From 0 to 100: a story of the escalation of Threat Actors

CyberPeace Institute

Timeline of Threat Actors in relation to the Russian-Ukrainian War

This is a timeline of when the CyberPeace Institute started to record the different Threat Actors (TA) conducting cyberattacks in the context of the war. Threat Actors are divided into three categories depending on their affiliation: Pro-Russian, Pro-Ukrainian and Ambiguous Affiliation. Threat Actors are also color-coded depending on type. It is important to note that most of the monitored attacks were self-attributed by the threat actor groups that carried them out.

Type of Threat Actor:

🔴 Nation State, 🔵 Collective, 🟣 Cybercriminal, 🟢 Individual, ⚫️ Unknown

Since the start of the 2022 full-scale military invasion of Ukraine on February 24, the CyberPeace Institute has been aggregating and analyzing data related to cyberattacks and operations:

  1. against infrastructure essential for the survival of the civilian population in Ukraine and the Russian Federation, and affecting non-belligerent countries.
  2. on the perpetrators of such attacks – primarily either pro-Russian or pro-Ukrainian threat actors.

Currently, the CyberPeace Institute monitors, on a daily basis, the activities of more than 100 threat actors in relation to this international armed conflict, through the aggregation of open-source intelligence. The data on the threat actors, and the attacks they have conducted, are freely accessible through our Cyber Attacks in Times of Conflict Platform #Ukraine.


First Day of 2022 Hostilities

February 24, 2022

From the first day of the full-scale military invasion of Ukraine in 2022, the kinetic war had spill-over effects in cyberspace. On February 24th, the Russian Federation’s 2022 military invasion of Ukraine was accompanied by a cyberattack conducted by a Russian nation-state actor, which disrupted broadband satellite internet access. This attack disabled modems that communicated with Viasat Inc’s KA-SAT satellite network, cutting off the supply of internet access to tens of thousands of people in Ukraine and Europe. [For more information, please visit our Case Study: Viasat Attack.]

Other threat actors quickly announced their active support to the conflict in cyberspace. The cybercriminal group Conti declared their support for Russia. In support of Ukraine, the social media channels associated with the global hacktivist collective Anonymous announced that they had declared “cyberwar” against Russia. In reaction to Anonymous’ declaration, KillNet, previously a group focused on DDoS-as-a-Service, announced their full support for Russian war efforts in Ukraine.

List of new threat actors:

  • Pro-Russian: 🔴 DEV-0586, 🔴 Nation-State Russia, 🔴 Sandworm, 🔴 UNC1151, 🔴 Gamaredon, 🔵 KillNet
  • Pro-Ukrainian: 🔵 Anonymous

A week of hostilities in and out of cyberspace

February 25 – March 4, 2022

On February 26, 2022, two days after the start of the 2022 invasion, Ukraine’s Deputy Prime Minister Mykhailo Fedorov published a “cyber call to arms”, establishing the IT Army of Ukraine. While the newly formed “army” consisted of individuals from the general population, the CyberPeace Institute identified that individuals joining the IT Army could lose their civilian status if they carried out attacks that amounted to direct participation in the hostilities. The IT Army could also be considered a nation-state actor if it receives direction, funding, and/or technical assistance from the Ukrainian government. The IT Army of Ukraine has two DDoS crowdsourcing projects – disBalancer and Liberator. The former, developed by a group of cybersecurity experts in 2021, is defensive software. The latter, released on March 4, 2022, is offensive software.

Meanwhile, in the first week of the war, a new pro-Russian hacktivist collective appeared. On March 2, 2022, the Telegram channel of “People’s CyberArmy” was created. The threat actor has been actively targeting entities predominantly in Ukraine, and has been linked by Mandiant, with medium confidence, to Russian state actors. Additionally, the CyberPeace Institute estimates that there is a realistic possibility that “People’s CyberArmy” is affiliated with KillNet.

New threat actors:

  • Pro-Russian: 🔵 theMx0nday, 🟣 Conti, 🔵 Legion Cyber Spetsnaz
  • Pro-Ukrainian: 🔵 V0g3lSec, 🔵 Anonymous Liberland-Pwn-Bär Hack Team, 🔵 GhostSec, 🔵 NB65, 🔵 AgainstTheWest, 🔴 IT Army of Ukraine

100 Days of war in cyberspace

February 25 – June 25, 2022

In terms of threat actors’ activity, and available information, pro-Ukrainian threat actors were notably more active than their pro-Russian counterparts, with the former conducting 102 cyberattacks against Russian entities, while the latter conducted 65 against Ukrainian entities. During this period, NoName057(16), the most active pro-Russian hacktivist collective to date, created its first social media channel and published its manifesto on March 11, 2022.

New threat actors:

  • Pro-Russian: 🔴 APT28, 🔴 Dragonfly, 🔴 InvisiMole, 🔴 Scarab, ⚫️ UAC-0041, ⚫️ UAC-0088, ⚫️ UAC-0094, ⚫️ UAC-0098, 🔵 Vermin, 🔵 XakNet, 🟣 Wizard Spider, 🔴 Cold River, 🟣 Black Basta
  • Pro-Ukrainian: 🔵 Anonymous DepaixPorteur, 🔵 Anonymous-Spid3r, ⚫️ CaucasNet, 🔵 StudentCyberArmy, 🟢 RIAEvangelist, 🔵 The Black Rabbit World, 🔴 GURMO
  • Ambiguous Affiliation: 🔴 TA416, 🔴 APT10

From 100 days of hostilities to partial Russian mobilization

June 26 – September 21, 2022

During this three-month period, more and more hacktivist collectives began operating in cyberspace in the context of the conflict. In July, a social media channel for the group “Anonymous Russia” was created. Members of Anonymous Russia were alleged to be former members of KillNet who decided to leave KillNet due to internal differences. Specializing in DDoS attacks, the collective also provided its DDoS-as-a-service platform to its members.

The CyberPeace Institute recorded an increase in operations against entities in both Ukraine and non-belligerent countries by pro-Russian threat actors and a decrease in activities against Russian entities by pro-Ukrainian threat actors. The overall activity of pro-Ukrainian threat actors decreased, specifically the Anonymous Collective and its connected groups. However, this was not the case for the threat actor IT Army of Ukraine.

During this moment in the war, Russian media increased their focus on pro-Russian threat actors, with several interviews carried out with leaders of different collectives. Participants in these pro-Russian collectives were portrayed as “defenders of Russia” and “patriots”. This likely caused an increase in awareness of and participation in the groups’ activities. NoName057(16) quickly became the most active pro-Russian threat actor conducting DDoS attacks against targets in Ukraine and in non-belligerent countries. In August, the group released its DDoS crowdsourcing project, “DDoSIA Project”. Through an invite-only group, it distributed software that turns a member’s device into a bot used for DDoS attacks, with a financial incentive for the most active members.

New threat actors:

  • Pro-Russian: 🔵 Anonymous Russia, 🔵 ICC_H@ckTeam, 🔵 NoName057(16), 🔵 People’s CyberArmy, 🔵 RaHDiT, 🔴 Turla, ⚫️ UAC-0100, 🔵 Zarya, 🔴 APT37, 🔵 Adrastea, 🔵 Phoenix
  • Pro-Ukrainian: 🔵 2402team, 🔵 Cyber Palyanitsa, 🔵 Haydamaki, 🔵 Team OneFist
  • Ambiguous Affiliation: 🔴 TontoTeam, 🟣 Unnamed Criminal Organisation

One Year of hostilities – from partial mobilization in Russia until the one-year anniversary of the 2022 full-scale invasion

September 22, 2022 until February 24, 2023

A week after the announcement of a partial mobilization, 14 pro-Russian hacktivist collectives announced that they were uniting under the KillNet umbrella, including the previously alleged former members from Anonymous Russia. Two months later, for the first time since the start of the hostilities in 2022, the Institute detected several attacks claimed by pro-Russian threat actors against Russian entities, as well as disputes between different pro-Russian hacktivist groups. However, during this period, pro-Russian threat actors (mainly the hacktivist collectives) turned their attention to targets outside of Ukraine.

At the start of 2023, many new pro-Russian hacktivist collectives emerged and began conducting mainly DDoS attacks, and to a lesser extent defacement operations, against Ukrainian entities and entities in countries announcing support for, and/or assistance to, Ukraine. Overall, there was a sharp increase in the activities of pro-Russian threat actors in the first quarter (January-March 2023). During this quarter, the Institute documented 475 incidents against entities outside the two belligerent countries, whereas it had documented 461 incidents against entities in non-belligerent countries throughout the whole of 2022. This is highly likely to be due to the announcements of increased support, including military assistance, to Ukraine.

As for cyberattacks conducted by pro-Ukrainian threat actors, the Institute documented a steady decrease in the number of active pro-Ukrainian threat actors during this period. Our monitoring found information on fewer than 5 pro-Ukrainian threat actors, with the rest seemingly having become inactive, or not, or no longer, meeting our inclusion criteria (Methodology – substantiated vs unsubstantiated claims of attacks).

New threat actors:

  • Pro-Russian: 🔵 AlTahrea, 🔵 Clowns, 🔵 FRwL, 🔵 Mirai, 🔵 National Hackers of Russia, 🔵 Netside Group, 🔵 Red Hackers Alliance, 🔵 Russian Clay, 🔵 Russian Hackers Team, ⚫️ UAC-0132, ⚫️ UAC-0133, ⚫️ UAC-0145, ⚫️ UNC4166, ⚫️ Winter Vivern, 🔴 APT29, 🔵 Anonymous Sudan, 🔵 AnonymousX777Z, 🔵 Bear IT Army, 🔵 Cyber Cat, 🔵 Furious Russian Hackers, 🔵 Genesis Day, 🟢 KillMilk, 🔵 KillNet Collective, 🔵 RADIS, 🔵 Infinity Hackers BY, ⚫️ UAC-0050, 🔵 Russian Hackers Community
  • Pro-Ukrainian: 🔵 Anonymous Italia, 🔵 CH01, 🔵 Cyber Partisans, 🔵 KelvinSecurity, 🔵 National Republican Army, 🔵 NLB
  • Ambiguous Affiliation: ⚫️ Red Stinger

Post 1 Year Anniversary of the 2022 full-scale Invasion

Feb. 25, 2023 to today

Since the one-year anniversary of the 2022 military invasion, additional pro-Russian threat actors have appeared. As of June 1, 2023, the Institute has monitored 102 different threat actors having conducted cyberattacks linked to the armed conflict.

With the exception of the Russian Federation, we have not identified any new significant trends in cyberattacks and operations for this period. Cyberattacks against entities in Ukraine and non-belligerent countries remain on par with the previous quarter, continuing at a steady rate. Cyberattacks against entities in the Russian Federation have decreased recently due to a decline in threat actor activity. As demonstrated during Q1 2023, there is a high probability that non-belligerent countries are specifically being targeted due to their support and/or assistance to Ukraine.

New threat actors:

  • Pro-Russian: 🔵 ChaosSec, ⚫️ UAC-0165, ⚫️ Vestnik TSS, 🔵 Avoid Team, 🔵 Bloodnet, 🔵 Kvazar DDoS, 🔵 Cyber DDoS, 🔴 TA499, ⚫️ UAC-0006, ⚫️ UAC-0063, ⚫️ UAC-0099, ⚫️ UAC-0102
  • Pro-Ukrainian: 🔵 Cyber Resistance


Latest Analysis: cyberconflicts.cyberpeaceinstitute.org/report

For Attack Details: cyberconflicts.cyberpeaceinstitute.org/threats/attack-details

N.B. The CyberPeace Institute is monitoring cyberattacks and operations to influence respect for the laws, rights and norms in cyberspace, to ensure the protection of people from harm. The International Armed Conflict between Ukraine and the Russian Federation, and its strategic and tactical implications, raises serious concerns about how states and non-state actors respect and abide by the existing normative framework, including domestic law, IHL, or Human Rights Law. Cyberspace is not a lawless world; there are rules applicable to this particular method of warfare that aim to restrain the actions of States and individuals and to protect civilians and critical infrastructure.
A central tenet of the protection of civilians, and of the normative framework put in place to this end, is the provision of limits to the ways in which wars are fought, and the requirement that military force be proportionate, not excessive, and not indiscriminate. Thus, avoiding harm to protected persons and objects is paramount.
For more information on the laws and challenges, please see the Law and Policy section of the Cyber Attacks in Times of Armed Conflict # Ukraine platform.

© Copyright 2023: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.
