Cybersecurity firm Mandiant has linked three pro-Russian hacktivist collectives to the intrusions conducted by APT28, an advanced persistent threat group believed to be affiliated with the Russian Main Intelligence Directorate (GRU).
The three hacktivist groups are the XakNet Team, Infoccentr, and CyberArmyofRussia_Reborn — known through their eponymous Telegram channels, where they announce future operations and leak data from their victims.
Mandiant says this assessment is based on its observations of APT28 deploying wipers on the networks of multiple Ukrainian organizations, followed within 24 hours by threat actors claiming to be hacktivists leaking data on Telegram that likely originated from those organizations. The company said it identified at least 16 data leaks from these groups, four of which coincided with wiping attacks by APT28.
In one XakNet data leak, the researchers found a unique technical artifact from an APT28 intrusion, indicating that APT28 had access to the same parts of the network the leak was sourced from. Based on this finding, Mandiant believes that the moderators of XakNet Team either are GRU intelligence officers or work directly with the GRU APT28 operators conducting on-net operations.
“Although we assess with moderate confidence that moderators respectively behind XakNet Team, Infoccentr, and CyberArmyofRussia_Reborn are at least coordinating with the GRU, we currently reserve judgement as to the composition of these groups and their exact degree of affiliation with the GRU. However, at a minimum, this coordination is consistent with frequent GRU tactics,” Mandiant notes.
“While we assess with moderate confidence that APT28 at least coordinates with the moderators of at least the three channels we identified in this report, potentially sharing or driving operations, it is also possible that the GRU or other Russian Intelligence Services are also coordinating with other self-professed hacktivist groups to target entities both within and surrounding Ukraine.”
The researchers also believe that XakNet may be connected to another pro-Russia hacktivist group known as KillNet, but they have not formally attributed the latter to the GRU.
“Russia’s February 2022 invasion of Ukraine created unprecedented circumstances for cyber threat activity. This likely is the first instance in which a major cyber power potentially has conducted disruptive attacks, espionage, and information operations concurrently with widespread, kinetic military operations in a conventional war. We have never previously observed such a volume of cyberattacks, variety of threat actors, and coordination of effort within the same several months. We assess with high confidence that Russian cyber espionage and attack operations, while already a serious threat to Ukrainian organizations, pose an elevated risk to Ukraine as long as Russia continues its invasion,” the company concluded.