Russia-Ukraine War: Role of Hacktivists Vastly Overestimated
Criminal Underground Briefly Assisted But Quickly Grew Bored, Researchers Find
The role and impact of criminal hackers and hacktivists in the Russia-Ukraine war has been vastly overestimated.
So say a team of researchers who reviewed attacks that pro-Ukraine and pro-Russia hacktivists claim to have carried out following Russia's February invasion of Ukraine.
The hacktivist attacks, which the researchers largely ascribe to the "low-level cybercrime community," appeared to only involve "minor," nuisance-level efforts - mostly website defacements and distributed denial-of-service attacks - and also appeared to have quickly petered out, the researchers write in a new paper, "Getting Bored of Cyberwar: Exploring the Role of the Cybercrime Underground in the Russia-Ukraine Conflict."
The researchers cataloged a number of such efforts since the war began:
- Web defacement: 281,000 attacks;
- Reflected DDoS incidents: 1.7 million attacks;
- Hacktivist groups: 441 announcements and 58,000 replies.
They say such efforts surged at the beginning of the conflict before rapidly diminishing.
"Our main finding is that there was a clear loss of interest in carrying out defacements and DDoS attacks after just a few weeks," write Anh V. Vu, Daniel R. Thomas, Ben Collier, Alice Hutchings, Richard Clayton and Ross Anderson. Their findings are based in part on interviews with website defacement participants.
"Contrary to some expert predictions, the cybercrime underground's involvement in the conflict appears to have been minor and short-lived; it is unlikely to escalate further," write the researchers, who variously hail from the University of Cambridge, University of Strathclyde and/or University of Edinburgh.
The attackers do not appear to have attempted to target, or been tasked with targeting, anything with significant strategic value. The researchers say that "rather than targeting critical infrastructure, there were mass attacks against random websites within '.ru' and '.ua'. We can find no evidence of high-profile actions of the kind hypothesized by the prevalent narrative."
Moscow Not Organizing Criminals
This isn't the first time that experts have questioned the real-world impact of criminals on the war.
Despite calls for the criminal underground to assist the Russian government, there has been no government-level coordination, such as marshaling ransomware groups and disseminating target lists, says the operational security expert known as the grugq.
Russia's law enforcement and intelligence agency establishment - including the GRU, FSB and SVR - "does not look at the ransomware guys as providing any sort of military technologies or military capacity that they can use," he said in a May 23 conference presentation titled "The Dynamics of Russian Cyberwar."
Russian criminals, meanwhile, are often self-styled Mafiosi who aren't predisposed to work for free on behalf of the motherland or who at least want to project that sort of "tough guy" image, he said.
As a result of these factors, he added, including "the desire to make money rather than to do patriotic stuff, the misunderstanding of the civilian cyber capability that exists and the various other problems that the Russians have with utilizing their ransomware teams means that essentially, we're not seeing any of these more interesting capabilities being deployed."
Hacktivism: 'Expressive Delinquency'
Meanwhile, the hacktivist IT Army marshalled by Ukraine, designed to recruit not only concerned citizens but also computer-skilled criminals and others with hacktivist leanings, also had a "mixed" impact on Russian networks and computer systems, the "Getting Bored of Cyberwar" authors say. They say that "the targets they promoted were seldom defaced although they were often subjected to DDoS attacks."
The involvement of individuals acting as hacktivists on both sides of the conflict alarmed Western intelligence officials, who cautioned that such efforts violate international cybersecurity norms and could blur the battlefield, with civilians potentially being treated as combatants (see: Ukraine's 'IT Army' Call-Up: Don't Try This at Home).
But the researchers say that defacements were akin to spray-painting propaganda in an abandoned shopping center. Similarly, "the DDoS campaigns by the cybercrime underground contributed around as much to the war as going to your local supermarket and hiding the vodka under the frozen peas," they write. "These are trivial acts of solidarity, teenage competition and expressive delinquency, not a contribution to the armed conflict in any real sense."
From a morale standpoint, however, the pro-Ukraine IT Army arguably had an impact, in terms of helping to disseminate propaganda and messaging that promotes Ukraine's cause, as well as giving an outlet to individuals who want to help. Indeed, the researchers say that the "cultural expression" such efforts provided, as well as their "soft power" impact in the context of a broader "information war," are of interest, not least when viewed as part of youth culture.
Ukrainian Government: Hacktivists Not a Threat
Ukrainian officials have previously dismissed the impact of Russian hacktivist efforts, saying that Moscow-backed nation-state attackers pose the biggest challenge, rather than hacktivist groups publicly organized using Telegram channels.
"When we're talking about serious and well-planned operations that require a lot of human resources and technically advanced tools and financial resources, obviously they will be organized in stealth mode in order to gain as much effect and impact on our infrastructure as possible," Victor Zhora, deputy head of Ukraine's cyber agency, told Information Security Media Group in a recent interview.
Rather than DDoS attacks or defacements, "wipers continue to be the biggest challenge, together with exfiltration of data or sowing chaos and subversion with the use of cyberattacks," he said (see: Ukraine's Cyber Defense: Wipers Remain 'Biggest Challenge').