Hacker attacks: Cyber mafia by Putin’s grace?


Exclusive

As of: 04/06/2023 4:23 p.m

Websites are being paralyzed across Europe – possibly by pro-Russian hackers. Experts warn of the emergence of a mixed scene of cybercriminals, hacktivists and Russian secret services.

By Florian Flade, WDR/NDR

Suddenly nothing worked. Websites and Internet portals nationwide were no longer accessible this week, including the online presence of state ministries and police authorities. They simply collapsed under the load of massive access to the servers, as did numerous websites in other European countries. The new Ukraine platform of the German development ministry, which is to be used to organize aid for the country’s reconstruction, apparently just barely withstood an attack.

Such attacks are called distributed denial-of-service, or DDoS for short. In the meantime, a pro-Russian hacker group called “NoName057(16)” has claimed responsibility. The attacks on the websites, the hackers said, were a reaction to Finland’s accession to NATO, which formally took place this week.

Targeting critical infrastructure?

The paralysis of websites through a targeted overload is considered a comparatively simple cyber action. Nevertheless, such attacks point to a trend that IT security researchers and German security authorities have been observing with concern for some time: pro-Russian hacker groups that describe themselves as supposed patriots are increasingly emerging, and in the wake of the Russian war against Ukraine they have openly sided with the Kremlin.

Some of these hackers also appear to have recently linked up with cybercriminals who were previously known for attacking companies with ransomware. In coordinated actions, they are now targeting seemingly critical infrastructure in Europe and North America. These are areas in which human lives are at stake.

“Bad Gut Feeling”

So far, the motivation behind it is unclear: whether the hackers really see themselves as patriots loyal to the Kremlin and supporters of the Putin regime, or whether the Russian state is exerting targeted pressure on the cyber mafia and using the hackers as willing tools for its purposes. A third option is also conceivable: a symbiosis of cyber criminals and state actors.

Those in security circles say they have an “uneasy gut feeling” because something is apparently brewing in the scene of cybercriminals and hacktivists. Attributing a specific attack to those behind it is sometimes more difficult. There is great concern that a dangerous mix of cybercriminals, hacktivists and Russian secret services is emerging, which could no longer just shut down websites or steal data, but also carry out serious sabotage attacks.

Merger of hacker groups

One of the main actors so far is the “Killnet” hacker group, which is mainly known for DDoS attacks, i.e. the paralysis of websites. Initially, the hackers sold the attacks as a service. But with the start of the Russian attack on Ukraine on February 24, 2022, they changed their business model. Since then, “Killnet” has obviously been politically motivated and regularly carries out attacks on western targets. These include websites of NATO, European governments or American airports.

In December 2022, “Killnet” joined forces with other, mostly Russian, hacker groups such as “Anonymous Russia” or “Mirai Botnet” and founded an online platform. Malware, cyber services and data leaks are distributed and traded on this platform. There is also an exchange about future attack targets and methods. Former “Killnet” members are also said to have networked with other groups such as “XakNet”, “CyberArmy”, “Beregini” or “NoName057” in order to carry out joint attack campaigns in support of Russia.

Germany is also the focus of the pro-Russian hacker collective. In January, “Killnet” began spreading the hashtag #DeutschlandRIP on social networks. Shortly thereafter, cyber attacks were launched on various targets in the Federal Republic. A Berlin hospital was also affected. Earlier this year, in response to the delivery of Leopard tanks to Ukraine, the hackers published blueprints of the tanks on one of their Telegram channels, along with recommendations on where to shoot.

Connections to secret services

The Federal Office for the Protection of the Constitution (BfV) has also been interested for some time in the hacker groups, which until now have tended to be attributed to cybercrime. The BfV’s cyber defense officers are investigating whether these groups are now acting on behalf of Russian secret services – or whether there are even state hackers behind some of the attacks who only want to give the impression that it is an attack by criminals.

For example, the German security authorities looked at the internal communication of the hacker group “Conti”, which announced its support for Moscow shortly after the start of the attack on Ukraine and was then hacked itself. Eventually, data sets with the internal communication of “Conti” appeared on the Internet. However, there was no evidence of a direct connection to government agencies in Russia.

With other hacker groups, however, there are indications that there is indeed cooperation with Russian secret services. According to information from the IT security company Mandiant, the hacker group “XakNet” is said to have published data in several cases in the past year, within a few hours of it apparently having been stolen by the Russian secret service hackers “APT28”, also known as “Fancy Bear”. “APT28” is assigned to the Russian military intelligence service GRU and is said to have carried out a cyber attack on the network of the German Bundestag in 2015.

Generate money online

In January 2022, the Russian domestic secret service FSB arrested several suspected cybercriminals from the ransomware group “REvil”, at the time allegedly at the request of the US authorities. In the meantime, however, Western security authorities are saying that the arrests were probably primarily a warning to the Russian hacker scene that the state could intervene at any time. The decisive factor was probably less the pressure from the USA and much more the resentment in China about the hacker attacks by the Russian cyber gangsters.

According to representatives of the German security authorities, it is not surprising that in times of war Moscow is now trying to take advantage of the cybercriminal networks and gangs. And not only to hijack websites, steal information, spread disinformation or sabotage, but also to generate money.

In view of the ongoing sanctions, stealing cryptocurrency or committing other digital robberies for the Russian state, also to finance armaments projects, is considered a realistic option; this has previously been known primarily from North Korean hackers. The security authorities are therefore talking about an expected “North Koreanization of Russia”.
