{"id":18874,"date":"2022-04-27T10:45:19","date_gmt":"2022-04-27T18:45:19","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/04\/27\/news-12607\/"},"modified":"2022-04-27T10:45:19","modified_gmt":"2022-04-27T18:45:19","slug":"news-12607","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/04\/27\/news-12607\/","title":{"rendered":"Russia Is Being Hacked at an Unprecedented Scale"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/6268910d9dd12de41282672b\/master\/pass\/Russia-Hacked-Unprecedented-Scale-Security-464228495.jpg\"\/><\/p>\n<p><strong>Credit to Author: Matt Burgess| Date: Wed, 27 Apr 2022 11:00:00 +0000<\/strong><\/p>\n<p class=\"BylineWrapper-iiTsTb hAGfXd byline bylines__byline\" data-testid=\"BylineWrapper\" itemprop=\"author\" itemtype=\"http:\/\/schema.org\/Person\"><span itemprop=\"name\" class=\"BylineNamesWrapper-dbkCxf erRIa-D\"><span data-testid=\"BylineName\" class=\"BylineName-cKXFOb UCAzg byline__name\"><a class=\"BaseWrap-sc-TURhJ BaseText-fFzBQt BaseLink-gZQqBA BylineLink-eZnyPI eTiIvU mEZDb fNdcwQ bKZMMS byline__name-link button\" href=\"\/author\/matt-burgess\">Matt Burgess<\/a><\/span><\/span><\/p>\n<p><span class=\"lead-in-text-callout\">The orders are<\/span> issued like clockwork. Every day, often at around 5 am local time, the Telegram channel housing <a href=\"https:\/\/www.wired.com\/story\/ukraine-it-army-russia-war-cyberattacks-ddos\/\">Ukraine\u2019s unprecedented \u201cIT Army\u201d of hackers<\/a> buzzes with a new list of targets. 
The volunteer group has been knocking Russian websites offline using wave after wave of <a href=\"https:\/\/www.wired.com\/2016\/01\/hacker-lexicon-what-are-dos-and-ddos-attacks\/\">distributed denial-of-service (DDoS) attacks<\/a>, which flood websites with traffic requests and make them inaccessible, since the war started.<\/p>\n<p class=\"paywall\">Russian online payment services, government departments, aviation companies, and food delivery firms have all been targeted by the IT Army as it aims to disrupt everyday life in Russia. \u201cRussians have noticed regular hitches in the work of TV streaming services today,\u201d the government-backed operators of the Telegram channel posted following one claimed operation in mid-April.<\/p>\n<p class=\"paywall\">The IT Army\u2019s actions were just the start. Since Russia invaded Ukraine at the end of February, the country has faced an unprecedented barrage of hacking activity. <a href=\"https:\/\/www.wired.com\/story\/hacktivists-pandemonium-russia-war-ukraine\/\">Hacktivists<\/a>, Ukrainian forces, and outsiders from all around the world who are taking part in the IT Army have targeted Russia and its business. DDoS attacks make up the bulk of the action, but researchers have spotted ransomware that\u2019s designed to target Russia and have been hunting for bugs in Russian systems, which could lead to more sophisticated attacks.<\/p>\n<p class=\"paywall\">The attacks against Russia stand in sharp contrast to recent history. Many cybercriminals and ransomware groups have links to Russia and don\u2019t target the nation. Now, it\u2019s being opened up. \u201cRussia is typically considered one of those countries where cyberattacks come from and not go to,\u201d says Stefano De Blasi, a cyber-threat intelligence analyst at security firm Digital Shadows.<\/p>\n<p class=\"paywall\">At the start of the war, DDoS was unrelenting. 
Record levels of DDoS attacks were recorded during the first three months of 2022, according to <a data-offer-url=\"https:\/\/securelist.com\/ddos-attacks-in-q1-2022\/106358\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/securelist.com\/ddos-attacks-in-q1-2022\/106358\/&quot;}\" href=\"https:\/\/securelist.com\/ddos-attacks-in-q1-2022\/106358\/\" rel=\"nofollow noopener\" target=\"_blank\">analysis<\/a> from Russian cybersecurity company Kaspersky. Both Russia and Ukraine used DDoS to try to disrupt each other, but the efforts against Russia have been more innovative and prolonged.<\/p>\n<p class=\"paywall\">Ukrainian tech companies <a data-offer-url=\"https:\/\/www.fastcompany.com\/90732766\/ddos-play-for-ukraine-russian-cyberattack\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.fastcompany.com\/90732766\/ddos-play-for-ukraine-russian-cyberattack&quot;}\" href=\"https:\/\/www.fastcompany.com\/90732766\/ddos-play-for-ukraine-russian-cyberattack\" rel=\"nofollow noopener\" target=\"_blank\">transformed the puzzle game <em>2048<\/em><\/a> into a simple way to launch DDoS attacks and have developed tools to allow anyone to join the action, irrespective of their technical knowledge. \u201cThe more we use attack automation tools, the stronger our attacks,\u201d reads a message sent to the IT Army Telegram channel on March 24. The channel&#x27;s operators urge people to use VPNs to disguise their location and help avoid their targets\u2019 DDoS protections. 
Toward the end of April, the IT Army launched its own <a data-offer-url=\"https:\/\/itarmy.com.ua\/check\/?lang=en\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/itarmy.com.ua\/check\/?lang=en&quot;}\" href=\"https:\/\/itarmy.com.ua\/check\/?lang=en\" rel=\"nofollow noopener\" target=\"_blank\">website<\/a> that lists whether its targets are online or have been taken down and includes technical guides. (The IT Army did not respond to a request for comment.)<\/p>\n<p class=\"paywall\">\u201cWe have made good strong hits, and a lot of websites don&#x27;t work,\u201d says Dmytro Budorin, the CEO of Ukrainian cybersecurity startup Hacken. When the war started, Budorin and colleagues altered one of the firm\u2019s anti-DDoS tools, called disBalancer, so it could be used to launch DDoS attacks.<\/p>\n<p class=\"paywall\">While Kaspersky\u2019s analysis says the number of DDoS around the world has returned to normal levels as the war has progressed, the attacks are lasting for longer\u2014hours rather than minutes. The longest lasted for more than 177 hours, over a week, its researchers found. \u201cAttacks continue regardless of their effectiveness,\u201d Kaspersky\u2019s analysis says. 
(On March 25, the US government added Kaspersky to its <a data-offer-url=\"https:\/\/www.fcc.gov\/supplychain\/coveredlist\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.fcc.gov\/supplychain\/coveredlist&quot;}\" href=\"https:\/\/www.fcc.gov\/supplychain\/coveredlist\" rel=\"nofollow noopener\" target=\"_blank\">list of national security threats<\/a>; the company said it was <a data-offer-url=\"https:\/\/www.google.com\/search?q=kaspersky+fcc&amp;ei=ZfRnYtzFDfaAhbIP_sqdyAM&amp;ved=0ahUKEwicjLbH67H3AhV2QEEAHX5lBzkQ4dUDCA4&amp;uact=5&amp;oq=kaspersky+fcc&amp;gs_lcp=Cgdnd3Mtd2l6EAMyBQgAEIAEMgUIABCABDIFCAAQgAQyBQgAEIAEMgUIABCABDoHCAAQRxCwAzoFCAAQkQI6CAgAEIAEELEDSgQIQRgASgQIRhgAUKAJWK4LYMUMaAJwAXgAgAFSiAHKAZIBATOYAQCgAQHIAQfAAQE&amp;sclient=gws-wiz\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.google.com\/search?q=kaspersky+fcc&amp;ei=ZfRnYtzFDfaAhbIP_sqdyAM&amp;ved=0ahUKEwicjLbH67H3AhV2QEEAHX5lBzkQ4dUDCA4&amp;uact=5&amp;oq=kaspersky+fcc&amp;gs_lcp=Cgdnd3Mtd2l6EAMyBQgAEIAEMgUIABCABDIFCAAQgAQyBQgAEIAEMgUIABCABDoHCAAQRxCwAzoFCAAQkQI6CAgAEIAEELEDSgQIQRgASgQIRhgAUKAJWK4LYMUMaAJwAXgAgAFSiAHKAZIBATOYAQCgAQHIAQfAAQE&amp;sclient=gws-wiz&quot;}\" href=\"https:\/\/www.google.com\/search?q=kaspersky+fcc&amp;ei=ZfRnYtzFDfaAhbIP_sqdyAM&amp;ved=0ahUKEwicjLbH67H3AhV2QEEAHX5lBzkQ4dUDCA4&amp;uact=5&amp;oq=kaspersky+fcc&amp;gs_lcp=Cgdnd3Mtd2l6EAMyBQgAEIAEMgUIABCABDIFCAAQgAQyBQgAEIAEMgUIABCABDoHCAAQRxCwAzoFCAAQkQI6CAgAEIAEELEDSgQIQRgASgQIRhgAUKAJWK4LYMUMaAJwAXgAgAFSiAHKAZIBATOYAQCgAQHIAQfAAQE&amp;sclient=gws-wiz\" rel=\"nofollow noopener\" target=\"_blank\">\u201cdisappointed\u201d with the decision<\/a>. 
Germany\u2019s cybersecurity agency also <a data-offer-url=\"https:\/\/www.bsi.bund.de\/DE\/Service-Navi\/Presse\/Pressemitteilungen\/Presse2022\/220315_Kaspersky-Warnung.html\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.bsi.bund.de\/DE\/Service-Navi\/Presse\/Pressemitteilungen\/Presse2022\/220315_Kaspersky-Warnung.html&quot;}\" href=\"https:\/\/www.bsi.bund.de\/DE\/Service-Navi\/Presse\/Pressemitteilungen\/Presse2022\/220315_Kaspersky-Warnung.html\" rel=\"nofollow noopener\" target=\"_blank\">warned against using Kaspersky\u2019s software<\/a> on March 15, although it didn&#x27;t go as far as banning it. The company said it <a data-offer-url=\"https:\/\/www.kaspersky.com\/about\/press-releases\/2022_kaspersky-statement-regarding-the-bsi-warning\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.kaspersky.com\/about\/press-releases\/2022_kaspersky-statement-regarding-the-bsi-warning&quot;}\" href=\"https:\/\/www.kaspersky.com\/about\/press-releases\/2022_kaspersky-statement-regarding-the-bsi-warning\" rel=\"nofollow noopener\" target=\"_blank\">believed the decision<\/a> was not made on a technical basis.)<\/p>\n
<p class=\"paywall\">Budorin says DDoS has been useful for helping Ukrainians contribute to the war effort in other ways than fighting and says that both sides have improved their attacks and defense. He admits DDoS may not have a huge impact on the war, though. \u201cIt doesn&#x27;t have a lot of effects with respect to the end goal, and the end goal is to stop the war,\u201d Budorin says.<\/p>\n<p class=\"paywall\">Since Russia began its full-scale invasion, the country\u2019s hackers have been caught <a href=\"https:\/\/www.wired.com\/story\/sandworm-russia-ukraine-blackout-gru\/\">trying to disrupt power systems in Ukraine<\/a>, deploying wiper malware, and launching <a href=\"https:\/\/www.wired.com\/story\/russia-ukraine-us-hacker-counterattack\/\">predictable disruption attacks against the Ukrainian government<\/a>. However, Ukrainian officials now say they have seen a drop in activity. \u201cThe quality decreased recently as the enemy cannot prepare as much as they were able to prepare,\u201d Yurii Shchyhol, the head of Ukraine\u2019s cybersecurity agency, the State Service for Special Communication and Information Protection, said in a statement on April 20. \u201cThe enemy now mostly spends time on protecting themselves, because it turns out their systems are also vulnerable,\u201d Shchyhol said.<\/p>\n<p class=\"paywall\">Budorin says that, beyond pivoting his company\u2019s technology to help launch DDoS attacks, it also created a bug bounty program for people to find and report security flaws in Russian systems. More than 3,000 reports have been made, he says. 
He claims this includes details of leaked databases, login information, and more severe instances where code can be run remotely on Russian systems. The company validates the vulnerabilities and passes them on to Ukrainian authorities, Budorin says. \u201cYou don&#x27;t go through the main door,\u201d he says. \u201cYou go through the regional offices. There are so many bugs, so many open windows.\u201d<\/p>\n<p class=\"paywall\">While cyberwarfare throughout the conflict may not have been as obvious or have the impact some predicted, many incidents may happen without publicity or outsider knowledge. \u201cI think the most sophisticated operations going on right now are espionage\u2014to find out what the opponent is trying to do, wants to do, and will do next,\u201d De Blasi says. \u201cWe may have to wait years before we discover anything about that.\u201d<\/p>\n<p class=\"paywall\">Visibly, hacktivists and others attacking Russia have obtained and published <a href=\"https:\/\/www.wired.com\/story\/russia-ukraine-data\/\">hundreds of gigabytes of Russian data and millions of emails<\/a>\u2014the files may help unravel parts of the Russian state. But other attacks are happening, says Lotem Finkelstein, director of threat intelligence and research at Israeli cybersecurity company Check Point.<\/p>\n<p class=\"paywall\">In early March, a new kind of ransomware was discovered. While most ransomware groups have links to Russia\u2014something that has proved <a href=\"https:\/\/www.wired.com\/story\/conti-leaks-ransomware-work-life\/\">costly for the Conti ransomware group<\/a> when it backed Putin\u2014the new ransomware was designed to go after Russian organizations. 
\u201cI, the creator of RU_Ransom, created this malware to harm Russia,\u201d the code\u2019s ransom note says, according to an <a data-offer-url=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/c\/new-ruransom-wiper-targets-russia.html\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.trendmicro.com\/en_us\/research\/22\/c\/new-ruransom-wiper-targets-russia.html&quot;}\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/c\/new-ruransom-wiper-targets-russia.html\" rel=\"nofollow noopener\" target=\"_blank\">analysis<\/a> by security firm Trend Micro. The malware can spread as a worm and can wipe systems of data, although as of early March researchers had not yet spotted its use in the real world. \u201cThis is very rare to see the ransomware that targets Russia specifically,\u201d Finkelstein says, adding that Check Point is working on new research that shows how Russia has been targeted throughout the war. \u201cRussia is now experiencing attacks that they are not used to seeing,\u201d Finkelstein says.<\/p>\n<p class=\"paywall\">While cyberattacks against Russia have increased, there are hints that this may push the country further down the path of internet isolation. For the past few years, Russian officials have talked of creating its <a href=\"https:\/\/www.wired.com\/story\/russia-splinternet-censorship\/\">own sovereign internet and breaking away from the global system<\/a>. 
When the DDoS attacks started, Russia appeared to <a data-offer-url=\"https:\/\/www.datacenterdynamics.com\/en\/news\/russia-seems-to-geofence-government-sites-after-ddos-attacks-partially-blocks-facebook\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.datacenterdynamics.com\/en\/news\/russia-seems-to-geofence-government-sites-after-ddos-attacks-partially-blocks-facebook\/&quot;}\" href=\"https:\/\/www.datacenterdynamics.com\/en\/news\/russia-seems-to-geofence-government-sites-after-ddos-attacks-partially-blocks-facebook\/\" rel=\"nofollow noopener\" target=\"_blank\">geofence government websites<\/a>, and at the start of March, according to <a data-offer-url=\"https:\/\/www.kommersant.ru\/doc\/5249500\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.kommersant.ru\/doc\/5249500&quot;}\" href=\"https:\/\/www.kommersant.ru\/doc\/5249500\" rel=\"nofollow noopener\" target=\"_blank\">national media reports<\/a>, the country\u2019s Ministry of Digital Development told websites to improve their cybersecurity measures and keep control of their own domain names.<\/p>\n<p class=\"paywall\">\u201cI believe that full disconnect from the internet would still be an extreme approach, even now,\u201d says Lukasz Olejnik, an independent cybersecurity researcher and consultant. 
\u201cFurthermore, the government is apparently still in a kind of self-denial, acting as if nothing significant was happening due to the cyberattacks, or even due to the Western sanctions, too.\u201d Despite this denial, Olejnik says, the country is still \u201cdoubling down\u201d and pushing toward its long-term goal of a sovereign internet.<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/russia-hacked-attacks\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/6268910d9dd12de41282672b\/master\/pass\/Russia-Hacked-Unprecedented-Scale-Security-464228495.jpg\"\/><\/p>\n<p><strong>Credit to Author: Matt Burgess| Date: Wed, 27 Apr 2022 11:00:00 +0000<\/strong><\/p>\n<p>From \u201cIT Army\u201d DDoS attacks to custom malware, the country has become a target like never before.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714,21358],"class_list":["post-18874","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security","tag-security-cyberattacks-and-hacks"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18874","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18874"}],"version-history":[{"count":0,"href":"http:\/\/www.pala
da.net\/index.php\/wp-json\/wp\/v2\/posts\/18874\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18874"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18874"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18874"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}