The Washington Post - USA (2022-05-02)

A18 | THE WASHINGTON POST | MONDAY, MAY 2, 2022


war in ukraine

researcher known as Dissent Doe, who runs the website DataBreaches.net, AgainstTheWest’s leader said the group formed in October and was composed of six English-speaking hackers, all privately employed but with intelligence backgrounds.

The initial objective “was to steal state-secrets, government software (in the form of source codes), private documents and such. However, we also had the idea that we should act on China for attacking the west in cyberespionage campaigns over the years,” the hacker said.

After hitting targets in China, AgainstTheWest moved on to those in North Korea, Iran and Russia.

The leader said the group was not acting directly for any intelligence agency but declined to say whether it was being helped by any of them. “We’re doing our job in the hopes that it benefits western intelligence. We share all private documents with anyone from the government in the U.S./EU.”

The group has made other documents public through DDoSecrets. Best received one request from a U.S. military account for access beyond what she published but turned it down.

Painter, the former State Department and Justice Department expert, said he was concerned that some volunteer hackers might take a step too far and harm civilian infrastructure or trigger a major reaction, and he cautioned that others might be hiding additional motives.

“In the normal course of events, you don’t want to encourage vigilante hackers,” Painter said. But he then agreed, “We’re not in a normal course of events.”

the most ferocious ransomware gangs, Conti, declared that it would rally to protect Russian interests in cyberspace.

The pledge backfired in a spectacular fashion, since like many Russian-speaking crime groups it had affiliates in Ukraine.

One of them then posted more than 100,000 internal gang chats, and later the source code for its core program, making it easier for security software to detect and block attacks.

Network Battalion 65 went further. It modified the leaked version of the Conti code to evade the new detections, improved the encryption and then used it to lock up files inside government-connected Russian companies.

“We decided it would be best to give Russia a taste of its own medicine. Conti caused (and still causes) a lot of heartache and pain for companies all around the world,” the group said. “As soon as Russia ends this stupidity in Ukraine, we will stop our attacks completely.”

In the meantime, Network Battalion 65 has asked for ransomware payments even as it has shamed victims on Twitter for having poor security. The group said it hasn’t gotten any money yet but would donate anything it collects to Ukraine.

Network Battalion obtained the state broadcast emails and other hoards and gave them to DDoSecrets, making it one of the most important of several hacktivist suppliers to that site, alongside a pro-Western group named AgainstTheWest and some who have adopted the branding of Anonymous, a larger, looser and recently resurgent collective that welcomes anyone.

In an April 3 interview with a

ideological stake in the conflict have also gotten in on the act, taking advantage of preoccupied security teams to grab money as the aura of invincibility falls, researchers said.

Last month, a quarterly survey of email addresses, passwords and other sensitive data released on the open Web identified more victim accounts likely to be Russian than those from any other country. Russia topped the survey for the first time, according to Lithuanian virtual private network and security firm SurfShark, which uses the underlying information to warn affected customers.

The number of presumed Russian credentials, such as those for email addresses ending in .ru, in March jumped to encompass 50 percent of the global total, double the previous month and more than five times as many published as were in January.

“The U.S. is first most of the time. Sometimes it’s India,” said SurfShark data researcher Agneska Sablovskaja. “It was really surprising for us.”

The crime business can also turn political, and it definitely has with the war in Ukraine.

Soon after the invasion, one of

While many of the hackers want to inform the public about Russia’s role in areas including propaganda and energy production, Best said a secondary motivation post-invasion is “the symbolic ‘pantsing’ ” of Putin and some of the oligarchs.

“He’s cultivated a strongman image for decades, yet not only is he unable to stop the cyberattacks and leaks hitting his government and key industries, he’s the one causing it to happen.”

The volunteer hackers have gotten a first-of-its-kind boost from the government of Ukraine, which endorsed the efforts and has suggested targets through its

IT Army channel on Telegram. Ukraine government hackers are assumed to be acting directly against other Russian targets, and officials have distributed hacked data including the names of troops and hundreds of FSB agents.

“There are state institutions in Ukraine interested in some of the data and actively helping some of these operations,” said an analyst at security company Flashpoint, who spoke on the condition of anonymity because of the sensitivity of his work.

Ordinary criminals with no

In its first in-depth interview, the group told The Washington Post via encrypted chat that it gets no direction or assistance from government officials in Ukraine or elsewhere.

“We pay for our own infrastructure and dedicate our time outside of jobs and familial obligations to this,” an unnamed spokesperson said in English. “We ask nothing in return. It’s just the right thing to do.”

Christopher Painter, formerly the top U.S. diplomat on cyber issues, said the surge in such activity risked escalation and interference with covert government operations. But so far, it appears to be helping U.S. goals in Russia.

“Are the targets worthy? Yes,” Painter said. “It’s an interesting trend that they are now being the target of all this.”

Painter warned that Russia still has offensive capabilities, and U.S. officials have urged organizations to prepare for an expected Russian cyber-assault, perhaps held to be deployed in a moment of maximum leverage.

But perhaps the most important victim of the wave of attacks has been the myth of Russian cyber-superiority, which for decades helped scare hackers in other countries — as well as criminals within its borders — away from targeting a nation with such a formidable operation.

“The sense that Russia is off-limits has somewhat expired, and hacktivism is one of the most accessible forms of striking at an unjust regime or its supporting infrastructure,” said Emma Best, co-founder of Distributed Denial of Secrets, which validated and published the regulator and broadcast troves, among others.

Digital assailants have plundered the country’s personal financial data, defaced websites and handed decades of government emails to anti-secrecy activists abroad. One recent survey showed more passwords and other sensitive data from Russia were dumped onto the open Web in March than information from any other country.

The published documents include a cache from a regional office of media regulator Roskomnadzor that revealed the topics its analysts were most concerned about on social media — including antimilitarism and drug legalization — and that it was filing reports to the FSB federal intelligence service, which has been arresting some who complain about government policies.

A separate hoard from VGTRK, or All-Russia State Television and Radio Broadcasting Co., exposed 20 years of emails from the state-owned media chain and is “a big one” in expected impact, said a researcher at cybersecurity firm Recorded Future, who spoke on the condition of anonymity to discuss his work on dangerous hacking circles.

The broadcasting cache and some of the other notable spoils were obtained by a small hacktivist group formed as the war began looking inevitable, called Network Battalion 65.

“Federation government: your lack of honor and blatant war crimes have earned you a special prize,” read one note left on a victim’s network. “This bank is hacked, ransomed and soon to have sensitive data dumped on the Internet.”


HACKS FROM A


Unprecedented attacks by hacktivists and criminals wreak havoc in Russia


