The past week has seen the coming-together of a ragtag band of what one might term cyber irregulars, determined to aid in the defence of Ukraine by hacking back against Russian invaders, but security experts warn that such direct action is highly inadvisable, definitely illegal, and could cause serious damage in the real world.
Officially, the government of Ukraine itself has led on the creation of a volunteer IT army to conduct cyber attacks against Russian targets in an early initiative that, according to Reuters, is organising on a Telegram channel, and has been tasked with attacking Russian businesses and government bodies. The IT army has reportedly seen some successes in this. According to Wired, more than 175,000 people have signed on.
But the true numbers may be much higher because, unofficially, Kyiv has also been joined in its fight by legions of others including the likes of the Anonymous collective, which is notable for many campaigns of direct cyber action; individual hackers drawn to the conflict; and, so rumour has it, even moonlighting employees of cyber security companies.
Making matters worse is the addition of Russian vigilante hackers to the mix – including the Conti ransomware gang, which was roundly condemned by peers, including BlackCat/ALPHV, after it published statements in support of Russian dictator Vladimir Putin. In a subsequent incident, a pro-Ukraine Conti member has since been leaking the gang’s chat logs, resulting in a deluge of intel for threat researchers.
Either way, however long the attack on Ukraine lasts, it is now clear that civilian-led cyber warfare operations will be a feature of this, and future conflicts, as Pascal Geenens, cyber security threat director at Radware, commented: “IT armies and patriot hacktivists have become the new face of hybrid warfare. They are adding a new dynamic to nation-state attacks.”
Brian Higgins, security specialist at Comparitech, told Computer Weekly: “There will be those who see this as a chance to flex their cyber muscles, using the conflict as dubious justification and with little thought for the consequences.
“There will be those who are genuinely aggrieved and want to do whatever they can to help. There will be those directly affected or involved on either side. There will be those who seek to gain from the situation. And there will be those, hopefully the silent majority, who are content to leave it well alone.”
Collateral damage
“One of the fallouts for organisations and most significant threats is becoming collateral in a proxy war fought by these groups. Now more than ever, organisations across the globe need to take decisive steps to bolster their cyber security resilience,” said Geenens.
Geenens explained the addition of non-Russian and Ukrainian threat actors is making it very difficult to establish what operations are being run by patriotic hacktivists and which by the authorities. He said that even if Russia and Ukraine agree a ceasefire, which seems unlikely at the time of writing, the digital conflict will continue in the hands of third-parties, increasing the risk of damaging spillover.
Geenens described this spillover as “the most significant threat” for organisations, in part because hacktivists have historically targeted organisations whose views don’t align with theirs – Anonymous, for example, is notable for conducting offensive cyber ops against Daesh in Syria, and the anti-LGBTQ+ Westboro Baptist Church. Thanks to the interconnected nature of the global business community, this tendency could make any organisation a target based on who they work with.
To avoid becoming collateral damage in guerrilla cyber warfare, Radware is advising organisations to pay attention to basic elements of security hygiene that will be hopefully familiar to IT teams from more normal times. This includes patching systems against known vulnerabilities, ensuring access controls are enforced with dual or multifactor authentication (MFA), enforcing strong passwords, reviewing and testing backups, enabling DDoS protections, educating staff on phishing attacks, implementing incident response plans, and auditing suppliers.
Gareth Owenson, CTO and co-founder of Searchlight Security, added: “It is [also] recommended that organisations stay ahead of any potential cyber attacks by increasing threat intelligence capabilities. This could include monitoring the deep and dark web for early warning signs of threat actors targeting international organisations – particularly those more susceptible to nation-state attacks that are critical to supply chains.”
Think carefully, then don’t get involved
Ukraine’s inadvertent masterstroke during the war so far has been to control the information narrative in a way that nobody predicted, and as early Russian advances foundered, momentum has gathered behind its president Volodymyr Zelensky.
Global support is rightly behind Ukraine, and it is understandable that many people in the UK, including ethical hackers, may be tempted to offer practical help, but Higgins at Comparitech said that taking direct action against Russian targets is something to be avoided.
“You don’t have the intelligence, it could be a friendly target or a covert asset. You don’t have the field knowledge, you could be attacking the same target as those you’re trying to help. You don’t know the infrastructure or network, you could be impacting civilians, aid agencies or your own side’s supply chain,” he said.
“Whatever the motivation, direct action is not guaranteed to have its desired effect. Military campaigns, whatever their origins, are based on intelligence – what to attack and when – to guarantee the best results and, ultimately, victory. Targets are researched and chosen with specific goals in mind, and attacking forces are supposed to avoid civilians or collateral damage.
“Uncoordinated cyber attacks stand just as much chance of hindering success as they do of helping, and disrupting critical national infrastructure in the midst of a large-scale conflict is almost certainly likely to affect the civilian population disproportionately.”
Yossi Naar, chief visionary officer and co-founder at Cybereason added: “It’s hard to predict what, if any, consequences there are for an unknown attack against someone who is somewhat difficult to get a read on to begin with. This is another example of why an uncoordinated vigilante response of any kind is not the best strategy, its repercussions aren’t considered – nor is its value.
“Anyone can claim, ‘Look at me, I did this – that showed them!’, but did it really? What is the intended result? How does it contribute to the global effort to resolve the situation? Important questions must be asked when considering action and they should follow from a well understood strategy.”
Roger Grimes, data-driven defence evangelist at KnowBe4, also cautioned against off-the-books offensive hacks. “Regardless of intent,” he said, “[it] is fraught with both ethical and legal issues, and, in general, society needs to discourage these attempts. If you rob a bank, you’re a bank robber no matter what your intent.
“It’s also about ethics. You’re either a good and ethical hacker or you aren’t. Early on in life, you decide which you want to be. If you start carving out new reasons why you might be allowed to break laws and ethics to do something, then it becomes easier to do again for a lesser cause,” he warned.
“Today you’re fighting Russian aggression, tomorrow you’re attacking a cable company’s billing representative because you didn’t like a charge on a bill. It’s a slippery slope. And if you’re an ethical hacker, you just don’t hack anyone else without their permission, period,” said Grimes.
Naar at Cybereason summed up: “Any direct response that isn’t coordinated, is by definition without strategy.” Just because one nation or group has the power to act, and that they are aligned against those we perceive to be our enemies, it doesn’t mean that their actions are on our behalf and to our benefit.”