How Telegram became the battlefront of the Russia-Ukraine cyberwar
6 March, 2023
Telegram is a vital communication lifeline for the Ukrainian resistance, Russian hackers, and profiteering cybercriminals who seem resilient to war
[Above: The number of weekly posts on Telegram and underground forums mentioning war-related keywords in Russian or Ukrainian]
By ADI BLEIH and DOV LERNER, Cybersixgill
When Russia invaded Ukraine on February 24th, 2022, many warned that the conflict could escalate into a global cyberwar. These fears intensified as ransomware gangs and hacking groups sympathetic to the Russian government appeared ready to strike. A self-styled IT Army allied with Ukraine declared a counter-offensive. Governments — and companies — around the world are prepared for widespread digital incursions. Yet, for all their bluster, these groups failed to impact the ground campaign significantly.
Instead, the war’s digital presence manifested in other ways. A year after the war began, Cybersixgill investigated how the war echoed on the deep and dark web, the context of hybrid conflict, and how cybercriminals kept business humming.
Telegram has been the central deep web venue for the war. Many conversations about the war occurred on large, existing cybercrime channels, and the invasion spawned many new channels.
Chatter on Telegram tended to follow events in the war. War-related posts in Russian or Ukrainian peaked at over 122,000 per week in mid-October, coinciding with the strike against the Crimean bridge and subsequent Russian missile attacks.
Many Telegram channels assumed a fiercely nationalistic tone. Some called for and coordinated cyberattacks against the adversary. However, the predictions for a global cyberwar have fortunately fallen short. While groups aligned with Ukraine and Russia have carried out many successful attacks against many governmental and civilian targets, they are similar to traditional hacktivist methods, such as data compromise, defacement, and denial of service. It does not appear that any attack has provided even a minor tactical advantage, though they perform a valuable symbolic service in energizing the base of supporters to the cause.
Meanwhile, Telegram provided a valuable service to Ukrainian and Russian civilians alike. Many turned to channels to consume critical information, follow battlefield events, find humanitarian assistance, and determine how to escape the fighting or mobilization.
Activity on Telegram contrasts with deep and dark web forums and markets, where chatter about the war peaked initially, then steadily declined as the war continued and as administrators sought to reduce political discourse to a minimum. Notably, there was a significant rise in the number of compromised Russian credit cards for sale and scams seeking to exploit aid donations, but otherwise we can attest that it’s business as usual for cybercriminals.
Telegram groups have served as a rallying point for supporters of either side. They are excellent channels to galvanize the respective bases against the adversary. Thematic groups on Telegram function as echo chambers in which like-minded users encourage one another’s opinions. Some channels even shared celebratory images of the enemy’s dead soldiers, and (more towards the beginning of the war) Ukrainian channels shared details of Russian troop movements to enable counterattacks.
Threats and calls for action spilled over into the cyber arena. For example, one of the most notorious ransomware groups announced full support for the Russian army and President Vladimir Putin’s administration. It added, “If anybody decides to organize a cyberattack or any war activities against Russia, we will use all possible resources to strike back at the critical infrastructures of an enemy.” Several hours after they issued this threat, a Ukrainian security expert leaked hundreds of their files containing 60,694 internal messages. Nevertheless, the group did not change its modus operandi towards targeting Western infrastructure.
Furthermore, in March 2022, a group that had previously been involved in DDoS tools transformed into a pro-Russian hacktivist collective. Engaging daily with over 90,000 subscribers on Telegram, the group has declared war on Western targets and claimed responsibility for attacks against Western private and public sector targets, ranging from defense contractors to Eurovision.
Pro-Ukrainian forces have joined the fight. One prominent pro-Ukraine hacker collective on Telegram, boasting nearly 13,000 members, has called on Western hackers and groups to join in the fight against Russia.
Already in the early days of the war, a Ukrainian cybersecurity official alleged that their ranks numbered over 400,000 Ukrainians and sympathizers from abroad.
In the last year, they have claimed attacks against hundreds of Russian websites and military targets such as the Wagner group (figure 3) and even caused a traffic jam in Moscow by ordering dozens of drivers to the same site.
Pro-Ukranian hackers also stole $25,000 in Bitcoin from a Russian dark web drug market and gave it to a Kyiv charity.
Additionally, they leaked data such as that of Russian soldiers that allegedly took place in the attack against Mariupol (figure 4), the Russian Ministry of Foreign Affairs (figure 5), and the Moscow traffic police.
However, these attacks follow the general framework of ideologically-motivated cyberattacks (hacktivism), albeit in higher intensity than in previous conflicts. None of these attacks stands out as unique in scale and scope, and they have had little effect on the situation. Still, these attacks provide symbolic victories essential for morale and resilience.
The nature of discourse on Telegram contrasts with discussions of the war on established dark web forums, which were generally more balanced.
Early calls for radical actions, such as banning all pro-Russian users (figure 7), subsided. We discovered indications that some forum admins banned users from expressing political views, which makes sense, considering that they want to keep forum discourse strictly to business.
Informational and humanitarian discourse
The bulk of deep and dark web activity is concerned with informational and humanitarian updates about the war.
Many Telegram channels broadcast regular news updates, sometimes granular reports about specific events.
Many other Telegram groups offered to help with border crossing, including assistance with passports, transportation, and certifications.
Many more reached out through Telegram to offer donations of money, food, clothes, and essential gear.
Many Russians are using Telegram to avoid conscription by the Russian government. For example, in a post repeated over 22,200 times across twenty different Telegram channels, an actor has offered to forge HIV-positive certificates for Russians in return for 40,000 rubles (~$550).
Other Russians declared that they fled the country to avoid the draft, and several dedicated Telegram channels even reported experiences at border crossings.
Russians have also resorted to the deep and dark web to circumvent sanctions, enabling them to transfer funds and purchase goods from beyond Russia’s borders. Thus, while Russians can no longer enjoy a meal at McDonald’s or a coffee at Starbucks, savvy users of the underground can still get their hands on banned technology products. And even though Russian cardholders cannot purchase items outside of Russia, actors on underground forums can procure cryptocurrency or virtual and prepaid credit cards to make purchases abroad.
Many cybercriminals reside in Russia and Ukraine. However, cybercrime appears to have been resilient to the war. Criminal forums have operated like it’s business as usual, with no noticeable decrease in activity. Indeed, the war seemed to have little effect on the overall volume of Russian and Ukranian-language posts on underground forums.
We discovered two ways that the war has affected crime. First, like with all crises, threat actors attempt to take advantage of both fear and goodwill. On the underground, actors have warned one another from falling victim to fake donation sites.
Second, there was a curious increase in compromised Russian credit cards sold in underground markets in 2022: the number rose from only 769 in 2021 to 28,327 in 2022.
This spike occurs within the broader context of the plummeting quantity of compromised credit cards for sale.
Furthermore, the conventional understanding is that the Russian regime permits cybercriminals to operate with impunity as long as they do not attack Russians. Indeed, a clear indicator of this notion has always been the disproportionate underrepresentation of compromised Russian credit cards.
Perhaps Russian actors felt more confident compromising local cards because the regime was preoccupied. Non-Russians may have stolen the cards in a criminal-nationalistic attack. However, this is especially notable since soon after the war began, credit card companies such as Visa and Mastercard blocked Russians from using their cards for international purchases. (Roughly 24,000 of the cards were either Visa or Mastercard.) Thus, many of these cards were procured through a compromise of a Russian e-commerce site.
Unfortunately, Russia continues to wage war in Ukraine with no end in the foreseeable future. The war has exacted a devastating humanitarian tool and decimated Ukrainian cities and towns.
While many predicted that the war would herald a new era of cyber warfare, this has yet to materialize; there were many nationalistically-motivated attacks, but they were limited in scale and largely symbolic. Instead, the real impact of the deep and dark web on the war has been the ability to share news and humanitarian developments. Amidst the uncertainty of war, many undoubtedly have relied on a consistent stream of updates to forge their paths to survival.
Posted in tags: Cybersixgill , Russia-Ukraine conflict