Ukraine war: IT army of hacktivists against Russian state hackers

The security researchers at Check Point draw these figures from their ThreatCloud, which pools the data they collect from all over the world. Russia has seen 4 percent more attacks. Phishing emails in East Slavic languages increased sevenfold, with a third targeting Russia.

The security researchers from Check Point Research (CPR), the specialist department of Check Point Software Technologies, took a close look at the development of cyber attacks after the start of the Ukraine war. The numbers speak for themselves: cyber attacks against Ukraine’s military and authorities increased by 196 percent in the first three days of fighting compared to early February 2022; globally and in Russia, attacks on these sectors did not increase.

In contrast, attacks against Russian companies increased by 4 percent in one week, and in Ukraine by only 0.2 percent; all other regions of the world are seeing declines in cyber attacks against companies – Europe down 8 percent, the United States down 12 percent.

Figure 1: Overview of the increase in cyber attacks against companies.

Phishing emails in East Slavic languages increased sevenfold, with a third of them targeting Russian citizens and sent from Ukrainian email addresses, either genuine or spoofed. Fraudulent e-mails in these languages now account for almost 12 percent of all fraudulent e-mails worldwide. In addition, fraudulent e-mails are being sent that call on citizens of other countries to donate to Ukraine, but the money would end up with criminals.

Figure 2: Increase in phishing emails in East Slavic languages and their share in all fraudulent emails worldwide.

It should be added that the Ukrainian government has used the messaging service Telegram to create an international IT army of so-called hacktivists (hacker activists), which has over 175,000 members. This group is even looking for members in underground dark web forums, with text likely written on the orders of a senior official in Ukraine’s Defense Ministry.

The Anonymous Collective has become part of this Ukrainian IT army and has declared cyber war on Russia, with some success already. The websites of Russian authorities, such as those of the Kremlin, were paralyzed. In addition, this hacking group released 200 gigabytes of data from the Belarusian arms manufacturer Tetraedr and some databases from the Russian Defense Ministry. Some influential figures also support Ukraine, such as Elon Musk, who wants to keep Ukraine online through his company Starlink, as does Disbalancer, a DDoS stress testing company that is raising funds to buy servers for a DDoS attack on Russia.

This IT army has issued, to anyone interested, a list of Russian targets to be attacked in every possible way.

Figure 3: Well-known companies such as Sberbank and Gazprom are on the attack list of the Ukrainian IT army, as are authorities such as the Russian Ministry of Defense.

On the other side, some notorious hacking groups, such as the Conti ransomware group, have announced that they will retaliate in the event of a cyber attack against Russia. CoomingProject is also on the Russian side and repeatedly published stolen data sets from Western companies in 2021.

In between, the aforementioned phishing scammers are lurking, sending out false appeals for donations, because the Ukrainian government officially called for cryptocurrency donations and has already received $1.5 million.

Lotem Finkelstein, Head of Threat Intelligence at Check Point Software Technologies, reports: “It is important to understand that this war also has a cyber dimension, and that people are also aligning themselves on the web, from the dark web to social media. We are therefore also publishing an article on how the Ukraine war is polarizing the virtual world. Hacktivists (hacker activists), cyber criminals, white hat hackers, and even tech companies choose sides and are encouraged to act on behalf of their choice. However, we warn people who want to donate to Ukraine against fraudulent e-mails that want to make false capital from their willingness to donate. Therefore, always check the e-mail address of the sender and look out for spelling mistakes in the texts. Also check if the sender of the email is authentic. Meanwhile, we will continue to monitor all areas of cyber activity surrounding the ongoing war.”

Check Point experts share some tips on how people can protect themselves against phishing emails:

1. Identify fake domains

One of the most common techniques used in phishing emails is a well-faked sender address. Similar-looking URLs are designed to look like a legitimate or trusted domain at first glance. For example, a phishing email may use a look-alike address such as boss@compаny.com in place of the genuine one. Phishers can also use completely fake but plausible-sounding domains in their attacks.
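One way to automate the look-alike check from tip 1, added here as an illustration and not taken from Check Point: it flags sender domains whose labels mix Unicode scripts, or that collapse onto a trusted domain once a few Cyrillic homoglyphs are mapped to Latin, including when the domain arrives in punycode form. The function names, the short homoglyph table, the allow-list and the sample addresses are assumptions constructed for this example.

```python
import unicodedata

# A few Cyrillic letters that render like Latin ones (small illustrative table).
HOMOGLYPHS = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o",
                            "\u0440": "p", "\u0441": "c", "\u0445": "x"})

def scripts_in(label):
    """Scripts of the letters in one domain label, e.g. {'LATIN', 'CYRILLIC'}."""
    # Unicode character names begin with the script: "CYRILLIC SMALL LETTER A".
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def decode_label(label):
    """Turn an 'xn--' (punycode) label back into the characters a user would see."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return label

def check_sender(address, trusted_domains):
    """Classify a sender address as 'trusted', 'lookalike' or 'unknown'."""
    domain = address.rpartition("@")[2].lower()
    labels = [decode_label(part) for part in domain.split(".")]
    shown = ".".join(labels)
    if shown in trusted_domains:
        return "trusted"
    mixed = any(len(scripts_in(label)) > 1 for label in labels)
    # Map homoglyphs to Latin and see whether the result imitates a trusted domain.
    if mixed or shown.translate(HOMOGLYPHS) in trusted_domains:
        return "lookalike"
    return "unknown"

if __name__ == "__main__":
    trusted = {"company.example"}               # constructed allow-list
    for sender in ("boss@company.example",
                   "boss@comp\u0430ny.example",  # Cyrillic "a", constructed
                   "info@other.example"):
        print(ascii(sender), check_sender(sender, trusted))
```

An "unknown" result only means the domain is neither trusted nor an obvious imitation; plausible-sounding but entirely fake domains still need an allow-list or reputation check.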

2. Beware of unusual attachments

A common goal of phishing emails is to trick the recipient into downloading the attached malware and running it on their computer. For this to work, the email must contain a file capable of executing code. Phishing emails can therefore contain unusual or suspicious attachments. For example, a rogue invoice can be a ZIP archive file, or an attached Microsoft Office document can request macros to be enabled in order to display the content. If this is the case, it is likely that the email and its attachments are infected.
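The two warning signs named in tip 2, a ZIP archive posing as a document and an Office file that carries macros, can be checked before anyone opens the attachment. The sketch below is an added example, not Check Point's tooling; the function names, the extension list and the sample message are constructed, and it only covers ZIP-based (OOXML) Office files, where macros are stored in a member named `vbaProject.bin`.

```python
import io
import zipfile
from email.message import EmailMessage

# File types that run code when opened (illustrative list, not exhaustive).
RUNNABLE = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".lnk", ".hta")

def inspect_container(data):
    """Reasons a ZIP-based file (archive or OOXML Office document) deserves caution."""
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            lower = member.lower()
            if lower.endswith("vbaproject.bin"):
                reasons.append("Office document carries VBA macros")
            elif lower.endswith(RUNNABLE):
                reasons.append("archive holds runnable file " + member)
    return reasons

def suspicious_attachments(msg):
    """Map attachment filename -> list of reasons; clean attachments are omitted."""
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = []
        if name.lower().endswith(RUNNABLE):
            reasons.append("runnable file type")
        if name.lower().endswith(".zip"):
            reasons.append("ZIP archive sent as a document")
        if zipfile.is_zipfile(io.BytesIO(data)):
            reasons += inspect_container(data)
        if reasons:
            findings[name] = reasons
    return findings

def build_sample():
    """Constructed message: a macro-bearing Office file plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"placeholder, not real macro code")
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="invoice.docm")
    msg.add_attachment("hello", filename="notes.txt")
    return msg
```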

3. Incorrect grammar or tone

Phishing emails are often not written by people who are fluent in the language in question. This means that these emails may contain grammatical errors or sound wrong in their choice of words. Genuine emails from a reputable company are unlikely to have these errors, so they are a red flag for a phishing attack. In addition, the text of a phishing e-mail often aims to persuade the recipient to do something that is not in their interest, such as passing on confidential data or installing malware, through supposedly genuine approaches. To achieve this, hackers often use psychological tricks in their campaigns, such as the following:

    • The sense of urgency: Phishing emails often suggest to recipients that something needs to be done immediately. That’s because someone who’s in a hurry is less likely to think about whether the email looks suspicious or is legitimate.
    • Use of authority: Business Email Compromise (BEC) scams and other spear phishing emails often pretend to come from the CEO, a department head, or another high-level authorized person. These impersonations take advantage of the fact that the recipient is prone to obey orders from leaders, whoever they may be.

4. Beware of suspicious requests

Hackers use phishing emails to steal money, login credentials, or other sensitive information. If an email makes a request or demand that seems unusual or suspicious, that could be an indication of a phishing attack.