Russia-Ukraine War: Ransomware Groups Target Critical Infrastructure
According to new research by Accenture, the Russia-Ukraine war is sparking ideological rifts between ransomware groups that could significantly impact Western critical infrastructure.
Before Russia invaded Ukraine, cyber threat actors were largely transnational and financially motivated. In a new shift that Accenture describes as “unprecedented,” these groups are siding with Russia or Ukraine and becoming politically motivated, akin to hacktivism.
To assess this change, researchers are monitoring underground, Russian-language ransomware forums frequented by skilled and respected cybercriminals. Pro-Ukrainian actors are refusing to do business with Russian-allied actors and are weighing attacks on Russian targets. Conversely, pro-Russian actors are calling for attacks on Western targets and offering discounts on these hacking services.
According to Accenture, pro-Russian actors are targeting resource, utility, government, media, finance, and insurance entities because of their role in Western-imposed sanctions and their perceived value as critical infrastructure.
The ransomware groups LockBit, CoomingProject, and Conti have openly expressed their support for Russia. However, these declarations have backfired, at least for Conti. Four days into the war, a Ukrainian cybersecurity researcher leaked a year’s worth of Conti’s internal data. This included Conti’s internal chat logs, which linked the group to Russian intelligence agencies, as well as details on the group’s infrastructure, logistics, tooling, and zero-day exploits.
What’s the impact?
Shifting from opportunistic financial gains to political motives creates a higher threat level for the West. According to Accenture, this is because:
- Critical infrastructure has “gone from being a low-medium target to the focus of targeted ransomware campaigns.” Politically motivated hacktivists typically use free or inexpensive tools and are ill-equipped to cause significant, lasting damage. Now, however, politically motivated threat actors include well-funded ransomware groups with budgets upwards of USD $10M. They are also highly skilled and organized, putting targets at risk of significant disruption.
- Ransomware groups will likely return to popular underground forums, which provide the communication channels needed to acquire the tools, affiliates, and exploits for scaled operations. This would reverse existing forum bans, which were imposed in anticipation of law enforcement crackdowns after the Colonial Pipeline attack in 2021. Researchers believe this renewed online activity could further embolden threat actors.
The situation is also provoking pro-Ukraine hacktivist groups like Anonymous. Ruthless attacks against critical infrastructure on either side could have significant, unpredictable, and potentially dangerous impacts on governments and civilians.
How Can OSINT Help?
[Image caption: A user on the dark web forum RAMP asks to purchase access to Ukrainian corporations and NATO countries (translated from Russian), as viewed in the Echosec Systems Platform]
The cybersecurity landscape is rapidly evolving. Governments need to monitor potential risks to their critical infrastructure in the coming weeks and months as the war evolves.
Researchers at Accenture have illuminated emerging risks by accessing cyber threat actor communications on underground forums. These forums primarily operate on the dark web, which is clunky and dangerous to access without the right software.
OSINT tools like the Echosec Systems Platform support cybersecurity intelligence efforts by:
- Acting as a proxy to search and view deep web and dark web content, keeping analysts safe and anonymous
- Covering a wide range of relevant public data sources, including dark web forums and chat applications popular among ransomware groups and other threat actors
- Enabling analysts to translate search queries and results from a range of target languages, including Ukrainian and Russian
To learn more about OSINT and the use of OSINT tools in the Russia-Ukraine war, contact us today.