Ah, the brave new DDoS. Who is coordinating cyber attacks on Russia?


Since February 24, Russian Internet resources have come under heavy attack from DDoS tools. Nearly forty Telegram channels have been created to coordinate such actions, which are punishable by real prison sentences under the legislation of many countries. Igor Bederov, founder and owner of the Russian company Internet Search, told socialbites.ca about this.

“This work is coordinated by 40 communities. There are big ones and there are small ones. Bigger ones are split according to instructions, for example only to hit banks or the media,” he said.

What makes this situation unusual is that the Minister of Digital Transformation of Ukraine, Mikhail Fedorov, has called for participation in such attacks.

The head of the Ukrainian department has repeatedly said in interviews with foreign media that he is organizing the “world’s first cyber army.”

“We currently have around 300,000 experts. Participation is optional and we organize this through Telegram, where we post daily tasks. There is no personal contact with cyber volunteers,” Fedorov said in an interview with the Spanish newspaper El País on April 27.

According to Igor Bederov, about 650 thousand people participated in the attacks. But it is very difficult to give exact estimates.

Aleksey Novikov, Director of the Positive Technologies Security Expert Center, agrees on the impossibility of assessing the number of participants in the attacks.

“We see about 300,000 participants in just one of the conversations in which the attacks were coordinated,” Novikov told socialbites.ca. “It is impossible to estimate how many attackers there really are. But it is clear that they are not shrinking.”

According to Igor Bederov, the Telegram messenger does not react in any way to this activity. Both the channels and their admins are connected to one another.

“There are admins running multiple chats. We identified them. And we know there were the same executives who started and later oversaw this story. We were able to identify about 20 people. They are 23-30 years old. There are many technical university students, there are students,” he said.

According to the expert, most of the participants in these communities either use publicly available software hosted in the community or an external website where the software is already hosted. So the level of both the participants and the organizers is very low.

What is a DDoS attack?

A DDoS attack is an action aimed at making a web resource unavailable. It works by sending a flood of requests to a server or website, in a number that exceeds all of the resource's limits. The thousands of participants are what make that volume possible.

What defines a DDoS attack is the mass scale of some action. Examples include sending the server malformed instructions whose execution causes a crash, or mass traffic with wrong addresses that clogs communication channels. Huge amounts of user data can also be directed at the server, which ties it up in endless processing.

The purpose of a DDoS attack is to stop the server selected for the attack from working.

For this purpose, the Ministry of Digital Transformation of Ukraine organized the Telegram channel “Ukraine’s IT ARMY”. Every day it posts a list of addresses of Russian sites to be targeted with DDoS attacks.

The latest targets of the Ukrainian IT army (as of May 25) are the Moscow and St. Petersburg currency exchanges.

After the attacks, encouraging messages appear on the Telegram channel. For example: “Today let’s combine the results of the last days and supplement the resources of Russian banks and MFIs (leave them in an inoperative state).”

To prove the success of the attacks, screenshots of messages in the Russian media or screenshots of non-working company websites are published. This was published on May 23: “Many of the largest Russian microfinance organizations stopped their work on the morning of May 23 due to DDoS attacks on their websites. More than 20 companies have stopped lending online.”

Digital “reapers”

There are other channels associated with the “Ukrainian IT ARMY” that assisted the “Ukrainian Ministry of Digital Transformation” in the attacks. Thanks to the curators of these channels, he is a regular at IT ARMY.

socialbites.ca counted 12 more permanent communities, including Ukrainian Reaper, CyberPalyanitsya, Student Committee on Cyber Security and Defense of Ukraine, CYBER CERBER, Gaidamaki, Anonymous – Ukraine and others.

Some attackers are constantly working to improve their IT weapons. For example, the organizers of the “Ukrainian Reaper” channel report that their Multiddos program is updated approximately every five days.

“We remind you of the mhddos_proxy update, which allows you to more effectively attack Russian resources. Instructions are available at the link. And also about a Telegram bot that can be provided with its own cloud resources, and from them, in turn, will launch a central attack,” write the curators of the Ukrainian Reaper.

Multiddos was created specifically to perform DDoS attacks and is not a modification of any administrative utility, Swordfish Security technical director Anton Basharin told socialbites.ca.

“This software is an interface for working with several tools. Some were known before, some were developed relatively recently. The Multiddos utility, formerly known as auto_mhddos, appeared on the web in mid-March this year,” Basharin said.

According to him, this software has a number of good features. It combines several utilities for both DDoS attacks and monitoring.

“Multiddos generates traffic similar to the action of a real user using lots of random data. Obviously, traffic from one real system or compilation from several systems is used to establish the structure and sequence of requests,” Basharin says.

In order to constantly update the system, the “Ukrainian Reapers” regularly seek specialists. The required skills: the ability to create viruses, pentesting (the ability to find vulnerabilities and problems in someone else’s software – socialbites.ca), and creating phishing sites. Another priority, predictably, is plenty of free time to spend developing the “IT weapon”.

Positive Technologies specialists and other companies professionally engaged in security display messages indicating the targets of attacks on such Telegram channels, in order to prevent them if possible, explains Alexey Novikov. However, attacks can only be prevented against companies that were already protected, either by the company itself or by its provider.

“Then you might have time to replace the digital ‘passkey’. So, you change it and now you have DDoS protection enabled. But keeping the toggle button on all the time is not helpful. If it’s not there, it’s impossible to do anything in 10 minutes,” he said.

About 40 Telegram communities attack Russian infrastructure every day. Every day they publish a list of sites to be hit. The next day, proof of a successful attack is published in the same communities; otherwise the “IT generals” demand that the attack be repeated. socialbites.ca studied the instructions for those involved in DDoS attacks, and also asked information security experts to evaluate the proprietary software, the “weapon” used by Ukraine’s IT ARMY.



Source: Gazeta
