Are Hacktivist Data Dumps Helping Ukraine?

Although hacktivists have dumped large amounts of data and information for public consumption, the information it reveals is usually outdated, irrelevant, or unhelpful.

Similarly, Anonymous’ hacktivism has been inching closer and closer to financial cybercrime. For example, NB65 has targeted Russian companies with a modified version of Conti’s ransomware encryptor. Conti is best known for recently running a ransomware campaign against Costa Rica, which forced the country’s president to declare a state of emergency in May 2022. Among others, Russia’s SSK Gazregion fell victim to NB65, who allegedly exfiltrated 110 GB of data, deleted several backups, and then encrypted the systems to extort the company. As NB65 explained, “1) Companies and governments outside of Russia need not be worried about NB65. Russian assets are our only targets. 2) Ransomware payments (if any are made) will be donated to #Ukraine.” Exfiltrating data is one thing, but deleting data, encrypting data, and extorting companies financially is clearly criminal behavior that should be neither excused nor applauded under the cover of political hacktivism.

That being said, Anonymous’ data dumps have been largely ignored within the cybercriminal ecosystem. The consensus seems to be that Anonymous largely consists of amateurs and that their dumps are closer to opportunistic smash-and-grab mischief than to targeted operations aimed at exfiltrating relevant and valuable data. In fact, most Anonymous groups do not even have members who can read Russian, which encourages the ‘grab all files’ attitude because the hackers cannot interpret the data they have gained access to, and substantially hinders them from efficiently navigating the system they have infiltrated. Huge corporate networks and systems can be opaque and difficult to navigate, and there are numerous cases of hackers lacking the patience to analyze material accessed after breaching a network. For these reasons, even the Ukrainian government—including the “IT Army,” which was stood up by the Ministry of Digital Transformation—has ignored Anonymous’ data dumps. Speaking to the Ukrainian news outlet Media Sapiens on March 23, the Head of Electronic Services Development at the Ministry of Digital Transformation, Mstislav Banik, noted that “we do not process the data merged by Anonymous.”

In sum, the issue of hosting can tell outside observers a lot about how important a specific data dump is to a certain group or individual. Some data dumps are kept alive for long-term access and dissemination, while others disappear after a few hours or days. Generally, if the group does not care about the availability of its own data dump, then the dump is likely not valuable. Hosting choices can also significantly influence the size of a data dump. For example, Revenge.monster’s goal is to “completely deanonymize the majority of Runet and Belnet users by draining hundreds of gigabytes of databases of Russian and Belarusian IT giants, delivery aggregators, Internet providers, social networks. networks, etc.” Meanwhile, DDoSecrets is likely encouraging Anonymous groups to dump as much data from a target as possible because, to the average person, a dump of one terabyte of data is seen as more valuable, relevant, and impactful than a dump of a few megabytes. In fact, however, the correlation is inverse: the larger the data dump, the less valuable the information it contains.

The second question to separate the wheat from the chaff is: Where did a data dump originate? More specifically, what institution, what network within that institution, and what exact part of that network did the data come from? In most instances, analysts and journalists fail to ask these elementary questions, and many Anonymous groups are perfectly willing to make false claims of having breached the headquarters of conglomerate A when they actually found a meaningless file transfer protocol (FTP) server belonging to a contractor that works for a subsidiary of a local branch of conglomerate A in the middle of nowhere. A recent example highlights how common this phenomenon is.

On March 22, 2022, several Anonymous news accounts tweeted: “BREAKING NEWS: Hacker group Anonymous has released 10 GB of data from Swiss company Nestlé. This is the collective's retaliation for continuing the company's business in Russia.” While this tweet subsequently gained 13,000 retweets and more than 60,000 likes, the group that published the leak, KelvinSecurity, noted in a blog post on the same day that they had obtained the data at the end of last year. Talking to the Wall Street Journal, a KelvinSecurity representative explained that the original plan was to sell the data but that the group instead “decided to release it to collaborate with the hacking operation against Russia.” Speaking to TheRecord, a Nestlé spokesperson further contextualized the dump:

“This claim of a cyberattack against Nestlé and subsequent data leak has no foundation. It relates to a case from February this year, when some randomized and predominantly publicly available test data of a B2B nature was unintentionally made accessible online for a short period of time on a single business test website.”

Similarly, several Anonymous groups, including GhostSec and AgainstTheWest/BlueHornet, have claimed to have breached the networks of the Russian domestic and military intelligence services, or to have gained access to an internal network of Russian APT actors. In the end, those data dumps contained meaningless data or self-made summaries of information that was already included in publicly available U.S. grand jury indictments.

In contrast to this behavior, the WeLeakDatabase channel on Telegram has tried to provide some context on the origin of its data dumps. For example, on April 20, weleakdatabase posted a 43.5 GB dump from miltor.ru. Miltor is a Russian bulletin board for goods and services that connects buyers with companies across the Federation. Weleakdatabase explained that “apparently, all the data was uploaded from the developer’s repository on bitbucket.org or from his work computer. In addition to the miltor.ru project, the databases and sources of nedvrf.ru, sigtura.ru, remont-vsego.ru, sitesms.ru, etc. were also ‘merged’.” Given that Weleakdatabase operates in the cybercriminal environment rather than the hacktivism scene, details about a dump’s origin are in fact selling points that demonstrate a degree of due diligence, trusted sourcing, and professionalism. All of this is missing from the data dumps that Anonymous groups have been churning out over the course of the war in Ukraine.

Which brings us to the third question: How did the groups gain access to the data, and what permission rights did they have on the breached systems? Posing these questions is important because hacktivists tend to pursue one of two general, non-exclusive objectives.

The most straightforward objective is to embarrass the victim by highlighting its weak security measures. Data dumps supported by this narrative are usually legitimate and are sometimes underpinned by supporting screenshots that show root access or administrative rights on the breached systems. One example of this was when V0g3lSec released its largest data dump on March 3, which included documents on Roscosmos’ lunar missions. Talking to Vice Motherboard on the same day, one V0g3lSec member explained that “[Roscosmos] were using their own file sharing service where the files could be accessed only by providing a username & password.. all i did was bruteforcing the password while keeping the username as ‘admin’.. as they were using a weak password, it didnt take much time for me to get the password.” V0g3lSec accurately described how many Anonymous groups gain access to random servers and databases across the .ru domain. The research team at Website Planet, for example, conducted a random sampling of 100 publicly accessible Russian databases and found that ninety-two had been compromised by pro-Ukraine hacktivists. In the V0g3lSec case, the claim is that they breached an administrative account, which would have given the group wide-ranging permission rights on that file server, including the ability to alter, delete, and move files. But they could also have simply breached a random user account with read-only file permissions, which would not have allowed them to alter, delete, or move files on the system. In both instances, data exfiltration and data dumping are possible, but only in the administrative case are destructive follow-on actions a distinct possibility.

The second objective can be to release data and information that, given its specific nature and context, speaks for itself. One example of this is the Conti leaks by a Ukrainian security researcher after the group officially announced its full support for the Russian government one day after the invasion. The leaks not only provided insights into Conti’s day-to-day operations but also helped researchers identify previously unknown Conti infrastructure, the group’s collaboration with other ransomware groups, and potential links to the Russian government. Another example is the disclosure of the personal information of 120,000 Russian soldiers fighting in Ukraine, including their passport data, military rank, and unit identification. Anonymous took credit for the leak on April 3, but the original source was actually the private Telegram channel of a hacking group called E_N_I_G_M_A. The dataset’s legitimacy had also already been confirmed by the International Volunteer Community InformNapalm on February 26, 2022. Similarly, on March 28, Ukraine’s intelligence service released the personally identifiable information of 620 FSB officers stationed in Moscow and allegedly involved in criminal activities across Europe. All three examples are data dumps and information leaks that have had the greatest impact in the context of the war in Ukraine, because they offered substantial intelligence value owing to the density of the information included, were immediately actionable and produced follow-on outcomes, and were made accessible for a long period of time to unlock their continuing potential.