Mandiant assesses that at least three self-styled hacktivist groups aligned with Russian interests are coordinating with state-sponsored cyber operators. The Google-owned firm reports with moderate confidence that the moderators behind the Telegram channels ‘XakNet Team,’ ‘Infoccentr,’ and ‘CyberArmyofRussia_Reborn’ are likely coordinating their activity with threat actors linked to Russia’s Main Intelligence Directorate (GRU).
The central evidence is timing: data stolen from Ukrainian organizations appeared on these channels within hours of destructive wiper attacks attributed to APT28, the GRU-linked group also tracked as Fancy Bear, Sofacy, or Strontium. Mandiant tracked the wiper incidents and the subsequent leak posts attributed to the hacktivist channels and compared the two timelines.
Mandiant found that four of 16 data leaks from these groups coincided with disk-wiping attacks carried out by APT28 using a variant of CaddyWiper. Temporal overlap on its own is circumstantial, which is why the assessment is held at moderate rather than high confidence, but the pattern raises the concern that these groups serve as fronts for information operations and destructive cyber activity against Ukraine rather than as independent volunteers.
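The analysis behind the "four of 16" figure, matching leak posts to wiper attacks on the same victim within a short window, is something an analyst can reproduce against their own timeline data. The following Python script is an added example, not code from Mandiant or from the article; the victim identifiers, wiper events, leak posts and the 24-hour matching window are all constructed assumptions for illustration and are not real incident data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example: temporal correlation of hacktivist leak posts with wiper
# attacks. Every event below is CONSTRUCTED for illustration; none of it is
# real incident data from Mandiant's reporting.


@dataclass(frozen=True)
class WiperEvent:
    victim: str        # organisation identifier (hypothetical)
    when: datetime     # time the wiper detonated (UTC, constructed)
    malware: str       # wiper family name


@dataclass(frozen=True)
class LeakPost:
    channel: str       # Telegram channel that posted the leak
    victim: str        # organisation whose data was leaked (hypothetical)
    when: datetime     # time of the leak post (UTC, constructed)


SAMPLE_WIPERS = [
    WiperEvent("org-a", datetime(2022, 3, 14, 9, 0), "CaddyWiper"),
    WiperEvent("org-b", datetime(2022, 4, 20, 22, 30), "CaddyWiper"),
    WiperEvent("org-c", datetime(2022, 5, 2, 3, 15), "CaddyWiper"),
]

SAMPLE_LEAKS = [
    LeakPost("XakNet Team", "org-a", datetime(2022, 3, 14, 14, 0)),              # 5h after wipe
    LeakPost("CyberArmyofRussia_Reborn", "org-b", datetime(2022, 4, 21, 10, 0)),  # 11.5h after wipe
    LeakPost("XakNet Team", "org-c", datetime(2022, 5, 1, 20, 0)),               # posted before the wipe
    LeakPost("Infoccentr", "org-d", datetime(2022, 5, 10, 12, 0)),               # no known wiper event
    LeakPost("XakNet Team", "org-a", datetime(2022, 3, 18, 8, 0)),               # ~95h after, too late
    LeakPost("XakNet Team", "org-c", datetime(2022, 5, 3, 4, 0)),                # 24h45m after wipe
]


def correlate_leaks(leaks, wipers, window_hours=24):
    """Map each leak to the nearest preceding wiper event on the same victim
    that falls within the window. Leaks posted before the wipe, leaks on
    victims with no wiper event, and leaks outside the window are unmatched."""
    window = timedelta(hours=window_hours)
    matches = {}
    for leak in leaks:
        best = None
        for wiper in wipers:
            if wiper.victim != leak.victim:
                continue
            lag = leak.when - wiper.when
            if timedelta(0) <= lag <= window and (best is None or lag < best[1]):
                best = (wiper, lag)
        if best is not None:
            matches[leak] = best
    return matches


def summarize(leaks, wipers, window_hours=24):
    """Headline numbers an analyst would report: how many leaks coincided
    with a wipe, the split per channel, and the observed lags in hours."""
    matches = correlate_leaks(leaks, wipers, window_hours)
    by_channel = {}
    for leak in matches:
        by_channel[leak.channel] = by_channel.get(leak.channel, 0) + 1
    lags = sorted(lag.total_seconds() / 3600 for _, lag in matches.values())
    return {
        "total_leaks": len(leaks),
        "coincident": len(matches),
        "by_channel": by_channel,
        "lags_hours": lags,
    }


def run_sample(window_hours=24):
    """Run the correlation over the constructed sample with a given window."""
    return summarize(SAMPLE_LEAKS, SAMPLE_WIPERS, window_hours)


if __name__ == "__main__":
    for hours in (24, 48):
        print(f"window={hours}h", run_sample(hours))
```

The window is the sensitive parameter: with the constructed data, a 24-hour window matches two of six leaks and a 48-hour window matches three, so any published ratio should state the window used. A timing match is a triage signal, not attribution; Mandiant paired it with technical artifacts in the leaked data, and an analyst should do the same before drawing conclusions about coordination.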
Active since at least 2009, APT28 is widely attributed to Russia’s GRU and gained notoriety in 2016 for its intrusions into the Democratic National Committee (DNC) during the U.S. presidential election. Its long-running, well-resourced campaigns are the reason it is classed as an advanced persistent threat, and they continue to challenge defenders around the world.
Publicly, these hacktivist groups have mostly carried out distributed denial-of-service (DDoS) attacks and website defacements against Ukrainian targets. Mandiant’s assessment is that this public face conceals a role in advancing Russian strategic objectives through information operations and destructive cyber activity.
The precise nature of the relationship between these groups and the Russian state remains unclear. Mandiant suggests two possibilities: GRU operatives may be directly involved, or they may exert influence through the moderators of the Telegram channels. Either reading is consistent with the leaks from XakNet, which contained unique technical artifacts tied to APT28’s compromises of Ukrainian networks, material the channel could not plausibly have obtained on its own.
Mandiant has also observed links among the groups themselves, in particular between XakNet and Infoccentr, and with the pro-Russian group KillNet, pointing to a broader ecosystem rather than isolated actors. The conflict in Ukraine has exposed how Russian state-sponsored cyber operations are coordinated across intrusion, destruction, and leak channels on platforms such as Telegram.