A new generation of sophisticated hackers is emerging from the Russian war in Ukraine as activist-minded operators get hands-on cyberwar training that could be used outside the conflict, the cyberintelligence firm Recorded Future warns.
Throughout the war’s first year, Recorded Future analyst Alexander Leslie said his team has observed hackers sharing tools and teaching legions of new followers as the company constantly monitors them through the use of data analytics and scraping tools.
“We’re very concerned that there is now a new generation of threat actors who are motivated by the conflict, who have real-world, hands-on cyberwar experience that if they were to turn to financially motivated cybercrime, the transition would be rather simple,” Mr. Leslie said.
Cyberattacks leveraging “hacktivists” swelled in March 2022, soon after Russia’s invasion of Ukraine on Feb. 24, according to a report from Recorded Future published Friday. Such crowdsourced digital attacks involve a central activist hacker sharing a hit list with throngs of devoted followers, who victimize targets while the lead actor claims responsibility for the ensuing damage and chaos.
The firm said it identified about 1,000 entities as victims of hacktivist activities spread across Russia, Ukraine, the U.S., Belarus, France, Latvia, Poland and elsewhere in the year since the war began, though it noted that the exact number may be far higher.
Mr. Leslie, the report’s lead analyst, said his team has seen pro-Russian and pro-Ukrainian hacktivists share tools, attack techniques and malware that would be dangerous if deployed in a different context, such as by a financially motivated ransomware attacker.
To analyze digital threats and the actors behind them, Recorded Future uses a natural language processing system, language analysis, optical character recognition analysis for images, and other tools to scrape digital sources.
On the Ukrainian side of the digital war are groups such as the IT Army of Ukraine and Anonymous. The pro-Ukrainian hacktivists conducted hack-and-leak operations, ransomware and data extortion, website defacements, and distributed denial-of-service (DDoS) attacks that overwhelm websites with traffic, according to Recorded Future.
The IT Army of Ukraine has nearly 200,000 followers of its account on Telegram. Recorded Future said its roots trace back to Ukraine’s minister of digital transformation, Mykhailo Fedorov.
Recorded Future tracked about 100 pro-Russian hacktivist groups during the war’s first 100 days. Killnet emerged as the leader in the war’s first year. Just five major pro-Russian hacktivist groups remained as of Feb. 10.
“The vast majority of these groups, the ones that we point to in the report, conduct like one DDoS attack. They attack an airport in the United States or one Ukrainian government entity, and then their account is suspended on social media and you never hear of them again,” Mr. Leslie said. “And I think this was a little bit ‘clout chasing.’ I think this was a little bit for media attention to pile on.”
Some of the disappearing pro-Russian hackers appear connected to a Russian “brain drain” of information technology workers. Some have fled to more hospitable nations and others have been conscripted into military service in Russia, according to Recorded Future’s report.
Other cyberattackers on the digital battlefield have experience in cybercriminal gangs. Google said last week that it saw former members of the Conti ransomware gang, which has hit U.S. infrastructure, repurpose their techniques to aim at Ukraine under the banner of UAC-0098.
Recorded Future believes the national security threat posed by pro-Russian hacktivists has been limited so far to their ability to cause panic and spread Russian propaganda.
The danger posed by the ongoing cyberbattles is more widespread. CrowdStrike head of intelligence Adam Meyers said he thinks Russia is preparing for a spring offensive that will use cyberwarfare capabilities, and he foresees cyberespionage aimed at countries neighboring Ukraine.
U.S. officials have credited the federal government’s work with technology companies such as Microsoft for the absence of cyberwar spreading in devastating fashion throughout the Western world. The National Security Agency told The Washington Times this month that its “power collaboration” with tech companies to eradicate malicious cyberoperations had a big impact in Ukraine.
Recorded Future said it has worked with the U.S. government, but it would not explain which agencies.
Ukraine and Recorded Future’s partnership on cybersecurity is long-standing. The two signed a formal memorandum of cooperation in December 2022 for the cyberintelligence firm to protect critical infrastructure inside Ukraine.