- More than three weeks ago, a popular Twitter account named "Anonymous" declared that the shadowy activist group was waging a "cyber war" against Russia.
- Since then, the account has claimed responsibility for disabling prominent Russian government, news and corporate websites and leaking data from entities such as Roskomnadzor, the federal agency responsible for censoring Russian media.
More than three weeks ago, a popular Twitter account named "Anonymous" declared that the shadowy activist group was waging a "cyber war" against Russia.
Since then, the account — which has more than 7.9 million followers, with some 500,000 gained since Russia's invasion of Ukraine — has claimed responsibility for disabling prominent Russian government, news and corporate websites and leaking data from entities such as Roskomnadzor, the federal agency responsible for censoring Russian media.
But is any of that true?
It appears it is, says Jeremiah Fowler, a co-founder of the cybersecurity company Security Discovery, who worked with researchers at the web company Website Planet to attempt to verify the group's claims.
"Anonymous has proven to be a very capable group that has penetrated some high value targets, records and databases in the Russian Federation," he wrote in a report summarizing the findings.
Of 100 Russian databases that were analyzed, 92 had been compromised, said Fowler.
They belonged to retailers, Russian internet providers and intergovernmental websites, including the Commonwealth of Independent States, or CIS, an organization made up of Russia and other former Soviet nations that was created in 1991 following the fall of the Soviet Union.
Many CIS files were erased, hundreds of folders were renamed to "putin_stop_this_war" and email addresses and administrative credentials were exposed, said Fowler, who likened it to 2020's malicious "MeowBot" attacks, which "had no purpose except for a malicious script that wiped out data and renamed all the files."
Another hacked database contained more than 270,000 names and email addresses.
"We know for a fact that hackers found and probably accessed these systems," said Fowler. "We do not know if data was downloaded or what the hackers plan to do with this information."
Other databases contained security information, internal passwords and a "very large number" of secret keys, which unlock encrypted data, said Fowler.
As to whether this was the work of Anonymous, Fowler said he followed Anonymous' claims "and the timeline matches perfect," he said.
Hacked TV broadcasts and websites
The Twitter account, named @YourAnonNews, has also claimed to have hacked into Russian state TV stations.
"I would mark that as true if I were a factchecker," said Fowler. "My partner at Security Discovery, Bob Diachenko, actually captured a state news live feed from a website and filmed the screen, so we were able to validate that they had hacked at least one live feed [with] a pro-Ukrainian message in Russian."
The account has also claimed to have disrupted websites of major Russian organizations and media agencies, such as the energy company Gazprom and state-sponsored news agency RT.
"Many of these agencies have admitted that they were attacked," said Fowler.
He called denial of service attacks — which aim to disable websites by flooding them with traffic — "super easy." Those websites, and many others, have been shuttered at various points in recent weeks, but they are also reportedly being targeted by other groups as well, including some 310,000 digital volunteers who have signed up for the "IT Army of Ukraine" Telegram account.
False claims by other groups
Fowler said he didn't find any instances where Anonymous had overstated its claims.
But that is happening with other hacktivist groups, said Lotem Finkelstein, head of threat intelligence and research at the cybersecurity company Check Point Software Technologies.
In recent weeks, a pro-Ukrainian group claimed it breached a Russian nuclear reactor, and a pro-Russian group said it shut down Anonymous' website. Check Point concluded both claims were false.
"As there is no real official Anonymous website, this attack … appears to be more of a morale booster for the pro-Russian side, and a publicity event," CPR said, a fact which did not go unnoticed by Anonymous affiliates, who mocked the claim on social media.
Groups are making fake claims by posting old or publicly available information to gain popularity or glory, said Finkelstein.
Fowler said he feels Anonymous is, however, dedicated more to the "cause" than to notoriety.
"In what I saw in these databases, it was more about the messaging than saying 'hey, you know, Anonymous troop No. 21, group five, did this,'" he said. "It was more about the end result."
A cyber 'Robin Hood'
Hacktivists who conduct offensive cyber warfare-like activities without government authority are engaging in criminal acts, said Paul de Souza, the founder of the non-profit Cyber Security Forum Initiative.
Despite this, many social media users are cheering Anonymous' efforts on, with many posts receiving thousands of likes and messages of support.
"They're almost like a cyber Robin Hood, when it comes to causes that people really care about, that no one else can really do anything about," said Fowler. "You want action now, you want justice now, and I think groups like Anonymous and hacktivists give people that immediate satisfaction."
Many hacktivist groups have strong values, said Marianne Bailey, a cybersecurity partner at the consulting firm Guidehouse and former cybersecurity executive with the U.S. National Security Agency. Cyber activism is a low-cost way for them to influence governmental and corporate actions, she said.
"It is protesting in the 21st century," said Bailey.
Yet cheering them on can be dangerous in the "fog of war," she said.
"A cyberattack has the potential for such an immediate impact, in most cases well before any accurate attribution can be determined," she said. "A cyber strike back or even kinetic strike back could be directed to the wrong place. And what if that misattribution is intentional? What if someone makes the attack appear from a specific country when that's not true?"
She said cyber warfare can be cheaper, easier, more effective and easier to deny than traditional military warfare, and that it will only increase with time.
"With more devices connected to this global digital ecosystem the opportunity for impact continues to expand," she said. "It will undoubtedly be used more often in future conflicts."