When Russia began its invasion of Ukraine on February 24 and the conflict quickly spilled beyond the countries’ physical borders into cyberspace, fears grew that a surge of cybercrime underground actors and volunteer hackers from around the globe, battling on the digital frontline with Moscow, could provoke more serious attacks by nation-state hackers and set a dangerous precedent for cyber norms.
However, this might not be the case, a study conducted by researchers from the universities of Cambridge, Strathclyde and Edinburgh indicates. The conclusion is based on an analysis of hundreds of thousands of web defacement attacks, DDoS attacks and announcements in Telegram channels, as well as interviews with the hacktivists participating in the attacks.
“Our findings indicate that the conflict briefly but significantly caught the attention of the low-level cybercrime community, with notable shifts in the geographical distribution of both defacement and DDoS attacks. However, the role of these players in so-called cyberwarfare is minor, and they do not resemble the 'hacktivists' imagined in popular criminological accounts,” the report reads. “Initial waves of interest led to more defacers participating in attack campaigns, but rather than targeting critical infrastructure, there were mass attacks against random websites within '.ru' and '.ua'. We can find no evidence of high-profile actions of the kind hypothesised by the prevalent narrative.”
The analysis indicates that most of the defacement attacks took place immediately after the invasion, but the rise in activity was short-lived, lasting only around two weeks. While DDoS activity lasted longer (likely due to the widespread availability of cheap DoS-for-hire services), it was still fairly short-lived.
The researchers said they have found “very little measurable evidence to suggest that the cybercrime underground is making any real ‘hard’ contribution to a conflict, even in a major war between two of the countries in which this underground is well developed.”
“The activities […] are by and large trivial. The so-called ‘defacements’ are the rough equivalent of breaking into a disused shopping centre on the outskirts of a mid-sized Russian city and spraypainting “Putin Sux” on the walls. The DDoS campaigns by the cybercrime underground contributed around as much to the war as going to your local supermarket and hiding the vodka under the frozen peas. These are trivial acts of solidarity, teenage competition, and expressive delinquency, not a contribution to the armed conflict in any real sense,” the report concludes.