Ukraine is turning to hacktivists for help

Joseph Marks, Aaron Schaffer

Welcome to The Cybersecurity 202! If you’re skipping tonight’s State of the Union address, consider streaming the 1948 Spencer Tracy and Katharine Hepburn film “State of the Union,” about the corruption of an idealist presidential candidate.

Below: Sen. Mark R. Warner (D-Va.) wants rules of the road for social media companies and disinformation, and hundreds of thousands of lawyer disciplinary records were exposed in California. 

Ukraine-backing hackers are launching modest cyber attacks on Russia

Six days into Russia’s Ukraine invasion, some of the most visible hacks have come from Ukrainian volunteers and others not affiliated with the embattled nation’s government. 

Those attacks have been relatively small-scale — mostly blocking and defacing Kremlin-linked websites. But they’ve grabbed the public’s attention and telegraphed a bold rejection of Russian aggression.

‘IT Army’

Ukraine sympathizers have vandalized Russian TV stations to display pro-Ukraine content and disabled and defaced Russian electric vehicle chargers with profane anti-Putin messages. 

The hackers, some of whom have formed into an “IT Army” under directions from Ukraine’s embattled government, are aiming to deface major Russian targets or force them offline, including banks and energy firms. They may even have been behind a takedown of the Moscow Stock Exchange website. The group has been bolstered by some seemingly non-Ukrainians who claim affiliation with the hacktivist group Anonymous. 

Unfettered playing field

The hacks are especially noteworthy given the absence — so far — of blockbuster destructive Russian cyberattacks that many cyber experts had prepared for, as Joseph Menn and Craig Timberg report. That has let Ukrainians maintain relatively unfettered access to the Internet for communications, strategizing and their own largely symbolic digital attacks. 

The hacks are an early indication of the significant role guerilla-style patriotic hacktivists are likely to play in future conflicts

While such attacks are great for rallying spirits and thumbing a nose at the enemy, analysts fear they might also add to the fog of cyberwar — perhaps making grievous errors, hacking innocent targets and unnecessarily ratcheting up cyber conflict between nations. 

“The Wild West analogy gets used a lot in cyber, but that’s really what you’re creating by inviting noncombatants into the field. When there are more offensive players, that creates a situation where things can go wrong and lead to unintended consequences,” Virpratap Vikram Singh, a research and program coordinator at Columbia University who's focused on cyber conflict, told me. 


It’s too early to tell what effect the Ukrainian attacks will have

The hacks so far are likely enough to pester the adversary but not to create severe anxiety — especially in a nation as cyber-capable as Russia. Many are distributed denial of service attacks — cyber actions that overwhelm websites with bogus traffic until they go offline but don’t actually break into anything.

“Patriotic hackers usually aren’t the top of the league and probably aren’t causing the Russians to burst into tears,” Jim Lewis, a cyber researcher at the Center for Strategic and International Studies, told me. 

If it’s properly directed, the IT Army could fulfill a useful cyber defensive function, Lewis told me, such as helping Ukrainian firms patch vulnerabilities that might be exploited by Russians and sharing information about Russian hacker tactics.

Estonia launched a similar volunteer cyber protection initiative after it faced a blistering Russian denial of service attack in 2007. 

As for Russia…

Russia has its own outsiders – criminal hacking groups – lining up to help.

At least four such groups have pledged to aid Russia, according to a tally from the cyber publication the Record — stoking fears that ransomware gangs could launch economy-rattling attacks against U.S. companies in retaliation for damaging sanctions. But there are some caveats.

  • The mostly Russia-based ransomware gang Conti pledged to hack back against anyone attacking Russia. But a few hours later, a Ukrainian sympathizer with access to the group’s internal communications leaked roughly 60,000 messages. The leak is likely enough to destroy the gang’s business.
  • Other Russian cybercriminal groups may face similar constraints because of affiliations with Ukrainians, Brett Callow, a threat analyst at the cybersecurity firm Emsisoft, told me. He called the threat of ransomware gangs hacking the United States in retaliation for sanctions “a risk but perhaps not as much of a risk as has been thought.”
  • Another primarily Russian ransomware gang, LockBit, clearly learned from Conti’s misstep. The gang posted a message on its website declaring it’s not taking sides in the conflict. “For us, it is just business and we are all apolitical,” the gang wrote. “We are only interested in money for our harmless and useful work.”

The keys

Major social media companies are banning Russian state media in Europe

The move by YouTube, Facebook and TikTok is “blocking Moscow’s biggest megaphone for influencing public opinion about the war in Ukraine in a critical region on its borders,” Elizabeth Dwoskin, Cat Zakrzewski and Gerrit De Vynck report.

It comes after significant pressure from European leaders, the Ukrainian government and some U.S. lawmakers and could prompt retaliations from the Kremlin. 

Sen. Mark R. Warner (D-Va.), who chairs the Senate Intelligence Committee, praised early moves by the companies during a Washington Post Live event. But he warned Congress shouldn’t have to rely on tech companies to take action on their own and needs “some rules of the road on social media.”

“Virtually every one of these platforms has taken down some of the Russian activity or demonetized so they’re not making money off RT or Russian ads… That’s good, I commend these platforms, but the truth is… I shouldn’t have to rely on their good will. We need some rules of the road on social media.” – Sen. Mark Warner (D-Va.) (Washington Post Live)

Other social media company moves:

  • Twitter is labeling tweets that link to designated Russian state-affiliated media websites
  • Microsoft announced it is banning ads from RT and Sputnik, removing RT’s apps from its app store and “further de-ranking these sites’ search results” on its Bing search engine

European Commission President Ursula von der Leyen said the E.U. was working on “tools to ban [Russian sites’] toxic and harmful disinformation in Europe,” and the outlets would “no longer be able to spread their lies to justify [Russian President Vladimir] Putin’s war and to sow division in our union.”

Governments and regulators continue to scrutinize the outlets. 

U.K. broadcast regulator Ofcom has opened 15 investigations into RT’s Ukraine coverage, the Guardian’s Jim Waterson reports. The regulator could force RT’s U.K. television channel to go off the air.

Hundreds of thousands of lawyers’ secret disciplinary records were exposed in California

The records, which are supposed to be secret until formal charges are filed, were posted to the legal database JudyRecords, Reuters’s Karen Sloan reports.

California Bar officials called the incident a “hack” and said JudyRecords obtained the records illegally. But JudyRecords says the information was “previously publicly available” on the bar’s website. JudyRecords has since taken the files down. The administrator of JudyRecords is anonymous. 

The state bar has apologized for the incident and said it has asked its software vendor and a cybersecurity firm to investigate. JudyRecords said it accepted an invitation by the bar to discuss the matter. The California Bar said JudyRecords was able to access 260,000 disciplinary case records. JudyRecords tentatively said fewer than 1,000 cases were affected.

Toyota will restart production in Japan after a hack hit a supplier

Production at 14 Japanese factories will restart Wednesday, Reuters's Satoshi Sugiyama reports. The work stoppage had affected the manufacturing of roughly 13,000 vehicles, a Toyota spokesperson told the New York Times’s Ben Dooley and Hisako Ueno. 

The pause came after systems at auto component manufacturer Kojima Industries were disrupted on Saturday. Kojima shut down its networks so the potential hack wouldn’t spread to customers, a spokesperson told the Times.

It comes at a critical time for the world’s largest automaker. Like the auto industry at large, Toyota faces a supply chain crunch that has forced it to cut production amid the pandemic. The company had already planned to stop production at some Japanese factories in March because of component shortages.

Cyber insecurity

Revelations about the Conti ransomware group are trickling out

The leak of 60,000 of the notorious ransomware gang’s internal messages paints a chilling portrait of the group that crippled Ireland’s health-care system among other major hacks. 

Cybersecurity outlets the Record and Bleeping Computer have confirmed that the messages are authentic – but it’s possible hackers were lying in internal communications or messages were altered before they were leaked.

Here are some details:

  • Hackers claimed they tried to trick cybersecurity companies into giving them demos of their products so they could figure out ways to get around them, the Record’s Catalin Cimpanu reports.
  • Some messages claim that the group needed $10,000 to pay a lawyer to represent Alla Witte, who U.S. prosecutors in June 2021 accused of being in a group that used “TrickBot” malware.
  • One contributor to the investigative collaborative Bellingcat was hacked by a Conti member, the hacker said in a leaked chat. Bellingcat has written extensively about Russian operations, including identifying the Russian agents who poisoned Kremlin critic Alexei Navalny. Russia’s government has long attacked the outlet for being “fake news,” although it frequently shows evidence like archived social media posts or flight logs in its investigations.

Bellingcat executive director Christo Grozev accused the Conti hacker of working for Russia’s security services:

We tried to figure out what that cyber-crime group was - that apparently takes orders from the FSB. The Russian invasion of Ukraine finally brought the answer. A pro-Ukraine hacker from that cyber-crime group leaked their internal chats. It's the #conti group.

— Christo Grozev (@christogrozev) February 28, 2022

Chat room

Mandiant vice president John Hultquist offered some sage analysis of the situation in Ukraine:

Industry report

Global cyberspace


  • Rep. John Katko (N.Y.), the top Republican on the House Homeland Security Committee, discusses cybersecurity and other issues at a Washington Post Live event today at 10 a.m.
  • New America’s Open Technology Institute hosts an event on the next steps on consumer cybersecurity and privacy labels for connected devices today at 2 p.m.
  • The Cyber Threat Alliance hosts a webinar on metrics for predicting how likely vulnerabilities will be exploited today at 11 a.m.

Secure log off

Thanks for reading. See you tomorrow.