Skip to Content

XakNet “hacktivists” linked to APT28 and Russia’s GRU intelligence service

Updated on 2022-12-22

Cyberscoop reported last week that CISA researchers found the Russian APT28 cyber-espionage group lurking in the network of a US satellite network. Read more: CISA researchers: Russia’s Fancy Bear infiltrated US satellite network

Updated on 2022-09-26: Fancy Bear

A Cluster25 report published last Friday deals with recent operations carried out by the Fancy Bear (APT28) Russian cyber-espionage group. Read more: In the footsteps of the Fancy Bear: PowerPoint mouse-over event abused to deliver Graphite implants


In a report published on Friday, security firm Mandiant said it linked three pro-Russian hacktivist groups to intrusions performed by APT28, the codename of a cyber-espionage group operated by the Russian Main Intelligence Directorate (GRU).

This includes self-proclaimed hacktivist groups such as the XakNet Team, Infoccentr, and CyberArmyofRussia_Reborn—known to the world through their eponymous Telegram channels, where they announce future operations and leak data from their victims.

This assessment is based primarily on Mandiant’s direct observations of the deployment of wipers used by APT28 on the networks of multiple Ukrainian organizations and the subsequent leaks of data by threat actors claiming to be hacktivists likely originating from those entities on Telegram within 24 hours. We identified at least 16 data leaks from these groups, four of which coincided with wiping attacks by APT28.

Mandiant researchers also add:

In one XakNet data leak, Mandiant discovered a unique technical artifact from an APT28 intrusion. This indicates APT28 had access to the same parts of the network the leak was sourced from.

Suspected False Hacktivist Fronts - Leaked Data Likely Stolen From APT28 Wiper Victims.

In addition, Mandiant also believes that XakNet has coordinated with another faux hacktivist group named KillNet, but has not formally linked the latter to the GRU just yet. The company has also not ruled out that either GRU or other Russian intelligence services might be behind other pro-Russian newly formed hacktivist groups, such as FromRussiaWithLove (FRWL), DeadNet, Beregini, JokerDNR (alternate spelling: JokerDPR), and RedHackersAlliance.

But Mandiant’s findings are not surprising in the slightest for anyone familiar with APT28’s history and its propensity toward using “hacktivist” personas. GRU’s cyber division has also previously posed as Anonymous Poland in a campaign to influence the country’s politics through leaks, hacked WADA under the guise of a hacktivist group cheekily named FancyBear (a codename used for Russia’s FSB hackers), invented the Guccifer 2.0 persona [PDF] to leak data from the DNC hack, and the CyberBerkut persona to leak data on Ukrainian politicians in the late 2010s.

We’ve further linked hacktivist leaks and GRU intrusions. I am concerned that they have established deniable personas they will use for mischief (like elections) and I’m concerned we are not taking hacktivists seriously when some are serious players.

As for a response from the hacktivist groups after Mandiant’s report, only XakNet has addressed the topic, promising a reply in the coming days. Knowing how we know XakNet, it will probably be something lame and stupid.


Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two chilrdren. You can reach him at [email protected] or follow him on Website | Twitter | Facebook

    Ads Blocker Image Powered by Code Help Pro

    Your Support Matters...

    We run an independent site that is committed to delivering valuable content, but it comes with its challenges. Many of our readers use ad blockers, causing our advertising revenue to decline. Unlike some websites, we have not implemented paywalls to restrict access. Your support can make a significant difference. If you find this website useful and choose to support us, it would greatly secure our future. We appreciate your help. If you are currently using an ad blocker, please consider disabling it for our site. Thank you for your understanding and support.