Ukrainian ethical hackers targeted by Russian malware attacks


Cyber criminals are preying on ethical hackers supporting the IT Army of Ukraine by deceiving them into downloading information-stealing malware.

Opportunistic cyber criminals are posing as genuine representatives of the IT Army of Ukraine and offering supporters tools for launching distributed denial of service (DDoS) attacks; the downloads turn out to be malware, according to researchers at Cisco Talos.

The IT Army of Ukraine is a group that mobilises via the Telegram platform. It was originally assembled at the start of the conflict by a Ukrainian minister to recruit as many supporters as possible to fight Russia in cyber space.

The group currently has more than 300,000 members and posts daily ‘hit lists’: sets of target .ru URLs for tech-savvy supporters of Ukraine to knock offline. Recent targets include Russian electronic signature services and importers of technology for the Russian military.

Criminals are targeting these ethical hackers using Telegram channels that are seemingly related to the real IT Army of Ukraine group, but are not genuine.

[Screenshot: deceptive malware message in a Telegram group (Image credit: Cisco Talos)]

Cisco Talos researchers saw adverts for counterfeit versions of genuine DDoS tools, such as the real Disbalancer Liberator tool. Downloading and running the counterfeit infects the user's system with information-stealing malware that harvests credentials and cryptocurrency information.

The information stealer harvests saved data from browsers such as Chrome and Firefox, scans other locations on the file system for information of interest, and then sends what it has collected to a Russian IP address.
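The behaviour described above, reading browser credential stores and then reaching out to a remote IP, is the kind of sequence an endpoint detection can correlate. The following is an added example, not code from the article or from Cisco Talos: it runs a two-stage rule over constructed endpoint telemetry (event format, field names, process names and sample IPs are all assumptions made for the example; only the browser file names are real) and exempts the browsers themselves, which legitimately read their own stores.

```python
"""Correlate credential-store reads with outbound connections (added example).

Event schema, sample telemetry, process images and IP addresses are constructed
for this example. Real facts used: Chrome keeps saved passwords in a SQLite file
named "Login Data" under its profile directory; Firefox keeps them in
logins.json together with key4.db.
"""
import ipaddress

# File names that hold saved logins or cookies (compared case-insensitively).
CREDENTIAL_STORES = {"login data", "logins.json", "key4.db", "cookies", "cookies.sqlite"}

# Browsers read their own stores all the time; exempt them to avoid false positives.
BROWSER_IMAGES = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Ranges treated as internal; anything else counts as an external destination.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def basename(path):
    """Last path component, lower-cased, accepting both \\ and / separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_credential_store(path):
    return basename(path) in CREDENTIAL_STORES


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(events, allowlist=()):
    """Return one alert per (pid, destination) where a non-browser process read
    a credential store and afterwards connected to an external IP that is not
    on the allowlist. Order matters: the read must precede the connection."""
    touched = {}   # pid -> first credential store path that process read
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid, image = ev["pid"], basename(ev["image"])
        if image in BROWSER_IMAGES:
            continue
        if ev["type"] == "file_read" and is_credential_store(ev["path"]):
            touched.setdefault(pid, ev["path"])
        elif ev["type"] == "net_connect" and pid in touched:
            dst = ev["dst_ip"]
            if is_external(dst) and dst not in allowlist:
                alerts.append({"pid": pid, "image": ev["image"], "store": touched[pid],
                               "dst_ip": dst, "dst_port": ev["dst_port"]})
    return alerts


# Constructed telemetry: a fake "liberator.exe", the real browser, and a backup agent.
FAKE_TOOL = r"C:\Users\u\Downloads\liberator.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
AGENT = r"C:\Program Files\Backup\agent.exe"
CHROME_STORE = r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"
FIREFOX_STORE = r"C:\Users\u\AppData\Roaming\Mozilla\Firefox\Profiles\abcd.default\logins.json"

SAMPLE_EVENTS = [
    {"ts": 1, "pid": 4242, "image": FAKE_TOOL, "type": "file_read", "path": CHROME_STORE},
    {"ts": 2, "pid": 4242, "image": FAKE_TOOL, "type": "file_read", "path": FIREFOX_STORE},
    {"ts": 3, "pid": 4242, "image": FAKE_TOOL, "type": "net_connect", "dst_ip": "203.0.113.45", "dst_port": 443},
    # The browser reading its own store and going online is normal: exempt.
    {"ts": 4, "pid": 1000, "image": CHROME, "type": "file_read", "path": CHROME_STORE},
    {"ts": 5, "pid": 1000, "image": CHROME, "type": "net_connect", "dst_ip": "203.0.113.9", "dst_port": 443},
    # A backup agent reads the store but only talks to an internal server: no alert.
    {"ts": 6, "pid": 2000, "image": AGENT, "type": "file_read", "path": FIREFOX_STORE},
    {"ts": 7, "pid": 2000, "image": AGENT, "type": "net_connect", "dst_ip": "10.0.0.5", "dst_port": 8443},
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Against the constructed telemetry only the fake tool is flagged: it reads both browsers' stores and then connects to 203.0.113.45. The browser exemption and the internal-range check are the two caveats that keep this rule usable; a real deployment would also want the destination enriched with geolocation or threat-intelligence data rather than relying on "external" alone.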

“This is an example of one of the many ways opportunistic cybercriminals are attempting to take advantage of the Russian invasion by exploiting sympathisers on both sides of the conflict,” the researchers said.

“Such activity could take the form of themed email lures on news topics or donation solicitations, malicious links purporting to host relief funds or refugee support sites, malware masquerading as security defensive or offensive tools, and more. Users must carefully inspect suspicious emails before opening them and validate software or other files before downloading them.”

Cisco Talos said evidence suggests the threat actors behind the campaign have been distributing infostealers since “at least November 2021”, and have now pivoted to targeting hacktivists siding with Ukraine.

It also said it expects the information-stealing activity to continue and diversify as the global interest in the conflict creates a potentially massive pool of targets for threat actors to prey on.

Connor Jones
