The Russian invasion of Ukraine was bound to play out in part in cyberspace. While Russian offensive cyber operations against the West have long been alleged, the rise of crowdsourced hacking efforts in the current war has taken an interesting turn.
First, there were the accusations of Russia utilizing the Premise microtask platform to identify everything from bomb craters to targets of opportunity. This was backed up by Ukrainian military forces in a Facebook post, which eventually led to a curt rebuttal from the CEO of Premise, who denied the claims. Subsequently, the company turned off Premise in Ukraine.
On the Ukrainian side of the conflict, Anonymous launched #OperationRussia to target assets owned and operated by the governments of Russia, Chechnya, and Belarus. While Anonymous is a wild card when it comes to political causes, its Twitter feed was rife with targets, and a string of successes has emerged since the group launched the operation in late February. Many dozens of .ru websites, Kremlin websites, and government-backed companies were all fair game. Even the Russian stock exchange was out of action, serving an "I'm a teapot" HTTP 418 error for the first few weeks of the conflict before being sinkholed completely.
Creation of a "Cyber Army"
Then there are official bug bounty platforms. Hacken.io was launched in 2017 and is based in Kyiv, Ukraine's capital. It specializes in bug bounties and vulnerability disclosure programs around blockchain products. While I don't think much of cryptocurrencies, I did have a go at some of its bug bounties back in the day, and it resembles any other crowdsourced security platform (think Bugcrowd, HackerOne, etc.).
At the outset of the conflict, Hacken launched "Cyber Army" via an email sent to all security researchers signed up to its platform, asking them to get involved in the conflict directly by discovering vulnerabilities in Russian websites, to be leveraged by Ukrainian military assets.
The email states:
"Now it's high time for you to use your technical skills and knowledge for global peace and security. We've created Cyber Army to stop Russian propaganda machines and contribute to disseminating real information about the Russian invasion of Ukraine among Russian citizens. Everyone can join us to help Ukraine win the cyberwar against Russia."
The company's Telegram account now has over 1,000 users and is climbing every day. Hacken elaborates further on this bug bounty program on its website, which states:
- "Select a russian [sic] propaganda or infrastructure website
- "Find critical vulnerabilities
- "Submit a report
- "That's it! We'll put it in the good hands of Ukrainian cyber forces"
The site explains how the organization is mainly looking for serious stuff, such as RCE, SQLi, and RFI/LFI and will ignore low/medium vulnerabilities. So, this is not the time to pester the site with that cross-site scripting vulnerability you found.
Then a suggested target list is provided, which includes the targets you would expect in this kind of scenario, such as hosting providers, aerospace, energy, and pretty much any infrastructure that would disrupt the Russian war machine.
Since the initial publication, Hacken has scaled back the message on its site to "defending Ukrainian assets" by finding vulnerabilities in them, rather than attempting to find exploits in Russian infrastructure. And it's been a successful program — the page tracking the discovered vulnerabilities now lists hundreds of exploitable vulnerabilities, with a single researcher responsible for 325.
Hacken now works in conjunction with the IT army of Ukraine and messages outlining their successes are regularly broadcast across both of their Telegram channels. These range from the number of Russian websites taken down in DDoS attacks to meme-like successes, including a cash register printing out expletives about Putin or a gas station pump deep in Russia displaying "Glory to the Ukraine."
All in the Game
Last week, the game site playforukraine.life was released. While on the surface users are playing a game, in the background the page makes each player's browser send requests to a rotating list of Russian websites, which will eventually cause DDoS incidents when enough people are playing.
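From the defender's side, a browser-crowdsourced flood of the kind just described looks different from a classic botnet or single-source flood: a sudden jump in the number of distinct client addresses hitting the site, each at a modest rate, rather than a few sources at very high rate. The following detector, an added example that is not code from the article, from playforukraine.life, Hacken or the IT army, buckets web server access-log lines by minute and flags minutes whose distinct-source count and request volume both exceed a baseline multiple. It assumes Combined Log Format with the Referer field logged, and the log lines, thresholds and the Referer value `https://game.example/play` are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Combined Log Format with an optional trailing Referer field. Assumption:
# the server logs the Referer; when it does not, the group is simply absent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<ref>[^"]*)")?'
)


def parse_line(line):
    """Return (minute_bucket, client_ip, referer) for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ts.replace(second=0, microsecond=0), m.group("ip"), m.group("ref") or "-"


def per_minute_stats(lines):
    """Aggregate request count, distinct client IPs and Referer counts per minute."""
    stats = defaultdict(lambda: {"requests": 0, "ips": set(), "referers": Counter()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole run
        minute, ip, ref = parsed
        bucket = stats[minute]
        bucket["requests"] += 1
        bucket["ips"].add(ip)
        bucket["referers"][ref] += 1
    return dict(sorted(stats.items()))


def flag_floods(lines, ip_factor=5, req_factor=5, min_ips=50):
    """Flag minutes that look like a crowdsourced flood.

    A minute is flagged when its distinct-IP count and its request count both
    exceed the median minute in the window by the given factors, and at least
    min_ips distinct sources took part. Many sources each at low rate is what
    separates a browser-crowdsourced flood from one noisy client, which a
    per-IP rate limit would already catch. The thresholds are illustrative.
    """
    stats = per_minute_stats(lines)
    if not stats:
        return []
    ip_base = median(len(b["ips"]) for b in stats.values()) or 1
    req_base = median(b["requests"] for b in stats.values()) or 1
    flagged = []
    for minute, b in stats.items():
        n_ips = len(b["ips"])
        if (n_ips >= min_ips and n_ips >= ip_factor * ip_base
                and b["requests"] >= req_factor * req_base):
            flagged.append({
                "minute": minute,
                "requests": b["requests"],
                "distinct_ips": n_ips,
                # Top Referer values hint at which page is driving the browsers.
                "top_referers": b["referers"].most_common(3),
            })
    return flagged


def make_sample_log():
    """Constructed log: five quiet minutes from three office addresses, then one
    minute in which 200 distinct addresses each send two requests, with a
    hypothetical game page as Referer."""
    start = datetime(2022, 3, 14, 12, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S +0000"
    lines = []
    for minute in range(5):
        for i in range(12):
            t = start + timedelta(minutes=minute, seconds=i * 5)
            ip = f"198.51.100.{(i % 3) + 1}"
            lines.append(f'{ip} - - [{t.strftime(fmt)}] "GET /index.html HTTP/1.1" 200 512 "-"')
    flood = start + timedelta(minutes=5)
    for i in range(200):
        for k in range(2):
            t = flood + timedelta(seconds=(i * 2 + k) % 60)
            lines.append(
                f'203.0.113.{i} - - [{t.strftime(fmt)}] "GET /api/status HTTP/1.1" '
                f'200 17 "https://game.example/play"'
            )
    return lines


if __name__ == "__main__":
    for hit in flag_floods(make_sample_log()):
        print(hit["minute"].isoformat(), hit["requests"], "requests from",
              hit["distinct_ips"], "addresses; top referers:", hit["top_referers"])
```

The baseline here is the median minute of the window being analysed, which is fine for a short batch; in production you would take the baseline from the preceding days so that a flood lasting most of the window cannot raise its own threshold. The flagged minute's Referer breakdown is the quickest way to tell a coordinated browser campaign from a genuine traffic spike.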
Danger for Organizations
So, what's the danger here? Because of the scope creep of the attacks, it's important to dissociate from, or at least review, any association with anything that is based in Russia or has a connection to Russia. While the initial attacks clearly focused on the Russian government, and then spread to Russian-backed companies, this has quickly ballooned to "anything Russian or connected to Russia," which includes Western companies that haven't yet exited the Russian market. They could become targets simply for appearing to support the invasion.
Just a single tweet could define a company as in league with Russia and it would feel the wrath of the masses online, without any gatekeeper there to validate the intelligence in the first place.
While companies around the world are evaluating their exposure to this conflict and trying to shore up their defenses against Russian retaliation over sanctions, I find it increasingly likely that we will see companies caught up in the tidal wave of outrage and become victims of the online masses when they are named and shamed and their online assets attacked because of a vague association with one side or the other.