beyond the headlines
February 17, 2023by Ilana Touboul, Ebin Sandler

Researchers expose proxies used by major Russian hacktivist group in Western attacks

While organizations can now blacklist the IPs to protect against DDoS attacks, the group’s cyber arsenal continues to evolve.

The Headline

To help organizations thwart attacks by pro-Moscow hacktivists during the Russia-Ukraine war, security researchers recently released a list of proxy IP addresses used in Distributed-Denial-of-Service (DDoS) incidents by a major Russian hacktivist collective. The list was published on GitHub and contained close to 18,000 IP addresses as of February 9, 2023. The list will continue to grow as researchers discover additional IP addresses used in DDoS attacks by the group and its allies. Potential targets of DDoS attacks can take preventive measures by blacklisting these IP addresses, thereby stopping DDoS attacks launched via flagged proxies.

Read: Reshaping the Threat Landscape in 2023: Cybersixgill Announces Top Trends in Cybersecurity

The list represents a significant development because the group in question has targeted hundreds of organizations with DDoS attacks in countries that support Ukraine. The collective has been active since March 2022, when it pledged allegiance to Moscow following Russia’s invasion of Ukraine. In recent months, it expanded its modus operandi from DDoS attacks to network intrusions and data extortion. The group also claimed it breached U.S. government organizations, including a major law enforcement agency.

In early February 2023, the group began attacking hospitals in pro-Ukraine European countries, including medical centers, hospitals, and other healthcare facilities. DDoS attacks make Internet-linked resources and services unavailable by overwhelming them with malicious traffic. Ultimately, such attacks can cause delays in treatment and interrupt urgent medical services, potentially endangering patients’ lives. Disrupting healthcare organizations with DDoS attacks reflects the group’s disregard for the welfare of residents of countries it deems hostile to Russia.

In addition to medical facilities, the pro-Russian gang recently launched a series of DDoS attacks targeting airports, governmental agencies, and financial institutions. This offensive was a reaction to a Ukrainian ally’s provision of military aid.

Diving Deeper

Cybersixgill collected a tweet from an information security expert sharing a link to the Russian hacktivist collective’s list of IP addresses. The repository contains a huge list of IP addresses allegedly used by the group in DDoS attacks, as well as the related ports corresponding to different services or applications running on devices. The list is continually updated as additional IP addresses are identified. While the group is no doubt simultaneously modifying the IP proxies it uses in attacks, the list can still help organizations protect their systems from DDoS attacks.

Figure 1: Tweet sharing malicious IP addresses

Cybersixgill also collected a Telegram post from the Russian hacktivist group announcing a second wave of DDoS attacks on medical institutions. While the gang did not identify targeted countries or organizations, its willingness to disrupt Western organizations in critical industries is well established.

Figure 2: Forthcoming attacks on Western medical institutions announced on Telegram

Finally, Cybersixgill observed the Russian hacktivist collective announcing a partnership with a Ukrainian group that allegedly seeks revenge on the Security Service of Ukraine (SBU) for arresting accomplices during a previous SBU operation. On its Telegram channel, the Russian group claimed that its new Ukrainian co-conspirators now fully support Russia.

According to the Russian group, the Ukrainians in question allegedly participated in DDoS attacks against social service organizations in Europe to retaliate for military support to Ukraine. The Ukrainian group also allegedly plans to target “mercenaries” and “personalities” in Ukraine, about whom the group claims to possess information.

This Russian-Ukrainian alliance is a unique phenomenon, as Russian hacktivist groups rarely collaborate with Ukrainian anti-state collectives, despite their shared objectives. The alliance between the entities is thus a significant development that should be closely monitored.

Figure 3: A Russian-Ukrainian partnership announced on Telegram

Figure 4: Ukrainian threat actors threaten the SBU with revenge on Telegram


The recent release of proxy IP addresses used by a major Russian hacktivist collective could help Western organizations protect against DDoS attacks. Blacklisting these IP addresses could prevent potential attacks, enhancing network security. In addition to the IP address list, Cybersixgill’s discovery of the Russian-Ukrainian alliance also represents a major development. This kind of collaboration is dangerous because Ukrainian gangs may have access to valuable intelligence that Russian hacktivists could leverage in future attacks, posing a significant risk for the Ukrainian government and society at large.

Cybersixgill automatically aggregates data leaks and alerts customers in real time.

Learn More

You may also like

February 09, 2023

The night the lights went out at the Super Bowl: A decade later

Read more

July 27, 2022

Out of breach: Shanghai police breach leads to increased Chinese underground activity

Read more

July 13, 2022

Dox of US Supreme Court Justices

Read more