September 28, 2022

Mandiant, a threat intelligence and incident response company run by Google, has revealed that it has found at least three suspected hacktivist groups working in support of Russian interests, likely working with state-sponsored cyber-threat actors, while targeting Ukraine since the Russian invasion began in early 2022.

Mandiant has also discovered limited links between the alleged hacktivist Telegram channels “XakNet Team,” “Infoccentr,” and “CyberArmyofRussia Reborn,” and cyber-threat actors sponsored by the Russian GRU. Analysis is largely based on the introduction of GRU-sponsored APT28 tools into the networks of Ukrainian victims, whose data was later leaked to Telegram within 24 hours of the deletion of APT28, as well as other indicators of fake interactions by moderators and similarities with previous GRU information operations.

It claims to be tracking self-proclaimed hacktivist groups that work in support of Russian interests, that have carried out primarily distributed denial-of-service (DDoS) attacks, and that have leaked stolen data from victim organizations.

Although some of these actors almost certainly operate independently of the Russian state, it has identified a number of so-called hacktivist groups whose facilitators are suspected of being either a front for or in cooperation with the Russian state.

The conflict in Ukraine has also opened up new opportunities to better understand the scope, coordination, and effectiveness of Russia’s cyber programs, including the use of social media by threat actors.

Moreover, platforms like Telegram were used before the invasion to influence perceptions of imminent Russian military movements and were widely used by both Ukraine and Russia to influence both international and domestic audiences.

The sources for this piece include an article in TheHackerNews.