Theories that the war between Russia and Ukraine is rewriting modern warfare with the involvement of third-party cybercriminal groups and hacktivists may be overblown, a new research paper claims.
In a study released this month, six academic researchers from the universities of Cambridge, Strathclyde and Edinburgh argue that while the onset of the war saw notable involvement from groups like the IT Army of Ukraine and others defacing websites or conducting denial-of-service attacks against Russian sites, as well as threats from ransomware groups and other cybercriminal groups acting on behalf of Russia, that activity tailed off significantly in the months after the invasion began, as many participants got “bored” and moved on.
“Our findings indicate that the conflict briefly but significantly caught the attention of the low-level cybercrime community, with notable shifts in the geographical distribution of both defacement and DDoS attacks. However, the role of these players in so-called cyberwarfare is minor, and they do not resemble the ‘hacktivists’ imagined in popular criminological accounts,” wrote authors Anh V. Vu, Daniel R. Thomas, Ben Collier, Alice Hutchings, Richard Clayton and Ross Anderson.
To reach their conclusions, the researchers collected evidence of more than 281,000 web defacement attacks and 1.7 million reflected distributed denial-of-service (DDoS) attacks executed in the two months before the invasion and the four months following, as well as announcements posted on volunteer hacker forums and interviews with unaffiliated pro-Russia and pro-Ukraine hackers who took part in the attacks.
The beginning of the war did kick off intense interest from groups like the IT Army, Anonymous and other volunteer partisan hackers, who swore to extend the conflict to the digital arena by shutting down Russian or Ukrainian businesses, governments and critical infrastructure. Further, ransomware groups like Conti made public pronouncements in support of the Russian government while threatening to attack critical infrastructure in Western countries that opposed the invasion and funneled arms to Ukraine.
The reliance on civilian hackers in a hot war has caused some consternation among U.S. officials. Both NSA Cybersecurity Director Rob Joyce and National Cyber Director Chris Inglis have said in recent months that the U.S. does not endorse vigilante hacktivism, with Joyce saying he worried it could undercut international efforts to pressure countries like Russia to be more accountable for the actions of ransomware groups and other cybercriminals operating within their own borders.
“I think all of us wanted to root for those folks. It was a little bit of a challenge that they were out there launching attacks on another country in an era where we’re trying to hold the Russians accountable for the attacks emanating out of their space, right?” said Joyce at the RSA Conference in San Francisco in June.
However, the researchers argue that alarmist predictions of civilian-directed cyberwar “have not come to pass” and much of the activity they did track amounted to small nuisance attacks against unaffiliated websites and organizations.
“Our analysis challenges ‘cyberwar’ narratives of a cybercrime underground producing organised, motivated, and technically skilled hacktivists. Instead, we find that most budding cyberwarriors used trivial attacks to take down meaningless minor targets and largely got bored after a couple of weeks,” the authors write.
It should be noted that not everybody agrees with the researchers' view that non-governmental hackers have gone quiet. Intel 471, a threat intelligence company that tracks the infrastructure, communications and activities of cybercriminal groups, has not observed a drop-off in interest in the Ukraine-Russia war among non-governmental hackers, with chief intelligence officer Michael DeBolt telling SC Media that “we are not seeing signs of this interest waning” in recent months.
“We are not seeing a meaningful decline in interest by activists who have aligned themselves to pro-Russian or pro-Ukrainian causes,” said DeBolt. “Since the start of the war, some threat actors operating in the cybercrime underground have pivoted their motivation from purely financial gain to geo-political ends leveraging their tools, infrastructure, and capabilities to advance the cause of whatever side they have chosen.”
He did acknowledge that tracking this kind of activity and its impact can be difficult, as it relies in part on corroboration from unreliable parties, and that on the whole the cybercrime underground has remained largely unaffected by the conflict and dominated by financially motivated actors who couldn’t care less about geopolitical or ideological goals.
The war has also seen unprecedented involvement from legitimate businesses in the West and other regions, though this assistance has largely been defensive in nature. Still, some have backed the notion that offensive campaigns by volunteer groups, legitimate businesses and individuals have attempted to impose costs on Russian society without the visibility or ground-level intelligence that nation-states and militaries use to pick strategic and relevant targets.
Oliver Tavakoli, chief technology officer for Vectra AI, which has offered free cybersecurity tooling and monitoring for organizations whose digital assets may be targeted in the fallout of the war, said the explosion of third-party hacks in the wake of the invasion has led to a diffusion of central control, creating “a weird situation where you’re worried about inbound vectors, [but] you’re also worried to a certain degree about becoming an outbound vector and becoming a legitimate target as part of that.”
“What we’ve started seeing, interestingly enough, is within our customer base — which is not in Ukraine — seeing sympathetic parties, employees using the infrastructure of our customers’ environment to start to try to attack what they view to be Russian targets, and without really high-quality targeting capabilities and a clear understanding of what they’re doing,” Tavakoli told SC Media earlier this month. “So for example, you’d see a Russian website being hosted in a German web hosting company being attacked by servers within a customer network.”