Ukraine is turning to hacktivists for help

Welcome to The Cybersecurity 202! If you’re skipping tonight’s State of the Union address, consider streaming the 1948 Spencer Tracy and Kathryn Hepburn film “State of the Union” about the corruption of an idealist presidential candidate. 

Below: Sen. Mark R. Warner (D-Va.) wants rules of the road for social media companies and disinformation, and hundreds of thousands of lawyer disciplinary records were exposed in California. 

Six days into Russia’s Ukraine invasion, some of the most visible hacks have come from Ukrainian volunteers and others not affiliated with the embattled nation’s government. 

Those attacks have been relatively small scale — mostly blocking and defacing Kremlin-linked websites. But they’ve grabbed the public’s attention and telegraphed a bold rejection of Russian aggression.

Ukraine sympathizers have vandalized Russian TV stations to display pro-Ukraine content and disabled and defaced Russian electric vehicle chargers with profane anti-Putin messages. 

The hackers, some of whom have formed into an “IT Army” under directions from Ukraine’s embattled government, are aiming to deface major Russian targets or force them offline, including banks and energy firms. They may even have been behind a takedown of the Moscow Stock Exchange website. The group has been bolstered by some seemingly non-Ukrainians who claim affiliation with the hacktivist group Anonymous. 

The hacks are especially noteworthy given the absence — so far — of blockbuster destructive Russian cyberattacks that many cyber experts had prepared for, as Joseph Menn and Craig Timberg report. That has let Ukrainians maintain relatively unfettered access to the Internet for communications, strategizing and their own largely symbolic digital attacks. 

The hacks are an early indication of the significant role guerilla-style patriotic hacktivists are likely to play in future conflicts. 

While such attacks are great for rallying spirits and thumbing a nose at the enemy, analysts fear they might also add to the fog of cyberwar — perhaps making grievous errors, hacking innocent targets and unnecessarily ratcheting up cyber conflict between nations. 

“The Wild West analogy gets used a lot in cyber, but that’s really what you’re creating by inviting noncombatants into the field. When there are more offensive players, that creates a situation where things can go wrong and lead to unintended consequences,” Virpratap Vikram Singh, a research and program coordinator at Columbia University who's focused on cyber conflict, told me. 

It’s too early to tell what effect the Ukrainian attacks will have. 

The hacks so far are likely enough to pester the adversary but not to create severe anxiety — especially by a nation as cyber-capable as Russia. Many are distributed denial of service attacks — cyber actions that overwhelm websites with bogus traffic until they go offline but don’t actually hack into anything. 

“Patriotic hackers usually aren’t the top of the league and probably aren’t causing the Russians to burst into tears,” Jim Lewis, a cyber researcher at the Center for Strategic and International Studies, told me. 

If it's properly directed, the IT Army could fulfill a useful cyber defensive function, Lewis told me, such as helping Ukrainian firms patch over vulnerabilities that might be exploited by Russians and sharing information about Russian hacker tactics. 

Estonia launched a similar volunteer cyber protection initiative after it faced a blistering Russian denial of service attack in 2007. 

Russia has its own outsiders – criminal hacking groups – lining up to help.

At least four such groups have pledged to aid Russia, according to a tally from the cyber publication the Record — stoking fears that ransomware gangs could launch economy rattling attacks against U.S. companies in retaliation for damaging sanctions. But there are some caveats.

The move by YouTube, Facebook and TikTok is “blocking Moscow’s biggest megaphone for influencing public opinion about the war in Ukraine in a critical region on its borders,” Elizabeth Dwoskin, Cat Zakrzewski and Gerrit De Vynck report. 

It comes after significant pressure from European leaders, the Ukrainian government and some U.S. lawmakers and could prompt retaliations from the Kremlin. 

Sen. Mark R. Warner (D-Va.), who chairs the Senate Intelligence Committee, praised early moves by the companies during a Washington Post Live event. But he warned Congress shouldn’t have to rely on tech companies to take action on their own and needs “some rules of the road on social media."

Other social media company moves:

President Ursula von der Leyen said the E.U. was working on “tools to ban [Russian sites’] toxic and harmful disinformation in Europe,” and the outlets would “no longer be able to spread their lies to justify [Russian President Vladimir] Putin’s war and to sow division in our union.”

Governments and regulators continue to scrutinize the outlets. 

U.K. broadcast regulator Ofcom has opened 15 investigations into its Ukraine coverage, the Guardian’s Jim Waterson reports. The regulator could force RT’s U.K. television channel to go off the air.

The records, which are supposed to be secret until formal charges are filed, were posted to the legal database JudyRecords, Reuters’s Karen Sloan reports. 

California Bar officials called the incident a “hack” and said JudyRecords obtained the records illegally. But JudyRecords says the information was “previously publicly available” on the bar’s website. JudyRecords has since taken the files down. The administrator of JudyRecords is anonymous. 

The state bar has apologized for the incident and said it has asked its software vendor and a cybersecurity firm to investigate. JudyRecords said it accepted an invitation by the bar to discuss the matter. The California Bar said JudyRecords was able to access 260,000 disciplinary case records. JudyRecords tentatively said less than 1,000 cases were affected.

Production at 14 Japanese factories will restart Wednesday, Reuters's Satoshi Sugiyama reports. The work stoppage had affected the manufacturing of roughly 13,000 vehicles, a Toyota spokesperson told the New York Times’s Ben Dooley and Hisako Ueno. 

The pause came after systems at auto component manufacturer Kojima Industries were disrupted on Saturday. Kojima shut down its networks so the potential hack wouldn’t spread to customers, a spokesperson told the Times.

It comes at a critical time for the world’s largest automaker. Like the auto industry at large, Toyota faces a supply chain crunch that has forced it to cut production amid the pandemic. The company had already planned to stop production at some Japanese factories in March because of component shortages.

The leak of 60,000 of the notorious ransomware gang’s internal messages paints a chilling portrait of the group that crippled Ireland’s health-care system among other major hacks. 

Cybersecurity outlets the Record and Bleeping Computer have confirmed that the messages are authentic – but its possible hackers were lying in internal communications or messages were altered before they were leaked. 

Here are some details:

Bellingcat executive director Christo Grozev accused the Conti hacker of working for Russia’s security services:

Mandiant vice president John Hultquist offered some sage analysis of the situation in Ukraine:

Thanks for reading. See you tomorrow.