Ukraine is under cyberattack. A small, roving group of hackers called CyberBerkut is trying to humiliate the pro-Western government in Kiev by leaking details on everything from government officials’ personal lives to international arms deals. But, even scarier, CyberBerkut is using methods that pale in comparison to the much larger, more sophisticated digital cannon that can be traced straight back to the Kremlin.

CyberBerkut is a pro-Moscow hacking collective that has breached Ukrainian government and military networks and launched distributed denial-of-service attacks against Western targets, all in an attempt to embarrass Ukraine while conveniently boosting the hackers’ own profile.

This week the group leaked documents to Russian media that seem to prove a Ukrainian state-owned defense company is planning to sell fragmentation bombs to Qatar. Last month Russian media also published documents (provided by CyberBerkut) insinuating that Ukraine sold surface-to-air missiles to Qatar and, ultimately, the Islamic State group (a favorite claim of Russian and Iranian state media).

It’s all part of a propaganda campaign starring Russia’s own version of Anonymous. The group, made up of at least four people who came together in 2014, is the most visible example of a proxy hacking collective launching strikes against Ukraine -- with at least implied authorization from the Kremlin.

Researchers have tracked the group to Ukraine, where a sizable segment of the population in the eastern region of the country is more sympathetic to Russian influence.

“They’re Ukrainians,” said Mikko Hypponen, chief research officer at F-Secure, a cybersecurity company that closely tracks Russian cybercrime. “It’s a voluntary cyber offensive unit that’s not closely affiliated with any government. All the ex-Soviet countries -- including Russia, Estonia, Latvia and of course Ukraine -- have always been very active in regards to cyber. If you look at the map CyberBerkut is located right in the middle of that.”

First Impression

CyberBerkut first attracted attention from security researchers in mid-2014, when it used distributed denial-of-service attacks, which use falsified internet traffic to knock target websites offline, against NATO, the Polish government and the Ukrainian Ministry of Defense. CyberBerkut also used DDoS, an unsophisticated attack vector, against websites used by the German government, which CyberBerkut accused of aiding Ukraine in the Crimea crisis last January.

CyberBerkut also claimed responsibility for a hack that compromised Ukraine’s Central Election Commission (CEC) in May 2014, the most sensational attack aimed at Ukraine since hostilities began. Software designed to display real-time updates on the hotly contested election did not function for 20 hours, router settings were erased and hard drive information was lost (the hack did not affect the election outcome).

The initial group was made up of at least four cybercriminals who call themselves “Mink,” “Artemov,” “MDV” and “KhA,” according to findings unveiled by the research arm of TrendMicro, a cybersecurity company. Each member was active on underground Russian criminal forums and Pastebin, a programming website that international hackers often use as a dumping ground for stolen information. CyberBerkut has since called for additional volunteers, though it’s not clear how many supporters have joined its ranks or from where attacks are launched.

“The attribution process is hit or miss,” said Alan Woodward, a cybercrime consultant for Europol and a professor at the University of Surrey. “It often comes down to looking at the IP address of where something comes from and comparing the modus operandi of the attackers to previous hacks. But it’s very easy to fake all of that, and false flags are notoriously difficult to spot in the cyber world.”

International law, as laid out by the United Nations Institute for Disarmament Research (PDF), rules that international governments can be held legally responsible for a cyberattack only if the attack is carried out by a person working for the state, or with the state’s direct funding or authorization. But governments might also influence non-state actors indirectly, in the form of a rousing political speech denouncing an adversary, for example, or another action that could be interpreted as a call to action.

CyberBerkut falls into the latter category, according to Tim Maurer, who met with Eugene Dokunin, the self-proclaimed leader of Ukrainian cyber forces, before joining the Carnegie Endowment for International Peace as a cyber policy associate.

“CyberBerkut, companies like Hacking Team that are selling hacking-for-hire services, and reports that North Korean hackers are launching their operations from a Thai hotel are all examples of proxy hackers working under indirect influence,” he said.

There’s also been no indication that CyberBerkut is hacking with a profit motive. The longer a hacktivist group survives without taking credit for a commercial data breach, the logic goes, the more likely an international government is involved. “I think that’s concerning, especially in terms of where we’re going to see proxy groups evolve over the next five years,” Maurer said. “There’s also a question of how long hacktivists who aren’t state-affiliated can go without going back to work.”

Ties to a Nation State?

Some have suggested CyberBerkut has ties, or is developing ties, to a nation state group. Cybersecurity experts are divided over whether CyberBerkut actually had the capability to launch the election hack for which it took credit last year. If the group was behind that intrusion, that incident is the only time CyberBerkut has used such sophisticated techniques (displaying incorrect election results and disabling key functions on the site) before or since.

“To bolster its technical credentials as an elite hacker group, CyberBerkut claimed to have discovered and exploited a ‘zero-day’ vulnerability in CEC’s Cisco ASA [Adaptive Security Appliance] software,” wrote Nikolay Koval, acting head of the Computer Emergency Response Team of Ukraine, in a recent NATO report (PDF). “In my opinion it is highly unlikely that a non-state hacker group would possess such a high level of technical expertise. If CyberBerkut really did exploit a zero day, the group is likely supported by a nation state.”

Translation: If an anonymous group of international cybercriminals is to be taken at face value, it has ties to the Kremlin.

FireEye isn’t buying it. The cybersecurity company tracks Advanced Persistent Threat groups 28 and 29, small armies of hundreds of hackers that focus on political objectives and spread propaganda on behalf of the Russian government, and says there’s nothing to indicate CyberBerkut has similar capabilities.

“That they’re published so easily and quickly in the Russian press seems to suggest there’s at least some tacit approval going on, but it’s hard to say for sure,” said Jonathan Wrolstad, a threat intelligence analyst at FireEye.

DDoS attacks can be purchased or rented for tens of dollars on Russian hacking forums, and outdated government websites traditionally make for vulnerable targets for low-level groups like CyberBerkut. But Advanced Persistent Threat Group 28 (also known as Sofacy, Pawn Storm and a number of other names) launches “hundreds and hundreds” of malware samples from 400 domains, Wrolstad said, and employs hundreds of malware designers, linguists and other professionals.

That level of sophistication enables Russian hackers to frame the Islamic State group -- also known as ISIS or ISIL -- by posing as an ISIS terrorist and hacking a French TV station, for example. APT 28 has also been blamed for breaking into the New York Times’ internal computer network and targeting the data of at least 50 staff members.

“There does seem to be an assumption that groups like CyberBerkut are state-sponsored actors of some sort but I just don’t see the proof of that,” said Alan Woodward. “And let’s say the Russian government really is launching those attacks, why would they want anyone to know?”


A previous version of this story erroneously stated that Tim Maurer was "embedded with Ukrainian cyber forces." Maurer in fact met with Eugene Dokunin as part of a research interview. The change is reflected in the story.