
Russian hackers have only one rule – to cause as much damage as possible to the targeted computers, while at the same time promoting Russian state interests.
Russia’s aggression against Ukraine is not only a unique example of an attack on a sovereign state and of the brutality of the Russian army against the civilian population. Since February, the Kremlin has been waging a real digital war on the internet – the first ever official “cyber war”.
Although Russian hacker groups have been carrying out coordinated attacks on computer networks, corporate systems and data warehouses around the world for more than a decade, such cyber-attacks have so far had the “tacit” approval of the top of the Russian state. After the attack on Ukraine, it became clear that these hackers had not only the financial and technical support of the Russian services, but also that of many senior officers and experts employed by Russian state institutions.
Cyber attacks by Russian hackers are nothing new. In 2008, various groups based in Moscow and St Petersburg carried out attacks on a number of systems across Europe. Many of these hackers originated from the KGB’s 16th Division, which was involved in creating and spreading computer viruses in the early 1990s. After Vladimir Putin came to power, the various military and intelligence units in the field of ‘communication and information’ were merged into one common system called ‘Information Action’ (IPB, Informatsionnoye Protivoborstvo). Putin, himself a former KGB officer, knew very well that in the decades to come, information and the media would be one of the main levers, both political and military.
The IPB’s main goal is not actually cyber espionage on foreign countries or companies, but to control the flow of information on the domestic (Russian) internet. The founding document of the IPB itself states that one of its key objectives is “to control the domestic narrative in the media and online and to prevent foreign influence through the dissemination of information”. In fact, this was a continuation of the well-known KGB strategy of controlling the media, the social narrative, as well as preventing the opposition from acting, but now in the digital world. Thus, the Russian FSB intelligence service has at least four ‘hacker teams’ collecting information on domestic bloggers, online journalists and even Twitter users. Under the current Russian telecommunications law, which was further tightened at the end of last year, “any criticism of the Russian state leadership on the Internet, as well as the provision of data and information by state bodies, is considered hostile intelligence activity.”
It all became clear in 2014.
That Russia is playing the “hacker card” hard became clear in May 2014, during the presidential campaign in Ukraine. The Russian group “Fancy Bear”, partly made up of FSB members, hacked the computers of the then candidate Petro Poroshenko, as well as those of Yulia Tymoshenko. The servers of the National Electoral Commission were also attacked, so that the vote counting took several weeks.
After the occupation of Crimea and the unilateral declaration of independence, Russian hackers used various types of “malware” viruses to install images of the former Balaklava naval base in Crimea on users’ computers with the text “Russia is back”.
Fancy Bear has also been linked to a number of other hacking attacks, such as both of French President Macron’s election campaigns, the UK Brexit referendum and even the systems of the Estonian Ministry of Agriculture.
Russian hackers have only one rule in their activities – to cause as much damage as possible to the targeted computers while promoting Russian state interests. Six years ago, the then head of Russia’s IT sector, Andrei Krushkin, declared that “we are working on the Arena system, which will allow thousands of cyber attacks a day all over the world.” Just a few days after this statement, the private data and electronic communications of a number of high-ranking US politicians, such as John Podesta and Colin Powell, were “leaked” online. The attack on the US Democratic campaign and the theft of Hillary Clinton’s emails that same year are also attributed to the Russian group “Fancy Bear”.
On the red notices
Such activities by the Russian services, both the FSB and the GRU military intelligence service, have not gone unnoticed by the international community. The leaders of these groups are on international red lists, as well as on the FBI’s Most Wanted List.
FSB Major Mikhail Gavrilov is considered to be the “brains” behind most of Russia’s cyber-attacks on high-value targets (HVTs). Gavrilov has been involved in the development of computer viruses for more than 20 years and is believed to be the creator of the “Fancy Bear” group. His “right-hand man” is Marat Tyokov, a mathematician and computer cryptography expert. Their superior in the FSB is Pavel Alexandrovich Akulov, who the US services claim is a “direct link” between the Kremlin and Putin’s cabinet, but also with the wider hacker community. Akulov leads the planning of cyber-attacks, the selection of targets and the final execution in technical terms.
One of the main hackers in the Kremlin is a man called “Dmitry Badin”, although this is probably not his real name. Badin is believed to have directed attacks on President Macron’s campaign, as well as on several European institutions in Brussels.
As far as GRU military intelligence is concerned, the most wanted are Major Pavel Frolov, Major Yuriy Adrienko and Artem Pliskin. They form the “core” of the planning of cyber attacks in the military sphere, such as disabling the communications of Ukrainian security forces units, as well as attacks on satellite communications.
At the top of the chain of command of Russian cyber-attack units is most likely Colonel Sergei Vladimirovich Detistov. He is one of the 10 most wanted people in the world and, in addition to the FBI, is wanted by European intelligence services for a series of hacking attacks on European Union systems.
New tasks in Ukraine
In January this year, all these hacking groups were given “new tasks” – to completely disable computer systems in Ukraine, and to launch cyber-attacks against countries that have imposed sanctions on Russia or are assisting Ukraine militarily.
The new hacking group is simply called “Kill Net”, while the members of the group call themselves “Kill Team”.
The first officially confirmed cyber-attack by this group was the crash of Romanian government websites and services between late April and mid-May this year. Subsequently, the Czech Republic also announced almost identical activity against its state websites, but the attack was largely thwarted at the time. Just a week later, the websites of institutions in Italy were attacked, compromising the data of more than 150,000 citizens. During the same period, 11 cyber attacks were carried out on systems in Lithuania. At the end of June, the central servers of Norwegian state services were attacked, but it was announced that no citizens’ data had been stolen or compromised.
On 1 August, the servers of Lockheed Martin, a US company that manufactures military equipment and weapons and is one of the Pentagon’s largest suppliers, were also attacked. The hackers signed themselves as “Kill (Milk)”, a play on words that translates from English as “milk spills”.
All these attacks have one thing in common – they use DDoS attacks or ransomware viruses. A DDoS (Distributed Denial of Service) attack is the term for a cyber attack where the target computer network is “overloaded” with access requests, causing the system to crash and restore to “factory defaults”. It is then very easy for hackers to gain access to the information on the system or even destroy it completely. Ransomware, on the other hand, is a computer virus that usually arrives by email. Unknowingly, employees of public institutions click on an e-mail containing computer code, which then downloads the virus itself from the Internet. Within ten seconds, the user’s computer, as well as all other computers on the network, is disabled, and the hackers usually demand money for the return of the data and access to the system (ransom).
In the case of the Russian group “Kill Net”, the ransomware is not used for financial gain, but simply to disable the use of the targeted computers or the entire computer network. To make matters even more dangerous, “Kill Net” has also developed a ransomware virus that “arrives” as a smartphone app, so that mobile devices can be attacked as well.
The latest cyber-attack by this group took place a few days ago, when computers at the US airports Los Angeles International, Chicago O’Hare and Hartsfield-Jackson in Atlanta were disabled. Again, it was a DDoS attack, and the US authorities add that the group attempted attacks on airports in Colorado, Delaware and Illinois at the same time. Such attacks can have a significant impact on the safety of air traffic and of passengers themselves, as most flight management is now done by computers.
Is the Kremlin also attacking the Balkan countries?
The series of cyber-attacks in the countries of the region in recent months is very similar in structure to the “signature” of Russian hackers. In June, there was a major cyber-attack on the systems of the Republican Geodetic Institute in Belgrade, and in August on the computer systems of the Government of Montenegro. On 22 August, the Montenegrin Ministry of Public Administration announced that a major cyber-attack on state systems was underway and that it was “the most sophisticated cyber-attack on this country ever”. A little later, it was confirmed that several types of cyber-attack were taking place simultaneously, but that the main attack was carried out by a “ransomware” virus. Coincidence or not, these cyber-attacks come at a time of political controversy and calls for the overthrow of the government of Prime Minister Dritan Abazovic and for new elections. France and the US sent experts in early September to help the Montenegrin authorities deal with such attacks.
Although the “Cuba Ransom” hacker group is believed to be behind the attack, few experts believe it is the real culprit. Russian hacker groups are known for using dozens of different names, as well as “zombie computers” from all over the world (a zombie computer is one that is infected with a virus and whose owner does not know that it is part of a global network of cyber attacks).
To make things more interesting, in 2018 some of the main Russian hackers (most likely Detistov and Gavrilov themselves) trained the cyber units of the Iranian Revolutionary Guard and even “lent” them hacking software created in Russia. This “hacker cooperation” continued in the following years, and in early 2020 the “Iranian Cyber Army” was created, using many names on the internet such as “Defa”, “Chrome Hawk” and “Gharargah”. The way the Iranian hackers operate is almost identical to that of the Russian hackers, and they have so far claimed responsibility for a number of cyber attacks against the Israeli media and the computer network of the Israeli Ministry of Education.
In July, the largest hacking attack on state systems in Albania took place, and after analysing the attack, Microsoft announced that “the attackers are from Iran, with a probability of over 95%”. Information about the attack on systems in Albania was partly published on the “Homeland Justice” website, which is actually physically located in Russia. This information includes electronic communications from the Albanian embassies in Moscow and Athens, and later electronic communications from the Minister of Defence, Nik Pelesi, and the Minister of the Interior, Bledar Cuci. A few days after these revelations, the Albanian government broke off diplomatic relations with Iran.
Alongside all this, it is worth mentioning the massive propaganda campaign on social networks, especially on the pages of the media in the region. The media from Serbia, Bosnia and Herzegovina and Montenegro have been most affected by this campaign. Almost every news item about the conflict in Ukraine receives comments in support of Russia and Putin and against Ukraine in less than a minute. The fact that almost all the comments are the same, on all pages, and that they are ‘written’ by accounts that were opened in March this year and have no posts of their own, tells us that this is in fact a kind of cyber information attack. In addition, thousands of pages have appeared ‘overnight’ on social networks in the region, offering links to news from Russian media, including local media, together with videos and photographs of Russian forces in Ukraine. Some of these pages have tens of thousands of “likes”, and many local users share such posts without questioning their credibility. / Al Jazeera