
“The most useful attacks are on Russia’s financial sector.” Interview with a #Ukrainian underage hacker from Cyber.Anarchy.Squad

Oleksandr Strelnykov

System dumps of Russian state institutions, defacement of enemy military sites, leaks of documents by propagandists from the Russian Federation – this is not an exhaustive list of means used by Ukrainian hackers from the Cyber.Anarchy.Squad group during the “first world cyber war”.

DOU managed to record a conversation with a CAS activist, who told more about the work of the hackers after February 24. At the interviewee’s request, we are publishing this interview while preserving his anonymity.

“We have almost complete decentralization”

— Tell us your story, how did you get into Cyber.Anarchy.Squad?

I am a minor, so I do not yet work anywhere, I study at the Faculty of Telecommunications and Radio Engineering of the Ukrainian University.

Cyber.Anarchy.Squad has been around for four years now. Previously, it was a kind of hobby, within which people could engage in programming, cyber-raids, cyber-bullying in Discord. Over time, I realized that I wanted to raise the bar higher. So I started programming software for hacking contests and started a blog in which I wrote articles about web vulnerabilities.

When the war began, we moved to a more aggressive phase of development and began to fight Russia in cyberspace.

— Are you self-taught, did you consciously decide to learn programming and improve your skills?

Yes. I was interested in becoming better than others in this field. At first, my team and I hacked other people’s servers; it was outright cyberbullying. Later we realized that we were doing something wrong and needed to set more interesting bars. And so I ended up in web, that is, website penetration testing, testing sites for strength.

— CAS is a decentralized structure? Or is there a person responsible for defining goals and objectives?

As the name suggests, this is anarchy. No one pushes anyone, everyone decides for himself what to do and chooses his own direction of work. We have almost complete decentralization, however, there are also special chat rooms where a number of our members promote this anarchy to the masses, that is, talk about the operations carried out. We have special channels where we store software and Russian databases.

But in general, everyone who is interested in hacking and the concept of cyberanarchy can ascribe themselves to CAS. The only requirement is not to dishonor the name of cyberanarchy. It happened that people of not very moral character and with mediocre achievements in life did stupid things, for example, they used Nazi symbols next to our name in attacks or persecuted people under our auspices. This, of course, hit the reputation of the entire hacker movement and caused only a rebuke. And we had to apologize. We understand that this is hacking, but it should have moral boundaries.

— How many members does your organization have?

From 15 or more dedicated people who know what they are doing. And if we talk about those who are simply interested in our activities and casually join, then up to 100 people.

— What do you see as the goal of the CAS movement during the war?

The very concept of cyberanarchy testifies to the idea of freedom on the Internet, the ability to freely do what you want without oppression from others. But now, because of the war, our community has decided to oppose Russia on the cyber front, because there is too much propaganda and aggression from this rotten empire.

“Cyber war against Russia almost does not pay”

— You put some leaked information up for auction, and then you direct part of the received funds to the needs of the Armed Forces. Do you continue to engage in commercial hacking, or do you focus all your efforts on countering Russia?

Cyber war against Russia is almost not paid and takes a lot of time. In addition, in terms of labor costs, it does not differ from ordinary office work. Some hackers lack time for their main work and have to choose: either work all day and hack at night, or sacrifice work. It’s easier for me, because I’m currently only getting a higher education.

Many people who join the cyber resistance, of course, want to have at least some kind of monetization, but hackers should not be tied to commerce. In this case, everything should be based on an idea. We do not engage in direct commercial hacking.

In order to have at least some profit, sometimes we sell databases or access to colleagues in the trade. This is enough to cover our own software needs, to pay for the rent of servers, virtual numbers and proxies. And, after all, to pay for the Internet.

— How do you measure the success of conducted cyber operations? What are you trying to achieve in cyberspace with these attacks, leaks and deanons?

There are a lot of angry Russians on the Internet who spread panic and sow hatred against Ukrainians in chat rooms. Such people need to be put in their place. Not everyone should be deanonymized, but it should be done precisely.

As for cyberattacks, together with leaks, they deal a big blow to the budget of the aggressor’s companies, because the downtime spent on eliminating the problems caused by us entails considerable monetary losses. Sometimes a defacement [hacking of a website accompanied by a change of the main page — ed.] is used to expose a specific opinion formed and imposed by the Russian authorities.

Deface of the website of the Russian media holding, which owns the channels Ren-TV, STS and others, for the Independence Day of Ukraine

For example, when we hacked the official portal of legal information of the Russian Federation, we wanted to convey information that among the Russian army there are war criminals who castrate people, and this is not normal, it is animal cruelty. People need to be shown that war is not just someone coming and fighting without consequences. We wanted to convey Ukraine’s position.

In some attacks where we leak data, we directly put the reputation of the compromised companies and institutions at risk. For example, as happened with ESIA (“Unified system of identification and authentication”), or the so-called “State services”. They threw everything at us: that it was a “dirty game” and that we just made a mix from old sources. But the very fact that we have launched a data leak (there are already more than 2.5 million lines) and it can be bought speaks for itself. We have put the reputation of Russian digital systems under attack and are causing them great financial damage.

— Is the power of Russian hackers, which was written about by many Western media until recently, really a myth? In your opinion, how secure are Russian government servers, especially those related to critical infrastructure?

Russians take a more responsible approach to critical infrastructure and spare no expense for its protection. In Russia, there is the so-called “GosSOPKA” (Russian: state system of detection, prevention and elimination of the consequences of computer attacks – ed.) for cyber security control of important objects. But in general, the state of cyber security in Russia is the same as in the entire CIS.

In Ukraine now, too, according to my feelings, cyber security is not taken too responsibly, without warning. Even the head of the Ministry of Digital Affairs, Mykhailo Fedorov, stated as early as 2019 that the role of cyber security in the whole world is exaggerated. They think similarly not only in our country, but also in neighboring countries.

I will not talk about defense, because I deal with the opposite – attacks. But in general, I can say that our security in cyberspace is at a low level. Of course, some companies spend a lot of money on it, sometimes even state structures lay down good budgets for it, but this is only part of the big picture.

As for Russian hackers, in 2000-2010 they were a kind of brand around the world. In the West, they constantly wrote: Russian hackers stole a million, carried out cyber attacks, leaked data – under this label, the media and state authorities understood not only Russians directly, but also hackers from neighboring countries – Ukrainians, Belarusians, Kazakhs.

Since the full-scale aggression, this stereotype has begun to break. The world talked about Ukrainian hackers separately. So we are creating our cyber brand — hackers who will stand up to Russia. And we will not stop doing it even after the end of the war.

The biggest threat is the GRU hackers — Fancy Bear; there are many subspecies of these “bears”. They are well sponsored by the special services of the Russian Federation. They are given a task – and they perceive it as an order, like soldiers. This carries great danger both for Ukraine and for its allies.

— According to your estimates, how many of them are “decorated” hackers who do it purely for money, and how many are “ideological”?

Some Russian hackers are forced to cooperate with state structures, that is, they are given the choice of either going to prison or working for the state. Some of them, of course, are paid.

About “idealists”. I don’t think that there can be such ideological people who will terrorize Ukraine and Poland, conduct DDoS attacks on the websites of parliaments and be considered fighters for an idea. That is, I even refuse to call them that. Mostly it is soaked “vata” [“cotton wool”, a slur for jingoistic Russians — ed.], which shouts the loudest in the chats about what everyone will “scoop” from it. This is not an idea; such people do not know what they are fighting for. They want to serve themselves, to get a mental “cheat” that they supposedly helped their state, so that in case something happens after the war, they can be told not to be touched.

“We haven’t announced our most complex attacks yet”

— What type of cyber operations is the most difficult to perform? Perhaps you will remember something from the last tasks that became real tests.

The most difficult thing is when the victim of the attack is weak in cyber security. But nothing is perfectly protected, and sooner or later there will be a specialist who will crack it.

The most complex attacks are those cyberattacks that are built in a chain: you hacked one target, gained access rights, hacked another target, went to it with previously obtained access, got access to the network there, hacked it and moved on.

Draining the databases of the Rosatom Innovations website

Actually, I consider such step-by-step situations, when it is necessary to constantly advance through the network, to be the most difficult. Hacking one site is relatively simple: find the login and password of the administrator, find a vulnerability, and that’s it – the task is done. And when the company is large and has an extensive infrastructure, it is necessary to act step by step.

It was not easy to hack “1C-Bitrix”. They have quite a large infrastructure, many servers, everything had to be reviewed, vulnerabilities found. After gaining access to different servers several times, you need to get higher level rights. Admins in some cases severely limited the possibilities on the web and disabled some functions in the same PHP. I had to wriggle out.

We have not yet announced our most complex attacks. Some of them turned out to be successful. But we need time to process the received data.

— Which of the Ukrainian cyber groups do you cooperate with?

We work closely with DumpForums. We also cooperate with the “Ukrainian Cyber Alliance” and Revenge.Monster (a resource that publishes leaked Russian databases).

We used to work with DataLeak, a leak aggregator, but it disappeared from the radar four months ago. The administrator said he would write to me. I appeal to him: if you are going to read this, come back. You know my contacts.

— Not so long ago, you reposted a post saying that the Ukrainian “IT army gets underfoot” when you conduct cyber operations. Can you explain the idea?

Until recently, I didn’t have any complaints against the IT army – they did their own thing, DDoSed something, it didn’t affect me.

But everything changed with the hacking of the CSTO (Collective Security Treaty Organization) website. When protests began in Kazakhstan in January of this year, it became wild for me that Russia, Belarus and other CSTO countries entered their troops into the territory of a sovereign country: people of their own volition went to a rally, and here it is.

In September, I read in the news that Armenia asked the CSTO for help amid the conflict with Azerbaijan. Then the other CAS members and I realized that something had to be done about it.

We hacked their resources, posted a fake news story that hurt their reputation, and later the admin freaked out and shut down the servers — calling it a DDoS. After that, we decided to take a break until some more high-profile news related to the CSTO broke out, and then build a more effective attack.

We wrote in an aggressive tone that this is not the end, we will be back. We were waiting for the right time, and then they send me the news that the IT army has ruined almost all our access. They posted a “last greeting” to Putin. I thought: “God, what have you done?!” We were preparing to conduct a professional cyber operation, and now we have partially lost access. We spoke about this: Sean Townsend from the “Ukrainian Cyber Alliance” wrote more gently, asking them not to get in the way. I reacted more emotionally. And there are a lot of such misunderstandings between us now.

— Do you communicate with the IT army so that this does not happen, so that you can coordinate your actions?

We almost cooperate with representatives of the law enforcement agencies of Ukraine. We have no direct contact, no one gives us tasks. We act as a kind of volunteer battalions.

We communicate with law enforcement officers through colleagues and friends. For example, we inform them that we have found a vulnerability on the site, we pass on the information, they say, remove it, please. Or we say that we have found data related to the security sector of the Russian Federation, and we pass it on.

I believe that it is necessary to create a coordination center for attacks that are carried out in cyberspace by both independent hackers and government cyber specialists. No one directly wants to communicate, let alone comment on the chosen goals. There is some confusion in communication.

“There are many different targets for hacker attacks”

— How do you feel about the idea of creating a full-fledged Ukrainian cyber army? Is it effective? Or, if we are talking about serious cyber operations, is it better to have an extensive network of cyber gangs?

I am positive about the creation of such an army. The first world cyber war is now underway, and we are almost unprepared for it. Yes, we had the “Ukrainian Cyber Alliance”, which worked since 2015; they had a lot of experience, but we and the rest of the groups came in “green”. One of our first targets was the Ministry of Education of the Russian Federation, and we successfully hacked it, but we couldn’t even post the data.

The first attempt to publish the leak was marred by an inability to find a suitable host that could handle that much data. I later learned that this attack was attributed to some Aurora group. When CAS and I already had our own good hosting and a lot of subscribers, I still decided to post this data. But here too we had a setback – the hosting could not handle such a large amount of data. It was a fiasco.

We lacked access to advance the attack and just sat back and looked for what we could break. If we had a cyber army, it would be much easier to conduct cyber operations against serious adversaries such as Russian situational awareness systems (although I have great doubts that the Russian Federation will be able to develop an analogue of the Ukrainian “Delta”).

— According to your estimates and from your experience, what targets should be struck in the Russian Federation? Maybe it makes sense to choose small targets and bombard the Russians with cyber attacks? Or gather a lot of talented hackers and take down the Moscow power system – and from this there will be more “exhaust”? And maybe we can even develop our own Stuxnet, which will cause maximum damage to the Russians?

A very cheap and strict analogue of Stuxnet is Azov Ransomware, it was developed by one of the Ukrainian volunteers. It deletes 666 bytes per cycle, turning files on the victim’s device into garbage.

There are many different targets for hacker attacks: financial institutions, state structures, the defense industry, factories, social and critical infrastructure (dams, explosives manufacturing enterprises, sewage treatment plants, nuclear power plants, thermal power plants, hydroelectric power plants). That is, systems that should provide the entire city or several cities. Such cyber attacks are the most destructive and aggressive. After them, the FSB and the GRU start to take an interest in you, of course! Because you, sitting in Ukraine, were able to turn off the light of an entire Russian region and cause tangible damage to the company that supplies the light. Sometimes such attacks even lead to deaths.

The first world cyber war is now underway, and we are almost unprepared for it

The most useful attacks for us are on the financial sector of the Russian Federation. The idea is to leave the occupiers penniless. I believe that even their marketplaces like Avito should be attacked.

Another interesting target is government applications. Many state structures in Russia cooperate with coordination centers and use RIA for this. You can “take down” entire servers of “public services” that are actively used by the population, and this will lead to dissatisfaction and distrust of the state.

— To what extent, in your estimation, has Ukraine become more protected in cyberspace after February 24? And what areas of cyber security do we still need to “tighten up”?

The protection became better, they began to check the systems. For example, if the Russians hack a company responsible for maintaining airports, other companies in the industry will also be tested.

But this is still not enough. CAS had a situation when, at the beginning of the war, we found a vulnerability in one educational portal in Ukraine, which allowed downloading a lot of data about pupils and teachers, students and lecturers – addresses, phone numbers, passwords, e-mails. The vulnerability concerned the admin panel.

We tried to draw attention to this, wrote to the technical support of the portal, but we were ignored. Then, through the main page of the site, we contacted the administrator in Telegram, where we conveyed all the vulnerabilities and tried to come to an agreement. He didn’t want to do anything about it; he just said: OK, I’ll pass it on.

The vulnerability hung around for three months; we tried to bring CERT-UA into this situation — it didn’t work. Through acquaintances, we got in touch with the law enforcement agencies, who said that they would also pass it on. This is such a drag. But if an attack takes place, hundreds of thousands of Ukrainian computers will be under attack. As long as there is such an attitude towards security in Ukraine, it will put the security of the entire country under attack.

About Post Author

Treadstone 71

@Treadstone71LLC Cyber intelligence, counterintelligence, Influence Operations, Cyber Operations, OSINT, Clandestine Cyber HUMINT, cyber intel and OSINT training and analysis, cyber psyops, strategic intelligence, Open-Source Intelligence collection, analytic writing, structured analytic techniques, Target Adversary Research, cyber counterintelligence, strategic intelligence analysis, estimative intelligence, forecasting intelligence, warning intelligence, threat intelligence