Army of thousands of hackers threatens Russia with constant attacks

“We are creating an IT army,” Mykhailo Fedorov, Ukraine’s secretary of digital affairs, wrote on Twitter on February 26. Two weeks after the Russian invasion, the leader promised tasks for “digital talents“ from all over the world. Fedorov offered up a Telegram link for a group that earlier this week reached more than 300,000 members. Anyone can join, and the group’s leaders have offered up a steady stream of ideas for specific attacks, from blocking webpages of Russian railroad companies to analyzing emails obtained through hacking members of the Russian parliament or regional Russian governments. “Please lend us a hand. We’ll make a group chat to share creative ideas and take on the information war. Everyone can join,” a Telegram message says.

The hacker collective Anonymous has also joined the strategy. Since the conflict began, its members have proposed and executed attacks of varying levels of success. One such attempt involved barraging the restaurant review section on Google Maps Russia and Belarus with messages about the invasion, in order to directly inform Russian citizens about the war. There is no evidence that the action was successful, but Google announced that it would limit the service: “Due to a recent increase in content submitted to Google Maps related to the war in Ukraine, we have implemented additional protections to monitor and prevent content that violates our Maps policies, including the temporary blocking of new reviews, photos and videos in Ukraine, Russia and Belarus,” sources from the company said.

Anonymous is also credited with hacking hundreds of surveillance cameras in Russia to release messages against the invasion of Ukraine and “incite civilians to combat” the Kremlin, according to a Bloomberg reporter. They hacked the screens of electric-car charging stations in Moscow to display messages such as “Putin is an asshole” and “Glory to Ukraine.” And they coordinated a massive spam campaign to randomly email Russians about “the truth about the war in Ukraine.”

Anonymous is an open, unstructured organization. To join the organization, potential members need only claim to be part of it. EL PAIS asked a Twitter account, which was created in 2020 and has tens of thousands of followers, if it was the “official” Anonymous account: it isn’t the biggest account, but it tweets daily about Ukraine. The account responded: “We are all a team. There is no official Anonymous.” That decentralization allows for any individual or organization to operate underneath the organization’s name.

“They don’t have a well-defined strategy, because, among other things, the very idea of the group is that they don’t even know who the others are. Anyone can be part of Anonymous as long, as they take on its values,” explains Andrea G. Rodriguez, a researcher focused on emerging technologies at the European Policy Center in Brussels.

Anonymous’s work has inspired many similar groups. A Belarusan group called Cyber Partisans announced at the beginning of the conflict that it had sabotaged train services that transported Russian troops in Belarus, though its exact reach is not known. And some also support Russia: Conti is a similar group dedicated to ransomware – a kind of malware program that takes control of a system and releases it only after the user provides a ransom payment. An unknown Twitter account leaked more than a year’s worth of Conti chats, which announced the group’s support of the Russian invasion. No one knows for sure who is behind them, though the Twitter account claims to be managed by a “Ukrainian patriot” cybersecurity researcher.

This growing amalgam of groups may have unforeseen consequences. “It doesn’t have much of a precedent,” says Lukasz Olejnik, cybersecurity researcher and ex-cyberwar advisor for the International Red Cross Committee in Geneva. In the case of the Ukrainian cyberwar, he adds, “it seems to be led from above, but it’s not clear whether the real effects of these activities have any significant contribution to the armed conflict.”

It’s not clear, either, which countries harbor Anonymous cyber-activists or what level of coordination they really have. Regional subgroups, however, are known. In Spain, for example, the recent hacktivism report from the National Cryptology Center (CCN-CERT), the branch of the Spanish intelligence service dedicated to cybersecurity, identified three such groups: Anonymous Spain, Anonymous Catalonia and the 9th Anonymous Company, which calls itself La Nueve. “We make up a finite perspective of the much wider concept of Anonymous, which escapes all definition,” La Nueve said in an interview published on their Tumblr.

Despite the spectacular nature of the video in which Anonymous announced Operation Russia, its real capacities are limited. “They are more saboteurs than anything else. On paper, they don’t have the means to carry out a serious cyberattack, like entering the Kremlin’s systems, blocking an electric network or taking control of the Russian control center for the drones used in Ukraine,” Rodríguez explains.

“It seems like so far there haven’t been any high-impact cyberattacks,” Olejnik says. “Except maybe two, one of which is the supposed blocking of the internet via KA-SAT satellite the day the invasion began. The other significant effect is the supposed interruption of refugee processing, due to the cyberattack that erased border control’s information systems,” the day before the invasion, he says.

The CCN-CERT report maintains that the hacktivist scene in Spain “is made up of individuals with null or low technical training as cyberthreats, with weak or nonexistent collective coordination and group identity, and motivated fundamentally to achieve notoriety through mentions on social media.” According to the institution, the threat is just as weak on an international level.

Is a government behind it all?

Hacktivist groups have a reputation for being cyberspace justice warriors, which brings them respect among the hacker community and the general population. It’s no coincidence that Anonymous, the most famous group, uses as its identifying image the Guy Fawkes mask used in the movie V for Vendetta, for millennials a symbol of resistance against tyranny. That prestige appeals to those who want to carry out cyber attacks without revealing their identities. The group’s anonymity makes its members interchangeable. It’s not known whether any country’s secret services have passed themselves off as hacktivists to cover up an attack. But government-funded hacker groups, known as APTs, are known to exist.

It happened in 2017 in Ukraine. The Russian group Voodoo Bear released the virus NotPetya, originally designed to affect the most common accounting software in the former Soviet Republic. The virus later spread across the planet. The group also carried out a series of attacks to sabotage telecommunication networks, using the name F Society, a fictional group of cyber activists from the TV series Mr. Robot. According to Adam Meyers, intelligence head at CrowdStrike, that was the first time that the APT executed a false-flag attack.

A decade before, in 2007, Estonia suffered a series of cyberattacks that blocked the country’s digital infrastructure when the authorities decided to move a Soviet monument to a less-visible part of the capital city of Tallinn. Though the attacks came from hundreds of personal computers located in dozens of countries, coordinated on internet forums, NATO suspected that Moscow was behind the operation. The Kremlin has always denied it.