Getting Bored of Cyberwar: Exploring the Role of Low-level Cybercrime Actors in the Russia-Ukraine Conflict

Anh V. Vu, Daniel R. Thomas, Ben Collier, Alice Hutchings, Richard Clayton, Ross Anderson

TL;DR

The paper investigates whether low-level cybercrime actors meaningfully influence the Russia-Ukraine conflict. It combines four longitudinal data streams—web defacements (358k), UDP amplification DDoS (1.7M), Hack Forums discussions (1,764 posts by 372 users), and Telegram IT Army announcements (441) over Jan-Jun 2022—and applies ANOVA or Kruskal-Wallis tests with post-hoc analyses, along with data fusion for geolocation and semi-automatic validation. The main finding is a fleeting surge of attention and attacks around Russia and Ukraine that dissipates within weeks, with little evidence of high-profile actions or persistent impact, and limited overlap with state-sponsored or hacktivist operations. The study argues that these actors act as soft power or opportunistic participants rather than enduring warfighters, suggesting policy and security focus should remain on higher-profile, state-backed threats. The work provides a data-driven baseline for understanding the transient role of low-level cybercrime in modern conflicts and highlights the importance of separating such activity from official cyberwarfare analyses.

Abstract

There has been substantial commentary on the role of cyberattacks carried out by low-level cybercrime actors in the Russia-Ukraine conflict. We analyse 358k website defacement attacks, 1.7M UDP amplification DDoS attacks, 1764 posts made by 372 users on Hack Forums mentioning the two countries, and 441 Telegram announcements (with 58k replies) of a volunteer hacking group for two months before and four months after the invasion. We find the conflict briefly but notably caught the attention of low-level cybercrime actors, with significant increases in online discussion and both types of attacks targeting Russia and Ukraine. However, there was little evidence of high-profile actions; the role of these players in the ongoing hybrid warfare is minor, and they should be separated from persistent and motivated 'hacktivists' in state-sponsored operations. Their involvement in the conflict appears to have been short-lived and fleeting, with a clear loss of interest in discussing the situation and carrying out both website defacement and DDoS attacks against either Russia or Ukraine after just a few weeks.

Paper Structure (15 sections, 8 figures, 3 tables, 1 algorithm)

This paper contains 15 sections, 8 figures, 3 tables, 1 algorithm.

Figures (8)

  • Figure 1: Number of defacements and defacers per day in the Russia-Ukraine scale (top) and the global scale (stacked, bottom).
  • Figure 2: Number of defacements hitting Russia and Ukraine by hour around the invasion day (marked with the red star).
  • Figure 3: Number of DDoS attacks and victims per day in the Russia-Ukraine scale (top) and global scale (stacked, bottom).
  • Figure 4: Number of DDoS attacks on Russia and Ukraine by hour around the invasion day (marked with the red star).
  • Figure 5: Number of daily posts and posting users on Hack Forums mentioning Russia and/or Ukraine (the top 5 subforums).
  • ...and 3 more figures