Hacktivist collective Anonymous is headed for cyberwar with a Russian ransomware crew believed to have swindled at least 65,500 BTC ($2.8 billion).
Anonymous last Thursday joined the global majority in siding with Ukraine. The group has since claimed responsibility for cyberattacks on media outlets controlled by the Kremlin.
One target was Russia Today (RT), a news outlet which spreads Russian propaganda. Anonymous interrupted RT’s website with distributed denial-of-service attacks (DDoS). They also struck government-owned news site Russ.ru.
DDoS attacks flood targets with traffic to render them unreachable. RT’s site has since come back online but some functionality was still affected at press time.
The group struck official government websites as well, including Kremlin, State Duma, and Ministry of Defence portals.
Performance on all sites was still slowed some five days later. In an article, RT acknowledged that Anonymous had declared cyberwar against Russia.
Reuters noted that targeted sites had displayed messages telling Russian residents that local news outlets were lying to them.
“Anonymous is currently involved in operations against the Russian Federation,” said the group’s promotional Twitter account.
“Our operations are targeting the Russian government. There is an inevitability that the private sector will most likely be affected too.”
Russian ‘Wizard Spider’ all but declares war on Anonymous
Anonymous has a highly decentralized hierarchy with no known leader. The @youranonnews Twitter account acknowledged it cannot speak for each member of the Anonymous collective.
Still, the account said that Anonymous’ so-called hacktivists generally support world peace, albeit via digital anarchy.
Anonymous warned of a potential Russian cyber retaliation over its DDoS campaign. Previous ransomware hacks traced back to Russia-sponsored actors crippled US infrastructure.
Most prominently, major US gas infrastructure provider Colonial Pipeline was rendered useless last year by a collective known as DarkSide. It had deployed a ransomware strain known as Ryuk.
Colonial Pipeline had paid $5 million worth of Bitcoin to regain control of its critical systems, however the FBI managed to seize private keys tied to more than half of that crypto.
Ryuk was ubiquitous in ransomware attacks between 2018 and 2021, having wreaked havoc on local governments, hospitals, and psychiatric care facilities across the US, Europe, and the wider global corporate community.
In late 2020, Security Magazine reported that Ryuk was the malware behind one-third of all ransomware detections in that year.
And sure enough, the “Conti Team,” which wields a ransomware strain (Conti) considered to be Ryuk’s successor, declared it would begin waging cyberwar on behalf of Moscow.
Cybersecurity researchers noted on Twitter that recent leaks made Conti’s primary Bitcoin address publicly traceable.
- Across a three-year period until now, Conti’s main ransomware wallet garnered nearly 65,500 BTC.
- At current prices, that represents a war chest worth $2.8 billion.
- However, Conti would’ve generated far less if laundered for fiat on receipt (there’s only $3 million left in the wallet).
“The Conti Team is officially announcing a full support of Russian government,” said the crew on its website (via CSO Online).
“If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy.”
Both Ryuk and Conti strains are believed to have been created by a hacker unit known as Wizard Spider, which reportedly counts more than 80 members based in St. Petersburg and even Ukraine.
Analysts reckon the Kremlin tolerates and even helps Wizard Spider. The group effectively leases its “Ransomware-as-a-Service” software to other bad actors like DarkSide.
Wizard Spider reportedly gets its own hands dirty, too, having most recently struck two thermal coal power plants in Australia and cut off power to three million homes.
The Conti Team specifically was outed to have worked with Russian intelligence, as detailed by recent pro-Ukrainian leaks.
Bitcoin acquired throughout ransomware attacks regularly ends up washed via entities in Moscow City.
Analytics unit Chainalysis recently implicated such firms in receiving more than $700 million worth of illicit crypto over a three-year period.
But while the Conti Team postures against Anonymous, Russia has disrupted internet connectivity in Ukraine as part of its invasion.
SpaceX chief exec Elon Musk responded to a Ukrainian official’s call for help by activating Starlink’s satellite Internet service in the country, and promising to ship Starlink terminals as soon as possible.
Starlink would allow Ukraine to access the web even if Russia destroys ground infrastructure altogether.
Ukrainian Vice Prime Minister Mikhailo Fedorov also said that Ukraine is building an “IT army” to deal with Russian cyberattacks — proving that the internet is a critical theatre of war during this particular conflict.
Follow us on Twitter for more informed news.
Listen to the first three episodes of our new investigative podcast series Innovated: Blockchain City.