money through the QIWI platform and a regular bank. Apparently, as KillNet’s associate, Anonymous discussed this financial innovation with its leadership. As previously indicated, KillNet rejected any affiliation with the Russian government, and its admins fervently keep an eye on the group’s reputation. Their passion went so far that the KillNet team was forced to write a statement in English. Responding to multiple accusations, in April 2022, the group appealed to European media: “You have misidentified us in the world. We are not a PRO Kremlin project. We are simple Russian people who are ready to kick your ass. Our country is not only the strong government you fear so much. Our country also has the strongest people in spirit, so keep that in mind” (We are KillNet 2022). As financial problems continued to pile up, the KillNet group adhered less and less to its own principles. Thus, XakNet and KillNet, the most famous hacker groups abroad, repeatedly shed light on their connection with the Russian government. However, they achieved it differently; while XakNet was open for cooperation and coordination from governmental services, KillNet underlined its willingness to sell its independent status to the Russian authorities or an oligarch. Other pro-Russian hacker groups—People’s Cyber Army, FRWL, RaHDIt, NoName057(16), Joker DPR, and Beregini were out of the media’s attention and as a result, their teams did not address this issue. Another aspect that must be taken into account is the support of the Russian Armed Forces and the Kremlin’s actions in Ukraine. Rejecting the rhetoric of the “I-am-ashamed-to-be-Russian” anti-war approach, the hacker groups declared open and holistic support and approval for any actions of the Kremlin and its army. For instance, by opening its official Telegram account, FRWL directly declared its tremendous support for the Russian Forces. To underline the admiration toward the Russian president and the Russian Forces, the team of People’s Cyber Army inserted his words “If a fight is unavoidable, you must hit first!” inside its new logo, uploaded in July 2022 (People’s Cyber Army 2022). Also, People’s Cyber Army expressed its appreciation to the private militant group “Wagner,” which fought in Ukraine together with the Russian Armed Forces. Usually, hackers’ appreciation was expressed in a particular way, and it is exactly what happened this time; the decision to target the Mozart Group’s website was announced. This is not the first time this website was hacked by People’s Cyber Army. The website fell under their strike on September 27, 2022 (People’s Cyber Army 2022). This digital American resource is a property of the private military company, the Mozart Group, which participated in the war in Ukraine, fighting for the Ukrainian government. The decision to attack this website came to the proRussian hackers after they received news reports about the presence of the

Hackers Gather Public Trust and Recognition

169

U.S. veteran, Andy Milburn, in Ukraine (People’s Cyber Army 2022). If the hackers returned to the previously fallen victim, perhaps it was easy to undermine its defense and the hackers were eager to finish the work they began. The symbolic meaning of this website only increased its chances of becoming a target once again. Many hacking groups celebrated professional military holidays in a traditional way or with a cyber strike. On August 2, 2022, the Polish website for the airline SprintAir, experienced a cyberattack, launched by the NoName057(16) team in honor of the Airborne Forces Day (NoName057(16) 2022). The professional day of Russian intelligence, celebrated on November 5, became a signal for KillNet and its affiliated groups to launch a strike on the State Security Committees and intelligence departments of the Baltic countries. “Congratulations! Honoring our intelligence agents, we will make a huge noise in the rotten Baltic region,” underlined KillNet on its official outlet (We are KillNet 2022). The hackers claimed successful attacks not only on the Baltic states, but on several European websites. In December 2022, the KillNet unit Zarya sent a warm note to the FSB on its professional day, stressing: “We know you read our posts. Thank you for guarding the order inside of our homeland!” (Zarya 2022). Its followers joined in on this message, recognizing FSB’s achievements for the Russian Federation (Zarya 2022). Alongside these signals, a few groups dispatched their warmest regards for the Russian President on his birthday on October 7, 2022 (Anonymous Russia 2022; Bear.IT.Army 2022; We are KillNet 2022). Cooperation with the government refers to the legal perspective of the hackers’ recent activities. It should be stated that many hacking groups publicly acknowledged that their members were actively engaged in highly illegal actions that would be punished sooner or later, and their pro-Russian patriotic views would not be taken under consideration if the Russian authorities decided to persecute the groups. The first hacker team that pointed out this problem was XakNet, which was the most experienced and long-lasting group. Asserting their collective admiration for the skills of REvil members, no one Russian hacking group wanted to repeat REvil’s fate, and with bitterness, they acknowledged the role of the Russian government in stopping REvil’s activities. The overall frustration and disappointment within the Russian IT community was addressed by the XakNet group, which agreed that REvil launched multiple unlawful cyber aggressions abroad. In light of the cyberwar, this frustration became more acute because many hackers conducted attacks on behalf of the Russian Federation on a regular basis. As XakNet emphasized, a few groups came out and operated publicly, whereas many hackers were scared to announce their actions, recalling the arrests of REvil’s

170

Chapter 4

members all over the country (Russian OSTIN 2022). In an interview, a XakNet representative clarified: REvil’s team conducted illegal actions. However, they did it abroad, not in Russia. Their software eliminated itself if it detected sudden presence in the Russian Federation. However, the hackers were detained. Previously, this did not occur, and our Russian specialists freely worked for foreign targets. If they detected something dangerous on Russian cyberspace, the hackers warned the appropriate admins. It was a win-win scheme. (Russian OSTIN 2022)

According to the hackers, there were two crucial issues. First, the Russian government destroyed the existing long-lasting existing “agreement,” which helped to nurture the growth of domestic professionals with unique skills; as the authorities revealed their readiness to punish hackers for crimes committed in foreign states, the IT community was seriously petrified (Russian OSTIN 2022). Second, hackers would decide not to work with the government to stand up for their homeland due to the fear of possible legal consequences (Russian OSTIN 2022). Indeed, the group FRWL, answering questions from its followers, disclosed its constant “manic” worry to be identified (FRWL 2022). Acting out of this fear, the FRWL team did not hire outside specialists, even though many hacking groups did this, for instance, KillNet. To carry on its activities, the FRWL hackers relied only on its existing members and their skills. The same concern was voiced by the leader of Zarya, stressing that to protect his members’ identities, hacked data would only be published on its official website and Telegram channel. “Against all allegations, my group does not deliver piles of hacked documents to the Kremlin because we keep our anonymity and value our security,” continued the hacker in his interview for the Russian newspaper Gazeta (Kildushkin 2022). These groups were right to be wary of the consequences of losing their anonymity. They had seen what had happened to REvil, one of the most prolific ransomware gangs. Targeting mainly U.S. digital entities with a ransomware attack, its victim list contained well-known names such as the U.S. Colonial Pipeline, the software provider Kaseya, the meat processor JBS, and others (CBS News 2021; Hill 2021). After the phone call of U.S. president Biden to President Putin in July 2021 where they discussed the problem with the Russian hackers, REvil vanished from the Darknet (Soshnikov 2021). Some sources indicated that hackers became nervous about upcoming punishment in light of widely publicized U.S.-Russian anti-hacker cooperation (Nefedova 2022). In January 2022, FSB operatives conducted raids in several Russian cities. Later, Russian media reported about fourteen detained suspects in Moscow, Saint-Petersburg, the Lipetsk region, and other occasions. Among serious amounts of cash, investigators

Hackers Gather Public Trust and Recognition

171

discovered more than 1 million dollars on REvil’s crypto accounts (Nefedova 2022). Nevertheless, the hackers realized that one day they would be accountable for hacking attacks, regardless of whether or not they were launched with patriotic enthusiasm after February 24, 2022. Indeed, beginning cyber aggression toward Ukraine, the XakNet group was fully aware of the personal risks associated with this criminal behavior: We clearly understand the danger. We were not under sanctions, and nobody asked us to help. Our activities were not coordinated, and we were not sure if our strikes were needed. If our law enforcement authorities will decide to press charges against us, we are ready for it. (Russian OSTIN 2022)

Nonetheless, not all groups realized that even the Russian authorities would chase them one day. When a Russia Today anchor asked KillMilk about the legality of conducted cyber strikes and punishment for them, KillMilk argued that as long as he and his group operated abroad, he considered himself as a law-abiding Russian citizen (Russia Today 2022). So, disregarding REvil’s misfortune and XakNet’s warning, he believed in hackers’ impunity as long as they followed the so-called agreement and, like KillMilk did, sponsored orphanages across the country. Since the beginning of the conflict, the Russian intelligence service limited its pressure on the IT community: “At least, there were not new announcements about hackers’ arrests. Perhaps the authorities are too busy to chase or cooperate with us” (Kildushkin 2022). Hence, the hackers observed themselves as cybercriminals, hiding their identities from domestic and foreign intelligence services. Hoping for impunity in Russia due to their patriotic actions, the hackers experienced a lack of confidence that their own government would forgive them for the crimes they committed in Europe, Ukraine, and the United States. While they kept their hopes up in Russia, the Russian hacker groups expected severe punishment from foreign governments. For instance, in March 2022, the XakNet team underlined that foreign intelligence services were keen to catch them, waiting for when its members crossed the Russian borders: “We are not going to move out from the Russian Federation, even for a vacation trip. So, do not waste your time; we do not want to be detained by Interpol agents” (XakNet Team 2022). In summary, the hacker groups sent signs, both explicit and numerous, to the governmental departments that they would be glad to develop any form of relationship. XakNet and FRWL openly emphasized their short-term cooperation with the military, and People’s Cyber Army assisted local FSB agents in undermining local protest movements against the mobilization in September 2022. Acknowledging that they committed illegal actions and looking for legalization in Russia, the hacking groups openly support the erratic political initiatives of Russian politicians. However, their willingness to cooperate

172

Chapter 4

with the authorities and their pro-Russian political views does not allow us to conclude that the Russian hacking groups were a project of the FSB. It is plausible that sooner or later some of these groups will be under the control of Russian authorities. Domestic Victims of the Russian Hackers To boost brand recognition and attract new followers, hacker brands seek association with newspaper headlines. The best way to make headlines to work for the brand is to repost the most exciting news, which catches the public’s attention. Also, the hacker teams know what topics their “customers” would relate to most, which allows them to anticipate their impact on the audience. At the beginning of July 2022, news about one of Moscow’s auto repair shops ostensibly denying service to a soldier from the Donbas war zone whose vehicle had a Z symbol provoked significant public attention (MK​.​ru 2022). According to the soldier, the shop owner said that his shop did not serve military staffers. However, the shop owner’s version looked different. The soldier demanded his vehicle be repaired for free because he served in the Russian Army. The mechanics tried to explain to the soldier that the shop was closed and moreover, it did not provide service for his car model. The infuriated soldier reported this situation to the popular Telegram channel “Mash,” whose customer base is around 1.7 million people (Mash 2022). The story was quickly spread via Telegram’s news outlets and then swiftly spread to TV news and print headlines. With the wide publicity of this story, the business and its owner became a target for common citizens and hackers. The KillNet group hacked the auto repair shop’s website and proposed its followers write nasty reviews on Yandex maps (We are KillNet 2022). On July 7, 2022, another business in Moscow tried to survive under the hacker’s pressure. Infuriated Moscow residents notified Akim Apachev’s Telegram outlet about an ongoing charity auction where participants were selling their vintage vinyl disks (Akim Apachev 2022). In particular, Telegram subscribers complained about the auction, which was conducted in a Mexican restaurant owned by a businessman, Pavel Kosov. Remarkably, this restaurant is located not far from the famous building of the FSB headquarters—The Lubyanka. People sent photos of the auction’s announcement on the restaurant’s entrance door: “Tomorrow, a charity vinyl record market begins in our bar.  .  .  . dozens of our friends, musicians, vinyl collectors, and concerned people gave up their items to sell .  .  . Money collected during this event will be sent to @kyivangels” (Akim Apachev 2022). Given the fact that the volunteer organization “Kyiv Angels” is a Ukrainian entity which helps the Ukrainian people and Armed Forces, Pavel Kosov was labeled “a supporter

Hackers Gather Public Trust and Recognition

173

of Ukrainian terrorists who kill Russian children in the Donbas area” (Akim Apachev 2022). Allegedly, many Moscow lounges, bars, and restaurants hosted this auction between June 26 and July 7, 2022. The founders of this event were not known, but in February 2022, these individuals took part in a wave of antiwar meetings in the capital which began on February 24, and the owner of the Mexican restaurant was one of the protesters. On day 4 of these protests, police officers detained Pavel Kosov along with twenty-one other protesters in the Konkovo region of Moscow (OVD News 2022). As the scandal spilled over from Telegram to newspaper headlines, Pavel Kosov’s personal data began circulating all over the Internet, including his home address and cell phone number (Troika 2022). To assist the police, the FRWL hackers collected the data about Kosov and his activities. Its subscribers demanded the hackers launch a DDoS attack against the restaurant, but FRWL explained: “We read your demands, but DDoS attacks or other sorts of attacks are not always needed. We think our police authorities will handle it much better, and more painfully” (FRWL 2022). Undoubtedly, the incident with the Moscow restaurant reached not only the police but also other concerned officials. Indeed, the Moscow Duma deputy, Andrey Medvedev, uttered a serious concern, stressing that he would contact law enforcement agencies and demand that they check the involved individuals for financing the Armed Forces of Ukraine (A. Medvedev 2022). In a couple of days, the frustrated owner was forced to release a video explaining the situation. According to him, the auction’s organization did not inform him about the real goals of the charity auction; thus, this unfortunate incident occurred, and the restaurant’s reputation was tarnished. Pavel Kosov stressed he had never supported the Ukrainian soldiers (FRWL 2022). However, the restaurant’s Instagram account aired a post with a different explanation; allegedly, the restaurant outlet was compromised, and unknown hackers placed a post about the charity auction (Signal 2022). For the concerned public, both explanations became unpersuasive. Consequently, a negative reaction was unavoidable. Indeed, the FRWL hackers leaked information not only about the business but also Kosov’s business partners. Worth noting is the fact that the restaurant was temporarily closed because the owner and employees received threats. In fact, the hackers from FRWL tracked the unfolding scandal. Even though they did not utilize their professional skills, attacking Pavel Kosov and his business partners, the FRWL hackers simply gathered digital evidence which could help to punish these individuals. In December 2022, there was an incident involving Russian soldiers who tried to attend a bar in the city of Krasnodar, but the security guards did not let them in due to the dress code regulations (Rusvesna 2022). Its owner is a

174

Chapter 4

famous singer and composer of the 2000s, Sergey Zhykov; it must be taken into account that in Russia, since February 24, 2022, there has been a rise in public outrage over domestic celebrities for refusing to support the Russian Armed Forces. In light of this, influential Telegram news outlets aired nasty articles and scolded Sergey Zhykov as a part of the celebrity club for his hidden support of the rebellious celebrities (Readovka 2022; Rusvesna 2022). On the same day, the KillNet team asked its audience to share the address of Zhykov’s website because the angry hackers decided to crash it as a lesson for others (We are KillNet 2022). The owner’s reaction to this situation was rapid, but KillNet was faster. Despite the hackers’ promise not to attack Russian digital entities, the group made an exception: 30 minutes after receiving the address, KillNet’s DDoS attack ruined the singer’s website. Even though KillNet provided evidence, it is not known if the DDoS strike was launched because KillNet, Sergey Zhykov, nor Russian news portals mentioned the strike whatsoever (Izvestia 2022; Poplavok 2022; Rychkina 2022). To placate the public and the hackers, Sergey Zhykov revised the dress code rules and invited the troops to one of his bars with their friends (Zhykov 2022). The satisfied KillNet stopped chasing the musician, but its audience was divided on his response. Some of the followers generalized that every celebrity was a potential traitor and Nazi supporter, whereas the other part of the followers was delighted by Zhykov’s warm and reasonable proposal for the troops (We are KillNet 2022). The Rutor platform was the popular Darknet forum where individuals could buy or sell anything. Within the Russian-speaking Internet, there were several conspiracy theories about Rutor’s owners. According to one theory, the forum was sold to law enforcement authorities. There were rumors that drug dealers bought it. In August 2022, Telegram exploded from the news that the Ukrainian intelligence service became the new administration of Rutor (We are KillNet 2022). Therefore, KillNet immediately called hackers for cooperation in order to conduct a huge DDoS strike. Eventually, three groups—Anonymous Russia (the KillNet unit), Phoenix, and QBOTDDOS, joined their efforts in trying to take down the Rutor forum; in addition, KillNet published Rutor’s addresses and asked its followers to participate (We are KillNet 2022). After four days of continuous DDoS attacks, the Rutor admins contacted KillNet and offered to pay them in exchange for stopping the strikes and reinstating the forum’s reputation. As the hackers informed everyone on Telegram, Rutor transferred $15,000 in cryptocurrency, but KillNet deceived the admins, announcing a new attack in three days. To highlight the patriotic intentions of KillNet and prevent rumors, the KillNet team promised to send 50% of this amount to orphanages (KillMilk 2022). Worth noting is the fact that the group did not provide screenshots to prove the transaction from Rutor, and KillNet

Hackers Gather Public Trust and Recognition

175

forgot to provide the promised evidence that the orphanages received its donations. Starting from their first day on social media, the hacker groups felt obligated to explain and proliferate their political position to followers and the Russian authorities, which echoed the official government’s view on the Russian military operation in Ukraine. Monitoring the unprecedented crisis in Ukraine, the hackers felt it was their duty to contribute to the cause online against adversaries of the Russian Federation. Their every action, supported with numerous online posts, was in line with their voiced anti-NATO and anti-Ukrainian government stance. To highlight the pro-government sentiment, many hacking groups congratulated professional military holidays in a traditional way or with a cyber strike. When in the fall of 2022, the Russian government began a partial mobilization, two hacking teams condemned the anti-war initiative. Despite the fact that they openly supported this unpopular government initiative and attacked anti-war activists, the popularity or reputation of these hacking groups was not undermined. In fact, this pro-Russian agenda resonated with the Russian-speaking audience, meeting their followers’ expectations from a brand perspective. At the same time, the pro-Russian political views provided a foundation for cooperation between the hacker groups and other digital entities outside of IT professional circles, such as news anchors, military units, charity organizations, and volunteers. For the hackers, their coherent political agenda augmented and boosted their recognition and trust not only among their followers but also helped the hackers to be accepted by the new informational network formed by pro-Russian informational channels on Telegram. As recognition and trust demanded constant attention relating to content and meticulous oversight from brand management, the hacker groups monitored false accounts which mimicked their outlets and accentuated their abilities and skills to impress followers and warm up public interest by strikes on meaningful targets at home and abroad. NOTES 1. VPN refers to a virtual private network, which helps protect a user’s identity and data. 2. Eurovision is a singing contest, established by the European Broadcasting Union in 1951. There are a number of state members and associated members. In 2022, fifty-two countries participated in this musical competition, excepting the Russian Federation. 3. Yana Rudkovskaya is a Russian music producer. Her first husband was Viktor Baturin, the brother of Yelena Baturina, the widow of Yuri Luzhkov. In 2007, Yana Rudkovskaya got married to skating prodigy Alexander Plushenko.

176

Chapter 4

4. Ivan Urgant is one of the most popular artists in the Russian Federation. Prior to the Russian invasion to Ukraine, he was a host of a popular late-night talk show on the First Channel, sponsored by the Russian government. 5. Alla Pugacheva is seventy-three-year-old Soviet and Russian singer. After February 24, 2022, she decided to leave Russia for Israel due to the war in Ukraine. 6. Maksim Galkin is Alla Pugacheva’s husband and a well-known comedian. Along with his family, he relocated to Israel as the war in Ukraine started. In September 2022, the Russian government recognized him as a foreign agent who gathered money from Ukraine. 7. Valery Meladze is a Russian singer and composer who was born in Batumi, Georgia. 8. Aleksander Nevzorov is a TV journalist and former State Duma Deputy. In March 2022, Nevzorov left Russia; nowadays, he received Ukrainian citizenship. 9. Andrey Makarevich is a Soviet and Russian musician and composer. He is a founder of one of the best rock bands in Russia, named “Time Machine.” 10. Boris Grebenshchikov was born in 1953 in Leningrad. He is a singer/songwriter. Now, Boris Grebenshchikov resides abroad and criticizes the Russian aggression in Ukraine. 11. The hacker group CarbonSec was mentioned by KillNet in August 2022 when KillNet’s leadership prepared the attack on the Lockheed Martin corporation. The CarbonSec Telegram account was blocked in the fall of 2022. The Russianspeaking online segment did not contain information about this group, if it ever existed. 12. According to KillMilk, the founder of the KillNet hacker brand, a hacker with the nickname Two-Faced contacted him and proposed his assistance in preparation for the attack. This hacker is swatter, who usually works on the post-Soviet region, the United States, and European targets. However, it is not possible to provide any information about this individual. 13. More details about People’s Cyber Army and KillNet’s engagement in the story with the Utro Dagestan source can be found in Chapter 4. 14. GazProm Bank is a private bank of the Russian Federation, which and is one of the largest Russian banks.

REFERENCES Akim Apachev. 2022. An anti-war action is on the middle of our capital. July 6. Accessed October 12, 2022. https://t.me/akimapachev/2783. Anisimova, N. 2022. The Kremlin refused to consider those who left Russia as enemies of the state. April. Accessed December 23, 2022. https://www​.rbc​.ru​/politics​ /02​/04​/2022​/624​8922​99a7​9474​c00de5993. Anonymous Russia. 2022. Anonymous is not against Russia. July 18. Accessed November 27, 2022. https://t.me/anon_by/74.

Hackers Gather Public Trust and Recognition

177

———. 2022. Congratulations to our President. October 7. Accessed January 10, 2023. https://t.me/anon_by/905 . ———. 2022. Donations! October 14. Accessed October 20, 2022. https://t.me/ anon_by/1009. ———. 2022. The welcome note. Edited by Julia Sweet. Author’s Archive, July 13. Balashova, A., D. Chebakova, and T. Kornev. 2022. The Ministry of Digital Development offered preferential mortgages and a deferment from conscription for IT specialists. February 28. Accessed 13 December, 2022. https://www​.rbc​.ru​/technology​_and​_media​/28​/02​/2022​/621​cfac​c9a7​9479​492100cfc. BBC. 2022. Russia reported a Ukrainian strike on an oil depot in Belgorod. April 1. Accessed June 19, 2022. https://www​.bbc​.com​/russian​/news​-60944913. BBC News. 2022. Eurovision 2022: Russian vote hacking attempt foiled, police say. May 16. Accessed December 23, 2022. https://www​.bbc​.com​/news​/entertainment​ -arts​-61463364. Bear IT Army. 2022. A trip to Donbas region. November 5. Accessed December 23, 2022. https://t.me/BEARITARMY/13491. Bear.IT.Army. 2022. Putin’s birthday is today. October 7. Accessed January 10, 2023. https://t.me/BEARITARMY/10694. ———. 2022. We killed Nevzorov’s website. April 4. Accessed November 14, 2022. https://t.me/BEARITARMY/167. Belokrysova, A., M. Alyukov, A. Denisenko, S. Erpyleva, A. Kropivnitsky, I. Kozlova, N. Korytnikova, et  al. 2022. Russian society and the war in Ukraine. Edited by S. Yerpyleva, and N. Savelyeva. June. Accessed January 1, 2023. https:// publicsociology​.tilda​.ws​/war​_report. Beregini. 2022. Our teamwork with RaDHIt. September 29. Accessed January 13, 2023. https://t.me/hackberegini/1046. Beschetnikova, Nadya. 2022. Social media discussed the Chanel scandal in Dubai. April 1. Accessed December 24, 2022. https://spletnik​.ru​/105642​-v​-seti​-obsuzhdayut​-otkaz​-butikov​-chanel​-ot​-obsluzhivaniya​-russkikh​-klientov​.html. Carbonaro, G. 2022. HIMARS-Maker Lockheed Martin ‘confident’ against Russian hackers. August 10. Accessed December 30, 2022. https://www​.newsweek​.com​/ himars​-maker​-lockheed​-martin​-cyberattack​-russian​-hackers​-1732504. CBS News. 2021. Hackers demand $70 million to end biggest ransomware attack on record. July 6. Accessed January 20, 2023. https://www​.cbsnews​.com​/news​/ ransomware​-attack​-revil​-hackers​-demand​-70​-million/. CISA. 2022. Russian state-sponsored and criminal cyber threats to critical infrastructure. April 24. Accessed November 12, 2022. https://www​.cisa​.gov​/uscert​/ ncas​/alerts​/aa22​-110a. Commissariatodips​.i​t. 2022. Computer attacks on the Eurovision Song contest 2022 foiled by the State Police. May 15. Accessed December 23, 2022. https://www​ .commissariatodips​.it​/notizie​/articolo​/sventati​-dalla​-polizia​-di​-stato​-attacchi​-informatici​-alleurovision​-song​-contest​-2022​/index​.html. Deanon Club. 2022. BlackSprut and KillNet. November 17. Accessed December 25, 2022. https://t.me/c/1830401135/67.

178

Chapter 4

———. 2022. KillNet attacked Rutor. N0vember 24. Accessed December 25, 2022. https://t.me/c/1830401135/85. ———. 2022. KillNet “power”. November 18. Accessed December 23, 2022. https://t.me/c/1830401135/70. ———. 2022. Our cooperation with KillNet. November 26. Accessed December 23, 2022. https://t.me/killnet_reservs/3791. Delyagin, M. 2022. Informational report #58. December 24. Accessed January 12, 2023. https://dzen​.ru​/video​/watch​/63a​00d2​7573​a342​1c5eae69e​?t​=6. Demidov, Anton. 2022. Zakharova called the purpose of the special operation of Russia in Ukraine. 25 February. Accessed October 24, 2022. https://www​.gazeta​ .ru​/army​/news​/2022​/02​/25​/17346253​.shtml. Finance Rambler. 2023. The Ministry of Digital Development has identified 195 specialties that give the right to a deferment from partial mobilization. September 27. Accessed January 2, 2023. https://finance​.rambler​.ru​/realty​/49414951​-mintsifry​-opredelilo​-195​-spetsialnostey​-dayuschih​-pravo​-na​-otsrochku​-ot​-chastichnoy​-mobilizatsii/. FRWL. 2022. Hackers! We have to work! September 21. Accessed December 12, 2022. https://t.me/frwl_team/269. ———. 2022. Hey, our team! August 8. Accessed January 12, 2023. https://t.me/ frwl_team/241. ———. 2022. IT specialists flee from Russia. June 28. Accessed November 13, 2022. https://t.me/frwl_team/74. ———. 2022. Our connections. August 6. Accessed December 22, 2022. https://t. me/frwl_team/240. ———. 2022. Our deal with the organosyn​ .com​​ .ua website. July 2. Accessed December 12, 2022. https://t.me/frwl_team/118. ———. 2022. Our mission statement. June 11. Accessed November 16, 2022. https://t.me/frwl_team/3. ———. 2022. Our recent attack on Gorilla Circuits. August 1. Accessed December 30, 2022. https://telegra​.ph​/Vozmezdie​-08​-01. ———. 2022. Our support channel got plenty messages. June 30. Accessed December 23, 2022. https://t.me/frwl_team/91. ———. 2022. Our trip to Norway. July 1. Accessed December 25, 2022. https://t. me/frwl_team/106. ———. 2022. Pavel Kosov recorded a video. July 11. Accessed October 13, 2022. https://t.me/frwl_team/182?single. ———. 2022. Questions from our followers. August 17. Accessed December 22, 2022. https://t.me/frwl_team/249. ———. 2022. The situation with the Moscow restaurant. July 11. Accessed October 13, 2022. https://t.me/frwl_team/172. ———. 2022. We do not disappear. November 25. Accessed December 23, 2022. https://t.me/frwl_team/275. Gromova, V., and M. Ovsiannikova. 2022. A probe against Aleksander Nevzorov was set up. March 22. Accessed November 14, 2022. https://www​.rbc​.ru​/society​/22​/03​ /2022​/623​9fb3​79a7​947f​2172e9198.

Hackers Gather Public Trust and Recognition

179

GTRK Dagestan. 2022. Telegram admins were detained by the FSB. September 29. Accessed January 2023, 13. https://t.me/gtrkdagestan/7216. Gusev, D. 2022. My second statement about the Russian Cyber Front. November 25. Accessed December 14, 2022. https://t.me/gusev_tg/1492. Guttman, Jon. 2022. M142 HIMARS: The US Artillery Tearing Into Russia in Ukraine. July 21. Accessed December 30, 2022. https://www​.historynet​.com​/m142​ -himars/. Hill, Michael. 2021. The Kaseya ransomware attack: A timeline. November 21. Accessed January 21, 10. https://www​.csoonline​.com​/article​/3626703​/the​-kaseya​ -ransomware​-attack​-a​-timeline​.html. Interfax. 2022. RAEC predicted the departure of up to 100 thousand IT specialists from the Russian Federation in April. March 22. Accessed December 23, 2022. https://www​.interfax​.ru​/digital​/830581. International Hacker Alliance. 2022. Our units. April 30. Accessed December 23, 2022. https://t.me/world_hacker_alliance/54. Ivanov, Y. 2022. OUKR​.in​fo received threats from Russian hackers. March 28. Accessed January 1, 2023. https://oukr​.info​/operatyvnij​-ukrayini​-info​-nadijshly​ -pogrozy​-vid​-rosijskyh​-hakeriv​-noname​.html. Izvestia. 2022. Zhykov placated the angry public. December 4. Accessed January 12, 2023. https://iz​.ru​/1435443​/2022​-12​-04​/zhukov​-otmenil​-zapret​-na​-kamufliazh​-v​ -barakh​-posle​-intcidenta​-s​-uchastnikom​-svo. Kadyrov, Ramzan. 2022. A statement about enemies of the state. April 3. Accessed December 23, 2022. https://t.me/RKadyrov_95/1759. Karasin, Grigory. 2022. Russia is a sponsor of terrorism. November 23. Accessed November 29, 2022. https://t.me/Grigory_Karasin/631. Kildushkin, Roman. 2022. A founder of KillNet about the cyber war. August 7. Accessed December 23, 2022. https://www​.gazeta​.ru​/tech​/2022​/08​/07​/15229652​ .shtml. ———. 2022. The leader of Zarya: We are not terrorists. November 6. Accessed January 2, 2023. https://www​.gazeta​.ru​/tech​/2022​/11​/06​/15734689​.shtml​ ?updated. KillMilk. 2022. A list of staffers. August 11. Accessed January 13, 2023. https://t.me/ killmilk_rus/32. ———. 2022. Attack Lockheed Martin! July 31. Accessed December 30, 2022. https://t.me/killmilk_channel/17. ———. 2022. Gysev’s project. November 23. Accessed October 13, 2022. https://t. me/killmilk_rus/278. ———. 2022. KillNet birthday. November 13. Accessed December 23, 2022. https://t.me/killmilk_rus/226. ———. 2022. My interview. December 20. Accessed December 20, 2022. https://ton​ .place​/killmilk​?w​=post7781395. ———. 2022. My next steps for Lockheed Martin. August 11. Accessed January 13, 2022. https://t.me/killmilk_rus/35. ———. 2022. Rutor gave money to KillNet. August 22. Accessed September 20, 2022. https://t.me/killmilk_rus/65.

180

Chapter 4

———. 2022. The attack on Lockheed Martin was finished. August 11. Accessed January 13, 2023. https://t.me/killmilk_rus/20. KillNet. 2022. KillNet – Russian Hacker Group. May 1. Accessed May 12, 2022. https://trackingterrorism​.org​/group​/killnet​-russian​-hacker​-group/. Kommersant. 2022. Ongoing mobilization in Russia. September 24. Accessed January 3, 2023. https://www​.kommersant​.ru​/doc​/5581064​?query=​%D0​%BF​%D1​%80​ %D0​%BE​%D1​%82​%D0​%B8​%D0​%B2​%20​%D1​%87​%D0​%B0​%D1​%81​%D1​ %82​%D0​%B8​%D1​%87​%D0​%BD​%D0​%BE​%D0​%B9​%20​%D0​%BC​%D0​%BE​ %D0​%B1​%D0​%B8​%D0​%BB​%D0​%B8​%D0​%B7​%D0​%B0​%D1​%86​%D0​%B8​ %D0​%B8. Komsomolskaya Pravda. 2022. Putin announced the partial mobilization. September 21. Accessed January 2, 2023. https://www​.youtube​.com​/watch​?v​=zKmuCHvGvhQ​&t​=28s. Kp​.r​u. 2022. Ramzan Kadyrov: We are fighting against NATO. May 18. Accessed May 20, 2022. https://www​.kp​.ru​/video​/880165/. Legion. 2022. Are you ready: Our poll. May 14. Accessed December 23, 2022. https://t.me/Legion_Russia/274. ———. 2022. Eurovision IP numbers. May 14. Accessed December 23, 2022. https://t.me/Legion_Russia/263. ———. 2022. Italian police losers! May 15. Accessed December 23, 2022. https://t. me/Legion_Russia/287. ———. 2022. Our goals for the upcoming attack on Eurovision. May 14. Accessed December 23, 2022. https://t.me/Legion_Russia/264. ———. 2022. Stop nagging! May 14. Accessed December 23, 2022. https://t.me/ Legion_Russia/280. ———. 2022. Stop the attack, please. May 14. Accessed December 23, 2022. https://t.me/Legion_Russia/281. ———. 2022. Stop the strike! May 14. Accessed May 23, 2023. https://t.me/ Legion_Russia/279. ———. 2022. The blitzkrieg tactic. May 14. Accessed December 23, 2022. https://t. me/Legion_Russia/282. ———. 2022. Zarya is looking for IPs for the upcoming attacks. May 14. Accessed December 23, 2022. https://t.me/Legion_Russia/271. Lenta. 2022. Putin declared a mobilization. September 21. Accessed January 2, 2023. https://lenta​.ru​/brief​/2022​/09​/21​/putin/. Levada Center. 2022. Russia and NATO. April 15. Accessed December 24, 2022. https://www​.levada​.ru​/2022​/04​/15​/mezhdunarodnye​-otnosheniya​-6/. ———. 2022. Russian-American relations. May 25. Accessed December 12, 2022. https://www​.levada​.ru​/2022​/05​/25​/rossijsko​-amerikanskie​-otnosheniya/. Mandiant. 2022. GRU: Rise of the (Telegram) MinIOns. September 23. Accessed November 13, 2022. https://www​.mandiant​.com​/resources​/blog​/gru​-rise​-telegram​ -minions. Mash. 2022. The client explains the situation with the car service. July 5. Accessed November 29, 2022. https://t.me/breakingmash/36328.

Hackers Gather Public Trust and Recognition

181

Matveychev, Oleg, interview by E Maltzeva. 2022. “An interview with Oleg Matveychev.” Ura​.new​s. (December 6). Accessed January 13, 2023. https://ura​.news​/ news​/1052608382. Meduza. 2022. Alla Pugacheva returned to Russia. August. Accessed December 2022, 2022. https://meduza​.io​/news​/2022​/08​/27​/alla​-pugacheva​-vernulas​-v​-rossiyu​-kak​-i​-obeschala. ———. 2022. The Moscow observation wheel was stopped shortly after its opening. September 13. Accessed December 23, 2022. https://meduza​.io​/feature​/2022​/09​ /13​/poka​-rossiyskaya​-armiya​-otstupala​-v​-ukraine​-putin​-otkryval​-solntse​-moskvy​ -samoe​-bolshoe​-v​-evrope​-koleso​-obozreniya. Medvedev, A. 2022. Response to Akim Apachev. July 7. Accessed October 13, 2022. https://t.me/MedvedevVesti/10372. Medvedev, D. 2022. A statement about the enemies of the state. February 28. Accessed December 23, 2022. https://t.me/medvedev_telegram/239. Melikov, S. 2022. The protests in Dagestan. September 26. Accessed January 13, 2023. https://t.me/melikov05/537. Metsola, R. 2022. Our website is under attack. November 29. Accessed November 29, 2022. https://twitter​.com​/EP​_President​/status​/1595443471518777345​?cxt​ =HHwWgoC​-sczYk6QsAAAA. Ministry of Foreign Affairs of Russia. 2022. A briefing of the Ministry of Foreign Affair. February 25. Accessed January 12, 2023. https://www​.youtube​.com​/watch​ ?v​=WztQVKdFk0s. MK​.r​u. 2022. Car service in Moscow refused to service a car with a Z symbol. July 6. Accessed December 1, 2022. https://www​.mk​.ru​/social​/2022​/07​/06​/avtoservis​-v​ -moskve​-otkazalsya​-obsluzhivat​-mashinu​-s​-simvolom​-z​.html. MoscowSun. 2022. Moscow new attraction. September 10. Accessed December 20, 2022. https://t.me/moscowsunofficial/478. Nefedova, M. 2022. Arrests of the REvil hackers became a surprise. January 1. Accessed January 1, 2023. https://xakep​.ru​/2022​/01​/21​/revil​-darknet/. Nemesis. 2022. Our joined operation. July 29. Accessed January 1, 2023. https://t. me/nemeZ1da_ru/539. NoName057(16). 2022. A warning letter for 4studio. March 28. Accessed February 2, 2023. https://t.me/noname05716/49. ———. 2022. Another fake news source was turned down. March 29. Accessed February 2, 2023. https://t.me/noname05716/51. ———. 2022. Dmitry Gysev’s proposal. November 22. Accessed November 13, 2022. https://t.me/noname05716/1106. ———. 2022. Our mission statement. March 11. Accessed November 23, 2022. https://t.me/noname05716/3. ———. 2022. The attack on the polish airline. August 2. Accessed November 30, 2022. https://t.me/noname05716/561. ———. 2022. Zadix​.n​et is under attack. March 31. Accessed February 2, 2023. https://t.me/noname05716/56. Novaya Gazeta. 2022. A detention order is issued for Nevzorov. May 6. Accessed November 13, 2022. https://novayagazeta​.eu​/articles​/2022​/05​/06​/sud​-v​-moskve​

182

Chapter 4

-zaochno​-arestoval​-publitsista​-aleksandra​-nevzorova​-po​-delu​-o​-feikakh​-pro​-deistviia​-rossiiskoi​-armii​-news. OVD News. 2022. Detentions in Dagestan. September 25. Accessed January 10, 2023. https://ovd​.news​/news​/2022​/09​/25​/spiski​-zaderzhannyh​-v​-svyazi​-s​-akciyami​-protiv​-mobilizacii​-25​-sentyabrya. ———. 2022. Protests in 17 Russian cities. March 6. Accessed October 13, 2022. https://ovd​.news​/news​/2022​/02​/28​/spiski​-zaderzhannyh​-v​-svyazi​-s​-akciyami​-protiv​-voyny​-s​-ukrainoy​-28​-fevralya​-2022. People’s Cyber Army. 2022. Dagestan protests were organized on Telegram. September 26. Accessed November 30, 2022. https://t.me/CyberArmyofRussia_ Reborn/1232. ———. 2022. Join our team! March 2. Accessed December 3, 2022. https://t.me/ CyberArmyofRussia/4. ———. 2022. Many liberals rejected the mobilization. September 21. Accessed January 2, 2023. https://t.me/CyberArmyofRussia_Reborn/1189. ———. 2022. Our attack on the Mozart militant group. September 27. Accessed November 30, 2022. https://t.me/CyberArmyofRussia_Reborn/1237. ———. 2022. Our joined strike at the enemy’s website. April 1. Accessed October 16, 2022. https://t.me/CyberArmyofRussia_Reborn/33. ———. 2022. Our new logo. July 15. Accessed October 10, 2022. https://t.me/ CyberArmyofRussia_Reborn/726. ———. 2022. Our strike on Ukropsoft. October 4. Accessed December 23, 2022. https://t.me/CyberArmyofRussia_Reborn/1286. ———. 2022. Putin’s mobilization order. September 21. Accessed January 2, 2023. https://t.me/CyberArmyofRussia_Reborn/1187. ———. 2022. The Mozart Group is under our attack. November 21. Accessed November 30, 2022. https://t.me/CyberArmyofRussia_Reborn/1729?single. ———. 2022. We attack the Vesna website. September 21. Accessed January 1, 2023. https://t.me/CyberArmyofRussia_Reborn/1191. ———. 2022. Zelensky picture. November 30. Accessed January 12, 2023. https://t. me/CyberArmyofRussia_Reborn/1847. Phoenix. 2022. Repost from the International Hackers Alliance. April 15. Accessed December 23, 2022. https://t.me/phoenixinform/396. Politikus. 2022. Utro Dagestan’s administrators were identified via a link. September 27. Accessed January 12, 2022. https://politikus​ .info​ /events​ /146982​ -sdeanonili​ -razzhigayuschiy​-protesty​-v​-dagestane​-telegram​-kanal​-utro​-dagestan​.html. Poplavok, V. 2022. Zhykov changed rules for his bars. December 4. Accessed January 12, 2023. https://tvcenter​.ru​/zvezdy​/tak​-byvaet​-sergey​-zhukov​-publichno​-prokommentiroval​-zapret​-na​-vhod​-v​-ego​-bary​-uchastnikov​-spetsoperatsii/. Readovka. 2022. Russian soldiers were kicked out of a bar! December 3. Accessed January 12, 2023. https://t.me/readovkanews/48158. Rogozin, D. 2022. My speech at the missile facility. March 10. Accessed January 11, 2023. https://www​.youtube​.com​/watch​?v​=UlqaeRlfXxY. Rudkovskaya, Y. 2022. Chanel scandal. April 1. Accessed December 23, 2022. https://t.me/doveoftheworld/1004.

Hackers Gather Public Trust and Recognition

183

Russia Today. 2022. An interview with KillMilk (KillNet). October 9. Accessed January 2, 2023. https://russian​.rt​.com​/world​/article​/1059107​-killnet​-hakery​-ssha​ -razoblachenie. Russian OSTIN. 2022. “Interview with pro-Russian hackers from XakNet.” Interview with XakNet. June 26. https://telegra​.ph​/Intervyu​-s​-XakNet​-Team​-06​-26. Rusvesna. 2018. Our story. February 8. Accessed December 24, 2022. https://rusvesna​.su​/about. ———. 2022. KillNet gift for us! November 13. Accessed December 20, 2022. https://t.me/RVvoenkor/31764. ———. 2022. Sergey Zhykov’s bar did not allow Russian soldiers to enter. December 3. Accessed January 12, 2023. https://t.me/RVvoenkor/33187?single. Rychkina, T. 2022. Sergey Zhykov comments the incident in his bar. December 4. Accessed January 12, 13. https://www​.kommersant​.ru​/doc​/5705896. Scott, Mark. 2022. How Ukraine used Russia’s digital playbook against the Kremlin. August 24. Accessed January 1, 2023. https://www​.politico​.eu​/article​/ukraine​-russia​-digital​-playbook​-war/. SHOT. 2022. An interview with D.Gusev. November 23. Accessed December 14, 2022. https://t.me/gusev_tg/1477. Signal. 2022. Its restaurant account was hacked. July 7. Accessed October 13, 2022. https://t.me/ssigny/32015. Sledkom. 2022. Investigative Committee launched a probe against Nevzorov. March 22. Accessed November 13, 2022. https://sledcom​.ru​/news​/item​/1666644/. Soshnikov, A. 2021. Who did delete the REvil hackers from cyberspace? July 15. Accessed January 1, 2023. https://www​.svoboda​.org​/a​/kto​-ubral​-hackerov​-is​-darkneta​/31359720​.html. St.Peterburg Prosecutor Office. 2022. Actions against the Vesna movement. September 30. Accessed January 1, 2023. https://t.me/procspb/2661. Stop-NATO movement. 2022. About us. April 27. Accessed September 12, 2022. https://xn-​-80azccckhe​.xn-​-p1ai​/en​/movement. Strozewski, Z. 2022. Russia is at war with NATO: Kremlin Official. August 10. Accessed November 12, 2022. https://www​.newsweek​.com​/russia​-war​-nato​-kremlin​-official​-1732679. TASS. 2022. Russia to end special operation after removing threats caused by NATO’s colonization of Ukraine. April 20. https://tass​.com​/politics​/1440761. The European Parliament. 2022. “Europarl​.europa​.​eu.” European Parliament resolution of 23 November 2022 on recognising the Russian Federation as a state sponsor of terrorism. November 23. Accessed November 26, 2022. https://www​ .europarl​.europa​.eu​/doceo​/document​/TA​-9​-2022​-0405​_EN​.html. The Fair Russia Party. 2022. The discussion of Russian cyber security and economy. November 23. Accessed November 29, 2022. https://vk​.com​/dg​_prav. The State Duma. 2022. Putin signed a new law against fake information. March 4. Accessed November 13, 2022. http://duma​.gov​.ru​/news​/53632/. Thevoicemag. 2022. Marina Ermoshkina initiated an anti-Chanel challenge. April 7. Accessed December 23, 2022. https://www​.thevoicemag​.ru​/stars​/news​/07​-04​-2022​ /o​-chellendzhe​-mariny​-ermoshkinoy​-napisali​-telegraph​-i​-the​-mirror/.

184

Chapter 4

Utro Dagestan. 2022. Be prepared for the meeting! September 24. Accessed January 13, 2023. https://t.me/utro_dagestan/2739. ———. 2022. Instructions for the upcoming meeting. September 24. Accessed January 13, 2023. https://t.me/utro_dagestan/2739. ———. 2022. The meeting will be at 15:00. September 24. Accessed January 12, 2023. https://t.me/utro_dagestan/2721. Vesna. 2022. Occupy streets! Protest against the mobilization! September 21. Accessed October 1, 2022. https://t.me/vesna_democrat/3630. Voropaeva, E., and A. Serova. 2022. Nevzorov was granted Ukrainian citizenship. June 3. Accessed November 13, 2022. https://www​.rbc​.ru​/politics​/03​/06​/2022​/629​ 9ce6​89a7​9471​1a5d34b26. We are Killnet. 2022. A fake account on Vk​.co​m. November 10. Accessed December 13, 2022. https://t.me/killnet_reservs/3451. ———. 2022. Mirai released fraudsters’ personal information . September 19. Accessed January 3, 2023. https://t.me/killnet_reservs/2722. We are KillNet. 2022. A new idea of Russian officials! November 25. Accessed October 13, 2022. https://t.me/killnet_reservs/3771. ———. 2022. A next poll: Pick a target! July 4. Accessed December 25, 2022. https://t.me/killnet_reservs/2064. ———. 2022. A survey about Russian celebrities. March 17. Accessed November 23, 2022. https://t.me/killnet_reservs/158. ———. 2022. About our group. February 26. Accessed November 20, 2022. https://t. me/killnet_reservs/10. ———. 2022. An email from a Polish spy. July 26. Accessed November 29, 2022. https://t.me/killnet_reservs/2201. ———. 2022. An email from a Polish Telegram user. July 26. Accessed November 29, 2022. https://t.me/killnet_reservs/2202. ———. 2022. Anonymous attacks the European Parliament. November 23. Accessed November 29, 2022. https://t.me/killnet_reservs/3710. ———. 2022. Be careful: Fake news. September 11. Accessed December 23, 2022. https://t.me/killnet_reservs/2596. ———. 2022. Be careful: Scam. December 18. Accessed December 19, 2022. https://t.me/c/1688942657/1333438. ———. 2022. Check the links. March 17. Accessed November 23, 2022. https://t.me/ killnet_reservs/159. ———. 2022. Do not listen our enemies! September 21. Accessed January 2, 2023. https://t.me/killnet_reservs/2749. ———. 2022. Do not t-shirts from this website! September 15. Accessed January 1, 2023. https://t.me/killnet_reservs/2661. ———. 2022. Fake accounts. Edited by Author’s Archive. April 25. ———. 2022. Fake KillNet account with many followers. Author’s Archive, June 28. ———. 2022. Fake support account! 27 September. Accessed December 16, 2022. https://t.me/killnet_reservs/2869. ———. 2022. False account of Killnet. Archive, Author’s, March 3.

Hackers Gather Public Trust and Recognition

185

———. 2022. Fraudsters stole from volunteers. September 19. Accessed January 2, 2023. https://t.me/killnet_reservs/2716. ———. 2022. Hackers’ cooperation against Lockheed Martin. August 10. Accessed December 30, 2022. https://t.me/killnet_reservs/2283. ———. 2022. Is Galkin back? August 28. Accessed December 25, 2022. https://t. me/killnet_reservs/2475. ———. 2022. KillMilk: My story. September 22. Accessed November 22, 2022. https://t.me/killnet_reservs/2858. ———. 2022. KillNet’s statement for European media. no. 13(9). Edited by J Sweet. April 25. ———. 2022. Nevzorov website turned down! May 13. Accessed November 13, 2022. https://t.me/killnet_reservs/1275. ———. 2022. Our attack is ended. August 10. Accessed January 13, 2023. https://t. me/killnet_reservs/2291. ———. 2022. Our birthday is today! November 13. Accessed December 24, 2022. https://t.me/killnet_reservs/3499. ———. 2022. Our joined attack on Rutor. August 15. Accessed October 20, 2022. https://t.me/killnet_reservs/2356. ———. 2022. Our new ally: Stop-NATO group. April 17. Accessed May 12, 2022. https://t.me/killnet_reservs/595. ———. 2022. Our response to online blackmailers. July 26. Accessed November 29, 2022. https://t.me/killnet_reservs/2204. ———. 2022. Our survey about NATO and the U.S. February 28. Accessed November 20, 2022. https://t.me/killnet_reservs/20. ———. 2022. Our thoughts about this war. March 22. Accessed May 12, 2022. https://t.me/killnet_reservs/232. ———. 2022. Our warriors were banned from Zhykov’s bar! December 3. Accessed January 13, 2023. https://t.me/killnet_reservs/4123. ———. 2022. Please, write complaints on this account! June 3. Accessed January 2, 2023. https://t.me/killnet_reservs/1717. ———. 2022. Post about Ukraine. Edited by Julia Sweet. Author’s Archive, February 26. ———. 2022. Pugacheva is back?! August 29. Accessed December 25, 2022. https://t.me/c/1688942657/676581. ———. 2022. Putin’s birthday! October 7. Accessed January 10, 2023. https://t.me/ killnet_reservs/2978 . ———. 2022. Someone sells t-shirts with our logo on AliExpress. September 15. Accessed January 1, 2023. https://t.me/killnet_reservs/2660. ———. 2022. The European Parliament website was attacked. November 29. Accessed November 29, 2022. https://t.me/killnet_reservs/3721?comment=1203637. ———. 2022. To our officials and oligarchs! We need money! September 25. Accessed December 25, 2022. https://t.me/killnet_reservs/2829. ———. 2022. Utro Dagestan: A full report. September 27. Accessed January 13, 2023. https://telegra​.ph​/Kto​-ustraivaet​-besporyadki​-v​-Dagestane​-09​-27.

186

Chapter 4

———. 2022. Vesna. September 21. Accessed December 2, 2022. https://t.me/ killnet_reservs/2750. ———. 2022. We are busy! August 29. Accessed December 25, 2022. https://t.me/ killnet_reservs/2472. ———. 2022. We are celebrating! November 5. Accessed November 30, 2022. https://t.me/killnet_reservs/3364. ———. 2022. We hacked the car service in retaliation. July 5. Accessed November 29, 2022. https://t.me/killnet_reservs/2071. ———. 2022. We initiated a new offensive campaign. July 31. Accessed December 30, 2022. https://t.me/killnet_reservs/2184. ———. 2022. We killed his website! December 3. Accessed January 13, 2023. https://t.me/killnet_reservs/4125. ———. 2022. We promise to defend CIS Internet. February 28. Accessed December 23, 2022. https://t.me/killnet_reservs/18. ———. 2022. What is Rutor? August 15. Accessed October 12, 2022. https://t.me/ killnet_reservs/2350. ———. 2022. What will Poland do? March 23. Accessed December 22, 2022. https://t.me/killnet_reservs/239. ———. 2022. Zelensky gave an interview. April 27. Accessed January 12, 2023. https://t.me/killnet_reservs/601. ———. 2023. A survey about a mobilization. September 13. Accessed January 2, 2023. https://t.me/killnet_reservs/2636. Writer from the Center. 2022. Is mobilization coming?! September 12. Accessed January 2, 2023. https://t.me/killnet_mirror/2207. ———. 2022. Utro Dagestan is rich! September 26. Accessed January 13, 2023. https://t.me/killnet_mirror/2303. XakNet. 2022. Be careful of false mobilization chats! September 27. Accessed January 2, 2023. https://t.me/xaknet_team/373. ———. 2022. Our final statement about the Kropyva hacking. May 25. Accessed December 24, 2022. https://t.me/xaknet_team/229. XakNet Team. 2022. Everyone can help us to conduct attacks. March 4. Accessed December 20, 2022. https://t.me/xaknet_team/17. ———. 2022. Fake news. September 11. Accessed December 23, 2022. https://t.me/ xaknet_team/350. ———. 2022. KillNet discredited itself. Edited by Julia Sweet. Author’s Archive, November 11. ———. 2022. Our cooperation with KillNet. March 4. Accessed April 21, 2022. https://t.me/xaknet_team/21. ———. 2022. Our DDoS attacks on two Ukrainian websites. March 2. Accessed December 22, 2022. https://t.me/xaknet_team/12. ———. 2022. Our donations. September 30. Accessed December 24, 2022. https://t. me/xaknet_team/376. ———. 2022. Our email for communication. March 6. Accessed April 5, 2022. https://t.me/xaknet_team/41.

Hackers Gather Public Trust and Recognition

187

———. 2022. Our last hacking. March 31. Accessed January 12, 2023. https://t.me/ xaknet_team/127. ———. 2022. Our old friend help us to conduct DDoS attacks. May 9. Accessed December 23, 2022. https://t.me/xaknet_team/155. ———. 2022. Our report for Dmitry Gusev. November 22. Accessed November 26, 2022. https://t.me/xaknet_team/430. ———. 2022. Real facts about KillNet. Edited by Julia Sweet. Author’s Archive, November 08. ———. 2022. Stop this fight! November 14. Accessed December 23, 2022. https://t. me/xaknet_team/409. ———. 2022. Ukrainian Internet providers. March 6. Accessed December 1, 2022. https://t.me/xaknet_team/27. ———. 2022. We are back! May 5. Accessed December 23, 2022. https://t.me/ xaknet_team/148. ———. 2022. We did not accept it! Edited by Julia Sweet. Author’s Archive, November 6. ———. 2022. We hacked the SBU. October 24. Accessed December 23. https://t.me/ xaknet_team/398. ———. 2022. We hacked Vinfast​.ne​t. March 6. Accessed November 10, 2022. https://t.me/xaknet_team/30. ———. 2022. We warn the Chanel brand. April 1. Accessed December 26, 2022. https://t.me/xaknet_team/141. ———. 2022. XakNet statement. March 28. Accessed March 30, 2022. https://telegra​ .ph​/Do​-novyh​-vstrech​-03​-28. Zakharova, Maria. 2022. A note about a closure of Chanel stores in Russia. April 1. Accessed December 25, 2022. https://t.me/MariaVladimirovnaZakharova/2313. ———. 2022. The European Parliament decision. November 23. Accessed November 29, 2022. https://t.me/MariaVladimirovnaZakharova/4192. Zarya. 2022. Cooperation with KillNet. July 2. Accessed December 23, 2022. https://t.me/informZarya/348. ———. 2022. Documents from the state archive. July 11. Accessed December 24, 2022. https://t.me/informZarya/371. ———. 2022. Our fifth attack. May 16. Accessed December 23, 2022. https://t.me/ informZarya/214. ———. 2022. Our further work. October 26. Accessed December 23, 2022. https://t. me/informZarya/487. ———. 2022. Our next target. December 31. Accessed January 1, 2023. https://t.me/ informZarya/632. ———. 2022. Our travel to the Donbass area. November 21. Accessed December 23, 2022. https://t.me/informZarya/548. ———. 2022. The attack on the Ukrainian Archive. July 7. Accessed December 23, 2022. https://t.me/informZarya/359. ———. 2022. The archive leak. July 12. Accessed December 24, 2022. https://t.me/ informZarya/378.

188

Chapter 4

———. 2022. The FSB professional day. December 20. Accessed December 30, 2022. https://t.me/informZarya/631. Zhykov, Sergey. 2022. The issue is resolved. December 3. Accessed January 13, 2023. https://t.me/sezhukovrv/456.

Chapter 5

Hackers’ Attacks Who Is the Main Target—Ukraine, Europe, or the United States?

The cyberwar is predominantly fought by two major sides: Russia and Ukraine. While several international hacking groups openly declared their adherence to Ukraine in this conflict, the opposition’s cyber front was presented by KillNet, XakNet, From Russia with Love (FRWL), People’s Cyber Army, and other groups, which could present a real menace to Western states and Ukrainian digital entities. As mentioned earlier, the research predominantly relied on the information aired on eight hackers’ accounts. For the statistics about the conducted cyber offensives, the data was collected on these hackers’ social media accounts on Telegram: Joker DPR, XakNet, FRWL, People’s Cyber Army, NoName057(16), KillNet, and its affiliates. Given the fact that RaHDIt did not provide public information about cyberattacks on its Telegram account, this group was excluded. The study did not embrace data from the Beregini group; this team mostly revealed documents and concealed information about conducted hacking offensives. Undoubtedly, the group launched cyberattacks on private and state-run digital Ukrainian entities, but it was impossible to track the timeline of Beregini’s cyber strikes. Even though data from Joker DPR was gathered, its accuracy is questionable due to the unclear way attacks were announced without reference or connection to dates. In some cases, it was difficult to determine a concrete victim of Joker’s strikes. Hence, the study only incorporated cyberattacks where their date and target were found. It is necessary to clarify the situation with the two associates of KillNet— Zarya and Anonymous Russia. The former left KillNet and the latter joined the KillNet brand a few months after its own independent activities. The research calculated Zarya’s attacks in a separate category after its announcement about its separation from KillNet, while every cyber offensive before this separation was considered as an action of KillNet’s. A similar approach 189

190

Chapter 5

was undertaken for Anonymous’s data: every cyber incident launched by this group before it merged with KillNet counted as an Anonymous attack, whereas any strike conducted after this date was identified as a KillNet strike. The statistical timeframe was from February 24, 2022, to December 31, 2022. Because the hackers repeatedly stated they did not expose information about their every strike, the study collected public records or posts from hackers’ Telegram accounts; taking the hackers’ words for granted, the study did not search for evidence that a cyber incident occurred or check a victim’s website to see if it was operational. There were five major categories for the hackers’ targets: the United States, Ukraine, the European Union (EU), the United Kingdom, and other countries. The category “other countries” includes any state excluding the United States, EU, the United Kingdom, and Ukraine. In addition, the study tracked the frequency of cyberattacks on these five categories, the types of strikes, and if possible, the damage to their victims. Of eight hacking groups, three hacking organizations—Joker DPR, XakNet, and Zarya, picked exclusively Ukrainian targets for their cyber raids. Worth noting is the fact that the former KillNet associate, Zarya, participated in foreign attacks only when it was a part of KillNet. Since their separation, the Zarya team focused on Ukrainian digital entities. Having been merely a cyber hooligan,1 Anonymous mischievously attacked websites in Belarus and even the Russian Federation prior to its linking with the KillNet brand. Five Russian hacking groups—FRWL, NoName057(16), KillNet, People’s Cyber Army, and Anonymous Russia, preferred a diverse landscape for their cyber activities, driven by their political agenda and political momentum. They targeted websites from the EU, the United States, and other foreign countries. However, there was a significant difference between these groups which must be mentioned: their tools for cyber striking. KillNet and Anonymous Russia relied on DDoS attacks. Along with DDoS strikes, People’s Cyber Army, NoName057(16), FRWL, and Zarya deployed more sophisticated attacks. In summer of 2022, FRWL impressed the Telegram audience with its own newly created but not yet used virus, as further updates about this malware were not provided by the hacking team. Another hacking team, XakNet, which is considered to be one of the most advanced and experienced groups, specialized in conducting more damaging cyber hacks.

TARGET #1: UKRAINE Previously, Ukraine faced multiple cyberextortions from Russian hackers, so the escalation of the situation in the winter of 2022 forced them to undertake safety measures to protect the state from cyber strikes. Addressing technical

Hackers’ Attacks

191

vulnerabilities, on February 17, the Parliament of Ukraine revised the state law about data protection and allowed critical government information to be relocated into public cloud services, including foreign ones (Smith 2022). Before the military invasion on the ground, Ukrainian digital entities experienced a hit from destructive malware named FoxBlade, which was a data wiper (Lakshmanan 2022). Within several days after the beginning of the war, Google offered protection services such as Project Shield and Cloudflare to private and state agencies in Ukraine at no cost. As an answer to the expanding cyberthreat emanating from Russia, these services have defended Ukrainian users from DDoS attacks. According to Cloudflare, more than 50 state entities with around 130 domestic domains, 54 non-profit local organizations, which provide assistance for refugees, food aid, investigative journalists recording war crimes, and other organizations, experienced persistent pressure from cybercriminals (Starzak 2022). In March 2022, Google DDoS protection registered more than 150 Ukrainian organizations, including the Ministry of Internal Affairs, Ministry of Foreign Affairs, Liveuamap, and other entities (Lapienyte 2022). The number of Ukrainian users has increased on a daily basis because, like the Russian Federation, cyber anarchy has become an undeniable part of Ukraine. Since February 24, 2022, according to the Ukrainian authorities, Russian hackers launched 1,655 offensives in total on various Ukrainian websites, where 557 cyber strikes were launched against online government branches (Reuters 2023). As the State Cyber Protection Center of Ukraine detected, in comparison with the 2021 cyber statistics, there were 2.8 times the number of cyber offensives in 2022, whereas “the number of information security events falling under Malicious Code and Phishing categories grew by 18.3 and 2.2 times, respectively” (State Cyber Protection Center 2023). In fact, Ukraine was a target for every Russian hacker group, which they attacked on a regular basis to underline their authentic goal for the Telegram audience. Between February 24 and December 31, 2022, the scrutinized hacking groups were responsible for 1,610 strikes on Ukrainian entities, or 37% of all cyberattacks conducted by the hackers. This means Ukraine was the second favorite target for the Russian hackers, but it was not the first. These hacking teams were very active in the springtime, deploying 35% of the total number of cyber strikes during that time. In the summer and fall seasons, approximately 27% of cyber offensives were launched, but their activities slowed down significantly (10%) in December 2022. In light of a similar declining trend for cyberattacks on Europe, this decline could be explained by the upcoming holiday time, as many hacker teams were busy preparing to celebrate the New Year and Christmas. Three hacking teams targeted Ukrainian websites more actively than other groups: People’s Cyber Army,

192

Chapter 5

KillNet, and NoName057(16). Fifty-seventy percent of all cyberextortions against Ukraine was initiated by the People’s Cyber Army, whereas the KillNet brand claimed 23% of the strikes and the NoName057(16) group—12%. XakNet, Joker DPR, Zarya, and FRWL managed approximately 8% of all Ukrainian cyberattacks collectively. For the few first days of the war, Russian cyber units applied their cyber weapons and Beregini coordinated missile attacks on some Ukrainian targets in February, whereas KillNet and some other hacking groups established their social media accounts on Telegram. In fact, the first hacking group which entered and declared its appearance in a public space became KillNet. Its staffers, along with their powerful equipment, were prepared for an illicit IT service, but the onset of the conflict changed the group’s priorities. Issuing numerous provocative statements toward Anonymous, KillNet was the first group which began DDoS attacks on Ukrainian entities on February 27, 2022. Its hackers argued that they knocked seven websites offline including the Pravy Sektor (Right Sector), the Ukrainian National Assembly (unso​.in​​ .ua), and the website for the president of Ukraine (president​.gov​​.ua) (KillNet 2022). Allegedly, these websites, turned off by DDoS strikes, were out of commission between 1 and 12 hours. Looking for limits to its abilities, KillNet claimed a DDoS strike against the Ukrainian cyber police’s website (cyberpolice​.gov​​.ua) on March 6, 2022 (We are KillNet 2022). To overwhelm this digital platform with malicious requests, the hacking team, including the founders of KillNet and Zarya, united with three other Russian hackers; one of whom was not known, and was not affiliated with other strikes, unless he changed his initial name. The other two participants provided DDoS services for Internet users and managed their Telegram channels. According to the hackers, their strike, which started at about 5 p.m. on March 6, crashed cyberpolice​.gov​​.ua on the same day, and for twenty-four hours the website was not available. The Ukrainian cyber department did not provide comments about this attack. In March 2022, People’s Cyber Army, NoName057(16), and XakNet joined this anti-Ukrainian cyber hunting. In contrast with the Russian media websites which were defaced and showed their audience anti-war statements, Ukrainian websites attacked by NoName057(16), went offline without any note from the attackers. In March 2022, NoName057(16) claimed a number of disruptions on news portals such as segodnya​.u​a, RBC Ukraine, urk​.ne​t, u24​.u​a, dou​.u​a, and other sites. Many of these media platforms faced cyberextortion several times in March. Encouraged by numerous hits against media portals, NoName057(16) sent threats to Ukrainian and U.S. websites: Rumors are in the air: Europe has a serious concern about unleashed Russian hackers. Our group is not alone fighting against the Ukrainian Russophobic

Hackers’ Attacks

193

propaganda .  .  . Our DDoS capabilities grow exponentially. Our group will reach everyone who hates Russia in Kiev or Washington. We will get every source of poisonous lies and propaganda. (NoName057(16) 2022)

It is a worldwide trend that the potential of DDoS attacks has become more powerful, where the strength of the toughest strike increased up to 2.851% between 2017 and 2020 (Palmer 2020). Usually, the Russian hackers did not disclose useful information about their attacks, predominantly reducing their communication with their audience by an announcement of a successful strike, sometimes presenting a new service (malware), or asking about financial support. However, the information about the potency of NoName057(16)’s botnet army was revealed by its victim. On March 24, 2022, a popular Ukrainian media website named Charter97 was shut down. Its Facebook outlet informed the public that at 8 a.m. local time, unidentified hackers directed a huge amount of traffic from various Internet-connected devices, and the website received approximately seventy million requests in less than twenty-four hours (Charter97 2022). According to the attacker, this website did not work for more than one day (NoName057(16) 2022). In total, in March 2022, the hacking team, which exclusively targeted Ukrainian media sources during this month, hit forty-seven Ukrainian media sources. Apparently, these hacks were successful. For instance, on March 12, the website fakty​.u​a, which became NoName057(16)’s target, warned its readers: Dear readers, our site along with other news outlets, which try to deliver truthful information about the full-scale Russian invasion in Ukraine and courage of Ukrainian troops, are under continuous powerful DDoS attacks. Russians are responsible for these attacks. As part of a hybrid war, these strikes aim to prevent access of Ukrainians to reliable news. (NoName057(16) 2022)

Later, a domestic judiciary portal (sud​.​ua) which covers news and updates in the Ukrainian legal system redirected its audience to the portal’s social media accounts on Telegram and Facebook: “Our portal experiences technical issues caused by DDoS attacks” (NoName057(16) 2022). In May, two industrial facilities’ websites were shut down by NoName057(16). On May 16, the Ukrainian state-owned company, Antonov, which is a branch of the corporation Ukroboronprom and specializes in air cargo transportation, became a victim of a DDoS strike. As a result, its website (antonov​.c​om) stopped functioning and demanded technical assistance (NoName057(16) 2022). In four days, another Ukrainian factory “RaPiD,” producing radio devices, transducers, and sensors, located in Chernihiv, lost control over its own website due to a cyberattack, and in several days, IT

194

Chapter 5

professionals removed the damage caused by the Russian hackers (NoName057(16) 2022). In 2022, the NoName057(16) team repeatedly launched cyber offensives against Ukraine, picking versatile targets from news and national political movement portals to industrial facilities. From the group’s establishment on Telegram from March 2022 to May 31, 2022, NoName057(16) publicly declared that it had made 113 strikes on Ukrainian websites. Since June 2022, the group exercised its DDoS botnet on European online entities, widening the geography of its victims. As a result, the NoName057(16) team’s attention to Ukraine lowered. In July, it did not disturb Ukrainian websites whatsoever. However, in November 2022, NoName057(16) returned to its Ukrainian targets, as the hackers claimed to have shut down forty-seven websites. From March and up to July 2022, KillNet and its affiliates Legion and Zarya ran more than 105 extortion campaigns against Ukrainian organizations and services. For instance, on March 3, the second-largest Ukrainian telecom provider “Vodafone” was hit by KillNet’s DDoS strike, and KillNet informed its followers that Vodafone’s website was knocked offline for four hours (We are KillNet 2022). Worth noting is the fact that telecom providers were always a target for cybercriminals, and as the war began in February, cyberextortions just intensified. However, cyberattacks caused serious technical issues for small Ukrainian providers such as Triolan, Vinasterisk, Viasat, and others (Brewster 2022). As it was previously stated, in March, XakNet hacked four telecom providers, including Viasat, whose database was seriously damaged (XakNet 2022). As bloodshed on the ground was unfolding, the Russian hackers did not abandon their attempts to obliterate Internet connection in Ukraine. Allegedly, for several weeks in July, the Zarya team had access to the Ukrainian Internet provider “UarNet” (uar​.n​et). Zarya claimed the end of the provider’s extortion on July 25, stating: “We are done with UarNet. And we can declare about our successful strike which was finished by multiple defacement attacks on more than 100 Ukrainian private and government websites” (Zarya 2022). According to Zarya’s Telegram posts, approximately 300 GB worth of data was stolen, but the threat actors did not clarify the digital platform or platforms from which they took this data. Further, Zarya’s followers observed a part of the UarNet database which was released in two portions between July 25 and July 27, 2022. On the path to reaching independence from KillNet, the Zarya team began to establish direct ties with other hacking teams. For Zarya, XakNet became the most notable connection with the Russian-speaking cyberspace. On July 12, 2022, both groups claimed a successful hack on the Ukrainian State Archival Service, whose official website (archives​.gov​​.ua) was defaced, and showed a video of a Russian blogger impersonating the president of Ukraine

Hackers’ Attacks

195

(Zarya 2022). According to the perpetrators, they hacked even subdomains of the State Department. They successfully pulled out plenty of archival data from its official website, but XakNet and Zarya did not disclose the exact size of the stolen data. Promising to publish more information, five data files with more than 1,500 MB were posted on the hackers’ Telegram outlets for public access (Zarya 2022). While KillNet specialized in DDoS attacks, this group, which began its path from DDoS strikes, switched to more sophisticated hacks. Apparently, this operational switch is directly connected to the surge of Zarya’s hacking skills. As mentioned earlier, a significant portion of cyberextortions in Ukraine was organized by the People’s Cyber Army group. Using DDoS attacks as a cover and inviting its followers to join its attacks, its hackers were sometimes able to penetrate a victim’s system and pull out information. This group was responsible for several data leaks. At the beginning of its activity, People’s Cyber Army claimed its first data leak, as it and XakNet launched a joint cyberattack on the Government Contact Center, ukc​.gov​.​ua. As a result, the group released several documents with personal details of the Center’s staffers and a description of this state facility, including its employees’ logins and passwords. The freshest records were made in April 2022. Besides the personal database of the Center’s staffers, the leak contained customer records such as names, phone numbers, emails, addresses, and even people’s requests (People’s Cyber Army 2022). The Ukrainian delivery service (novaposhta​.​ua), established in 2001 and which provides domestic and international services, became the People’s Cyber Army’s target on May 31 (Leaks 2022). There was a significant bulk of stolen information—40,881 unique email addresses and 68,707 phone numbers, along with addresses and other personal records (Leaks 2022). Some information had been just recently posted, dating back to January 2022, whereas other records matched with records from earlier leaks. Previously, Nova Poshta company’s database appeared on the Dark Web when someone tried to sell 2 files containing user records, one with 500,000 records and the other with 18 million (Tsentsura 2018). People’s Cyber Army did not try to monetize the stolen data, spreading it via Telegram. In 2022, the litany of its victims kept growing, and on October 3, the national ticket service, Maestro Ticket System, and Kontramarka were added to the list (People’s Cyber Army 2022). Initially, the Kontramarka company did not confirm the attack, which affected the majority of its customer’s accounts. But the hackers assured the company of the partial obliteration of the websites’ information and dissemination of an email which had a note from the hackers: Hi, a no longer respected MTicket user. As the company representative, we are hurrying to inform every user about the cyber breach of our servers by the

196

Chapter 5

pro-Russian hacking group People’s Cyber Army. Users’ personal data was leaked to the Internet . . . We are asking you to stop contacting the company! The defeat of Ukraine is around the corner .  .  . Best regards, Maestro Ticket System. (People’s Cyber Army 2022)

As a result, the company confirmed the cyberextortion but rejected the data leak: Dear friends, at this very moment, we are fighting back against the hacker attack from incompetent Russians . . . you may have received a letter of questionable content. But there is no reason to worry: your ticket data is stored on Amazon servers. (People’s Cyber Army 2022)

As the hackers claimed to leak around four million transactions and some credit card numbers, the company assured its customers that sensitive financial information was not stored on the website and the attackers could not reach it. People’s Cyber Army packaged up personal information about approximately 2 million registered users, including their names, phone numbers, addresses, dates of birth, and emails; the size of the stolen database was approximately 30 MB, and 16 MB of data was released at no cost on Telegram (Leaks 2022). Also, this hacking team placed this database in its closed Telegram account, which was established exclusively for data storage. In a couple of days, Ukrainian IT specialists restored both websites. XakNet, the most experienced and skillful hacking group, opened its public Telegram channel and announced full access for thirty-nine Ukrainian government authorities, many of whom were in the Odessa region (XakNet 2022). Along with the full access, XakNet defaced these websites with the following message: We remember the tragedy in Odessa on May 2, 2014.2 Also, we remember the eight-year-lasting torture of Donetsk and Lugansk People’s Republics. We are asking the Ukrainian authorities not to repeat this bloody experience! Ukrainians, stop being mesmerized by Western propaganda! Many Ukrainian soldiers and civilians are dead, and the Ukrainian Armed forces use Ukrainian citizens as shields from the Russian Army. (XakNet 2022)

The hacking team did not collect much data from the compromised entities, as the group only placed the Odessa authorities’ passwords and logins on the Internet. Apparently, XakNet attempted to draw public attention to their political statement rather than the digital entities’ destruction. While XakNet got full control over local government sites, its hackers could not breach two government websites—the president of Ukraine and the Ministry of Defense, disturbing their operations with massive DDoS strikes.

Hackers’ Attacks

197

In less than two weeks after a cyberattack on the president of Ukraine and the Ministry of Defense websites, XakNet carried out a defacement attack on the bank “Ukrainian Capital” (XakNet 2022). The bank’s website, ukrcapital​ .com​.​ua, showed XakNet’s video message, where the hackers claimed ownership of the attack, stressing that XakNet launched this strike as “a retaliation for fascists’ demands to steal money from Russian citizens” (XakNet 2022). Further, in case money was confiscated from Russian citizens’ accounts, XakNet threatened to attack every Ukrainian bank and deplete every bank account. Within a couple of hours, the bank’s IT team removed this video message, placing instead a pro-Ukrainian statement asking to support the military forces (XakNet 2022). From March 17 to May 20, 2022, XakNet was inside the court​.gov​​.ua website, the Supreme Court of Ukraine. As XakNet’s team worked on this target, another Russian hacking team, whose name was not disclosed, carried out a defacement strike on this platform. However, IT specialists, who took care of this attack and deleted the hackers’ statement, did not notice the presence of XakNet (XakNet 2022). For reasons unknown, XakNet, which claimed to pull out plenty of sensitive data, did not leak the Court’s database in 2022. Its Telegram account just published several screenshots of documents written in Ukrainian. However, in six months, the hacker group dropped data stolen from Ukraine’s Ministry of Finance (XakNet 2022). This leak, which included more than one million documents, marked a new entry in a long list of massive data breaches. According to XakNet, who roamed inside the department for several months, the leak contained official emails, passwords, logins, personal information about its employees, instructions, correspondence with foreign state entities, and other information. Alongside these leaks, this group was responsible for three other data breaches from the Stock market agency (smida​.gov​​.ua), insurance firm “Express Insurance” (e​-insurance​.in​​.ua), and the credit company “Express Credit” (express​-credit​.in​​.ua). Even though the study excluded RaHDIt from the statistics, its activity must be mentioned. This hacking group presented the personal information of Ukrainians who were associated with various military facilities. As the hackers stated in their posts on Telegram, the group hacked Ukraine’s state departments such as the National Guard, the Ministry of Defense, Cyber Police, Ukrainian Security Service, and military educational facilities, to reach needed personal details. Nonetheless, at the beginning of March 2022, Russian media wrote about “the huge cyber success” of RaHDIt’s hackers, who “compromised 755 government websites” including rural authorities in the Dnipropetrovsk, Donetsk, and Odessa regions (Gafyrova 2022). Within the Russian-speaking cyberspace, there were at least three screenshots circulating with RaHDIt’s statements for Ukrainian Armed Forces and civilians in Russian and Ukrainian. On one of the state websites of the Dnipropetrovsk

198

Chapter 5

region, the hackers placed the following statement, presented as a statement from the Russian Army: Current events will be discussed by several generations, but there is only one truth. It is obvious that this war is a result of a presence in politics of corrupt, greedy, and reckless politicians, who are careless about their own people and their needs . . . Nowadays, we have a chance to return everything that we lost for eight years, obliterate neo fascists’ burden and falseness, and establish a foundation for our bright future . . . We ask local residents to stop supporting radical and nationalist groups, and save your lives. Ukrainian troops! Put your weapons down! Do not shoot Russian troops, save your lives . . . We guarantee polite treatment. (Yaplakal 2022)

However, the group did not have a public account, and it did not claim its hacks, which made it impossible to track its cyber operations. In June 2022, several Telegram outlets detected files with 701 SVU officers’ personal information on one of its foreign forums (Leaks 2022). In this file, there were 11,055 records with phone numbers, names, addresses, ranks, positions, and links to officers’ social media accounts, which were previously published on the hacker group’s website NemeZida (Leaks 2022). In 2022, RaHDIt also collected and posted photos and personal information of approximately 1,500 staffers of Ukraine’s Foreign Intelligence Service, thousands of records about Ukrainian soldiers captured by the Russian Forces, members of the IT Army of Ukraine, and other sensitive information. Hacking the Ukrainian Delta System As already mentioned, Joker DPR focused on hacking Ukrainian digital entities. The analysis of Joker’s outlet content suggested that this hacker gathered a huge portion of information via open sources. Together with hacks of state and private websites, Joker DPR breached social media accounts and chats on various platforms. Allegedly, Joker DPR maintained a network of various personal female and male profiles which had long-lasting memberships in Ukrainian chats, including closed ones. Through these chats, open sources, and other resources, Joker DPR collected and generated personal information about Ukrainian military staffers and transferred it to the affiliated Telegram channel, Solnzepek. In November, Joker DPR impressed the Russian-speaking audience with his most significant achievement in 2022. On November 1, 2022, the DPR hacker Joker claimed a successful attack on the Delta situational awareness system. A Ukrainian IT team worked on this system for several months and presented its results at the TIDE Sprint event on October 25, in Virginia Beach. Its crew contained representatives from the Ministry of Defense,

Hackers’ Attacks

199

the Center of Innovations and Defense Technologies Development, and the Ministry of Digital Transformation. At a particular developmental stage, NATO IT specialists entered the project (Urbanska 2022). In light of this, it is important to underline that in July 2022, after meetings with NATO experts, Ukraine received Multilateral Interoperability Program membership, which gave Ukraine an opportunity to be a part of technological cooperation with the NATO states (The Ministry of Defence of Ukraine 2022). Apparently, since that time, foreign IT specialists developed close ties with the Ukrainian Delta team. Worth noting is that the Delta creators made it compatible with NATO technical standards. Moreover, the platform was tested at the NATO CWIX events in 2019 and 2020 (Halchynskyi 2021). Nonetheless, this innovative project did not find support from military officials, who placed it on hold in 2021. In the introductory note for the TIDE Sprint event, the minister of Digital Transformation, Mykhailo Fedorov, stressed that the Ukrainian IT team had worked on advancing digital war technologies and made an unprecedented breakthrough (Fedorov 2022). Its goal was to reach “complete informational awareness on the battlefield” (Fedorov 2022). This “awareness” refers to a map updated in real time, the number of enemy forces, their locations, military capabilities, fuel stations, fortifications, and other critical information. Worth noting is the fact that this interactive system contains information about the Ukrainian Forces, its units, and strategic objects. With its assistance, every military brigade can connect and cooperate with each other. The information gathered on this system is crucial for military units, commanders, pilots, and even mobile medical teams. The military received an opportunity to examine the interactive real-time battlefield view, which enhanced planning and sped up tactical decisions. It is a significant advantage over the Russian Forces. Since the beginning of the war, the Delta platform has been successfully tested against the Russian Forces. Initially, the Delta team provided defense for the Ukrainian capital, Kiev (Urbanska 2022). As its technical capabilities and effectiveness increased, the system began to cover other regions and widen the number of participants. As has been mentioned, Fedorov made the presentation about the Delta system on October 25. Later, on October 31, the hacker “Joker DPR” got upset over Ukrainian footage. It is not known when this footage was recorded and how the hacker got it. In this video, a Ukrainian serviceman advertises the Delta system’s unique characteristics (Joker DPR 2022). Zooming in and out of the map, the officer humiliated his Russian counterparts, who used oldfashioned paper maps, while the Armed Forces of Ukraine relied on modern technologies. The hacker found this suggestion offensive and promised to reveal something encouraging to his Telegram followers soon. The next day,

200

Chapter 5

Joker DPR announced an efficacious strike on the battlefield real-time monitoring system (Joker DPR 2022). To prove the attack, the hacker aired a video with his online manipulations inside what appeared to be the Delta program (Joker DPR 2022). Under this video, Joker DPR placed a long message where he disclosed the name of the main Delta supervisor, his personal information (emails, his passport number, and addresses), location, and a few technical parameters. The hacker argued that the base was in Dnepropetrovsk, Ukraine. Purportedly, the system relied on Google authentication and used two open sources, a file sync and share applications Nextcloud and Element (RIA News 2022). Additionally, Joker stated that he was not the only one who tried to hack the Delta monitoring platform. According to him, the KillNet group kept Delta on its hit list too. As the statement shows, this attack was not the only demonstration of Joker’s professional skills. He wanted to support the Russian Army, which had experienced one defeat after another on the battlefield. Joker DPR mentioned that he was the one who committed the attack, but he did not disclose any details. It remains unknown if the hacker really provided the Delta keys to the military, because the Russian officials kept quiet. With regard to this hacking, there are a few questions that are raised: When was the attack conducted?; How long has the Russian military used this system?; Why did the hacker announce the attack? The questions seem very intriguing. Logically, there are two scenarios: the hacker fabricated the attack, or Joker DPR declared the hacking when he lost access to the Delta system. If the hacking was conducted, the question about its duration becomes essential. Perhaps he hacked the Delta platform for a short period of time, after which his presence was quickly detected, and the Ukrainian Delta specialists reinstated its security. The hacker then immediately declared his success. In another scenario, Joker DPR hacked the resource a while ago, and provided its keys to the Russian military (local military units, their commanders, etc.). When access to the Delta system was lost, the hacker advertised his achievement. For this patriotic pro-Russian hacker, announcing his hacking for reputation or self-satisfaction is doubtful. However, most certainly this hacking was not done to pursue personal goals. The reaction of the Ukrainian authorities to the information about the attack was immediate and straightforward. On the same day when Joker DPR announced his action, the Ministry of Defense issued a statement rejecting the hacking incident: “no unauthorized penetration has been recorded” (The Ministry of Defense of Ukraine 2022). The department labeled the claim to be a part of the anti-Ukrainian informational campaign. According to the statement, it was a premeditated psychological

Hackers’ Attacks

201

“misinformation attack” against Delta in the aftermath of its presentation at the TIDE Sprint conference in the United States (The Ministry of Defense of Ukraine 2022). Further, the Ukrainian Ministry reassured its citizens that the Delta platform was operating without interruption on its regular schedule. While the Ministry rejected the hacking claim, the Facebook post of the Ukrainian journalist and Cenzor​.n​et editor-in-chief, Yuriy Butusov, divulged more intriguing details about the hidden cyber battles. Aligning with the Ministry of Defense’s explanation, he pointed out two short but successful enemy security breaches inside the Delta platform in August 2022. The journalist stated the obvious—that Russian intelligence service agents were continuously attempting to hack the cell phones and computers of Ukrainian military staffers; according to him, Russian agents repeatedly used social media and email phishing, spreading infected links (Butusov 2022). Two Ukrainian servicemen from the Kharkov and Krivoy Rog regions infected their devices with Russian malware, providing hackers entry to the Delta monitoring system. Nevertheless, to prevent unauthorized entries, the Delta founders established multi-facet protection, where every user has his own access level; some information is available for commanders, but not for troopers (Butusov 2022). In August, during a thirteen-minute period, the pro-Russian hackers were inside Delta, but they could operate only within the victims’ data access (Butusov 2022). Therefore, not much critical information was leaked; moreover, this information became outdated very swiftly, as the situation on the battlefield was highly dynamic. However, Butusov’s story was not supported by other evidence or testimonies from Ukrainian officials. Joker DPR dropped the ball when he claimed he hacked the Delta system but nevertheless called Yuriy Butusov a liar. However, the hacker credited the journalist for admitting cyberattacks in general (JokerDPR, Butusov’s statement 2022). In two days, another response was issued, where Joker DPR agreed with Butusov, admitting that the attacks on Delta occurred in August. However, the attacker claimed that the system was open for hackers much longer than thirteen minutes: “my hackers hacked Delta in August. All other information is audaciously false. . . . Butusov also lies that they gained access only for 13 minutes and only regarding the southern part of Ukraine” (JokerDPR 2022). Further, Joker DPR rejected the claim about successful phishing attacks and the involvement of two Ukrainian officers: We did not use phishing for the hacking as you wrote . . . We penetrated the Delta platform and further, we found these individuals within Delta . . . In addition, we went to see and left gifts with other Delta users who have the following logins: VadimFox, Santiago, Boris, Metodist, Balamut, Odessa, ofelia20, etc. (JokerDPR 2022)

202

Chapter 5

At the end of the statement, he left provoking phrases, where the hacker advised “American experts to conduct an investigation” of the platform, because its Achilles’s heel was at the Ukrainian end. A few days later, many pages of Delta’s alleged inner information became available on Telegram with free access. Leaking these documents, Joker DPR tried to undermine circulated doubts about the veracity of the breach and stop himself from turning into a laughing stock. The reaction from the Russian side was exuberating and encouraging but not without its share of bitter criticism. To clarify its stance on this cyberattack, the research picked and scrutinized the six most popular media resources: Vzglyad (Vz​.​ru), Moscovsky Komsomolez (MK), Lenta​.r​u, Russia Today (Russian), RIA News, and Rossiyskay Gazeta (RG). The following questions were tested: What are their primary sources about the attack? Which country developed the Delta system? What entity benefited from this hack? In the absence of the Russian authority’s assertions about the Delta breach, their articles about the hacking incident repeated each other with heavy citations from the widely shared Joker interview for RIA News and Daniil Bessonov’s post (RIA News 2022). Within these outlets, there was not an agreement about the origin of the Delta system. Following Joker’s assertion, five out of six media outlets emphasized the U.S. origin of the hacked Ukrainian platform. For instance, Darya Fedotova, the MK journalist, wrote that “the Joker DPR group announced an attack on the American DELTA command and control program, which is actively used by the Ukrainian military” (Fedotova, Hackers reported about an attack on the Delta system 2022). On the RG website, the article named the Delta platform an American gift to Ukraine and stressed that the cyber operatives of “the allied forces” undermined its reliability and reputation (Valagin 2022). At the end of the article, its author made the brisk conclusion that the Ukrainian Army should switch to old-fashioned methods (phones, paper maps, etc.) rather than overwhelmingly rely on modern technologies (Valagin 2022). Interestingly, the only news resource which propagated the Ukrainian origin of Delta was RIA News (RIA News 2022). Despite references to this RIA article, other newspapers mainly ignored this fact (Fedotova, Hackers reported about an attack on the Delta system 2022; Ivanova 2022; Russia Today 2022). Predictably, the Russian media platforms highlighted huge benefits for the Russian Army due to this cyberattack. In the interview for the MK newspaper, the military expert, Alexey Leonkov, stated that the Russian Army received plenty of useful information, but it did not contain a plan of future actions (Fedotova, Interview with A. Leonkov 2022). Through this successful hack, the Russian military specialists received an opportunity to learn about the U.S.-made system, which Ukraine got to

Hackers’ Attacks

203

experiment with prior to its global implementation (Fedotova, Interview with A. Leonkov 2022). Nevertheless, Russian media did not start to piece together the behind-thescenes facts of Joker’s claim (Ivanova 2022; Russia Today 2022; Valagin 2022). While the Russian media left critical thinking aside, its readers and Telegram users raised a few questions (Russia Today 2022). People wrote and reacted to the claim in the comment sections of Russia Today, Vzlyad​.r​ u, Oleg Tzaryov, Wagner’s Club, IzoLenta, Rogozin’s and other social media accounts on Telegram and Vkontakte. Public concerns were voiced by the former Ukrainian Deputy and member of the Party of Regions, Oleg Tzaryov, and a member of the State Duma from the Just Russia (Spravedlivaya Rossiya) party, Anatoliy Wasserman. Both political figures rejected the rationale behind the publicity of the Delta attack (Tzaryov 2022; Wasserman 2022). The former Ukrainian politician admitted that the breach was extremely good news, but the unnecessary publicity could undermine its benefits (Tzaryov 2022). While Oleg Tzaryov provided a short post about the breach, Anatoliy Wasserman went beyond just a brief note. Wasserman aired an article where he stressed: My only hope is that the information from Delta has been used in our interests. For the future, I insist that we, civilians should learn about successful cyberattacks against our enemies only after all information received could be applied and has become irrelevant. (Wasserman 2022)

With bitter sorrow which can be read between the lines, the author stressed that the Latin idiom of “praemonitus, praemunitus” (forewarned is forearmed) turns out to be brilliant advice that must be followed: “The less the adversaries know about our successes, the more effectively our Army crushes them. Now, after the public claim, the adversary’s team is working hard to enhance Delta’s protection and its information flows” (Wasserman 2022). There are no other famous figures from academia or politics who tried to scrutinize the attack and express their opinion. In general, pro-Russian Telegram bloggers and news channels demonstrated a similar approach. Worth noting is that this aggression has increased the popularity of not only pro-war media and TV figures such as Vladimir Solovyev and Armen Gasparyan, but a number of previously unknown or less popular bloggers and individuals (many of them professional journalists and even politicians); they are war journalists and analysts such as Semen Pegov,3 Dmitriy Vasiletz,4 Podolyaka,5 Vladlen Tatarsky,6 and others. To determine their stance toward the Delta hacking, the study scrutinized the following Telegram outlets: Rudenko,7 Semchenko,8 Tatyana Montyan,9 Gasparyan,10 WarGonza (Semen Pegov), Vladlen Tatarsky, Dmitriy Vasiletz,

204

Chapter 5

Yriy Podolyaka, Solovyov,11 Sladkov,12 Kotsnews,13 Wagner’s club,14 Mria,15 Anna-News,16 Rybar,17 Readovka,18 Ostashko Important,19 Poddubny,20 and IzoLenta.21 Some of these entities are primary sources, others, secondary. In addition, the overwhelming majority of the channels are interconnected, which helps their admins to receive and spread information at an incredible pace. Of nineteen Telegram outlets, nine channels made reposts from each other, Joker’s, or Bezsonov’s Telegram channels. Three outlets added their own description to the original post, while the other five outlets did not change the original message at all. However, neither of these three accounts included new details to their modified posts. Compared to the Russian newspapers, which aired articles with citations to the primary sources, the Telegram channels made reposting with minimal revision or no modification. Worth noting is that neither the newspapers nor the Telegram news sources followed up on this important news, nor did they do extra research on Ukrainian, global, or domestic entities. Despite the claim of the Ukrainian Defense Ministry about the Russian coordinated informational attack, this news was not adequately prepared, presented, or propagated. Russian officials missed this news in their accounts and did not comment on such a critical issue. The war in Ukraine has provided plenty of news every single day; for the Russian-speaking audience, the Delta breach became just another short-lived episode in a sea of informational influxes. Interestingly, the relatively modest and shallow coverage for this hacking was outweighed by wide attention from Russian sources to the breach of Valerii F. Zaluzhnyi’s Instagram account. For Russian media, the leak of controversial correspondence of the Ukrainian Commander-in-Chief seemed if not more important, at least more curious. On November 3, 2022, the proRussian hacker claimed to breach Zaluzhnyi’s Instagram page. The Commander-in-Chief’s followers were confused by two new pictures. To begin with, Joker DPR changed the profile picture for the popular photo of Russian president Putin riding on a bear with the Russian flag on its background (Joker DPR 2022). Then, the followers were surprised by the Joker’s picture in a military outfit with the following description: I confirm that Joker DPR breached the Delta system. Initially, the bewildered followers decided that it was a joke. The controversial post even received 594 “likes” and plenty of positive comments (Joker DPR 2022). After a while, the Instagram users realized that Zaluzhnyi’s account was run by somebody else, and not its owner. To prove the breach, the hacker made several videos of the account’s content. He recorded Zaluzhnyi’s messages with three women, and comments under the post with the Joker’s picture. For Joker DPR, this action was an attempt to repair his wavering reputation; by this showy attack, the hacker made a public statement about his or his team’s abilities.

Hackers’ Attacks

205

Unfortunately, Valerii F. Zaluzhnyi’s emotional reaction to this leak confirmed Joker’s claim. The reaction was so irrational that when Zaluzhnyi regained control over his account, he did not remove the Telegram link to the Joker DPR account for a while (Joker DPR 2022). Announcing the breach, Zaluzhnyi wrote the following post: Cynical animals do not have moral restrictions! Having been unable to defeat us on the battlefield, they strike at our children and families. The easiest possible way is to hack my personal account, which is not affiliated with my job. Here are only pictures of children and family. You brag by doing this. Instead of children and family, you show yourself—murderers. This attack proves the fact that orcs must be destroyed! We will kill them all! (Beregini 2022).

Returning back to the Delta breach, 50% of pro-Russian hacker groups also missed the information about the Delta attack. However, KillNet and its affiliates, Legion and Anonymous Russia, and along with Beregini, expressed their opinion. While Anonymous Russia’s response was neutral, Beregini underlined its previous cooperation with Joker DPR and added new details about the Ukrainian Delta team. In contrast, KillNet’s group account unloaded harsh critiques on Joker DPR: I have repeatedly examined hacker data leaks. People who hide behind the Joker nickname are really good and made more for our victory than all hacktivists could do. But I have to mention my regrets . . . Any data after its leak is not valuable anymore. Its value vanished.  .  .  . Are you crazy in Donetsk? If one department used this data in full, this does not mean the data became useless for others . . . Any information can be used multiple times . . . Learn to work clandestinely and without clueless publicity . . . I repeat again: you are really good (in general); but in this particular case, you are idiots . . . . (Pisar iz Shtaba 2022)

Apparently, this reaction was prompted by Joker’s mocking of KillNet, which was unfortunate in its attempt to breach the Delta system. KillNet’s emotional, juvenile response with bold name-calling prevented future cooperation and coordination of their actions. Thus, the pro-Russian hacker “community” does not demonstrate unity, rather it demonstrates rivalry, tenseness, and jealousy. TARGET # 2 EUROPE, THE UNITED KINGDOM, AND THE UNITED STATES For Russian hackers, members of the EU became the most desirable target, as they launched 2,448 cyber strikes on European digital entities between February 24 and December 31, 2022. This equals 57% of all attacks carried

206

Chapter 5

out by Russian hackers, which is approximately 20% higher than the number of cyber offensives in Ukraine during the same period. As stated earlier, not all hacking groups carried out strikes against foreign websites; for instance, XakNet specifically underlined this feature in its public posts and interviews. So did Beregini and Joker DPR. Another hacking group, Zarya, focused exclusively on Ukrainian entities after getting its independent status from KillNet. On the contrary, in terms of KillNet’s brand-building perspective, the EU was very important, so the proportion of EU targets in KillNet’s profile was significant (1,640 websites). While KillNet claimed responsibility for 67% of all cyber offensives launched by the hacking groups on European digital platforms, NoName057(16) took the second position with 723 strikes (29.5%). In total, the other two groups—People’s Cyber Army and FRWL were responsible for less than 3% of all cyberattacks in that timeframe. Worth mentioning are the activities of Anonymous prior to its affiliation with KillNet. Its hacking team began experimenting with European strikes shortly after its establishment, and up to September 2022, Anonymous Russia hit 24 (0.9%) digital European entities. As a KillNet branch, this group became a frontrunner for launching cyber extortions in the EU under the umbrella of the KillNet brand. Similar to what happened in Ukraine, an overwhelming majority of the cyberattacks (46%) were conducted in the springtime in 2022, whereas in the summer and fall seasons, hackers’ pressure on the EU was reduced by more than 20%. While between March 1 and May 31, 2022, there were 1,137 strikes, the Russian hacking groups organized 1,147 attacks between June 1 and November 30, 2022. In December 2022, their activity was relatively slow, dropping to 6.6% or 164 strikes, carried out predominantly by NoName057(16). In the fall of 2022, People’s Cyber Army targeted, on average, seven European websites, but in December 2022, it claimed only four attacks. A similar dwindling trend was presented by KillNet, which attacked, on average, ninety-eight websites per month between September 1 and November 30, 2022. However, in December, only thirteen websites in the EU were targeted by the KillNet team. As suggested previously, this trend can be explained by the upcoming holiday season, when even Russian propaganda is diverted from continuously bombarding the population with political news, opinions, and analyses. The first victim of KillNet in the EU became Poland, when a news portal, polandhub​.p​l, was hit two days after the onset of the conflict in Ukraine (We are KillNet 2022). KillNet claimed its hackers attacked this news website because the Polish government decided to close airspace for Russian airlines starting from February 25, 2022 (Wilczek 2022). On Facebook, the Polish prime minister, Morawiecki, stated: “I have ordered the preparation of the resolution of the council of ministers which will lead to the closure of the

Hackers’ Attacks

207

airspace over Poland to Russian airlines” (Reuters 2022). It was unclear why KillNet decided to strike a website where Polish news and advertisements were published in Russian, and apparently, Polish society was barely even informed about this retaliatory cyberattack. After several openly aggressive posts about Poland, the hacker group returned to cyberextortions on Polish websites in less than twenty days. On March 23, a KillNet video said that it would encrypt the “country’s information systems,” if Poland dragged NATO into this ongoing conflict between Russia and Ukraine (We are KillNet 2022). This threatening video message was supported by the cyber strike on the National Bank of Poland (We are KillNet 2022). In fact, after this video, KillNet initiated a chain of cyberattacks on Poland. On March 25 and 26, the official websites of the Polish Supreme Court and the Investment and Trade Agency were hit by cyberattacks. As the hacking team claimed, more than 20 gigabytes of data were stolen from the paih​.gov​​.pl server and published on a web storage space (We are KillNet 2022). In April, several European states were targeted by KillNet hackers, including France, Germany, Latvia, and others. Looking for wide publicity, the hackers issued a statement for Europe: For 10 days we launched attacks in ten countries (Poland, Germany, Czech Republic, Estonia, USA, UK, France, etc.). In these countries, security for critical infrastructure has become a problem. It cannot be solved in a month or even a year. European cybersecurity specialists do not control the situation, and they are not ready for cyber confrontation. We show how easy it is to spread mess and inconvenience in common citizens’ lives. The European authorities do nothing to protect sensitive information . . . tomorrow we will come after your country! (We are KillNet 2022)

Apparently, encouraged by successful attacks, the hackers emphasized that they would continue attacking private and state-run European organizations. Interestingly, KillNet underlined that its hackers launched attacks on French digital entities, but the group did not provide screenshots to prove this claim. However, on March 3, 2022, KillNet carried out a DDoS strike on Emmanuel Macron’s platform (en​-marche​​.fr), which was shut down for several hours. As the KillNet team underlined, French IT specialists stopped this strike in nineteen hours (We are KillNet 2022). A politically motivated campaign against the Baltic states began with a DDoS attack on the Ministry of Foreign Affairs of Latvia (We are KillNet 2022). It was launched on March 21, coming after the detention of Kirill Fedorov, a local blogger of Russian origin in Riga, the capital of Latvia (TASS 2022). While the hackers attacked the state entity, the Russian

208

Chapter 5

authorities tried to express their concern over Fedorov’s arrest by police on March 17, 2022: We are outraged by yet another fact of gross violation of fundamental human rights in Latvia, where a well-known Internet blogger Kirill Fedorov was recently detained for his assessments of the Russian special military operation in Ukraine. Riga once again demonstrates its international commitments regarding freedom of speech and access to information, which it has subscribed, in fact, mean nothing to it. (TASS 2022)

After several months of his detention, in March 2023, Russian media resources detected the blogger walking in Moscow (News​.​ru 2023). Further, the Baltic states were repeatedly targeted by the Russian hackers. In May, a branch of KillNet called Legion coordinated a politically motivated strike on Latvian colleges, taxi services, tourist agencies, fitness clubs, domestic Internet providers, and the following state departments: the Ministry of International Affairs (mfa​.gov​​.lv), Constitutional Court (satv​.tiesa​.gov​​ .lv), and the Supreme Court (at​.gov​​.lv) (We are KillNet 2022). In the summer of 2022, numerous cyberextortions in the Baltic states continued because their governments undertook measures to remove Soviet monuments and hampered the transportation of some goods to the Russian region of Kaliningrad (Hoppner 2022; Rosenberg 2022). In August, when Estonian authorities began to remove Soviet monuments, KillNet initiated another cyberextortion campaign as a retaliatory action for the decision of the Estonian government (Euronews 2022). Its hackers claimed to target more than 200 digital Estonian platforms run by private and state organizations. Confirming KillNet’s DDoS avalanche, Luukas Ilves, the under-secretary for digital transformation at the Ministry of Economic Affairs and Communications, underlined that these cyber strikes were “largely unnoticed” and though there were “some brief and minor exceptions, websites remained fully available throughout the day” (Luukas Ilves 2022). FRWL and NoName057(16) joined KillNet’s anti-Baltic mission at that time. Infuriated by the blockage of the Kaliningrad region, NoName057(16) disseminated emails written in English within the Baltic states: As a part of the Russian hacker community, we strongly recommend you send a message to your politicians and authorities of your country. The message about solving the transit cargo problem from Russia to Russia’s Kaliningrad region. Otherwise, Lithuania will become an IT ‘reservation’. We will definitely have enough skills and knowledge to send your information infrastructure to the Stone Age. Please think about it and find the right solution. Best regards, @ NoName057(16).22 (FRWL 2022)

Hackers’ Attacks

209

The hackers addressed this email to the Lithuanian railway company, LTG, which is a national state-owned entity, in June 2022. According to the NoName057(16) hackers, this company responded to the group: In response to your request to LGT Company to influence the Government of the Republic of Lithuania in order to revoke EU sanctions on the transfer of cargo freight to Kaliningrad, we kindly inform you: so called “Russian hacker community” go f . . . yourself23 (FRWL 2022).

This response enraged the sender and other Russian hackers, who decided to accelerate cyberattacks on the state’s digital entities. Worth noting is Avast’s research about NoName057(16)’s strikes on European websites, which were not very efficacious, as “the group’s success rate” was 40%: We compared the list of targets the C&C server sends to the Bobik bots to what the group posts to their Telegram channel. Websites hosted on well-secured servers can withstand the attacks. Around 20% of the attacks the group claims to be responsible for did not match the targets listed in their configuration files. (Avast 2022)

On July 1, FRWL, which appeared within the Russian-speaking cyberspace in June 2022, warned the Norwegian authorities that they were going to launch a cryptovirus named Somnya, which was created by the FRWL team (FRWL 2022). This threatening statement was made after the Norwegian authorities confirmed a transfer of another portion of military equipment to Ukraine in June 2022 (CNN 2022). It remained unknown if the hacking group released this malware. Moreover, FRWL did not mention this cryptovirus in its public posts. The United Kingdom could have proven to be an engaging target to the Russian hackers in light of the continued British support for Ukraine and political statements made by U.K. officials. However, during the presented timeframe, only two hacking groups—KillNet and NoName057(16), openly declared cyberattacks on U.K. websites. These hacking teams were responsible for eleven DDoS strikes (0.25%), while the Russian hacking groups conducted 4,295 cyber offensives. Between February 24 and December 31, 2022, four hacking groups— KillNet, NoName057(16), People’s Cyber Army, and FRWL—decided to perform cyber offensives against U.S websites. While NoName057(16), People’s Cyber Army, and FRWL were responsible for 8 actions, KillNet organized the other 196 cyber strikes, which were predominantly DDoS attacks. In fact, 5% of all cyberattacks launched by the analyzed hacking teams at that period targeted private and state-run U.S. organizations.

210

Chapter 5

Following through on its anti-American vendetta, KillNet24 started with a DDoS attack on Bradley International Airport in Windsor Locks, Connecticut, on March 28, 2022. In a Telegram post written in English, the hackers claimed they disrupted its operation: It is temporarily impossible to purchase a ticket, we apologize to Joe Biden. This action is not terror, but a hint that the United States government is not the master of millions of lives in Europe. When the supply of weapons to Ukraine stops, attacks on the information structure of your country will instantly stop! America, no one is afraid of you.25 (We are KillNet 2022)

Remarkably, on May 11, 2022, after a strike on Lviv’s local government website, People’s Cyber Army announced a DDoS attack on the White House, asking its chat members to be prepared for collective action (People’s Cyber Army 2022). However, the hackers did not air screenshots with an image of a failed website as they usually did, and further, People’s Cyber Army did not launch cyber offensives on U.S. websites for several months; in November 2022, its hacking team declared its second attack on the United States. At this time, People’s Cyber Army temporary shut down a website run by the private military company “Mozart” whose members operated in Ukraine fighting against the Russian Forces (Newton 2022). The Mozart Group did not confirm the cyberattack. Thus, these two observations suggest that the attack on the official website of the White House was an unfortunate experience for the People’s Cyber Army hackers, who apparently learned their lesson and preferred to attack targets outside the United States. Alongside the United States, Ukraine, the EU, and the United Kingdom, the hacking teams sometimes carried out attacks on other states. However, the proportion of these attacks is insignificant, less than 1%. For instance, in the summer of 2022, KillNet’s affiliate, Zarya, declared successful attacks on several websites in Columbia, including its state college (casb​.edu​​.co). Through the college website, Zarya received access to a significant amount of worthwhile data, which was published on Telegram in July 2022 (Zarya 2022). In September, it was Japan’s turn to be a target for the Russian hackers. KillNet’s hackers claimed attacks on twenty-three Japanese websites, including the online social networking service, Mixi, and the state portal e-Gov (e​-gov​.go​​.jp) (We are KillNet 2022). For the Russian hackers, digital entities in the EU appeared to be the most desirable target, as they launched 2,448 (57%) cyber offensives out of a total of 4,295, which were carried out between February 24 and December 31, 2022. Ukraine became the second favorite target, as its cyberspace was attacked 1,610 times, with 37% of all cyberattacks conducted by Russian hacking teams. While the United Kingdom’s online platforms were not very

Hackers’ Attacks

211

interesting to the hackers, the U.S. state and private websites survived 204 strikes (5%). It is unknown why Russian hackers mostly ignored the United Kingdom. In the case of the United States, the majority of the hacking teams preferred to refrain from attacking its websites because the United States was not a very easy target. Because it has been a popular target for various hackers for decades, domestic IT specialists have been well trained and are ready to protect U.S. cyberspace.

NOTES 1. Anonymous Russia is described as a “cyber hooligan” because initially, the group conducted cyberextortions on domestic private and state organizations. According to the so-called Russian hackers’ code, this behavior is unacceptable. 2. On May 2, 2014, forty-eight people were killed during clashes between Euro Maidan and pro-Russian protestors in Odessa, Ukraine. 3. Semen Pegov is a Russian journalist born in Smolensk in 1985. Prior to relocation to the Donbas region in 2022, he worked for various media resources such as Life​ .r​u. In 2019, the journalist presented his documentary about the Donbas leader and the first head of the DPR, Alexander Zakharchenko, called “His stronghold.” Nowadays, Pegov has propagated his new media project “WarGonzo,” which has a high popularity among the Russian-speaking population. By November 2022, Pegov’s Telegram channel attracted 1,300,000 people. 4. Dmitryi Vasilez is a Ukrainian public figure born in 1986. He is a businessman, journalist, and the leader of the “Derzhava” political party. His location remains unknown since the start of the war in February 2022, but given his open pro-Russian stance, Vasilez is most likely somewhere in the Russian Federation. Nowadays, he works on his Telegram account, where Dmitryi Vasilez explains the ongoing conflict, reports news, and analyzes the economic situation. His Telegram outlet has more than 460,000 followers. 5. Yriy Podoliaka is one of the most popular bloggers in Russia. He has released his analytical reviews on the Donbas conflict and the war in Ukraine. His hometown is Suma, Ukraine. Since 2014, he has resided in the Russian Federation. His Telegram audience is about 2,800,000. 6. His real name is Maksim Fomin. His family is from the Donbas region. The forty-year-old war journalist is also a mercenary for the Vostok battalion. He does not disclose information about his personal life. According to some sources, Maksim Fomin has a criminal record in Ukraine. 7. Andrey Rudenko is a VGTRK reporter. He has worked for the state-controlled media company. 8. Aleksander Semchenko is a well-known Ukrainian political scientist who was previously a frequent guest for various political TV shows (“Time Will Tell,” “60 Minutes,” and “Sunday Evening”) on Russian TV channels. His current location is not disclosed.

212

Chapter 5

9. Tatyana Montyan is a famous Ukrainian lawyer and member of the Kyiv Bar Association. For a long time, she had a law practice in Kiev where she was known for handling the most difficult cases. She is well known for her pro-Donbas stance. Nowadays, Montyan is actively involved in humanitarian work. She established and has managed a humanitarian network across the post-Soviet region. Also, Montyan has maintained several social media outlets on YouTube, Telegram, and other platforms with a significant number of followers. 10. Armen Gasparyan, who was born in Moscow, is an anchor on Sputnik Radio. In the 2000s, he worked at the Mayk Radio station. Gasparyan is a prolific author. Worth noting is that he was a member of the authors’ team which created a history textbook for Russian public schools. In May 2022, he was included in the U.K. sanction list. 11. Vladimir Solovyov is a Russian journalist who has been a TV host of the “Evening with Vladimir Solovyov” show. For many years, his program has had a good rating on the TV channel “Russia-1.” In 2022, The United States and the European Union imposed sanctions against the TV host. 12. Sladkov is a fifty-six-year-old VGTRK anchor. Among the Russian audience, he became very popular for war reports from battlefields in the Donbas region. In November 2022, Sladkov’s Telegram account gathered up to 1,000,000 followers. 13. The Telegram channel “Kotznews” was established by Aleksander Koz. He is a journalist for the Moscovsky Komsomolets (MK​.​ru). There are more than 650,000 subscribers. 14. Wagner’s Club is a Telegram account created and affiliated with the mercenary group called Wagner. This military group was established and sponsored by a Russian businessman, Evgeniy Prigozhin. 15. MRIA is a Pro-Russian news and analytical network, which has a few outlets on YouTube, Telegram, Dzen, and Vkontakte. Its founders are former Ukrainian reporters who air two live broadcasts twice a day. The network’s customer base has grown on a regular basis. Indeed, its YouTube channel has around 280,000 subscribers. 16. Anna-News is a news network dated back to 2011. Initially, its main office was in Abkhazia, but later, it was relocated to Moscow. Its original name “Abkhazian Network News Agency” was replaced with “Analytical Network News Agency.” 17. Rybar is a non-profit analytical source, whose expertise focuses on ongoing conflicts in various parts of the world. It was established by Russian and Ukrainian military enthusiasts who publish their materials via an only Telegram outlet. By November 2022, its audience reached 1,000,000. 18. Readovka is a news network which airs news and analytical articles. It grew out of a Vkontakte public page to a network with a website and social media outlets. Readovka was established in Smolensk in 2017. 19. The Ostashko Important Telegram channel is affiliated with a website of Political Russia. Ruslan Ostashko, an anchor of the First TV channel, is the founder of this news network. Its YouTube outlet broadcasts live streams on a regular basis and invites Russian experts to discuss the current crisis.

Hackers’ Attacks

213

20. Evgeny Poddubny is the chief of the VGTRK branch in the Middle East. He is an author of several documentaries. Today, Evgeny Poddubny works in Ukraine, covering news from the frontlines. 21. IzoLenta is a news network that focuses on daily live streams with various experts, politicians, TV anchors, teachers, etc. Its coverage includes several social media platforms: Vkontakte, YouTube, and Telegram. Also, its team manages a website to sell brand merchandise. 22. This quotation has an original writing style and grammar choice. 23. This quotation has an original writing style and grammar choice. 24. One of the most notorious attacks claimed by KillNet was the cyberattack on Lockheed Martin, the U.S. global security and aerospace company. Chapter 3 contains details about this action. 25. This quotation has an original writing style and grammar choice.

REFERENCES Avast. 2022. NoName057(16) Pro-Russian hacker group targeting sites in Ukraine and supporting countries with DDoS attacks. September 6. Accessed November 5, 2022. https://press​.avast​.com​/noname05716​-pro​-russian​-hacker​-group​-targeting​ -sites​-in​-ukraine​-and​-supporting​-countries​-with​-ddos​-attacks. Beregini. 2022. Zaluzhnyi’s reaction on the Joker’s breach. November 4. Accessed November 24, 2022. https://t.me/hackberegini/1095. Brewster, T. 2022. “Bombs and hackers are battering Ukraine’s Internet providers. ‘Hidden heroes’ risk their lives to keep their country online.” Forbes​.co​m. March 15. Accessed November 24, 2022. https://www​.forbes​.com​/sites​/thomasbrewster​ /2022​/03​/15​/internet​-technicians​-are​-the​-hidden​-heroes​-of​-the​-russia​-ukraine​-war/​ ?sh​=43b71ade2884. Butusov, Y. 2022. Delta hacking incident. November 1. https://www​.facebook​.com​ /butusov​.yuriy. Charter97. 2022. Charter97​.o​rg is undergoing a powerful DDOS attack. March 23. Accessed November 22, 2022. https://charter97​.org​/ru​/news​/2022​/3​/23​/460309/. CNN. 2022. Norway says it will send long-range rocket artillery to Ukraine. June 29. Accessed November 5, 2022. https://edition​.cnn​.com​/europe​/live​-news​/russia​ -ukraine​-war​-news​-06​-29​-22​/h​_a3d​b386​8e6e​914a​8929​77d7​aed749492. Euronews. 2022. Estonia to remove Soviet-era monuments to ensure public order. August 16. Accessed November 5, 2022. https://www​.euronews​.com​/2022​/08​/16​/ estonia​-to​-remove​-soviet​-era​-monuments​-to​-ensure​-public​-order. Fedorov, M. 2022. Address of vice prime minister and minister of digital transformation @FedorovMykhailo. October 25. Accessed October 26, 2022. https://media​ .act​.nato​.int​/record/​~8f1e0a7d7d. Fedotova, D. 2022. Hackers reported about an attack on the Delta system. November 1. Accessed November 9, 9. https://www​.mk​.ru​/politics​/2022​/11​/01​/vzlom​-sistemy​ -upravleniya​-voyskami​-na​-ukraine​-vyyavil​-slabye​-mesta​-vsu​.html.

214

Chapter 5

———. 2022. Interview with A. Leonkov. November 2. Accessed November 11, 2022. https://www​.mk​.ru​/politics​/2022​/11​/02​/shtaty​-nachali​-testirovat​-na​-ukraine​ -novuyu​-sistemu​-upravleniya​-vsu​-konvergenciya​.html. FRWL. 2022. NoName057(16) sends emails to the Baltic states. July 1. Accessed November 4, 2022. https://t.me/frwl_team/125?single. ———. 2022. Somnya is waiting for you, Norway. July 1. Accessed November 5, 2022. https://t.me/frwl_team/102. Gafyrova, M. 2022. Russian hackers breached Ukranian state websites. March 2. Accessed December 15, 2022. https://ura​.news​/news​/1052536431. Halchynskyi, S. 2021. The unit is dissolved. January 13. Accessed October 22, 2022. https://www​.facebook​.com​/imPtah. Hoppner, S. 2022. Former USSR states dismantle the Soviet past. August 18. Accessed November 4, 2022. https://www​.dw​.com​/en​/goodbye​-ussr​-former​-communist​-states​-dismantle​-the​-past​/a​-62853233. Ivanova, O. 2022. Joker tells about Delta hacking. November 1. Accessed November 9, 2022. https://vz​.ru​/news​/2022​/11​/1​/1184878​.html. Joker DPR. 2022. Claim about hacking. Vol. F. no. 2. November 1. https://t.me/ JokerDPR/208. ———. 2022. “Telegram post.” Video about the Delta. Vol. F. no. (C)1. October 31. https://t.me/JokerDPR/207. ———. 2022. Zaluzhnyi’s Instagram account is hacked! November 3. Accessed November 24, 2022. https://t.me/JokerDPR/231. JokerDPR. 2022. Butusov’s statement. Vol. (F). no. 4. November 2. ———. 2022. My response to Y.Butusov. November 3. https://t.me/JokerDPR/226. KillNet. 2022. We turned down several websites. February 27. Accessed December 12, 2022. https://t.me/killnet_reservs/13. Lakshmanan, R. 2022. Microsoft finds FoxBlade Malware hit Ukraine hours before Russian invasion. March 1. Accessed November 22, 2022. https://thehackernews​ .com​/2022​/03​/microsoft​-finds​-foxblade​-malware​-hit​.html. Lapienyte, J. 2022. Google offers free DDoS protection to Ukrainian organizations. March 13. Accessed December 30, 2022. https://cybernews​ .com​ /news​ /google​ -offers​-free​-ddos​-protection​-to​-ukrainian​-organizations/. Leaks. 2022. Huge data leak from Maestro Ticket System. October 4. Accessed December 3, 2022. https://t.me/dataleak/2766. ———. 2022. Our update for the SVU leak. June 14. Accessed December 15, 2022. https://t.me/dataleak/2643. ———. 2022. People’s cyber army claims another hack. May 31. Accessed December 3, 2022. https://t.me/dataleak/2667. ———. 2022. Personal information of 701 SVU officers circulated on the Internet. June 3. Accessed December 15, 2022. https://t.me/dataleak/2629. ———. 2022. Update for the Nova Poshta leak. June 2. Accessed December 3, 2022. https://t.me/dataleak/2668. Luukas Ilves. 2022. Recent DDoS attacks on Estonia. August 17. Accessed November 5, 2022. https://twitter​.com​/luukasilves​/status​/1560105665636569089.

Hackers’ Attacks

215

News​.r​u. 2023. Fedorov, arrested in Latvia, is now in Moscow. March 18. Accessed March 19, 2023. https://news​.ru​/moskva​/arestovannyj​-v​-latvii​-avtor​-russkoyazychnogo​-youtube​-kanala​-nashelsya​-v​-moskve/. Newton, S. 2022. Mozart Group: The counter to Russia’s infamous Wagner Group mercenaries. April 7. Accessed December 25, 2022. https://www​.forces​.net​/ukraine​ /ex​-us​-special​-forces​-commander​-sets​-ukraine​-based​-military​-training​-centre. NoName057(16). 2022. Antonov​.c​om stops working! May 16. Accessed November 23, 2022. https://t.me/noname05716/169. ———. 2022. Attack on fakty​.u​a. March 12. Accessed November 21, 2022. https://t. me/noname05716/8. ———. 2022. Charter97​.o​rg does not work! March 24. Accessed November 23, 2022. https://t.me/noname05716/38. ———. 2022. The factory Rapid is our target. May 20. Accessed November 23, 2022. https://t.me/noname05716/175?single. ———. 2022. The website sud​.​ua is offline. March 20. Accessed November 22, 2022. https://t.me/noname05716/32. ———. 2022. We will reach our enemies! March 13. Accessed November 23, 2022. https://t.me/noname05716/12. Palmer, D. 2020. DDoS attacks are getting more powerful as attackers change tactics. September 29. Accessed December 23, 2022. https://www​.zdnet​.com​/article​/ ddos​-attacks​-are​-getting​-more​-powerful​-as​-attackers​-change​-tactics/. People’s Cyber Army. 2022. A couple of questions for MTicket. October 3. Accessed December 3, 2022. https://t.me/CyberArmyofRussia_Reborn/1278. ———. 2022. MTicket service was hacked! October 3. Accessed December 23, 2022. https://t.me/CyberArmyofRussia_Reborn/1270. ———. 2022. Our next target is USA. May 11. Accessed November 6, 2022. https://t. me/CyberArmyofRussia_Reborn/332. ———. 2022. The government contact center is our target. April 2. Accessed December 3, 2022. https://t.me/CyberArmyofRussia_Reborn/55. Pisar iz Shtaba. 2022. Response to Joker DPR. November 1. https://t.me/ killnet_mirror/2600. Reuters. 2022. Poland to ban Russian airlines from its airspace from midnight. February 25. Accessed November 3, 2022. https://www​.reuters​.com​/world​/europe​/ poland​-ban​-russian​-airlines​-its​-airspace​-midnight​-2022​-02​-25/. ———. 2023. Ukraine blames Russia for most of over 2,000 cyberattacks in 2022. January 17. Accessed January 17, 2023. https://www​.reuters​.com​/world​/europe​/ ukraine​-blames​-russia​-most​-over​-2000​-cyberattacks​-2022​-2023​-01​-17/. RIA News. 2022. The hacker explains how he attacked Delta. November 1. Accessed November 7, 2022. https://ria​.ru​/20221101​/vzlom​-1828420857​.html. Rosenberg, S. 2022. Kaliningrad: Russia warns Lithuania of consequences over rail transit sanctions. June 21. Accessed November 5, 2022. https://www​.bbc​.com​/ news​/world​-europe​-61878929. Russia Today. 2022. The hacker told about the Delta attack. November 1. Accessed November 7, 2022. https://russian​.rt​.com​/ussr​/news​/1068755​-haker​-dzhoker​-ukraina.

216

Chapter 5

Smith, B. 2022. Defending Ukraine: Early lessons from the cyber war. June 22. Accessed November 21, 2022. https://query​.prod​.cms​.rt​.microsoft​.com​/cms​/api​/ am​/binary​/RE50KOK. Starzak, A. 2022. The latest on attacks, traffic patterns and cyber protection in Ukraine. December 12. Accessed January 1, 2023. https://blog​.cloudflare​.com​/ ukraine​-update/. State Cyber Protection Center. 2023. Report: The number of recorded cyber incidents almost tripled in 2022. February 16. Accessed February 17, 2023. https://cip​.gov​ .ua​/en​/news​/u​-2022​-roci​-kilkist​-zareyestrovanikh​-kiberincidentiv​-virosla​-maizhe​ -vtrichi​-zvit. TASS. 2022. Russia demands immediate release of blogger Kirill Fedorov in Latvia — diplomat. March 22. Accessed November 3, 2022. https://tass​.com​/society​ /1425757​?utm​_source​=search​.brave​.com​&utm​_medium​=referral​&utm​_campaign​ =search​.brave​.com​&utm​_referrer​=search​.brave​.com. The Ministry of Defence of Ukraine. 2022. MIP membership. July 12. Accessed November 6, 2022. https://www​.mil​.gov​.ua​/news​/2022​/07​/12​/ukraina​-stala​-asoczijovanim​-chlenom​-programi​-tehnologichnogo​-spivrobitnicztva​-zbrojnih​-sil​-krain​ -nato​-oleksij​-reznikov/. The Ministry of Defense of Ukraine. 2022. Russian propaganda attacks the IT system of situational awareness of the Armed Forces of Ukraine. November 1. Accessed November 6, 2022. https://www​.mil​.gov​.ua​/en​/news​/2022​/11​/01​/russian​ -propaganda​-attacks​-the​-it​-system​-of​-situational​-awareness​-of​-the​-armed​-forces ​ -of​-ukraine/. Tsentsura, K. 2018. Personal data of 500,000 Nova Poshta clients allegedly leaked to dark web. February 8. Accessed December 4, 2022. https://www​ .databreaches​.net​/personal​-data​-of​-500000​-nova​-poshta​-clients​-allegedly​-leaked​ -to​-dark​-web/. Tzaryov, Oleg. 2022. The Delta platform was hacked. November 1. Accessed November 11, 2022. https://vk​.com​/oleg​.tsarov​?w​=wall170184267​_241274. Urbanska, Tatiana. 2022. Interview with Yaroslav Gonchar. October 10. Accessed October 23, 2022. https://www​.unian​.ua​/war​/aerorozvidka​-v​-ukrajini​-yak​-pracyuyut​-operatori​-droniv​-na​-viyni​-interv​-yu​-z​-yaroslavom​-goncharom​-12010002​ .html. Valagin, A. 2022. The allied forces hacked the command and control system of Ukraine. November 1. Accessed November 1, 2022. https://rg​.ru​/2022​/11​/01​/soiuznye​-sily​-vzlomali​-sistemu​-upravleniia​-vojskami​-vsu​.html. Wasserman, A. 2022. NATO conducts tests on Ukrainians. November 7. Accessed November 11, 2022. https://ren​.tv​/blog​/anatolii​-vasserman​/1042905​-nato​-provodit​ -testy​-na​-ukraintsakh. We are KillNet. 2022. Bradley International Airport is our target! March 28. Accessed November 5, 2022. https://t.me/killnet_reservs/344. ———. 2022. Cyber police of Ukraine sleeps! March 6. Accessed November 23, 2022. https://t.me/killnet_reservs/94. ———. 2022. Emmanuel Macron’s website is offline! March 3. Accessed November 3, 2022. https://t.me/killnet_reservs/65.

Hackers’ Attacks

217

———. 2022. Fedorov was arrested in Riga! Our retaliation is here. March 21. Accessed November 3, 2022. https://t.me/killnet_reservs/227. ———. 2022. Our retaliatory strike on Poland. February 26. Accessed November 3, 2022. https://t.me/killnet_reservs/8. ———. 2022. Our statement for Europe. April 21. Accessed November 3, 2022. https://t.me/killnet_reservs/703. ———. 2022. Our warning is out. March 23. Accessed November 4, 2022. https://t. me/killnet_reservs/248. ———. 2022. Over 20GT of data are in our hands! March 26. Accessed November 3, 2022. https://t.me/killnet_reservs/304. ———. 2022. Video message for Poland. March 23. Accessed November 3, 2022. https://t.me/killnet_reservs/244. ———. 2022. Vodafone was offline for 4 hours. March 3. Accessed November 24, 2022. https://t.me/killnet_reservs/61. ———. 2022. We are waiting for a coordinated attack. May 12. Accessed November 3, 2022. https://t.me/killnet_reservs/1263. ———. 2022. We attacked Japan. September 6. Accessed December 6, 2022. https://t.me/killnet_reservs/2492. Wilczek, M. 2022. Poland to ban Russian airlines from its airspace. February 25. Accessed November 3, 2022. https://notesfrompoland​.com​/2022​/02​/25​/poland​-to​ -ban​-russian​-airlines​-from​-its​-airspace/. XakNet. 2022. Here is a list of the hacked websites in Ukraine. March 2. Accessed December 3, 2022. https://t.me/xaknet_team/3. ———. 2022. Our message was placed on hacked websites. March 2. Accessed December 4, 2022. https://t.me/xaknet_team/5. ———. 2022. So far, there is a list of our attacks. March 28. Accessed November 23, 2022. https://t.me/xaknet_team/113. ———. 2022. The bank removed our video from its website. March 11. Accessed December 4, 2022. https://t.me/xaknet_team/63. ———. 2022. The Supreme Court of Ukraine is our target! May 20. Accessed 4 December, 2022. https://t.me/xaknet_team/188. ———. 2022. We carried out the defacement attack on a bank. March 11. Accessed December 4, 2022. https://t.me/xaknet_team/49. ———. 2022. We finished the hack of the Ministry of Finance. November 21. Accessed December 5, 2022. https://t.me/xaknet_team/421?single. ———. 2022. We hacked the bank in Ukraine. March 11. Accessed December 4, 2022. https://t.me/xaknet_team/48. Yaplakal. 2022. Russian hackers breach many websites on gov​.u​a. March 3. Accessed December 15, 2022. https://www​.yaplakal​.com​/forum1​/topic2405830​.html. Zarya. 2022. A video is for the State Archive. July 12. Accessed November 23, 2022. https://t.me/informZarya/357. ———. 2022. Archival data files are for you! July 12. Accessed November 23, 2022. https://t.me/informZarya/371?single. ———. 2022. Here is the data from the Columbian State College. July 7. Accessed December 6, 2022. https://t.me/informZarya/354. ———. 2022. UarNet was hacked! July 25. Accessed November 25, 2022. https://t. me/informZarya/391.

Conclusion

Previously, conflagrations between states have always been conducted by various and timely weaponry, from cannons and bows to modern missiles and firearms. However, technical breakthroughs have added the cyber dimension to modern geopolitical conflicts. The current war between Russia and Ukraine has given rise to numerous cyber strikes, carried out by state-controlled and non-state hacking groups and units. Ukrainian and Russian media portals, banking systems, government, and commercial websites have been repeatedly vandalized and crashed with the very real possibility that their data would be stolen and, later, would appear floating on social media or Dark Web markets. Because the cyber world is not subject to any physical boundaries, hacker teams and lone-wolf hackers from across the globe actively engaged in this crisis, drawn in by the chaotic online environment and the potential to commit crimes with impunity. Their motivations can be purely ideological and semi-altruistic or extremely pragmatic and profit-driven; the war in Ukraine helped numerous hacking teams hide their real intentions behind showy support of either Ukraine or Russia when they carried out attacks in the name of financial profit. The landscape of “cyber warriors” was diverse, with many participants still hiding in the shadows and remaining unknown. It should be underlined again that this book examined only the part of the Russian hacker community which fit into the research’s analytical frame. So, given the complex picture of online agents, the cyberspace of both states became a training ground for hackers, where hackers learned new skills and flexed their muscles. The consequences of this cyberwar affect both the commercial and government sectors of dozens of countries, and there is no guarantee that these hackers will not decide to go after more lucrative targets in Europe and the United States after the extensive practice they’ve had so far. Not only will Russian hacking teams launch strikes, but hackers from 219

220

Conclusion

various parts of the world, including the European Union and the United States. In addition, from now on, it will be standard practice for hacktivists to engage in military conflicts all over the globe. Since the first months of the conflict, concerns about the hacker’s fervent activities were on the rise. In May 2022, Abigail Bradshaw, head of Australia’s Cyber Security Center, underlined that the number of engaged hacking entities from both sides of the conflict increased exponentially, and warned the global community that the public engagement in that cause by the actors, and the capacity for that to actually introduce extreme unpredictability and opportunities for spillover and actually for wrongful attribution—and retribution and escalation .  .  . in our world is . . . highly problematic. (Schwartz 2022)

In response to the unfolding conflict, cybercrime statistics showed a significant surge in unlawful online activities (Belson and Woolbright 2022; CrowdStrike 2023; Lopez and Shattuck 2022; Radware 2022). In fact, before 2022, cybercrime had constantly increased across the globe, but the “special operation” in Ukraine fueled it even further. Heeding the disturbing cyber trends, the World Economic Forum, conducted in January 2023 in Davos, Switzerland, recognized cybersecurity as one of the most crucial sectors, which demanded a global response. Moreover, according to the 2023 Global Cybersecurity Outlook report, 93% of surveyed cyber leaders and 86% of business leaders expected a “catastrophic” cyber avalanche during the next two years (Dal Cin and Jurgens 2023). Previous estimates made in 2020 which expected the global cybercrime cost would soar from $3 trillion in 2015 to $10.5 trillion by 2025, can be corrected not only due to the Covid-19 pandemic and economic difficulties, but the war in Ukraine (Fareed 2022). Hacktivists and hackers who started to increase their activities after February 24, 2022, complicate this situation by forcing not only online government networks to enlarge their cybersecurity expenses but also small businesses from remote rural areas far from the conflict zone. Undoubtedly, for many small business owners who already struggle to survive, these expenses will be barely affordable, especially in the long run. By the end of 2022, these Russian hacking groups expanded their activities across the globe and their influence over Russian society. They not only learned the most effective ways to communicate and mobilize the public, but the hackers willingly stayed in contact with the media and openly discussed problems of government “cyber units” with politicians. Some hacking groups created an articulated brand identity with a recognizable symbolic culture and timely brand promises. As their brand promises were supported by widely known cyber strikes against European, Ukrainian, and American digital entities, the hacker groups enjoyed raised awareness and

Conclusion

221

more trust from the public. As a result, Telegram users were ready to assist the hackers in their cyberattacks as well as participate in hackers’ fundraising initiatives. Some groups paid in cryptocurrencies to volunteers, who participated in their cyber strikes. Other groups did not pay their volunteers and rarely asked for public assistance. Before the attacks, the initiators provided the strike toolkit for every volunteer. For instance, in May 2022, volunteers from Telegram, brought by KillNet, helped XakNet to conduct a powerful DDoS strike on the Ukrainian digital system Kropyva. Responding to hackers’ self-presentation as non-profit and patriotic, in 2022, their followers responded to several initiatives to gather money for military units fighting in Ukraine and for orphanages in Russia. Apparently, the number of volunteers who assisted with cyberattacks was much larger than the number of people who donated money. In fact, in 2022, the hacking groups had seen substantial growth of their membership as public interest in their activities continued to soar. It should be underlined that while Ukrainians have their own cyber front and cyber volunteers whose efforts are praised and promoted via the Western and Ukrainian media, Russian society does not have similar cyber “warriors,” and this gap was filled by cybercriminals such as KillNet, People’s Cyber Army, NoName057(16), and other hacking entities. Within Russian cyberspace, a few hacking brands appeared; some teams failed to advance their brands, while other groups were able to thrive. Among the brands that were able to flourish, KillNet can be named the most recognizable hacking brand which became an umbrella for other less successful brand-building hacking teams. With more than 90,000 followers and numerous articles about their strikes in European and American media outlets, KillNet whose team tried to compete with the worldwide fame of Anonymous, is a serious player in the Dark Web. Its team actively managed its social media presence, maintained a consistent symbolic culture, had close engagement with its followers and influencers, and, in general, worked out an effective brand strategy. KillNet was not the first hacking team known to Russian society. Before its appearance, Conti, REvil, Fancy Bear, and other hacking teams made newspaper headlines, petrifying the imagination of ordinary people. However, putting aside productivity and skill, none of the previously famous hacker groups are stuck in society’s collective memory. Instead, KillNet became a brand and a symbol of virtual patriotism. It appeared and presented itself in a flashy manner at the right time. Unveiling some of the mystery surrounding hackers and exploiting the public’s conception of hackers as being almighty, this team gave value to its “customers.” Even though the group had very questionable efficacy as a hacker entity, Russian society would remember KillNet and, perhaps, a few other groups rather than Conti, REvil, or Fancy Bear.

222

Conclusion

From the government’s perspective, within Russian society, a new form of activism, called hacktivism, was formed, ideologically shaped, and has accumulated recognition, influence, and a financial foundation. For now, the hackers have expressed unequivocal support for the state and its military. However, their support is not unconditional, especially for the government and numerous bureaucrats, as posts full of grief toward Russian officials showed. In addition, it is worth recalling that politicians refrained from clarifying the status of hacktivists despite public demand to do so. If the government decides to prosecute the hacktivists, this action will lead to unpredictable consequences and the hacktivists could turn against the authorities. Interestingly, joining the unfolding race to create a recognizable hacker brand, the hacking groups built a coalition of hacktivists without a competitive attitude. Mainly, they did not want to unite under one name but were ready to assist and cooperate with each other. Moreover, by positioning themselves as patriotic entities, these groups gathered and maintained considerable support for each other via mutual reposting and advertising. This allowed the hacker teams to advance their brand names and agendas and gain a number of followers and in some cases improve their financial situation. Among the scrutinized hacking groups or IT-oriented communities, KillNet was the only brand which intentionally and relentlessly looked for intergroup cooperation. Proposing ideological unity and support for cyber offensives, it contacted every hacking entity which emerged on Telegram via private message and underlined its pro-Russian political position. This desire to establish cooperation could be dangerously productive if KillNet ever found a skillful or inventive IT partner. As the study shows, there are many groups which conducted mutual cyber strikes, complementing each other with specialized knowledge and technical capacity, but this intergroup cooperation had a random and temporary character, especially in 2022. Worth noting is the fact that the full-scale coordination of the hackers’ cyberextortion was nonexistent in 2022, and so the Russian hackers’ attacks were mainly spontaneous and random. This conclusion is stemmed from the analysis of the presented hacking groups which were not state-sponsored and were not a part of Russian intelligence agencies. However, this conclusion does not contradict the widely circulated claims about the existence of Russian government cyber units which performed cyberextortion against Ukraine and its allies. Even though the groups which are the subject of this research cannot be considered a “cyber front” due to their limited cooperation and lack of coordination, the hackers did not reduce the intensity of their cyber aggressions, launching numerous strikes and trying to gain a strategic advantage. Moreover, their targeting strategy was driven by news, Russian propaganda, statements from European or U.S. politicians about Russia, articles

Conclusion

223

with unpleasant facts and critical content, and other unplanned events. For the majority of the hackers, situational specifics of any event connected to Russia, its government, or the “special military operation” served as an appropriate motive to begin a cyberattack. Among impulsive strikes, hacking teams such as XakNet, From Russia with Love, Beregini, Joker DPR, KillNet, and Zarya conducted serious, preplanned attacks on Ukrainian, European, and American websites. Many officials and IT analysts underlined that the launched cyber extortions on Ukrainian, European, and other targets were insignificant in terms of their professionalism and as a result, not very effective (Recorded Future 2023; Lewis 2022). Weighing the risks of cyber strikes conducted by hacktivists, even the Russian-based company “Kaspersky” highlights that “most of the time, attacks conducted by these groups have a very limited impact on operations but may erroneously be reported as serious incidents and cause reputational damage” (Kaspersky Lab 2022). It is likely that the actual impact of these cyber offensives has not been apparent yet. Moreover, in 2022, the hackers continuously shaped and increased their IT skills so that even the upcoming deficit of computer equipment due to the imposed sanctions on Russia would not be a serious obstacle for them. Heeding their acute antiWestern attitude, which has been solidified by their participation in the current cyberwar, some of these individuals will be a very serious and dangerous threat. The hacking groups publicly acknowledged that their members were actively engaged in highly illegal actions that would be punished sooner or later, and their pro-Russian patriotic views would not be taken into consideration if the Russian authorities decided to persecute the groups. Nevertheless, looking for legalization in Russia, the hacker groups sent numerous explicit signs to the governmental departments that they would be glad to develop a relationship. Following the same logic, they openly supported the erratic political initiatives of the Russian politicians to insert active hacking groups into the legal landscape. The research underlines that their willingness to cooperate with the authorities and pro-Russian political views does not allow us to conclude that the Russian hacking groups were an FSB project. It is plausible that sooner or later some of these groups will be under the control of the authorities.

REFERENCES Belson, D., and J. Woolbright. 2022. In Ukraine and beyond, what it takes to keep vulnerable groups online. June 2022. Accessed May 23, 2023. https://blog​.cloudflare​.com​/in​-ukraine​-and​-beyond​-what​-it​-takes​-to​-keep​-vulnerable​-groups​-online/.

224

Conclusion

CrowdStrike. 2023. CrowdStrike report 2023. March 3. Accessed May 23, 2023. https://www​.crowdstrike​.com​/global​-threat​-report/. Dal Cin, P., and Jeremy Jurgens. 2023. The 2023 global cybersecurity outlook report. January. Accessed May 23, 2023. https://www3​.weforum​.org​/docs​/WEF​_Global​ _Security​_Outlook​_Report​_2023​.pdf. Fareed, Sam. 2022. Cybercrime will cost $10.5 trillion annually in 2025. May 22. Accessed May 23, 2023. https://www​.cybercert​.ca​/cybercrime​-will​-cost​-10​-5​-trillion​-annually​-in​-2025/. Kaspersky Lab. 2022. Reassessing cyberwarfare: Lessons learned in 2022. December 22. Accessed May 24, 2023. https://securelist​.com​/reassessing​-cyberwarfare​-lessons​-learned​-in​-2022​/108328/. Lewis, James A. 2022. Cyber war and Ukraine. June. Accessed August 12, 2022. https://csis​-website​-prod​.s3​.amazonaws​.com​/s3fs​-public​/publication​/220616​ _Lewis​_Cyber​_War​.pdf​?VersionId​=S​.iEK​eom7​9Inu​gnYW​lcZL​4r3Ljuq​.ash. Lopez, M., and C. Shattuck. 2022. Adversaries continue cyberattack onslaught with greater precision and innovative attack methods according to 1H2022 NETSCOUT DDoS threat intelligence report. September 27. Accessed May 12, 2023. https:// www​.netscout​.com​/press​-releases​/adversaries​-continue​-cyberattack​-onslaught​ -greater. Radware. 2022. Radware H1 2022 report: Malicious DDoS attacks climb. August 17. Accessed May 23, 2023. https://www​.globenewswire​.com​/news​-release​/2022​ /08​/17​/2499768​/0​/en​/Radware​-H1​-2022​-Report​-Malicious​-DDoS​-Attacks​-Climb​ -203​.html. Recorded Future. 2023. The annual report 2022. March 2. Accessed May 24, 2023. https://go​.recordedfuture​.com​/hubfs​/reports​/ta​-2023​-0302​.pdf. Schwartz, Mathew J. 2022. Russia-Ukraine War: 7 cybersecurity lessons learned. May 11. Accessed January 23, 2023. https://www​ .bankinfosecurity​ .com​ /russia​ -ukraine​-war​-7​-cybersecurity​-lessons​-learned​-a​-19057.

Index

Akhmetov, Rinat, 87, 88 AliExpress, 148 Anonymous, 5–12, 16, 18, 21, 23, 27, 31, 33, 59–61, 71, 72, 74, 75, 77, 78, 84, 90, 99, 100, 104, 105, 126, 131, 136, 140, 151–53, 167, 168, 174, 189, 190, 192, 205, 206, 221. See Gomel, Belarus Arestovych, Oleksii, 87 Bear.IT.Army: Department Z, 59, 145, 164 Belarus, 6, 21, 27, 60, 61, 190 Belarusian Cyber Partisans, 5 Beregini, 51, 52, 55, 56, 61, 63, 65, 77, 78, 81–83, 90, 99, 136, 150, 154, 155, 167, 168, 189, 192, 205, 206, 223 Bitcoin, 3, 27, 100, 105 bot, 5, 80, 82, 83, 92, 93, 133, 156 Bumgarner, John, 1

96, 102, 127–29, 131, 132, 135, 145– 47, 149–52, 158, 173, 174, 190–96, 207–10, 221 Deanon Club, 104, 152, 153, 167 Delta, 52, 53, 198–205 Delyagin, Michael, 163, 165 Donbas, 29, 51, 52, 56, 99, 136, 139, 148, 154, 158, 164, 172, 173 Donetsk, 5, 51, 52, 78, 196, 197, 205 Estonia, 164, 207 European Parliament, 131, 132 Eurovision, 128, 129

CarbonSec, 152 Central Election Commission, 28 Chanel, 12, 130, 131 Conti, 221 Crimea, 9, 15, 16, 25, 29, 30, 83, 97

Facebook: Meta, 8, 13, 55, 69, 70, 82, 193, 201, 206 Fancy Bear, 2, 221 FSB, 3, 4, 7, 20–22, 156, 157, 167, 169–72, 223 From Russia with Love (FRWL), 52, 62, 63, 76–78, 80, 81, 84, 86, 87, 89, 90, 96, 99, 127, 128, 135, 136, 140–42, 151, 155, 157–59, 162, 167, 168, 170, 171, 173, 189, 190, 192, 206, 208, 209

Darknet, 27, 33, 51, 58, 102, 104, 114, 170, 174 DDoS, 4, 6, 8, 9, 11, 12, 15–25, 28–33, 60–64, 75, 79, 83, 85, 88, 91–93, 95,

Ghostsec, 5 Gomel, Belarus, 60, 61 GRU, 2, 4, 167 Gusev, Dmitry, 58, 163–65 225

226

Index

Instagram, 14, 53, 144, 173, 204 IT Army of Ukraine: IT Army of volunteers, 13, 32, 78, 198 Joker DPR, 51–55, 65, 77, 78, 81, 83, 90, 99, 104, 105, 136, 155, 157, 167, 168, 189, 190, 192, 198–202, 204–6, 223.See Delta, Zaluzhnyi Kaliningrad, 85, 208, 209 Kaspersky Lab, 30, 33, 223 Kharkov, 12, 63, 95, 201 Kiev, 1, 24, 138, 140, 156, 193, 199 KillMilk, 58, 59, 80, 97, 102, 103, 105, 138, 144, 151–55, 158, 164, 171 KillNet, 51, 52, 58, 59, 61, 63, 71, 74–77, 79, 80, 82, 84–86, 90–97, 99– 105, 128, 131–40, 143–45, 147–54, 157–62, 164, 166–70, 172, 174, 189, 190, 192, 194, 195, 200, 205–10, 221–23. See also Mirai, KillMilk Kolomoisky, Ihor, 87 Kremlin​.r​u, 18, 19, 75 Kropyva: Nettle, 91, 92, 149, 159, 167, 221 Latvia, 21, 164, 207, 208 Lavrov, Sergei, 5 Legion, 59, 128, 129, 147, 149, 194, 205, 208 Lithuania, 85, 144, 164, 208, 209 Lockheed Martin, 151, 152, 155 LulzSec, 72 Lviv, 147, 210 Medvedev, Dmitry, 132, 142 Ministry of Digital Development, 19–22, 31, 33 Mirai, 59, 94, 145 mobilization, 32, 90, 155–57, 159–62, 171, 175 Moscow, 3, 12, 25, 26, 28, 32, 97, 128, 134, 138, 143, 160, 170, 172, 173, 208 Mozart Group, 168, 210

NATO, 3, 23, 24, 127, 137–39, 157, 161, 175, 199, 207 NB65, 5, 22, 23 Nemesis: Nemezida, NemeZida, 64, 77, 78, 82, 84, 154, 198 Nevzorov, Aleksander, 144, 145 NoName057(16), 52, 62, 63, 76–79, 82, 84, 88, 90, 92, 93, 99, 135, 136, 145–47, 157, 164–69, 189, 190, 192–94, 206, 208, 209, 221 Panetta, Leon, 1 Parliament of Ukraine, 191 People’s Cyber Army, 52, 64, 65, 74, 76–78, 82, 83, 90, 93, 99, 135, 136, 155–57, 161, 162, 166–68, 171, 189– 92, 195, 196, 206, 209, 210, 221 Peskov, Dmitry, 4, 19, 27, 75, 143 Phoenix, 149, 151, 152, 174 Poland, 3, 5, 9, 85, 88, 134, 138, 144, 206, 207 Poroshenko, Petro, 87 Putin, Vladimir, 5, 7, 8, 10, 12, 14, 17, 18, 24, 25, 27, 28, 103, 132, 134, 144, 155, 159–61, 170, 204 QIWI, 104, 105, 167, 168 RadiS, 59 Red Hacker Alliance, 72 REvil, 3, 4, 57, 163, 169–71, 221 Rogozin, Dmitry, 23, 138, 143, 203 Rosatom, 23 Roscosmos, 22, 23, 138 Roskomnadzor, 14, 16, 18, 22–24, 26, 70 Rostelecom, 12, 20, 30 RT, 6–9, 69, 70, 75, 171, 202, 203 Rusian Angry Hackers did it (RaHDIt), 52, 63, 64, 77, 78, 82, 90, 99, 136, 154, 167, 168, 189, 197, 198. See also Nemesis, Nemezida, NemeZida Russian celebrities, 142, 143, 145 Russian Duma: State Duma, 18, 22, 58, 75, 165, 203

Index

227

Russian Hackers Team, 59 Russian Ministry of Defense, 18, 75 Russian Orthodox Church, 97 Russia Today, 6–10, 69, 70, 75, 171, 202, 203 Rusvesna. See mobilization Rutube, 6

United States, 1–5, 9, 21, 29, 76, 88, 137, 139, 144, 151, 171, 189, 190, 201, 205, 210, 211, 219, 220

Sberbank, 30, 31, 102, 104, 105 Security Service of Ukraine, 150 Sobchak, Ksenia, 98, 143–45 Sputnik, 6–10, 69, 70 Stuxnet, 1

Wagner, 103, 168, 203, 204

TASS, 7, 10 Tatarsky, Vladlen, 203 Telegram, 9, 14, 19, 20, 32, 53–65, 69–73, 76, 77, 79–84, 87–104, 106, 125–27, 130–36, 138, 139, 142, 143, 145–47, 149, 155–58, 161, 167, 168, 170, 172–75, 189–99, 202–5, 209, 210, 221, 222 Twitter, 5, 22, 23, 26, 55, 69–71, 131 United Kingdom, 9, 190, 205, 209–11

Viasat, 194 Vkontakte, 14, 60, 70, 71, 95, 101, 133, 203

XakNet, 52, 57, 58, 61, 63, 71, 74–77, 80, 82–84, 87, 88, 90–93, 96–100, 105, 127, 128, 130, 131, 134–37, 140–42, 145, 149–51, 153–55, 157, 158, 161–71, 189, 190, 192, 194–97, 206, 221, 223 Yandex, 6, 172 YouTube, 6, 8, 55, 58, 69, 70, 144 Zaluzhnyi, Valerii, 53, 204, 205 Zarya, 52, 59, 61, 79, 90, 94, 99, 102, 127, 128, 149, 150, 154, 164, 169, 170, 189, 190, 192, 194, 195, 206, 210, 223 Zelensky, 13, 14, 89, 136, 139, 141

About the Author

Dr. Julia Sweet earned her degrees in history at the Novgorod State University, Russia. Later, she graduated with a PhD in Global Affairs from Rutgers University. In the dissertation research, she examined the online terrorist network (2013–2018) in the Russian cyberspace. Previous publications reflect her interest in social media, cybercrime, political marketing, online extremist networks, and social media movements.

229