International Day of Peace: View from a Darknet Analyst’s Perspective

September 21, 2022

This year, International Peace Day comes amidst a global cyberwar that arguably began (but has determinably escalated) with the Russian invasion of Ukraine. When considering the notion of peace, especially during this time of heightened combativeness, we turned to one of our darknet analysts. In return, they offered their first-hand perspective and candid thoughts on the notion of a peaceful cyberspace.

Peace in the Midst of a Cyberwar: Perspectives from a Darknet Analyst

In my opinion, the concept of a ‘peaceful darknet’ is a complete oxymoron. There have been brief moments when I’ve experienced something close to peace on the darknet, such as when I connect with various underground communities and established trust groups. I log in to the community, check the channel nicks to see who else is online, and direct message or send a quick jabber message to the online “friends” I’ve established after years of moving in and out of these communities. There are moments of contentment after a friend shares an update on their dad’s recovery from a recent surgery, and we relate about videos we’ve both watched on YouTube.

But, is it peaceful? Hardly. There’s a cloud of anxiety. At any point in time, the server our community connects to might be hit with a heavy DDoS attack from ‘skids’ or a rival darknet community. You never know when a guest account will connect and immediately flood fill the chat with hateful and explicit messages.

I look at the clock. Around this time most nights, a former member and now banned user connects to the server and there’s immediate drama between them and the chat’s moderators and staff. The user claims he’s got proof that one of the staff is a pedophile. They’re kicked out and the channel/room is locked. Another member posts a funny meme. Another asks for help using Mimikatz. Just another typical night in the darknet.

Before Ukrainian Invasion: Brewings of a Cyberwar

Months before the Russians physically invaded Ukraine, resulting in the formation of the IT Army of Ukraine, and the hacking collective Anonymous launched their infamous cyber campaign #opRussia against Putin and Russia-aligned threat actors, members of the elite GRU were busy covertly carrying out many a pre-invasion operational cyber campaign by probing networks and accessing sensitive Ukrainian networks.

Millions of Ukraine’s citizens’ personal data had already surfaced and were in circulation across the darknet. Russian trolls on darknet forums and Telegram channels taunted the West and Ukraine, with posts about everything from Hunter Biden’s laptop to a weak NATO; some hinted at how quickly Kyiv would collapse after an invasion. Western news media started reporting on troop build-ups along Ukraine’s borders in Belarus and Russia.

Then, the Kremlin announced their recognition of the Luhansk and Donetsk People’s Republic (LPR/DPR). Less than a week later, Putin ordered commencement of his “special military operation.”

After February 24th, 2022, everything changed: both in real life and virtually. Darknet dynamics completely shifted. Cybercriminal groups and ransomware gangs split down the middle – those supporting Ukraine and those supporting the Kremlin. Many Ukrainian-based darknet users, including an online ‘friend’ prominent in the darknet carding community, disappeared after deploying with the military to fight for their country’s freedom. Hundreds of Russian and Ukrainian Telegram channels emerged with videos from the front lines. Social media channels posted videos of cruise missiles hitting centuries-old buildings in Kharkiv. Apartments and residential buildings were completely decimated along with the people and memories in them.

War Launches a Frenzy of Darknet Activity

Every few hours I discover another leak URL that has emerged from a victim in Ukraine or Russia. I annotate the details to a database of Ukraine-Russian cyberwar leaks I started within the first 36 hours of the invasion. I proliferate the IP addresses of new targets issued by the Minister of Digital Transformation of Ukraine and load another Tor URL that has mysteriously disappeared.

A DarkOwl Vision monitor I created for a client – months before the invasion – alerts me that the company’s web domain has been mentioned by Russian threat actors on Telegram. Attacks against US companies and NATO entities start to mix into the now daily exhaustive list of on-going cyber activity. New threat actor groups announce their formation every other day. ATW? nb65?! KILLNET…. I begin to ponder how this cyber chaos can possibly result in any form of success for Ukraine. Members of Anonymous and various ‘collectives’ around the globe invariably clash attacking the same digital targets.

My sleep in those early weeks consisted of brief 2-hour naps only after caffeine was no longer effective and I could barely keep my eyes open. My dreams were haunted by the sound of the sirens I had heard repeatedly in videos coming out of Kyiv on Telegram and the images of decaying soldiers’ bodies on a channel dedicated to helping survivors identify their lost loved ones. I’m millions of miles from the epicenter; yet, I’m still affected by what I’ve virtually witnessed.

Fast Forward Seven Months

The IT Army of Ukraine has grown to a force of nearly half a million hacktivists. The cyberwar leaks database is terabytes in size. The CONTI ransomware gang passes the ransomware baton to LockBit, shifting from ransomware to nation-state operations. A ransomware group seems to surface every week announcing dozens of global commercial victims – many that are small businesses that struggle to survive such an attack.

Zero days and exploits used against Russian government and commercial entities have become increasingly sophisticated with attacks against critical infrastructure becoming the standard. Anonymous’ operational cyber cells are now run with shocking efficiency and effectiveness and the cyber battlefield is either less chaotic or I’ve become more tolerant and accepting of the chaos.

Pro-Russian disinformation networks across social media and the digital underground are operating at full capacity. On the surface, the Ukrainian military has successfully pushed the Russians back over 6,000 square kilometers in eastern Ukraine, liberated dozens of towns and villages with their counteroffensive against Russia, and another Russian oil executive has mysteriously fallen out of a window in Moscow. It’s nearing the end of summer. I visit a local farmer’s market all to overhear a random 60-something-year-old woman at a stall arrogantly declare, “President Putin is simply trying to dismantle the global cabal and de-nazify Ukraine”. I take a deep breath and slowly walk back to my car, suddenly no longer interested in buying any local produce.

I return to my home office to find a request for technical information related to recent cyber-attacks in China and Taiwan in my inbox. I suddenly realize that this is never going to end. China could very well invade the island of Taiwan by the end of the year and trigger yet another round of global cyber initiatives and operational campaigns.

The cyberwar is no longer simply between those who support Ukraine and those who do not. The cyberwar is simply a virtual reflection of the pure lack of peace we have within ourselves as individuals, societies, and nations. Peace in Ukraine will in no way result in peace on the darknet nor stop your neighbor down the street from spewing the propaganda they’ve been fed and now believe in their heart.

I disconnect the wi-fi, shut off my computer, crawl into bed in the middle of a Saturday afternoon, and for the first time in seven months, sleep peacefully.


The above account came from one of our DarkOwl Analysts, who are trained to routinely immerse themselves in the darknet space. Their efforts support our product collections efforts, and also support our clients to understand data and intelligence on the darknet. For more questions about how analysts support our customers, thought leadership, and data collection efforts, contact us.
