XakNet has claimed it is not being directed by the Russian government. In one Telegram post responding to Mandiant’s findings, it said it “fully” supports the Kremlin’s position and acknowledges its activities aren’t legal. It said it does not cooperate with Russia’s FSB security service “at the moment” but is “happy to provide data to those who ask.”
It is possible there are some connections among Russian hacker groups themselves. In multiple instances, Wahlstrom says, they have cross-posted about other groups’ work on their Telegram channels. For instance, when Killnet called for Lithuania to be targeted, it posted a message asking for help from XakNet, Russian ransomware groups, and other pro-Russian hacking groups.
“XakNet and Killnet have given a decent amount of media interviews in the Russian media space, which is a reason to at least consider that there is a potential dual component to some of this activity,” Wahlstrom says. “They are helping to advance Russian interests abroad, either in Ukraine or further afield, but on the flip side they’re being heavily promoted in the Russian media as groups that are displays of these patriotic volunteers that embody support for Russian government decisions.”
Killnet responded to a request for comment by saying it was “no longer friends” with XakNet. “Our enemy is your government bro,” the group says. “But we are not dangerous to ordinary people.”
DDoS attacks have been prominent in Ukraine, too. Officials there created a volunteer IT army, where people from around the world can help launch attacks against Russian targets. The IT army has claimed to take down, at least temporarily, the websites of Russian government departments, food delivery services, and banks—one of Putin’s speeches last month was delayed by an hour after the IT army attacks. Attacks against Russia have also come from hacktivist groups outside of Ukraine, such as Anonymous.
Ultimately, as Russia’s war against Ukraine continues, the activity of pro-Russian cyber groups continues to be in line with Russian aims. “Moscow has kept its relationship with Russia-based hacktivist groups deliberately ambiguous,” says Emily Harding, deputy director of the international security program at the Center for Strategic and International Studies, a US-based think tank. “Moscow’s security services know who these operators are and will use some form of leverage to force them to cooperate when needed.”
Harding says analysts have continuously predicted that Russia would use “deniable tools” and groups to react against countries that support Ukraine. While DDoS attacks may not be sophisticated, they contribute to this effort. And if attacks by so-called hacktivist groups become more advanced, there’s a greater chance they could cause more damage or risk escalation of the conflict. “The risk of miscalculation is real,” Harding says. “No one has yet really tested the limits of cyber operations without causing escalation.”