Russia's Joker DPR Claims Access to Ukraine Troop Movement Data

A hacktivist group working with Russia claims it breached DELTA, the Ukrainian battlefield management system (BMS).

The Joker DPR threat group has been around and functioning as an arm of the Russian state since 2019, largely focused on spreading disinformation and leaking sensitive Ukrainian government and military secrets stolen by insiders friendly to Russia. Its goal is undermining people's confidence in the country's institutions, but no one should be fooled into thinking Joker DPR is a sophisticated group of super-hackers — it's not.

In its own words, Joker DPR wants to "destroy the clowns" running Ukraine's government ("DPR" is the English acronym for a separatist group in eastern Ukraine called Donetsk People's Republic). And in November, it made a startling claim that would seem to further that agenda — that it had real-time access to DELTA, the Ukraine military's battlefield management system (BMS). If true, this would have given the group insights into military planning for the Armed Forces of Ukraine (AFU).

However, according to new analysis from Recorded Future, that claim was vastly exaggerated.

Exaggerated Access to Ukraine's Troop Movement Data

Recorded Future and other cybersecurity experts were dubious about the hacktivist group's allegations. After analyzing Joker DPR's "proof" of compromise, they found that, rather than having gained full access, the threat group is far more likely to have access to an individual user account.

The distinction hardly mattered to Joker DPR, since Russian media quickly picked up the story and proclaimed that the Russians had a full backdoor into Ukraine's DELTA system.

After the claim of compromise, AFU commanders might choose not to use the sophisticated system on the battlefield — a win for Russia. The Recorded Future researchers said they have sources which show that this tactic was effective.

"Given that the breach was unlikely to have occurred in the manner Joker DPR described, in real terms, the greatest damage Joker DPR could have inflicted was through the assertion of the breach's existence," the Recorded Future researchers added. "Joker DPR was essentially claiming that it had real-time access to the BMS."

The report added that Russian media's eagerness to pick up the story further signals that Joker DPR didn't actually have the access to DELTA it claimed. If it had real-time intel into the AFU's movements, Russia would not be so quick to give away its advantage, Recorded Future's research explained.

Don't Believe the Hacker Hype

Although the group wants to give the impression of being a band of super hackers, in reality, the group hasn't displayed dazzling hacking abilities, according to Recorded Future's analysis.

"Put simply, the group does not appear to specialize in hacking, and it will 'take what it can get' to support its information agenda," a Recorded Future researcher who prefers to remain anonymous tells Dark Reading. "Joker DPR first and foremost specializes in information operations, and any cyber activity that occurs within the umbrella of the group is only meant to support those operations."

That makes it tricky to try and predict Joker DPR's next target.

"Joker DPR's activities suggest the group is more opportunistic with its cyber activity, using its platform to amplify news of compromises in an effort to undermine the credibility of the Ukrainian government and military," Recorded Future's researcher says. "This is in contrast to groups like Killnet that display consistency in their tactics, techniques, and procedures (TTP) and targets."

The likelihood of international law enforcement reaching Joker DPR in Russia is small, but Recorded Future's analysis hopes to raise the group's profile to help protect Ukraine's forces from Russian-aligned groups, as well as push back against ongoing Russian disinformation campaigns.

About the Author

Becky Bracken, Senior Editor, Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.
