The Russian invasion of Ukraine has split the hacking community, sending some of the most recognizable and powerful groups scrambling to pick a side and declare their allegiance.
In a tweet, hacking group Anonymous declared "a cyber war against the Russian government" and has claimed to be responsible for attacks that brought down Russia Today, a state-backed news outlet, and several government websites. It also said it hacked other Russian state-TV channels.
Conti, a ransomware group with possible ties to Russian intelligence that attacked more than 290 American targets last year, declared its "full support of Russian government" and said it would use "all possible resources to strike back" at any adversaries. Cyber threat intelligence company Orpheus Cyber reported that another group united with Russia obtained stolen data from more than 45 Ukrainian government websites, with some of it up for sale.
These hacking groups' motives for picking a side range widely. Members of Anonymous have stated that their guiding principle is "anti-oppression." Russian-aligned attacks may be state-sponsored. They can also come from groups who feel pressured by the Kremlin to operate on its behalf.
"It's not entirely clear what the connection is between the ransomware gangs and the Russian government," Brett Callow, threat analyst at Emsisoft, said. "At best, they are working within a permissive environment. At worst, they are working for certain wings of the Russian government."
"Some of the actions of Russia's government just prior to the war — shutting down the REvil gang or arresting them and shutting down a number of dark web forums and shops — these cybercriminals are afraid that if they don't support the regime, they're going to be next," Alex Holden, founder of Hold Security, said.
However, hacking groups may turn themselves into targets by moving away from their usual financial motives for attacks. After Conti declared support for Russia, an apparent insider who objected to the group's support for Russia leaked a trove of internal chat messages and other files that Holden says "mortally wounded" the gang.
"When we see things like this, we are learning how in 2021, 2022, cyber criminal enterprises operate, so we have [the] ability to detect and deter organizations like this in the future," Holden said.
Moving forward, experts told Newsy that any further cyber escalation could spell trouble for those outside the conflict zone, including Americans. Groups like Conti could come back to hit the U.S. as well.
"They are a highly effective ransomware group, albeit one that has terrible operational security," Callow said. "They likely do still have access to certain U.S. networks that they have yet to encrypt, and they could potentially do that any time."