--[ Armchair Cyberwarriors: 6 Months of Cybercriminal and Hacktivist Activities Related to the Russian War in Ukraine

$ getent passwd aleslie
├─ name: Alexander Leslie
└── org: Recorded Future

Alexander Leslie is an Associate Threat Intelligence Analyst with the Advanced Cybercrime & Engagements (ACE) Team at Recorded Future. He has a Master’s in Eurasian, Russian, & East European Studies from Georgetown University and a Bachelor’s in International Studies from American University. His research is focused on the intersection of geopolitics, public policy, and cybercrime in Eastern Europe. He is interested in the evolution of tools, targeting, and tactics, techniques, and procedures (TTPs) of Russian cybercriminal, hacktivist, and advanced persistent threat (APT) groups. He is also interested in the broader cybercriminal threat landscape and how cybercriminals adapt to law enforcement actions, geopolitical and economic crises, information operations (IOs), and more.

From February 24, 2022 to August 24, 2022, Recorded Future observed the rise—and, in some cases, downfall—of over 250 cybercriminal and hacktivist groups that became indirectly involved in the Russian war in Ukraine. Following declarations of nation-state allegiance—which led to chaos in the cybercriminal underground—financially motivated, ego-driven, and patriotic hackers alike began to capitalize on geopolitical instability by exploiting individuals, entities, and critical infrastructure that they believed would advance their cause.

This talk will provide unique insights into the major events that have shaped the evolution of cybercriminal threats since February 24, 2022. It will cover events such as the Conti and Trickbot leaks, seizures of Russian cybercriminal sources, and major hacktivist campaigns from threat actor groups such as the IT Army of Ukraine, Killnet, and Anonymous. It will also discuss the role of plausible deniability in the Russian state’s relationship with cybercrime, and how unspoken connections and unwritten rules have changed since the beginning of the war.

This talk will also examine the transformative changes to the cybercriminal threat landscape that resulted from the war, and their implications for US law enforcement, foreign policy, and national security. We will discuss market disruptions to the malware-as-a-service (MaaS) industry and the use of commodity malware by Russian advanced persistent threat (APT) groups in Ukraine; changes to the dark web shop and marketplace ecosystem; the rise in payment card and financial fraud; ransomware groups targeting critical infrastructure, healthcare, and education; and other observations on database leaks, initial access brokers, and Russian state-sponsored information operations (IOs).

Drawing on daily monitoring of approximately 100 active cybercriminal groups with varying ideologies, motivations, nation-state allegiances, and hacktivist alliances, on 1 million references in the Recorded Future Platform®, and on regular threat actor engagements on dark web and special-access sources, this talk will document, summarize, and analyze the “armchair cyberwar” that took place over the first 6 months of the Russian war in Ukraine.