In recent weeks leading up to and through the invasion of Ukraine, divisions have formed within the hacker community worldwide. So obvious, in fact, that we may be witnessing a civil war within that community.
Hackers can be divided many ways. The most common is white/black/grey hats. White Hats are “ethical” and general work for corporations, governments or NGOs for the purpose of protecting their employers from the Black Hats. Black Hats who maliciously violate computer security. Both are profit-motivated, but the former does it with legal protection and the latter is considered a criminal, even when working under state sanctions.
Then there is the Grey Hats who may violate laws or typical ethical standards but without malice. Oftentimes, these hackers are called “hacktivists” and for a social or political outcome. White Hats and Black Hats can become Grey Hats depending on where they fall on social and political issues. The Ukraine invasion has become one of those issues with hackers taking sides regardless of the financial motivation.
Anonymous steps up
The most visible example is the public announcement by Anonymous. The grey-hat group declared on Twitter that the “collective is officially in cyberwar against the Russian government. They followed up by taking down the Russian-state controlled international television network RT and Sberbank, Russia’s biggest lender, which is now facing failure.
Other groups have joined Anonymous, including NB65, Ghostsec, AgainstTheWest, and the Belarussian Cyber Partisans. The Ukrainian government has been actively recruiting hackers around the world to create the IT Army of Ukraine, now 175,00 strong, to target Russian and Belarussian infrastructure and finance.
But Russia is not without its cyber allies. The BBC ran a report on one Ukrainian hacker who declared, “I want to help beat Ukraine from my computer.”
The hacker works for a Ukrainian cybersecurity firm and has recruited six other hackers in the country, including two of his coworkers, to take down Ukrainian government websites with DDoS attacks. His work is unsanctioned by the Russian government or known by his employers.
“If my employer found out I would not have a job,” he said. He also said he hoped the Russian government was watching because he would like to be on the payroll. So even a political influence isn’t completely devoid of financial gain.
Internal threats
Last week, Russian-sympathizing hackers emailed 20 bomb threats to schools, hacked into dashboard cameras of an unidentified Ukrainian “rapid response team” and found a way to set up official emails using a Ukrainian government email service. According to the BBC, the hackers plan to use it to carry out targeted phishing attacks.
Dissension within the ranks of black hats is also roiling the waters. The Conti Ransomware Group Conti initially pledged its support for Russia in two statements. On Feb. 25, Conti “officially” announced “full support of the Russian government” shortly after the invasion began. The gang threatened to use “all possible resources” to attack the critical infrastructure of any enemy who organizes “a cyberattack or any war activities.” Shortly after that statement, a dissenting member of the group leaked a year’s worth of Conti internal memos to a threat intelligence company.
(Note: The Conti Ransomware Group is separate from the Conti Group, a project management company in New Jersey.)
Mission creep
The cyberwar is beginning to leak out of Ukraine to other countries. Researchers are reporting a sharp increase in phishing attacks in Western countries (Cyber Protection Magazine has also noted the increase. Microsoft researchers recently detected a new piece of malware, Foxblade, on Ukrainian servers that could leak out to other servers. The malware erases data on servers. Microsoft has issued patches.
And that is representative of the third side of the cyberwar triangle, the white hats. Tech companies like Microsoft are gearing up as Ford Motor did in WWII, but instead of building tanks, the companies are creating public-private partnerships to rapidly respond to cyber attacks.
“We are a company and not a government or a country,” Brad Smith, Microsoft’s president, noted in a blog post issued by the company on Monday, describing the threats it was seeing. “I’ve never seen it work quite this way or nearly this fast. We are doing in hours now what, even a few years ago, would have taken weeks or months.”
Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.
UPDATE: Wired reports that the Conti ransomware gang has closed shop over the hack of its communications.
“ The infamous Conti ransomware gang has long been thought to be based in Russia, and last week the group announced its support for the Kremlin’s invasion of Ukraine. Since then, Conti has suffered a series of damaging leaks. A Twitter user with the handle @ContiLeaks dropped about 60,000 messages from Conti’s internal chats on Sunday, revealing details about the inner workings of the organization, including how the group recruits and trains members. Then @ContiLeaks published a second trove that included more than 100,000 more internal messages and files related to accessing the group’s application programming interfaces and source code. By Wednesday, researchers began noticing that Conti was dismantling its infrastructure. It’s not uncommon for ransomware groups to go underground and rebuild under a new name, but the saga shows the severity of the blowback Conti received from pro-Ukraine hacktivists.”
Pingback: How Cybersecurity Businesses are Tackling the Ukraine War - Cyber Protection Magazine