XakNet “hacktivists” linked to APT28 and Russia’s GRU intelligence service

Updated on 2022-12-22

Cyberscoop reported last week that CISA researchers found the Russian APT28 cyber-espionage group lurking in the network of a US satellite network. Read more: CISA researchers: Russia’s Fancy Bear infiltrated US satellite network

Updated on 2022-09-26: Fancy Bear

A Cluster25 report published last Friday deals with recent operations carried out by the Fancy Bear (APT28) Russian cyber-espionage group. Read more: In the footsteps of the Fancy Bear: PowerPoint mouse-over event abused to deliver Graphite implants

Overview

In a report published on Friday, security firm Mandiant said it linked three pro-Russian hacktivist groups to intrusions performed by APT28, the codename of a cyber-espionage group operated by the Russian Main Intelligence Directorate (GRU).

This includes self-proclaimed hacktivist groups such as the XakNet Team, Infoccentr, and CyberArmyofRussia_Reborn—known to the world through their eponymous Telegram channels, where they announce future operations and leak data from their victims.

This assessment is based primarily on Mandiant’s direct observations of the deployment of wipers used by APT28 on the networks of multiple Ukrainian organizations and the subsequent leaks of data by threat actors claiming to be hacktivists likely originating from those entities on Telegram within 24 hours. We identified at least 16 data leaks from these groups, four of which coincided with wiping attacks by APT28.

Mandiant researchers also add:

In one XakNet data leak, Mandiant discovered a unique technical artifact from an APT28 intrusion. This indicates APT28 had access to the same parts of the network the leak was sourced from.

In addition, Mandiant also believes that XakNet has coordinated with another faux hacktivist group named KillNet, but has not formally linked the latter to the GRU just yet. The company has also not ruled out that either GRU or other Russian intelligence services might be behind other pro-Russian newly formed hacktivist groups, such as FromRussiaWithLove (FRWL), DeadNet, Beregini, JokerDNR (alternate spelling: JokerDPR), and RedHackersAlliance.

But Mandiant’s findings are not surprising in the slightest for anyone familiar with APT28’s history and its propensity toward using “hacktivist” personas. GRU’s cyber division has also previously posed as Anonymous Poland in a campaign to influence the country’s politics through leaks, hacked WADA under the guise of a hacktivist group cheekily named FancyBear (a codename used for Russia’s FSB hackers), invented the Guccifer 2.0 persona [PDF] to leak data from the DNC hack, and the CyberBerkut persona to leak data on Ukrainian politicians in the late 2010s.

We’ve further linked hacktivist leaks and GRU intrusions. I am concerned that they have established deniable personas they will use for mischief (like elections) and I’m concerned we are not taking hacktivists seriously when some are serious players.

As for a response from the hacktivist groups after Mandiant’s report, only XakNet has addressed the topic, promising a reply in the coming days. Knowing how we know XakNet, it will probably be something lame and stupid.

Read more in

• GRU: Rise of the (Telegram) MinIOns
• IVAN SERGEYEVICH YERMAKOV
• U.S. Charges Russian GRU Officers with International Hacking and Related Influence and Disinformation Operations
• EXCLUSIVE: ‘Lone DNC Hacker’ Guccifer 2.0 Slipped Up and Revealed He Was a Russian Intelligence Officer
• CyberBerkut
• [PDF] APT28: AT THE CENTER OF THE STORM