• seomypassion12 posted an update 2 years, 5 months ago

    The Dark Web and the Russia-Ukraine War

    The dark web is a world of information. In some places, it is also a trap. A Russian man who typed “Kremenchuk” into a darknet search engine found himself inside a virtual reality of propaganda and extortion.

    The war in Ukraine is amplifying what is already “background malicious cyber activity”, according to experts.

    Hacker Collectives

    The war between Ukraine and Russia has prompted hackers with clear political interests to declare war in cyberspace. In the darknet, hacker collectives have emerged to support either side, and in doing so have taken advantage of cyber tools to attack websites, steal data, and censor information.

    The conflict has also brought a number of darknet marketplaces to the forefront. Many of the darknet’s criminal gangs operate marketplaces that sell stolen credit cards, hacking tools and other cybercrime products, but they are now in a fight for market share with each other. Analysts say that the demise of Hydra—the largest marketplace for illegal digital goods—created a vacuum, and multiple new markets quickly popped up to fill it.

    As a result of the conflict, darknet marketplaces have expanded their product lines to include services that can help users evade legal punishments. For example, several Russian-speaking darknet markets now offer services to help users evade authorities and avoid jail time by changing their IP address.

    A group of darknet hackers known as Killnet has been at the forefront of the conflict. The collective first emerged at the start of this year, offering to take down websites for a fee by flooding them with traffic, a tactic known as a distributed denial-of-service (DDoS) attack. Killnet then turned into a patriotic mercenary hacking crew, promising to target Ukrainians and their supporters. The collective is believed to be behind DDoS attacks on the Ministry of Defense, Ukraine’s state-backed news service and other government websites.

    Other hackers have been less focused on political interests but have still taken advantage of the conflict to attack sites and steal data. One cybersecurity expert has hacked into the database of Russia’s largest dark web drug market, dubbed Solaris, and has published the information of dealers and addicts. The cybersecurity expert also broke into Solaris’s master cryptocurrency wallet and diverted crypto payments to a Ukrainian humanitarian charity.

    A variety of hacker tactics have been employed in the conflict, including social engineering campaigns designed to gain initial network access and extract sensitive information. Wiper malware—designed to erase data—has also been used to destroy or disable systems and disrupt business continuity and operational plans.

    APT Groups

    The Russia-Ukraine conflict has brought out a host of hacker groups, some siding with Ukraine and others supporting Russia. These groups are using cyber attacks to gain leverage against each other or conduct espionage. They are also targeting critical infrastructure and carrying out DDoS attacks to disrupt services.

    The war has also drawn in APT groups and other cybercrime groups that have changed their allegiance to support Russia’s interests. For example, the Conti ransomware group recently announced its full support for the Russian invasion of Ukraine. This was likely motivated by patriotic emotions or the desire to retaliate against Western “warmongers.”

    Other APT groups, such as APT1, have shifted their tactics and targets to align with Russia’s strategic objectives. APT1 has stolen hundreds of terabytes of data from organizations across industries in English-speaking countries. The group infiltrates networks by stealing credentials, exploiting web bugs and gaps in security tools, and spear phishing employees with privileged access.

    APT7 has moved away from purely financial targets and is now focused on intellectual property theft. The group is known to target businesses with large amounts of data and projects that could make them competitive in their industry. APT7’s attack methodologies include lateral movement, leveraging compromised infrastructure to infiltrate another organization under the same parent company, and taking advantage of vulnerabilities in third-party software.

    While APT groups can often be difficult to detect, understanding their tactics and behavior can help organizations protect against them. The Flashpoint Intelligence Platform provides detailed Finished Intelligence reports and threat actor chatter on many of the world’s best-known APT groups, helping organizations detect their activity.

    In addition, the platform provides curated IoCs that can be used in a threat modeling tool to identify potential APT indicators. These IoCs can be found on the GitHub repository. For more information on APT threats and how to protect against them, sign up for a free trial of the Flashpoint Intelligence Platform today. It’s easy to use and provides the visibility you need to identify risky behaviors. The trial is available for all types of organizations, regardless of the size or location of their network.

    DDoS Attacks

    The Russia-Ukraine war has impacted hacker forums and the dark web, with some groups taking sides. The most visible impact has been the increase in DDoS attacks targeting Ukraine and other entities supporting Kiev. These attacks have impacted both Ukrainian government websites and the services of private companies and individuals that support the country. This has resulted in a loss of access and damaged reputations. In addition, the increased DDoS activity has made it more difficult for victims to regain control of their data after being hit by this malicious activity.

    Some groups, such as the LockBit ransomware group, have opted to remain apolitical in their attacks and are not taking sides in the conflict. However, other hacktivist nationalist groups have embraced the opportunity to influence the conflict’s narrative and use it as an excuse for their attacks. These attacks have been in the form of hack-and-leak campaigns with sensitive data that has been used as a pivot for more destructive cyberattacks. Mandiant, a cybersecurity incident response firm, has observed this shift in the way hackers are approaching their work.

    The dark web is a network of websites only accessible via special software, known as Tor. It has a long history of brisk illegal commerce in pornography, weapons and drugs. But it has also become an ecosystem of hackers and a repository for illegal data dumps.

    But with the outbreak of the war, the dark web has taken on a new meaning. It is now a battleground for the clash of geopolitical interests, with the Russia-Ukraine war having an impact that goes beyond the infamous marketplaces of Kraken and Solaris.

    A hacker collective named Killnet has shifted its tactics since the start of the war, changing its business model from selling DDoS attacks to offering patriotic mercenary services to target Ukraine and its supporters. The group has claimed responsibility for attacks on the White House and on Skylink, a satellite communications network owned by entrepreneur Elon Musk, both of which were targeted because of their support for Ukraine.

    But the Russia-Ukraine war is also having an effect on a wider set of hackers, many of whom are apolitical and simply looking to make money. The conflict has sparked a new wave of political activism among them, and some are starting to take sides in the conflict. Binary Defense analysts will continue to monitor Dark Web forums for any new developments.

    Support for Russia

    The war between Russia and Ukraine is causing ripples across the dark web. Cybercriminal groups, hacktivists, and other individuals have begun declaring their allegiance to either Ukraine or Russia in forums and in other online spaces. Some of these declarations have been accompanied by a rise in malicious activity against Ukraine-related targets, such as attacks on websites, doxing, and ransomware infections.

    In addition, the conflict has seen the proliferation of a variety of propaganda campaigns by both sides. According to security provider Trustwave, these campaigns use “a throw-the-spaghetti-at-the-wall-to-see-what-sticks kind of approach” to spread misinformation and manipulate public opinion. For example, pro-Russian influence operations have depicted Ukraine as rife with Satanists and terrorists and denied documented atrocities by Russian soldiers in Bucha and the bombing of a maternity hospital in Mariupol.

    Cyber attacks have also escalated since Russia’s invasion of Ukraine in February 2022, with many of these attacks targeting Ukrainian sites and infrastructure. Some of these attacks have been met with Ukraine-based counterattacks. According to Mandiant, the number of destructive cyber attacks rose to a high in the weeks after the conflict began and then dropped off.

    However, despite this drop in destructive attacks, the overall volume of compromised card-not-present data offered for sale on dark web marketplaces has increased since the start of the war. This is likely due to the fact that international arrests, seizures, and disruptions to supply chains have disrupted the business model of commodified cybercrime in Russia.

    A Russian-speaking darknet market called Matanga has also sprung up to serve Russians fleeing Ukraine, as well as other areas in Eastern Europe and the Balkans. It offers a similar buying system to the bigger, more popular marketplaces like BlackSprut and Mega. Matanga primarily sells cathinones, which are white, synthetic stimulants that mimic cocaine and MDMA.

    Some individual hackers are taking a more direct role in the war, with one such case involving a Milwaukee-based cybersecurity expert named Alex Holden. In a play at digital Robin Hood, the individual hacked into the Russian-based Solaris drug marketplace and diverted crypto payments that would otherwise go to dealers and site owners to a Ukrainian humanitarian charity.

©2025 Grabcar Uber Community. Powered by YJC Connect.
