Pro-Ukraine hackers have compromised a large number of Russian cloud databases, deleting data, renaming files and potentially exfiltrating information for future attacks, researchers have confirmed.
Jeremiah Fowler and a team at Website Planet decided to look at the campaign to “hack back” at Russian entities following the invasion of Ukraine.
The Anonymous hacking collective announced on February 24 that it was “officially in cyber war” against the Russian government, while the Ukrainian vice prime minister, Mykhailo Fedorov, is organizing a volunteer “IT army” of hackers via Telegram to hit Russian targets.
Fowler found that their efforts are starting to bear fruit. Out of a random sample of 100 misconfigured Russian cloud databases discovered via IoT search engines and other legitimate techniques, 92 had been compromised.
In the majority of these cases, attackers completely wiped the dataset with a script similar to the infamous MeowBot. Files were also renamed with pro-Ukrainian messages such as “putin stop this war,” “no war,” and “HackedByUkraine,” he said.
One of the compromised databases belonged to the post-Soviet Commonwealth of Independent States (CIS).
“Hundreds of folders in the database had been renamed to ‘putin_stop_this_war.’ In addition to the hack, it appears that the database exposed very weak administrative credentials and numerous emails. This would also make employees easy targets for social engineering to gain access deeper into the organization or social engineering,” Fowler explained.
“We do not know if data was downloaded or what the hackers plan to do with this information, but most chances these exposed individuals face real risks of further cyber actions.”
Hacktivists could theoretically use personal information exposed in such attacks to target individuals with spear-phishing and/or destructive malware.
Other notable finds were a dataset managed by Russian internet provider “Green Dot” and a trove containing “a very large number” of secret keys referencing Russian email giant mail.ru as the host server.
Although precise attribution is challenging, “we can only assume they are affiliated with or supporters of Anonymous based on the timeline of when the Russian databases were targeted,” Fowler said of the hackers responsible.
The news comes as the Russian government yesterday revealed hackers had caused temporary outages of multiple agency websites by targeting an externally loaded widget used to collect visitor statistics.