news
February 21, 2023by Adi Bleih, Dov Lerner

How Telegram became the battlefront of the Russia-Ukraine cyberwar

When Russia invaded Ukraine on February 24th, 2022, many warned that the conflict could escalate into a global cyberwar. These fears intensified as ransomware gangs and hacking groups sympathetic to the Russian government appeared ready to strike. A self-styled IT Army allied with Ukraine declared a counter-offensive. Governments — and companies — around the world are prepared for widespread digital incursions. Yet, for all their bluster, these groups failed to impact the ground campaign significantly.

Instead, the war’s digital presence manifested in other ways. A year after the war began, guided by threat intelligence data, Cybersixgill investigated how the war echoed on the deep and dark web, the context of hybrid conflict, and how cybercriminals kept business humming.

Telegram has been the central deep web venue for the war. Many conversations about the war occurred on large, existing cybercrime channels, and the invasion spawned many new channels.

Chatter on Telegram tended to follow events in the war. War-related posts in Russian or Ukrainian peaked at over 122,000 per week in mid-October, coinciding with the strike against the Crimean bridge and subsequent Russian missile attacks.

Figure 1: The number of weekly posts on Telegram and underground forums mentioning war-related keywords in Russian or Ukrainian

Many Telegram channels assumed a fiercely nationalistic tone. Some called for and coordinated cyberattacks against the adversary. However, the predictions for a global cyberwar have fortunately fallen short. While groups aligned with Ukraine and Russia have carried out many successful attacks against many governmental and civilian targets, they are similar to traditional hacktivist methods, such as data compromise, defacement, and denial of service. It does not appear that any attack has provided even a minor tactical advantage, though they perform a valuable symbolic service in energizing the base of supporters to the cause.

Meanwhile, Telegram provided a valuable service to Ukrainian and Russian civilians alike. Many turned to channels to consume critical information, follow battlefield events, find humanitarian assistance, and determine how to escape the fighting or mobilization.

Activity on Telegram contrasts with deep and dark web forums and markets, where chatter about the war peaked initially, then steadily declined as the war continued and as administrators sought to reduce political discourse to a minimum. Notably, there was a significant rise in the number of compromised Russian credit cards for sale and scams seeking to exploit aid donations, but otherwise we can attest that it’s business as usual for cybercriminals.

Nationalistic cyberattacks

Telegram groups have served as a rallying point for supporters of either side. They are excellent channels to galvanize the respective bases against the adversary. Thematic groups on Telegram function as echo chambers in which like-minded users encourage one another’s opinions. Some channels even shared celebratory images of the enemy’s dead soldiers, and (more towards the beginning of the war) Ukrainian channels shared details of Russian troop movements to enable counterattacks.

Threats and calls for action spilled over into the cyber arena. For example, one of the most notorious ransomware groups announced full support for the Russian army and President Vladimir Putin's administration. It added, “If anybody decides to organize a cyberattack or any war activities against Russia, we will use all possible resources to strike back at the critical infrastructures of an enemy.” Several hours after they issued this threat, a Ukrainian security expert leaked hundreds of their files containing 60,694 internal messages. Nevertheless, the group did not change its modus operandi towards targeting Western infrastructure.

Furthermore, in March 2022, a group that had previously been involved in DDoS tools transformed into a pro-Russian hacktivist collective. Engaging daily with over 90,000 subscribers on Telegram, the group has declared war on Western targets and claimed responsibility for attacks against Western private and public sector targets, ranging from defense contractors to Eurovision.

Figure 2: In a post on Telegram (May 4), a pro-Russian hacktivist group threatens to target Romanian critical infrastructure

Pro-Ukrainian forces have joined the fight. One prominent pro-Ukraine hacker collective on Telegram, boasting nearly 13,000 members, has called on Western hackers and groups to join in the fight against Russia.

Already in the early days of the war, a Ukrainian cybersecurity official alleged that their ranks numbered over 400,000 Ukrainians and sympathizers from abroad.

In the last year, they have claimed attacks against hundreds of Russian websites and military targets such as the Wagner group (figure 3) and even caused a traffic jam in Moscow by ordering dozens of drivers to the same site.

Figure 3: A pro-Ukrainian hacktivist group announces a hack of the Wagner Group

Pro-Ukranian hackers also stole $25,000 in Bitcoin from a Russian dark web drug market and gave it to a Kyiv charity.

Additionally, they leaked data such as that of Russian soldiers that allegedly took place in the attack against Mariupol (figure 4), the Russian Ministry of Foreign Affairs (figure 5), and the Moscow traffic police.

Figure 4: A pro-Ukrainian hacktivist shares data allegedly of Russian soldiers that took place in the attack against Mariupol

Figure 5: A pro-Ukrainian hacktivist shares data allegedly belonging to the Russian Ministry of Foreign Affairs.

However, these attacks follow the general framework of ideologically-motivated cyberattacks (hacktivism), albeit in higher intensity than in previous conflicts. None of these attacks stands out as unique in scale and scope, and they have had little effect on the situation. Still, these attacks provide symbolic victories essential for morale and resilience.

The nature of discourse on Telegram contrasts with discussions of the war on established dark web forums, which were generally more balanced.

Figure 6: A Ukrainian forum user asks others to share their opinions on the war

Early calls for radical actions, such as banning all pro-Russian users (figure 7), subsided. We discovered indications that some forum admins banned users from expressing political views, which makes sense, considering that they want to keep forum discourse strictly to business.

Figure 7: A forum user proposes banning any members that support the war against Ukraine

Informational and humanitarian discourse

The bulk of deep and dark web activity is concerned with informational and humanitarian updates about the war.

Many Telegram channels broadcast regular news updates, sometimes granular reports about specific events.

Figure 8: A Telegram channel reporting a strike against Engles Airfield.‌ ‌Other channels hosted information discussions about humanitarian developments, such as searching for family members or finding medical assistance

Figure 9: A Telegram channel explaining how to find one’s loved ones via the Vodafone app

Figure 10: A Telegram channel reporting on new medical treatment capabilities in Kherson

Many other Telegram groups offered to help with border crossing, including assistance with passports, transportation, and certifications.

Figure 11: A post offering administrative assistance to Ukrainians seeking to cross the border

Many more reached out through Telegram to offer donations of money, food, clothes, and essential gear.

Many Russians are using Telegram to avoid conscription by the Russian government. For example, in a post repeated over 22,200 times across twenty different Telegram channels, an actor has offered to forge HIV-positive certificates for Russians in return for 40,000 rubles (~$550).

Figure 12: A post on Telegram offering to forge HIV-positive certificates for Russians seeking to avoid the draft in return for 40,000 rubles

Other Russians declared that they fled the country to avoid the draft, and several dedicated Telegram channels even reported experiences at border crossings.

Figure 13: A report on Telegram from a Russian that fled the draft by flying to Armenia and then transferring to Georgia.

Figure 14: A report on Telegram from a Russian that crossed the border into Georgia

Russians have also resorted to the deep and dark web to circumvent sanctions, enabling them to transfer funds and purchase goods from beyond Russia’s borders. Thus, while Russians can no longer enjoy a meal at McDonald’s or a coffee at Starbucks, savvy users of the underground can still get their hands on banned technology products. And even though Russian cardholders cannot purchase items outside of Russia, actors on underground forums can procure cryptocurrency or virtual and prepaid credit cards to make purchases abroad.

Criminal activity

Many cybercriminals reside in Russia and Ukraine. However, cybercrime appears to have been resilient to the war. Criminal forums have operated like it’s business as usual, with no noticeable decrease in activity. Indeed, the war seemed to have little effect on the overall volume of Russian and Ukranian-language posts on underground forums.

Figure 15: The volume of posts in Russian and Ukrainian on underground forums was not impacted by the war

We discovered two ways that the war has affected crime. First, like with all crises, threat actors attempt to take advantage of both fear and goodwill. On the underground, actors have warned one another from falling victim to fake donation sites.

Figure 16: A post on an underground forum warning about fake donation sites

Second, there was a curious increase in compromised Russian credit cards sold in underground markets in 2022: the number rose from only 769 in 2021 to 28,327 in 2022.

Figure 17: Despite the overall decrease in compromised credit cards globally, the number of Russian cards spiked in 2022

This spike occurs within the broader context of the plummeting quantity of compromised credit cards for sale.

Furthermore, the conventional understanding is that the Russian regime permits cybercriminals to operate with impunity as long as they do not attack Russians. Indeed, a clear indicator of this notion has always been the disproportionate underrepresentation of compromised Russian credit cards.

Perhaps Russian actors felt more confident compromising local cards because the regime was preoccupied. Non-Russians may have stolen the cards in a criminal-nationalistic attack. However, this is especially notable since soon after the war began, credit card companies such as Visa and Mastercard blocked Russians from using their cards for international purchases. (Roughly 24,000 of the cards were either Visa or Mastercard.) Thus, many of these cards were procured through a compromise of a Russian e-commerce site.

Conclusion

Unfortunately, Russia continues to wage war in Ukraine with no end in the foreseeable future. The war has exacted a devastating humanitarian tool and decimated Ukrainian cities and towns.

While many predicted that the war would herald a new era of cyber warfare, this has yet to materialize; there were many nationalistically-motivated attacks, but they were limited in scale and largely symbolic. Instead, the real impact of the deep and dark web on the war has been the ability to share news and humanitarian developments. Amidst the uncertainty of war, many undoubtedly have relied on a consistent stream of updates to forge their paths to survival.

Cybersixgill automatically aggregates data leaks and alerts customers in real time.

Learn More

You may also like

Black Hat Recap-Thumbnail

June 25, 2024

Third-Party Threat Intel and the importance of deep, dark web threat intelligence

Read more

December 14, 2022

As Twitter users migrate to Mastodon, threat actors are taking notice

Read more

November 16, 2022

Tour of the Underground Internet

Read more