Google Sees Russia Coordinating With Hackers in Cyberattacks Tied to Ukraine War

Officials in the U.S. and Europe have warned throughout the war that Russian hackers could lash out against Ukraine’s allies by targeting critical infrastructure and governments with cyberattacks, but so far that has largely failed to materialize.

Over the past few months, Google’s Mandiant cybersecurity group has observed apparent coordination between pro-Russian hacking groups—ostensibly comprising patriotic citizen hackers—and cyber break-ins by Russia’s military intelligence agency, or GRU. In four instances, Mandiant says it observed hacking activity linked to the GRU in which malicious “wiper” software was installed on a victim’s network.

The initial wiper software caused disruption by destroying computer systems across the organization. Then, the hacktivists entered the picture. After each of these hacks—within 24 hours of the wiping—the hacktivist organizations have published data stolen from the same organizations.

Three pro-Russian hacktivist groups have been involved, according to Mandiant, which was acquired by Google in a deal that closed earlier this month. They are called XakNet Team, Infoccentr and CyberArmyofRussia_Reborn.

Combined with the other activity related to the war, this has created an unprecedented situation, Mandiant said, in a report on the hacktivists set to be released on Friday. “We have never previously observed such a volume of cyberattacks, variety of threat actors, and coordination of effort within the same several months,” the report states.

A representative with Russia’s embassy in Washington didn’t respond to requests seeking comment, but Russia has denied that it is involved in hacking.

Hacktivist groups represent a way for Russia to project an enhanced and more menacing online presence, said

Michael S. Rogers,

the former head of the National Security Agency who is now an operating partner at the venture-capital firm Team8 Labs Ltd.

“The Russian government is trying to generate more capacity,” he said. “These groups are attractive because they give them a measure of plausible deniability.”

John Hultquist, vice president of intelligence analysis at Mandiant, said now that XakNet has established itself as a hacktivist group, it could be used as a cover for a more-serious cyber operation directed by Russian intelligence. “These actors can’t be taken lightly,” he said of the GRU. “They are capable of turning out the lights.”

The evidence isn’t a smoking gun, but the repeated links between the GRU-linked attacks and the hacktivists “are hard to ignore and they suggest the relationship isn’t incidental,” Mr. Hultquist said.

This past spring, the Department of Homeland Security issued an alert naming XakNet (pronounced hack-net) and another group known as Killnet as possible threats to U.S. infrastructure. It also warned that the war in Ukraine could result in an uptick in attacks from criminal and hacktivist groups.

Killnet has attacked a range of entities, including targets in Japan, Italy, Norway, Estonia, and Lithuania with distributed denial of service, or DDoS, attacks that attempt to overwhelm servers with internet traffic, security researchers say. The group appears to act, at times, in concert with XakNet, Mr. Hultquist said.

Killnet has granted interviews with Russian media in recent months, and researchers say that the media attention—reinforcing the idea that Russia’s war has gained popular support—may be a more important objective than any cyber disruption. “They’re very loud, but they’re a small annoyance at best,” said Vlad Cuiujuclu, an analyst with Flashpoint, a cyberthreat-intelligence company.

But there have been a handful of incidents targeting the U.S. In July, Congress.gov, the official provider of congressional legislation information, was knocked offline for about two hours by a DDoS attack, according to a spokesman for the Library of Congress, which operates the website. “The Library’s network was not compromised, and no data was lost as a result of the attack,“ the spokesman said.

In August, Killnet said it was launching an attack against U.S. defense contractor

Lockheed Martin Corp.

, and around the same time it dumped documents it said were taken from Gorilla Circuits, a defense industry contractor based in San Jose, Calif., that manufactures circuit boards.

A spokesman for Gorilla Circuits confirmed that the company had experienced a security incident months earlier—in the fall of 2021. “In accordance with applicable law, Gorilla Circuits provided written notification of the incident to individuals and entities whose information was potentially involved,” he said. “Since then, Gorilla Circuits has not experienced another security incident.”

A Lockheed Martin spokesman said, “We face threats every day from sophisticated adversaries around the world and regularly take actions to increase the security of our systems and to protect our employee, customer and program data.”

Hacktivist groups have been around for more than a decade. Russian hacktivists launched a devastating online attack against Estonia in 2007 after Estonia removed a Soviet-era statue from its national capital, Tallinn. Banks, government websites and media companies were disrupted for about a week.

Jonas Skardinskas, director of cybersecurity management at Lithuania’s national cyber agency, said Lithuania has experienced at least two waves of denial of service against government agency websites that began in June of this year. But the attacks—some of which Killnet claimed responsibility for launching—were unusual because they were unfocused and never reached a crippling level, but persisted over a long duration.

“They were intended to be more annoying than disruptive,” Mr. Skardinskas said in an interview.

Still, officials have reason for concern. Gert Auväärt, a top cybersecurity official in Estonia, said in an interview in Tallinn last week that the small Baltic country was targeted with a wave of DDoS attacks in August following the removals of its remaining Soviet war memorials. Killnet claimed responsibility for the attacks, which some officials said were the most extensive since the 2007 digital siege.

Estonia successfully repelled the attack, Mr. Auväärt said, but Western officials were surprised by the level of traffic involved in the attempt, which peaked at over 200 gigabytes per second of data—an amount far higher than the normal single-digit amounts involved in denial of service attacks.

“When discussing this with our allies, both here in Europe and also across the Atlantic, these numbers were impressive to all of them,” Mr. Auväärt said.

Write to Robert McMillan at [email protected] and Dustin Volz at [email protected]

Officials in the U.S. and Europe have warned throughout the war that Russian hackers could lash out against Ukraine’s allies by targeting critical infrastructure and governments with cyberattacks, but so far that has largely failed to materialize.

Over the past few months, Google’s Mandiant cybersecurity group has observed apparent coordination between pro-Russian hacking groups—ostensibly comprising patriotic citizen hackers—and cyber break-ins by Russia’s military intelligence agency, or GRU. In four instances, Mandiant says it observed hacking activity linked to the GRU in which malicious “wiper” software was installed on a victim’s network.

The initial wiper software caused disruption by destroying computer systems across the organization. Then, the hacktivists entered the picture. After each of these hacks—within 24 hours of the wiping—the hacktivist organizations have published data stolen from the same organizations.

Three pro-Russian hacktivist groups have been involved, according to Mandiant, which was acquired by Google in a deal that closed earlier this month. They are called XakNet Team, Infoccentr and CyberArmyofRussia_Reborn.

Combined with the other activity related to the war, this has created an unprecedented situation, Mandiant said, in a report on the hacktivists set to be released on Friday. “We have never previously observed such a volume of cyberattacks, variety of threat actors, and coordination of effort within the same several months,” the report states.

A representative with Russia’s embassy in Washington didn’t respond to requests seeking comment, but Russia has denied that it is involved in hacking.

Hacktivist groups represent a way for Russia to project an enhanced and more menacing online presence, said

Michael S. Rogers,

the former head of the National Security Agency who is now an operating partner at the venture-capital firm Team8 Labs Ltd.

“The Russian government is trying to generate more capacity,” he said. “These groups are attractive because they give them a measure of plausible deniability.”

John Hultquist, vice president of intelligence analysis at Mandiant, said now that XakNet has established itself as a hacktivist group, it could be used as a cover for a more-serious cyber operation directed by Russian intelligence. “These actors can’t be taken lightly,” he said of the GRU. “They are capable of turning out the lights.”

The evidence isn’t a smoking gun, but the repeated links between the GRU-linked attacks and the hacktivists “are hard to ignore and they suggest the relationship isn’t incidental,” Mr. Hultquist said.

This past spring, the Department of Homeland Security issued an alert naming XakNet (pronounced hack-net) and another group known as Killnet as possible threats to U.S. infrastructure. It also warned that the war in Ukraine could result in an uptick in attacks from criminal and hacktivist groups.

Killnet has attacked a range of entities, including targets in Japan, Italy, Norway, Estonia, and Lithuania with distributed denial of service, or DDoS, attacks that attempt to overwhelm servers with internet traffic, security researchers say. The group appears to act, at times, in concert with XakNet, Mr. Hultquist said.

Killnet has granted interviews with Russian media in recent months, and researchers say that the media attention—reinforcing the idea that Russia’s war has gained popular support—may be a more important objective than any cyber disruption. “They’re very loud, but they’re a small annoyance at best,” said Vlad Cuiujuclu, an analyst with Flashpoint, a cyberthreat-intelligence company.

But there have been a handful of incidents targeting the U.S. In July, Congress.gov, the official provider of congressional legislation information, was knocked offline for about two hours by a DDoS attack, according to a spokesman for the Library of Congress, which operates the website. “The Library’s network was not compromised, and no data was lost as a result of the attack,“ the spokesman said.

In August, Killnet said it was launching an attack against U.S. defense contractor

Lockheed Martin Corp.

, and around the same time it dumped documents it said were taken from Gorilla Circuits, a defense industry contractor based in San Jose, Calif., that manufactures circuit boards.

A spokesman for Gorilla Circuits confirmed that the company had experienced a security incident months earlier—in the fall of 2021. “In accordance with applicable law, Gorilla Circuits provided written notification of the incident to individuals and entities whose information was potentially involved,” he said. “Since then, Gorilla Circuits has not experienced another security incident.”

A Lockheed Martin spokesman said, “We face threats every day from sophisticated adversaries around the world and regularly take actions to increase the security of our systems and to protect our employee, customer and program data.”

Hacktivist groups have been around for more than a decade. Russian hacktivists launched a devastating online attack against Estonia in 2007 after Estonia removed a Soviet-era statue from its national capital, Tallinn. Banks, government websites and media companies were disrupted for about a week.

Jonas Skardinskas, director of cybersecurity management at Lithuania’s national cyber agency, said Lithuania has experienced at least two waves of denial of service against government agency websites that began in June of this year. But the attacks—some of which Killnet claimed responsibility for launching—were unusual because they were unfocused and never reached a crippling level, but persisted over a long duration.

“They were intended to be more annoying than disruptive,” Mr. Skardinskas said in an interview.

Still, officials have reason for concern. Gert Auväärt, a top cybersecurity official in Estonia, said in an interview in Tallinn last week that the small Baltic country was targeted with a wave of DDoS attacks in August following the removals of its remaining Soviet war memorials. Killnet claimed responsibility for the attacks, which some officials said were the most extensive since the 2007 digital siege.

Estonia successfully repelled the attack, Mr. Auväärt said, but Western officials were surprised by the level of traffic involved in the attempt, which peaked at over 200 gigabytes per second of data—an amount far higher than the normal single-digit amounts involved in denial of service attacks.

“When discussing this with our allies, both here in Europe and also across the Atlantic, these numbers were impressive to all of them,” Mr. Auväärt said.

Write to Robert McMillan at [email protected] and Dustin Volz at [email protected]