Hacktivism

Mandiant identifies 3 hacktivist groups working in support of Russia

Researchers are tracking multiple self-proclaimed hacktivist groups working in support of Russia, and identified 3 groups linked to the GRU.

Mandiant researchers are tracking multiple self-proclaimed hacktivist groups working in support of Russia, and identified 3 groups linked to the Russian Main Intelligence Directorate (GRU).


The experts assess with moderate confidence that moderators of the purported hacktivist Telegram channels “XakNet Team,” “Infoccentr,” and “CyberArmyofRussia_Reborn” are coordinating their operations under the control of the GRU.

The so-called hacktivist groups conducted distributed denial-of-service (DDoS) and defacement attacks against Ukrainian websites, but the experts believe that they are a front for information operations and destructive cyber activities coordinated by the Kremlin.

The experts discovered that some APT28 tools were used to compromise the networks of Ukrainian victims, whose data was subsequently leaked on Telegram within 24 hours of wiping activity by APT28.

The APT28 group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM) has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 Presidential election.

The group operates out of military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

Most of APT28's campaigns leveraged spear-phishing and malware-based attacks.

Mandiant identified at least 16 data leaks from threat actors claiming to be hacktivists, four of which coincided with wiping attacks conducted by Russia-linked cyberespionage group APT28.

“Mandiant has only observed the use of CADDYWIPER and ARGUEPATCH by APT28, although we note that others have publicly attributed some CADDYWIPER deployments to Sandworm.” reads the report published by Mandiant. “In two incidents, Mandiant observed APT28 conduct wiper attacks, which were followed, within 24 hours, by data from the victims being leaked on Telegram. In both instances APT28 deployed ARGUEPATCH, which dropped CADDYWIPER.”

Mandiant researchers are not able to determine the composition of these groups or their exact degree of affiliation with Russian military intelligence.

“While the exact nature of the relationship is unclear” states the report, “it likely falls into one of two general possibilities:

  • GRU officers may directly control the infrastructure associated with these actors and their activities may be a front for GRU operations, similar to the relationship between the GRU and the false persona Guccifer 2.0.
  • The moderators respectively running these Telegram channels may directly coordinate with the GRU; however, the moderators may be Russian citizens who are not Russian intelligence officers. There are multiple possible configurations through which this dynamic could manifest, including but not limited to initial GRU support for third parties to establish the channels or subsequent links established after initial channel creation.”

Experts believe that the moderators of the XakNet Team channel are directly supported by APT28, based on XakNet’s leak of a technical artifact APT28 used in the compromise of a Ukrainian network. The unique nature of this technical artifact suggests that the moderators of XakNet Team either are GRU intelligence officers or work directly with the GRU APT28 operators.

“Russia’s February 2022 invasion of Ukraine created unprecedented circumstances for cyber threat activity. This likely is the first instance in which a major cyber power potentially has conducted disruptive attacks, espionage, and information operations concurrently with widespread, kinetic military operations in a conventional war.” Mandiant concludes.


Pierluigi Paganini

(SecurityAffairs – hacking, Russia)
