Who are the so-called Russian hackers and how do they work?



The hacker attack claimed by the NoName057 collective, which in recent days has hit various Italian institutional and corporate sites, is yet another sign of how far the conflict has also moved onto the IT security front. An expert explains the purposes and methods of the attacks.

February 24 marks the anniversary of the start of the war in Ukraine. The year of conflict has been fought on many fronts, including cyber security. Information technology has been an arena in which money, secret services and the inevitable entanglement with Russian politics have mixed in a thousand ways. The hacker attack claimed by the NoName057 collective, which in recent days has hit several Italian institutional and corporate sites, is yet another sign of how far the conflict has moved onto the IT security front, singling out sensitive targets for symbolic attacks such as those of the last few hours, timed to coincide with Prime Minister Giorgia Meloni's visit to Kyiv.

The motivations behind the most active collectives

Behind the scenes of an attack are professionals who must find a solution for the compromised systems. This situation has given rise to an unprecedented figure, the cyber negotiator, a professional whose task is to know who organizes the attacks. “In the current landscape of cyber threats we can identify different types of threat actors, including a large number of Russian or pro-Russian hacker groups and collectives driven mainly by two purposes: purely economic motives, or the disruption of services of Western companies or public administrations. Last year’s bulletin of attacks saw a succession of different hacker collectives of this type, from Killnet to NoName057”, explains one of the protagonists of the sector, Enrico Corradini, legal and cyber negotiator of Var Group and Yarix.

To better understand the context, we must remember that we are talking about collectives that are ideologically and politically driven by anti-Western sentiment and by support for the Russian Federation. “There are also the so-called Advanced Persistent Threat groups of Russian origin, such as APT 28 (Fancy Bear) and APT 29 (Cozy Bear) to mention the most famous, hacker groups that act more under cover, mainly for cyberespionage purposes”, continues Corradini. “The type of threat in this case is highly sophisticated and aimed at espionage, at stealing sensitive information from the attacked organization or country.”

Let’s go back to the link with Moscow: in collectives such as Killnet and NoName057, as in the APT groups, there are links with intelligence agencies or at least with the Russian establishment. And they are not the only ones: “Then there are the so-called RaaS, ransomware-as-a-service gangs, hacker groups also predominantly of Russian origin which, driven by economic motives, specialize in ransomware attacks: these involve the encryption of the victim’s systems, the exfiltration of the data contained in those systems, and the handover of the decryption key upon payment of a ransom. However, it is not always possible to ascertain links between these gangs and the Russian secret services, although there is often a tendency to link ransomware attacks to state-sponsored criminal groups, i.e. groups linked, directly or indirectly, to governments.”

Modes of attack

While it remains difficult to identify the attack matrix with certainty, it is easier to analyze the attack methods: “Among the cyber weapons most used in this context by politically motivated groups such as Killnet and NoName057, Distributed Denial of Service (a DDoS attack, ed.) is generally the most common: it is a hostile multi-source attack that overloads an organization’s servers and blocks network traffic. A method generally adopted by APTs for cyberespionage purposes, or by RaaS gangs, involves the exploitation of vulnerabilities that have not yet been documented in the technology products of the vendors used by the victim organization, the so-called zero days, or of documented vulnerabilities whose security update has not been applied by the victim organisation”.

Furthermore, these groups (APTs and RaaS gangs) also tend to buy on the dark web, at a cost ranging from 5,000 to 10,000 dollars, access credentials to critical systems of a given organization put up for sale by so-called Initial Access Brokers (IABs). “After breaking into the victim’s systems as described above, these hacker groups release malware into the computer systems with the purpose of exfiltrating confidential and highly strategic data, and in the case of RaaS gangs the release of ransomware follows”, explains Corradini.

The most common patterns to pay attention to

In every attack there is always an “entry point”, a targeted access point into the system: this can be the exploitation of a vulnerability, “the public exposure of servers that are not properly protected, breaches in the firewalls that protect the organization’s cyber perimeter, and the exploitation of human error, for example through social engineering and phishing emails. It is difficult to find weaknesses in this type of attack”, concludes Corradini.

In short, behind a ransomware attack the level of risk and expertise involved is always high. Nor should it be forgotten that better management of reaction times, in an attempt to reduce losses as much as possible, is the fundamental action to take. Perhaps without compromising industrial and state secrets.
