Mandiant researchers are tracking multiple self-proclaimed hacktivist groups working in support of Russia, and have identified three groups linked to the Russian Main Intelligence Directorate (GRU).
The Google-owned threat intelligence and incident response firm said that moderators of the purported hacktivist Telegram channels “XakNet Team,” “Infoccentr,” and “CyberArmyofRussia_Reborn” are coordinating their operations under the control of the GRU.
The hacktivist groups conducted distributed denial-of-service (DDoS) and defacement attacks against Ukrainian websites, but the experts believe that they are a front for information operations and destructive cyber activities coordinated by the Kremlin.
The experts found that some APT28 tools were used to compromise the networks of Ukrainian victims, whose data was subsequently leaked on Telegram within 24 hours of wiping activity by APT28.
The APT28 group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM) has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide.
Most of APT28’s campaigns leveraged spear-phishing and malware-based attacks. Mandiant identified at least 16 data leaks from threat actors claiming to be hacktivists, four of which coincided with wiping attacks conducted by the Russia-linked cyberespionage group APT28.
However, the researchers are not able to determine the composition of these groups and their exact degree of affiliation with Russian military intelligence.
Experts believe that the moderators of the XakNet Team channel are directly supported by APT28, based on XakNet’s leak of a technical artifact APT28 used in the compromise of a Ukrainian network.
The unique nature of this technical artifact suggests that the moderators of XakNet Team either are GRU intelligence officers or work directly with the GRU APT28 operators.
Mandiant said that the war in Ukraine has presented novel opportunities to understand the totality, coordination, and effectiveness of Russia’s cyber programs, including the use of social media platforms by threat actors.