Russia-Ukraine War: Fake News of Cyber Attacks Spread Fast

Check Point Research (CPR) warns of hacktivist groups falsely claiming successful cyber attacks on both sides

CPR investigated recent claims by three hacktivist groups, AgainstTheWest, KelvinSecurity and Killnet, and proved that their claims were lies. Alleged cyber-attacks on Russia’s largest search engine, Yandex, on a Russian nuclear facility, and on Anonymous’ website have been discredited by CPR. These hacktivist groups used a combination of old YouTube videos, public information and copied pages to convince the public of their valiance. CPR urges the public to think twice when hearing of large and successful cyber-attacks, as it suspects many more groups are spreading misinformation throughout the current conflict.

Among the most active players in cyberspace during the war in Ukraine are hacktivists who support either Russia or Ukraine for ideological reasons. These groups currently create the most “noise” in cyberspace around the conflict, but not always the most damage. As the war between the countries continues, we see a trend: more and more claims about “big successes” of hacktivist groups are either questionable or impossible to verify at all.

While in the past hacktivists’ successes were mostly DDoS attacks and the hacking or defacing of small websites of non-significant organizations, during the last week several hacktivist groups claimed to have successfully targeted high-profile organizations. The hacktivists claimed two types of attacks:

  1. DDoS attacks
  2. Hacking into networks of sensitive or high-profile organizations with the aim of leaking data and/or disrupting operations

Most of the claims about DDoS attacks seem to be relatively reliable, and it was possible to confirm that some of the websites claimed as attacked were actually unavailable. The situation is more complicated with regard to the entities that were allegedly breached. While it is not easy to confirm the claims of those groups, our research reveals that many of the claims are false, and that the screenshots and data from the allegedly breached networks are in many cases old, previously published, or simply insignificant.

This trend applies to both sides: we saw that some claims of the KillNet group on the pro-Russian side are questionable, as are the claims of the AgainstTheWest and KelvinSecurity groups on the pro-Ukrainian side.

Also, it seems that many of the hacktivist groups are more focused on building their own reputation and receiving credit for supporting Ukraine or Russia than on causing real damage to the countries.

Case Study 1 – AgainstTheWest

AgainstTheWest is a Western-aligned hacktivist group that has been active since October 2021 and previously carried out attacks targeting government and corporate entities tied to the Chinese Communist Party. According to their Twitter account, they decided to disband on February 13th due to lack of motivation, and it seems the war in Ukraine gave them what they needed. The group announced their return and collaboration with Anonymous, against Russia.

Since the beginning of the war, AgainstTheWest has run very active Twitter and Telegram accounts, reporting breaches of dozens of high-end targets in Russia.

But a closer look at their claims reveals that for many of them there is no solid proof apart from very generic screenshots that are allegedly from the breached organizations.

One additional organization that AgainstTheWest claimed to have breached is Yandex, and they shared files from what they defined as “Yandex’s development portal”.

Figure 1. “Proof” by AgainstTheWest of Yandex development portal breach

In this case, we were able to identify that the screenshot and the files posted by the group are just a copy of a public repository that contains a Yandex browser update.

In addition to those questionable breach claims, AgainstTheWest focuses heavily on disputes with other hacktivist groups, such as Anonymous, over credit for breaches and over recognition, not really caring about Ukraine.

Case Study 2 – KelvinSecurity

KelvinSecurity Team defines itself as a Private Information Hacker Company. The group published several provocative Twitter messages on March 1st about the nuclear reactor at the Joint Institute for Nuclear Research in Russia, trying to create the impression that they had breached the reactor. KelvinSecurity published a link to the “monitoring system of Nuclear Reactor in Dubna” together with a “leaked database from the Russian nuclear institute” and the “video from nuclear reactor”.

Figure 2. KelvinSecurity publication about nuclear reactor

Verifying this information showed that the published database contains a list of presentations by physicists from different institutes and universities across Russia, with some of their personal information, but no sensitive information apart from that. The information about the monitoring system had been openly available for years before the conflict, and the “Internal Nuclear Reactor Video” had already been published on the YouTube channel of the KelvinSecurity group a year ago.

Case Study 3 – KillNet

KillNet, a pro-Russian group, recently launched a “KillNet Botnet DDoS” service. Last week, the group pushed a campaign against the Anonymous group, which supports Ukraine.

On March 1st, KillNet released a video claiming to have taken down the Anonymous website in retaliation for Anonymous’ attacks against Russian websites.

As there is no real official Anonymous website, this attack against a generic Anonymous website appears to be less a real attack than a morale booster for the pro-Russian side and a publicity event for KillNet, gathering followers and fans through news and social media.

Just as there is a fog of war and disinformation on the battlefield between Ukraine and Russia, the same happens in the field of cyber-attacks by hacktivist groups, and each claim should be carefully verified before it is taken as true.