Infamous hacking collective Anonymous is taking aim at Russian infrastructure and its President Vladimir Putin following the country’s invasion of Ukraine last week.
Twitter accounts purporting to represent Anonymous claimed responsibility for taking out websites belonging to the Russian government, banks, news outlets, and a gas company through distributed denial of services (DDoS) attacks.
A video posted to an Anonymous-associated YouTube account over the weekend featured a hooded figure wearing a Guy Fawkes mask warning Putin that the power of Anonymous would be “bearing down” on the Russian President.
“It’s only a matter of time until we uncover the dirt you have been trying to hide from the community you have lied your way into leading,” the mask-wearing figure said.
“From the depths of your closet, no skeleton will be left unturned. We are now asking you to restore the rights of the Ukrainian people and resign as an elected official.”
By Sunday, reports emerged that the maritime tracking data of a $100 million luxury yacht supposedly owned by Putin had been altered so the destination read “Hell” with an estimated arrival on 1 April.
The yacht’s callsign had also been changed to “FCKPTN”.
By nature, it is difficult to accurately attribute activity to Anonymous, given the collective’s lack of a central authority and single-source of truth – a feature that is very much part of Anonymous’s design, allowing it to operate as an amorphous group of skilled cyber activists.
In mid-2020 Anonymous made its return in the wake of George Floyd’s killing after years of dormancy, running DDoS campaigns against the Minneapolis Police Department and allegedly disrupting police radio communications.
Likewise, there are unconfirmed reports that Russian military radio communications are being intercepted, along with Russian TV channels, as hackers do their part to help Ukraine.
Shane Bell, a cyber security analyst with consultancy firm McGrathNicol, said that it was difficult to attribute cyber activity to Anonymous unless you’re part of the collective but said some of the actions are similar to previous campaigns when it was a more active hacktivist group.
“We’re seeing similar things to how they went after Scientology back in the day,” he told Information Age.
“Fundamentally if you look back through the history of Anon they were initially in it for the lolz, they would draw attention to themselves by making it funny.”
DDoS attacks are an important tool in Anonymous’s arsenal, Bell said, in part because it’s attention grabbing – web services going offline is an unavoidably public event – but also because DDoS is crude and resource-intensive, which is befitting for a decentralised collective.
“DDoS has also been an effective technique in drawing attention as a bit of slight of hand,” Bell said.
“You’re saying ‘look over here’ when something might be happening elsewhere as well.”
As Anonymous has been knocking down websites and being a nuisance on maritime data services, an official IT Army of Ukraine has also been activated, calling on IT professionals in offensive campaigns against Russian digital infrastructure.
Organising itself on Telegram, the IT Army co-ordinates DDoS attacks and mass-report spamming of pro-Russian YouTube content.
Recently, the IT Army has been going after Belarusian government targets following news the country was preparing to join the Russian invasion, successfully knocking Belarusian government websites offline.
But Chester Wisniewski, a security researcher at Sophos, said the types of vigilantism encouraged by Anonymous and state officials in Ukraine carries the risk of escalation from cyber criminals that are supportive of Russia's invasion.
"It may seem like a good idea, but if this encourages or incites Russia-based hacking groups to decide to retaliate against western assets it could lead to billions of dollars in damages to western infrastructure, companies, and government entities," he said.
"Up to now, most Russian cybercriminals have been continuing with business as usual and have not escalated or appeared to try to increase their targeting of critical infrastructure, but that could easily change if they’re supported by the Russian state.”