Dark Web Reactions to Russia’s Invasion of Ukraine

Patrick Wallenhorst

Patrick Wallenhorst

Patrick Wallenhorst is the Intelligence Operations Lead at Binary Defense. In this role, he is responsible for knowing and understanding current cyber-threat actor operations around the world to include criminal organizations, hacktivist groups, and state-sponsored hackers. He is also responsible for overseeing the collection of threat intelligence research of criminal forums, and monitoring of Darknet, Clearnet, and Social Media platforms for threat indicators. Patrick previously served as a Captain in the United States Army where he held positions as a Counterintelligence Special Agent, Intelligence Officer, and Company Commander.

Tensions continue to escalate around the globe as the world watches Ukraine fight off a Russian invasion. Several events have unfolded since the initial invasion on February 24th, and Binary Defense analysts have observed dark web forums and media outlets reacting to the situation. Leading up to the invasion, Ukrainian government networks suffered DDoS attacks that would be attributed to Russia. The day of the invasion, Ukrainian government sites went offline.

During the initial invasion, Russian Criminal forums were very quiet. Typically, when there is a major global event taking place, forum members weigh in and offer opinions on the subject. There was no discussion of the invasion and little activity on these forums. This could have been due to outages in the region caused by the invasion. Raid Forums, an English-speaking hacker forum, condemned the invasion almost immediately.  A moderator of the forum said they would ban any user  that is connecting from Russia and stated the forum does not support the Kremlin. On February 25th, news stories about the war began showing up on the dark web forums. The notorious hacking group, Anonymous, announced they were launching a cyber war against Russia. Then a news story broke that President Biden was evaluating options on how to launch a large-scale cyberattack on Russia to disrupt critical infrastructure. This story caused widespread discussion across multiple Russian dark web forums.

Immediately, Russian telegram channels began posting the story as well as other updates surrounding the conflict. Users stated that the threat from Anonymous was an empty one and labeled them amateurs as they tried to discredit the group.

Russian telegram channels began launching misinformation campaigns. A new user on Raid Forums stated that the Western news outlets are posting propaganda videos to make Russia look evil. Later in the evening it was reported that Raid Forums had been seized and one of the administrators warned users to change their passwords.

Conti Ransomware Group Makes Pro-Russia Statements

Conti Ransomware was the first group to show support for Russia.  Initially they posted the following statement:

“The Conti Team is officially announcing a full support of Russian government. If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use all possible resources to strike back at the critical infrastructure of an enemy.”

After the announcement, social media outlets and forums began to question if the group was working for the Russian government. The group responded by changing their warning:

“As a response to Western warmongering and American threats to use cyber warfare against the citizens of the Russian Federation, The Conti Team is officially announcing that we will use our full capacity to deliver retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russa, or any Russian-speaking region of the world. We do not ally with any government, and we condemn the ongoing war. However, since the West is known to wage its wars primarily by targeting civilian, we will use our resources to strike back if the well-being and safety of peaceful citizens will be at stake due to American cyber aggression.”

As a result of this announcement from Conti, a Ukrainian citizen who had access to private files and chat messages from the Conti group leaked the files and chats via AnonFiles and linked to the files on Twitter. Subsequent reporting by cybersecurity reporters alleged that the person who leaked the files is a Ukrainian security researcher, not a threat actor. The fact that many threat groups comprise both Russian and Ukrainian members will likely lead to divisions and possibly additional leaks of threat intelligence information.

Anonymous Strikes Back

At the same time of this announcement, Anonymous claimed to have taken down several Russian sites and to have leaked a database to the Russian Ministry of Defense website. Users on Russian criminal forums claimed that the data was not from a recent breach and further discredited Anonymous. Following the Conti announcement, other groups posted their support for Russia. Most notably, the LockBit ransomware group posted a warning on Sunday threatening retaliation to anyone that launches a cyberattack at Russia.

Ransomware groups supporting Russian attack efforts

It is no surprise that ransomware groups are choosing to support Russia. Recently, Russian authorities began to crack down on cybercriminals residing in Russia. It was believed that these arrests that had previously gone unreported, were an act of good faith to improve Russia’s reputation globally prior to the invasion. Cybercriminals are likely hoping thattheir ability to operate with impunity will be restored due to the invasion in Ukraine. Although Conti has denied working directly with the Russian government and condemned their actions, it is certainly feasible that they are lying. Russian President Vladimir Putin could very well enlist the help of a hacker gang to carry out a cyberattack on the west. In doing so, he has plausible deniability that the attack was carried out by the Russian government and can publicly condemn the group in retaliatory actions.

Users on dark web forums are becoming increasingly more vocal of their support of Russia. With every action the west takes, it is believed that support will grow. Should the United States choose to conduct a cyberattack on Russian infrastructure, it will undoubtedly provoke Russia to retaliate. The bottom line comes down to three factors: how involved President Biden is willing to get, how long can President Putin maintain a kinetic war with Ukraine if outside countries are disrupting Russian infrastructure, and how long can Ukraine continue to stave off the Russian invaders.

Binary Defense analysts will continue to monitor forums for any updates on the situation.

More Articles