Analysts at IT security firm Mandiant have investigated some hacktivist groups on Telegram. They found links to the Russian-federation/">Russian military intelligence service GRU. The Telegram channel administrators and group leaders were either controlled directly by the GRU or cooperated with the service. However, individual group members are certainly traveling independently of Russia.

In particular, researchers have focused on three Russian-speaking groups coordinated via Telegram since the start of the Russian invasion of Ukraine: XakNet Team, Infoccentr, and CyberArmyofRussia_Reborn. In doing so, they came across clear indications that the moderators of the groups had a connection with the Russian state. This includes the analysis of the chronological course of system intrusions and data leaks in Ukrainian organizations.

Adobe and all its news at NAB 2022

• TAGS
• adobe

Self-proclaimed hacktivists

The group members considered themselves hacktivists. However, due to state control by Russia’s military intelligence service, there can be no question of this. The groups essentially carried out DDoS attacks, website defacements and data theft intrusions, Mandiant explains in the analysis.

Mandiant assumes that the groups’ moderators coordinate their operations with the Russian secret services. The fact that tools from the well-known GRU-backed cyber gang APT28 were found in the networks of the Ukrainian victims contributes to the impression. In addition, the data stolen during the break-ins was published on Telegram within 24 hours of the deletion activities by APT28 – the cyber war against Ukrainian organizations started in February with such wiper malware. Other indications are inauthentic activities by the moderators and similarities to previous GRU operations.

Tight gangs of cybergangs

The IT security researchers have also found connections between the XakNet team and the pro-Russian cyber gang KillNet. These also indicated that XakNet and KillNet coordinated some of their actions. KillNet emerged around the end of June with DDoS attacks on Lithuania. XakNet team moderators are likely working at the behest of the Kremlin, Mandiant concludes that a leak from the group included a tool from APT28 that is very unique. The moderators are either GRU officers or work directly with the GRU APT28 officials.

From CyberArmyofRussia_Reborn, Mandiant assumes that the moderators at least coordinate their activities with APT28. The timing of data release and the group’s association with XakNet, although the nature of this relationship is unclear, suggest this. The main goal of the channel is defamation, making it into press releases and influencing politics.

The Telegram channel Infoccentr, on the other hand, was launched in early March and is dedicated to pro-Russian (dis)information campaigns, the analysts explain. The pro-Russian group members fought against anti-Russian and pro-Ukrainian currents on social networks and other information channels. The moderators coordinated their actions at least with APT28, which the researchers conclude from the timeline of data leaks and the gangs with XakNet.

Tracking down the links between so-called hacktivists and Russian spy and attack groups can help victims assess the risk of compromise and prepare themselves and their customers for potential data breaches — and mitigate some of the impact, Mandiant says. The company is also observing other groups and expanding its findings, for example on the goals and links between KillNet, FromRussiaWithLove (FRWL), DeadNet, Beregini, JokerDNR (alternative spelling JokerDPR) or RedHackersAlliance.