Dark Web: Covert Warfare and Cyber Attacks in Ukraine

Dismantling Russian SIM Farms
The conflict in Ukraine extends beyond the battlefield, reaching into the darker corners of the internet. Recent operations by Ukraine’s Security Service (SSU) have uncovered extensive infrastructures used by Russian intelligence agencies to spy on and manipulate Ukrainian soldiers. These infrastructures, known as “SIM farms,” utilize thousands of mobile numbers and Telegram accounts to conduct phishing attacks and install spyware on soldiers’ devices. In Zhytomyr, a city west of the Ukrainian capital Kyiv, a woman was found to be running such an operation under direct orders from Russia. She managed over 600 mobile numbers used to target Ukrainian forces. Special software was employed to send phishing SMS messages to soldiers’ devices. These messages contained links that, once clicked, would install spyware. This spyware would grant the controller access to data and communications on the infected devices, as well as potential tracking capabilities on the battlefield.

Social Engineering and Propaganda
These revelations follow a warning from Ukraine’s Computer Emergency Response Team (CERT-UA) about soldiers’ phones being used in espionage campaigns. Soldiers were targeted with various forms of social engineering, including videos of combat situations and friend requests on social media platforms. The warning also briefly mentioned the use of dating sites. While the SSU did not provide specific examples of the spyware’s use, it became evident that the technology was also employed to spread pro-Kremlin propaganda, seemingly from genuine Ukrainian citizens. The woman running the operation in Zhytomyr was paid in cryptocurrency. Meanwhile, a large-scale operation was led by a 30-year-old resident of Dnipro, who managed nearly 15,000 social media accounts registered on Ukrainian mobile networks and sold access to these accounts on dark web forums. His primary clients were members of Russian intelligence services. So far, only the man from Dnipro has been arrested, while the woman has been informed that she is suspected of violating Article 361.5 of the Ukrainian Criminal Code, comparable to the Computer Misuse Act.

Arrests of Ransomware Criminals
As the SSU tackled these alleged Kremlin facilitators, Kyiv police announced the arrest of a suspected key figure in the LockBit ransomware gang. This 28-year-old man allegedly played a significant role in both the Conti and LockBit gangs, using his programming skills to build encryption payloads for two of the most notorious ransomware groups ever. The arrest, executed in April under the leadership of Dutch police, was linked to two major attacks in the Netherlands and Belgium. If his role was as pivotal as claimed, he could be responsible for hundreds of other incidents. This suspected cybercriminal joins two generations of alleged LockBit affiliates previously arrested, including a father-son duo apprehended in February. This was around the same time that Operation Cronos made efforts to dismantle LockBit. Although the organization, allegedly led by suspect Dmitry Khoroshev, is still active, it now operates on a reduced scale according to the UK National Crime Agency.

The Fight Against Cybercrime
The operations carried out by the SSU highlight the ongoing battle against cybercrime in Ukraine, extending from the battlefield to the digital world. The use of SIM farms and social engineering techniques by Russian intelligence agencies demonstrates the sophistication and determination of these cyberattacks. The arrests of cybercriminals in Ukraine, such as the suspected LockBit affiliate, show that international cooperation and targeted operations are essential in combating these threats. As the war continues, the struggle for information and cyber dominance remains a crucial part of the conflict. The dark web plays a significant role in this, serving as a platform for trading stolen data, selling access to hacked accounts, and spreading malware. The actions of the SSU and other international partners are a step in the right direction to disrupt these illegal activities and hold the involved criminals accountable.

Future Outlook
The recent developments in Ukraine underscore the complexity of modern warfare, where traditional military tactics are complemented by advanced cyberattacks. The dark web acts as a shadowy marketplace where criminal activities can thrive, and dismantling these networks is crucial for national security. The efforts of the SSU and their international partners demonstrate that while the fight is challenging, the collaboration and determination to combat cyber threats continue unabated. It is an ongoing struggle to balance technological advancement with protection against its misuse by malicious actors. The world must remain vigilant and continuously work towards improving cybersecurity and building resilience against the threats emerging from the dark web.