Are Hacktivist Data Dumps Helping Ukraine?
Although lots of data and information has been dumped by hacktivists for public consumption, the information it reveals is usually outdated, irrelevant, or unhelpful.
The Russian invasion of Ukraine on February 24 set off a global onslaught in cyberspace that is overwhelmingly targeting Russian government infrastructure, private companies, and individual Russian citizens. While the Ukrainian Ministry of Digital Transformation has termed this onslaught to be the “world’s first cyber war,” a more appropriate term is “cyber chaos.” Amidst this ongoing chaos in cyberspace, one tactical element has been most prominently leveraged by pro-Ukraine and anti-Russia hacking groups: data dumps.
Data dumps and data leaks are generally used synonymously, but there can be stark differences between them. Leaks are usually defined as sensitive data that is unknowingly exposed, while dumps are large amounts of data transferred from one system or location to another. The aspect where they differ the most is information density. Leaks are typically information-rich because of the sensitivity of the data they include, while dumps are normally information-poor but large in size. Essentially this is comparable to a letter containing specific information and a truckload of household garbage.
The second aspect in which they can differ is the choice of dissemination. Data dumps are usually dumped into the public domain with few specifics about their origins, purpose, content, and to whom they are addressed. Data leaks, by contrast, typically contain context identifying the data’s origin, who found it, who it was reported to, and what it includes. Essentially, with leaks, there is relatively little heavy lifting and time investment needed to determine the informational content and value.
Data dumps and information leaks can both be utilized in the context of so-called hack-and-leak operations, which have been employed by intelligence agencies, hacktivists, and cybercriminals alike. In the context of the war in Ukraine, observers can broadly discern between three types of hack-and-leak operations: (1) hacking and dumping data, with data dumps ranging from a single document to terabytes (TB) of files; (2) hacking and dumping information, which is usually done by posting databases, personal identification information, username and password lists, credit card details, or internal chat protocols; and (3) hacking, dumping, and deleting data and information, which is a very difficult operation to assess from the outside, given that only the victim can verify whether anything was deleted from their systems. There is also a smaller fourth type of hack-and-leak operation emerging amidst the Ukraine war, namely, hacking, encrypting, deleting, and dumping data. This is even more difficult for an outsider to verify if the victim is unwilling to talk.
Hack-and-leak operations against Russian entities have emerged as one of the most misunderstood activities during the war in Ukraine. The sheer amount and frequency of data dumps and information leaks have culminated in a never-ending data flood that has overwhelmed journalists and analysts alike. Few are willing to spend their time wading through this ocean of data in the hopes of stumbling upon something interesting and meaningful. But not all data dumps are created equal. In fact, their quality, impact, and usefulness can differ depending on the source, size, type, structure, availability, and other factors that facilitate the data dump ecosystem.
In the current data flood environment, there are a handful of elemental questions that can help separate the wheat from the chaff. The most basic is determining where the data dump was hosted and how long it was accessible. The following three examples show how hackers have dumped Russian data during the war in Ukraine using specific hosting measures.
Within the new Anonymous community, the smallest popular group, measured by its activity and data dump sizes, is probably V0g3lSec. Their Twitter account identifies them as a hacking group from the Netherlands. Like many new Anonymous groups, V0g3lSec started hacking Russian-based entities shortly after the invasion began. Between March 2 and April 24, V0g3lSec posted ten data dumps. The largest one was 729 MB and consisted of 262 items allegedly exfiltrated from the Russian space agency Roscosmos. The dump was uploaded to the file-sharing host gofile.io but has since been taken down. V0g3lSec’s smallest information leak appears to have consisted of five tables that contained “usernames, names, emails & passwords (hashed) of different people” allegedly exfiltrated from the Russian Federal Center for Integrated Arctic Studies. This information leak was also uploaded on gofile and has also since been taken down. Finally, on May 22, 2022, V0g3lSec surprisingly disbanded, tweeting: “V0g3lSec [Disbanded]. Feb 27/2022 - May 22/2022. We hated ourselves due to western & russian propaganda.”
All in all, nine out of V0g3lSec’s ten dumps and leaks were hosted on gofile, with the last utilizing the text storage site ghostbin.com. Think of ghostbin as a public .txt file with an expiration date ranging from ten minutes to indefinitely. The way V0g3lSec hosted its files illustrates a few things about the group. First, their dumps were not meant to be available for a long period of time. Access was measured in hours and days rather than weeks, months, or years. This might have been a conscious decision to facilitate targeted dump dissemination within a certain community or, more likely, the result of a lack of financial resources, time, and internal coordination, together with concerns about operational security.
Second, the decision to host their dumps on one particular file hosting site speaks to a deliberate preference. For example, the Ukrainian data leak repository revenge.monster, which was stood up after the Russian invasion, explicitly noted that “if you want to support us and Ukraine, and you have some free time, then look for a database that is not on our website, upload it to gofile and upload it here, we will be very grateful!” To be clear, there is no known link between V0g3lSec and revenge.monster, and as of this writing, none of V0g3lSec’s dumps are hosted on the site.
Different repositories, hacking groups, and individuals make deliberate choices where to host their dumps based on certain preferences and motives. This can be particularly pronounced in large groups where a specific data dump is exclusively held by one individual rather than every member of the group. Thus, when that member leaves the group, their data dump is unavailable to be reuploaded and might be gone forever. Overall, hacking groups are rarely bound by coherent structures but are often alliances of convenience, which can be reflected in their hosting preferences.
A counter-example to V0g3lSec’s hosting preferences would be a group like Network Battalion 65 (NB65). NB65 differs from the new Anonymous space in terms of activity, drama, creativeness, outreach, size, and popularity. As of this writing, NB65 has roughly 210,000 followers on Twitter while V0g3lSec has a mere 5,400. On February 27, NB65 published its first data dump using the anonfiles.com file hosting service. The dump was 120 megabytes (MB) in size and consisted of approximately 40,000 files allegedly obtained from the Nuclear Safety Institute of the Russian Academy of Sciences. A few hours after NB65 announced the dump, two non-NB65 members created mirror links, making the dump available on the New Zealand-based file host Mega and the Czech-based file sharing platform Uloz.to. As of this writing, both mirror links still work, but the dump on Anonfiles is gone. Several other dumps and leaks followed, with NB65 using a variety of hosting options including Mega, Pastebin, an onion site on the Tor network, and on one occasion even the U.S.-based volunteer privacy collective Riseup.net.
Starting in late March 2022, NB65 and other major new Anonymous groups began to form a relationship with Distributed Denial of Secrets (DDoSecrets). Officially, DDoSecrets is a journalistic non-profit organization whose “aim is to avoid political, corporate or personal leanings, to act as a beacon of available information. As a transparency collective, we don't support any cause, idea or message beyond ensuring that information is available to those who need it most—the people.” Unofficially, they have become the most prominent data dump host and aggregator platform for Anonymous groups targeting Russian companies and government agencies. DDoSecrets’ hosting service is particularly attractive because the dumps are located on several servers around the world and are being shared via the Torrent network. This means that the dumps can be very large in size, are always seeded, and are available to download for years. As of May 10, six NB65 data dumps with a combined size of approximately 2.4 terabytes (TB) are hosted by DDoSecrets. Uploading that much data on a file-sharing site like Mega or gofile would be extremely frustrating—particularly if the host deletes the dump every few days.
In contrast to V0g3lSec and NB65, groups active in the Russian- and Ukrainian-speaking ecosystem are primarily sharing data dumps and information leaks via Telegram. Telegram has a maximum file upload size of 2 gigabytes (GB), and groups utilize it in combination with torrents and file sharing sites. For example, revenge.monster has a Telegram channel but prefers to utilize it in combination with gofile uploads. It is important to note that many data dump and information leak aggregator channels on Telegram are essentially cybercriminal markets. Some dumps are shared for free while others can be partially viewed and purchased in full. For these groups, the hacktivist activities amidst the Ukraine war are mere background noise for a much larger ecosystem trading in stolen data and information. On Telegram, the dividing lines between hacktivism and cybercrime are almost non-existent.
Similarly, Anonymous’ hacktivism has also been inching closer and closer to financial cybercrime. For example, NB65 has targeted Russian companies with a modified version of Conti’s ransomware encryptor. Conti is most well-known for recently running a ransomware campaign against Costa Rica which forced the country’s president to announce a state of emergency in May 2022. Among others, Russia’s SSK Gazregion fell victim to NB65, who allegedly exfiltrated 110 GB of data, deleted several backups, and then encrypted the systems to extort the company. As NB65 explained, “1) Companies and governments outside of Russia need not be worried about NB65. Russian assets are our only targets. 2) Ransomware payments (if any are made) will be donated to #Ukraine.” Exfiltrating data is one thing but deleting data, encrypting data, and extorting companies financially is clearly criminal behavior that should not be excused nor applauded under the cover of political hacktivism.
That being said, Anonymous’ data dumps have been largely ignored within the cybercriminal ecosystem. The consensus seems to be that Anonymous largely consists of amateurs and that their dumps are closer to opportunistic grab-and-smash rascality than to targeted operations whose aim is to exfiltrate relevant and valuable data. In fact, most Anonymous groups do not even have members who can read Russian. This encourages the ‘grab all files’ attitude, because the hackers cannot interpret the data they have gained access to, and it substantially hinders them from efficiently navigating the systems they have infiltrated. Huge corporate networks and systems can be opaque and difficult to navigate, and there are numerous cases of hackers lacking the patience to analyze material accessed after breaching a network. For these reasons, even the Ukrainian government, including the “IT Army,” which was stood up by the Ministry of Digital Transformation, has ignored Anonymous’ data dumps. Speaking to the Ukrainian news outlet Media Sapiens on March 23, the Head of Electronic Services Development at the Ministry of Digital Transformation, Mstislav Banik, noted that “we do not process the data merged by Anonymous.”
In sum, the issue of hosting can tell outside observers a lot about how important a specific data dump is to a certain group or individual. Some data dumps are kept alive for long-term access and dissemination, while others disappear after a few hours or days. Generally, if the group does not care about the availability of its own data dump, then the dump is likely not valuable. Hosting choices can also significantly influence the size of a data dump. For example, revenge.monster’s stated goal is to “completely deanonymize the majority of Runet and Belnet users by draining hundreds of gigabytes of databases of Russian and Belarusian IT giants, delivery aggregators, Internet providers, social networks. networks, etc.” Meanwhile, DDoSecrets is likely encouraging Anonymous groups to dump as much data from a target as possible because, to the average person, a dump of one terabyte of data is seen as more valuable, relevant, and impactful than a dump of a few megabytes. In fact, however, the correlation is inverse: the larger the data dump, the less valuable the information is.
The second question to separate the wheat from the chaff is: Where did a data dump originate from? More specifically, what institution, what network within that institution, and what exact part of that network did the data come from? In most instances, analysts and journalists fail to ask these elemental questions, and many Anonymous groups are totally fine with falsely claiming to have breached the headquarters of conglomerate A when they actually found a meaningless file transfer protocol (FTP) server of a contractor that works for a subsidiary of a local branch of conglomerate A in the middle of nowhere. A recent example highlights the prevalence of this phenomenon.
On March 22, 2022, several Anonymous news accounts tweeted: “BREAKING NEWS: Hacker group Anonymous has released 10 GB of data from Swiss company Nestlé. This is the collective's retaliation for continuing the company's business in Russia.” While this tweet subsequently gained 13,000 retweets and more than 60,000 likes, the group that published the leak, KelvinSecurity, noted in a blog post on the same day that they had obtained the data at the end of the previous year. Talking to the Wall Street Journal, a KelvinSecurity representative explained that the original plan was to sell the data but that the group instead “decided to release it to collaborate with the hacking operation against Russia.” Speaking to The Record, a Nestlé spokesperson further contextualized the dump:
“This claim of a cyberattack against Nestlé and subsequent data leak has no foundation. It relates to a case from February this year, when some randomized and predominantly publicly available test data of a B2B nature was unintentionally made accessible online for a short period of time on a single business test website.”
Similarly, several Anonymous groups, including GhostSec and AgainstTheWest/BlueHornet, have claimed to have breached the network of the Russian domestic and military intelligence services, or gained access to an internal network of Russian APT actors. In the end, those data dumps included meaningless data or self-made summaries of information that was included in publicly available U.S. grand jury indictments.
In contrast to this behavior, the WeLeakDatabase channel on Telegram has tried to provide some context to the origin of their data dumps. For example, on April 20, weleakdatabase posted a 43.5 GB dump from miltor.ru. Miltor is a Russian bulletin board for goods and services that connects buyers with companies across the Federation. Weleakdatabase explained that “apparently, all the data was uploaded from the developer’s repository on bitbucket.org or from his work computer. In addition to the miltor.ru project, the databases and sources of nedvrf.ru, sigtura.ru, remont-vsego.ru, sitesms.ru, etc. were also ‘merged’.” Given that Weleakdatabase operates in the cybercriminal environment rather than the hacktivism scene, pieces of information about a dump’s origin are in fact selling points that show a degree of due diligence, trusted sourcing, and professionalism. All of this is missing from the data dumps that Anonymous groups have been churning out over the course of the war in Ukraine.
Which brings us to the third question: How did the groups gain access to the data and what kind of permission rights did they have on the breached systems? Posing these questions is important because hacktivists tend to have one of two general non-exclusive objectives.
The most straightforward objective is to embarrass the victim by highlighting their weak security measures. Data dumps supported by this narrative are usually legitimate and sometimes underpinned with supporting screenshots that show root access or administrative rights on the breached systems. One example of this was when V0g3lSec released its largest data dump on March 3, which included documents on Roscosmos’ lunar missions. Talking to Vice Motherboard on the same day, one V0g3lSec member explained that “[Roscosmos] were using their own file sharing service where the files could be accessed only by providing a username & password.. all i did was bruteforcing the password while keeping the username as ‘admin’.. as they were using a weak password, it didnt take much time for me to get the password.” V0g3lSec accurately described how many Anonymous groups gain access to random servers and databases across the .ru domain. The research team at Website Planet, for example, conducted a random sampling of 100 Russian databases that were publicly accessible and found that ninety-two were compromised by pro-Ukraine hacktivists. In the V0g3lSec case, the claim is that they breached an administrative account that would have given the group wide-ranging permission rights on that file server, including the ability to alter, delete, and move files on the server. But they could also have simply breached a random user account with read-only permissions that would not allow them to alter, delete, or move files on the system. In both instances, data exfiltration and data dumping are possible, but only in the administrative case are destructive follow-on options a distinct possibility.
The second objective can be to release data and information that, given its specific nature and context, speaks for itself. One example of this is the Conti leaks by a Ukrainian security researcher after the group officially announced its full support for the Russian government one day after the invasion. The leaks not only provided insights into Conti’s day-to-day operations but also helped researchers identify previously unknown Conti infrastructure, the group’s collaboration with other ransomware groups, and potential links to the Russian government. Another example is the disclosure of the personal information of 120,000 Russian soldiers fighting in Ukraine, including their passport data, military rank, and unit identification. Anonymous took credit for the leak on April 3, but the original source was actually the private Telegram channel of a hacking group called E_N_I_G_M_A. The dataset’s legitimacy had also already been confirmed by the International Volunteer Community InformNapalm on February 26, 2022. Similarly, on March 28, Ukraine’s intelligence service released the personally identifiable information of 620 FSB officers stationed in Moscow and allegedly involved in criminal activities across Europe. All three examples are data dumps and information leaks that have had the most impact in the context of the war in Ukraine: they offered a wealth of intelligence value due to the density of the information included, were immediately actionable and produced follow-on outcomes, and were made accessible for a long period of time to unlock their continuous potential.
To conclude, there are many other questions outside observers can pose to figure out whether a data dump has value and can impact the war in Ukraine without even downloading it. A group’s reputation and past claims, or even their ability to talk to journalists and researchers in a coherent manner when challenged on the details, can indicate how legitimate and valuable the data is. Not all hacking groups and data dumps, however, follow the same logic. The most impactful hacking groups and hacktivists in recent years, such as Phineas Fisher, the people who breached Mossack Fonseca, or the individual who supplied the Xinjiang Police Files, operated in ways far removed from the hacktivism seen amidst the war in Ukraine. For now, though, while embarrassing for the Russian government and private entities, most of the data dumps stemming from the war in Ukraine are largely inconsequential.
Stefan Soesanto is a Senior Researcher in the Cyberdefense Project with the Risk and Resilience Team at the Center for Security Studies (CSS) at ETH Zurich.