Sponsored By

What Happened to #OpRussia?

The cyberwar to attack Russia has never really stopped, despite a decreasing interest from the West.

Alex Haynes

February 13, 2023

5 Min Read
mashup of Ukrainian and Russian flags
Source: tunasalmon via Shutterstock

Almost a year ago, Russia invaded Ukraine.

Due to the unprovoked aggression by Russia, worldwide condemnation was quickly followed by a call to arms to help Ukraine, both on the ground and in cyberspace. #OpRussia was born.

A year on, you'd be forgiven for thinking that #OpRussia had died down. What happened to it? What did it achieve?

First, let's look at the numbers and the participants. While it's hard to pin down exactly how many people are active in the cyberwarfare aspect of the conflict, estimates range from 150,000 to 400,000, based on the number of subscribers to various Telegram channels. Count active subscribers to the various Discord channels and active reactions to such posts, however, and you get closer to 200,000 — many of which are found in the IT army Telegram channel, the main repository for target listing and action in the ongoing cyberwarfare.

To confuse matters, there are also participants in various auxiliary organizations that have flocked to the Ukrainian banner. Hacken.io — a bug bounty outfit based out of Kyiv that specializes in security of crypto tokens, extended the call to arms to its own army of hackers. While the initial callout was to find vulnerabilities in Russian infrastructure, this was walked back a few weeks later to protect Ukrainian infrastructure. Then we have Anonymous (the infamous, nebulous organization that anyone can identify with), which pushed the #OpRussia tag to prioritize attacks against Russian interests in cyberspace. On top of this, disparate hackers and entities joined the fray. For example, Network Battalion 65, a pro-Ukrainian outfit, appeared on Twitter in February 2022 and almost immediately started compromising high-profile Russian targets with alarming regularity, under the #OpRussia banner.

The Tools and Initiatives

A lot of high-profile initiatives were born from the drive to damage Russian interests (and, eventually, Western entities that still maintained a presence in Russia). The most popular and still actively used is Disbalancer (also called "Liberator"), a DDoS tool used to take down infrastructure targets. The barrier to entry for this tool is extremely low: simply download the flavor of your choice — Windows, Mac, or Linux — and run it, and your bandwidth is used to attack a rotating target list.

Disbalancer has had remarkable success, with an average running load of 3,000 users (still a formidable botnet), with peaks of more than 34,000 users. The tool has had more than 200,000 downloads to date. There is a rotating target list of up to a dozen targets, and Disbalancer claims to have attacked more than 700 Russian targets.

On top of this were some more esoteric efforts, such as PlayforUkraine.life, a simple Web-based game of 2048, which performed application-level DDoS in the background. This was responsible for taking down Alfabank, Russia's largest domestic bank. PlayforUkraine.life isn't active anymore and seems to have gone quiet in mid-July or August of last year.

Another such site is WasteRussianTime.today, which automatically connected two government officials with each other. As the name implies, the only outcome was wasted time and some hilarious results. The website is currently showing a 502 error and looks like it went out of action in about June or July of last year.

The Impact and Breaches

The one notable constant in the cyber conflict is how the Russian mythos of invulnerability has quickly evaporated (a parallel can be drawn here to its "physical" forces too). The breaches from February to August would be too numerous to list here, but for brevity I've listed the biggest ones. (For similar reasons I've also omitted DDoS takedowns, as these are now in the hundreds of targets.)

At the top of the list we have Roskomnadzor, at a whopping 900GB. It effectively is the mass surveillance department for the Russian population. This was quickly followed up byVGTRK — the Russian state broadcaster, essentially a propaganda mouthpiece for the Kremlin — that was 20 years' worth of emails and 700GB of data. Then lots of other government affiliated entities follow: Rosatom (state nuclear agency), the Central Bank of Russia, Gazprom, Petrofort, the Russian interior ministry, Transneft, SberBank, the Federal Security Service, and even the Russian Orthodox Church all get their turn. For the first six months of 2022, the Russian government was suffering a breach every three days, for a total equivalent of 20TB (!) of breached data in the first few months of the war.

This is only counting the leaks made public via various entities such as Ddossecrets.com, where most of these leaks can be found.

But then, after the first six months, things got a bit quiet. Even the most prolific actor on the scene, Network Battalion 65 — which was tearing through Russian companies since February — went dark in August 2022 and never resurfaced. In its wake, more than 20 high-profile breaches and something north of 4TB of data leaked by them alone in the space of four months.

So, What's Happening Now, and Why Have Things Subsided?

The cyberwar never really stopped, and the attacks rumble on at a lower rhythm, but the intensity remains. At the time of this writing, for example, atol.ru (tech company supporting automation) and ofd.ru (a cloud company) are the current targets of the IT army of Ukraine, and that's not mentioning the dozen or so rotating targets of the Disbalancer tool.

Interest in Ukraine has sadly waned in the Western press as the conflict rumbles on. Google Trends shows that, aside form a large peak in February/March 2022 and a follow-up jump in May, interest in Ukraine in search terms has slowly decreased. The impact on the overall course of the war, however, remains unclear, and if anything proves that true cyberwar is a long way off and that the real outcome of the war will be decided in real space with guns and steel.

About the Author(s)

Alex Haynes

Chief Information Security Officer, IBS Software

Alex Haynes is a former pen tester with a background in offensive security and is credited for discovering vulnerabilities in products by Microsoft, Adobe, Pinterest, Amazon Web Services and IBM. He is a former top 10 ranked researcher on Bugcrowd and a member of the Synack Red Team. He is currently CISO at IBS Software. Alex has contributed to United States Cyber Security Magazine, Cyber Defense Magazine, Infosecurity Magazine, and IAPP tech blog. He also has spoken at security conferences including OWASP and ISC Security Summits.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights