The war in Ukraine has impacted the world. Energy prices have rocketed, the cost of food has risen by 8.7% on average and inflation has reached peak highs, contributing to a cost of living crisis. Yet it has also transformed the cyber threat landscape, bringing together cyber-criminal groups that oppose Western support for Ukraine.
On Friday 18 June 2023, representatives from Killnet, REvil and Anonymous Sudan met, seemingly forming a coalition that is being dubbed the ‘Darknet Parliament’. They went on to deliver their first attack against the European Investment Bank just two days later.
In this article, we explore the potential consequences of the Darknet Parliament and examine the countermeasures organisations might employ to defend against such a formidable coalition.
How Darknet Parliament was formed
The Darknet Parliament coalition appears to have come together around shared political objections to the West supporting Ukraine in its conflict with Russia. “Repel the maniacs according to the formula: no money, no weapons, no Kiev regime,” the group wrote in a Telegram post. They declared the first aim of their campaign to be the paralysis of SWIFT, a worldwide system used in more than 200 nations that enables member institutions to send money across borders quickly and safely. At the time of writing, SWIFT has not reported any outages following the announcement.
However, an attack attributed to the Darknet Parliament group was announced on Tuesday 20 June 2023, with the website of the European Investment Bank (EIB) experiencing a complete outage.
Who are the groups behind the Darknet Parliament coalition?
Historically, Killnet was a DDoS attack tool that only subscribers could rent and use. Following the war in Ukraine, it emerged as a pro-Russian hacktivist group, attacking countries and organisations that supported Ukraine. The group has worked alongside many other hacker groups and has even merged with some, such as XakNet, a group that has been known to target critical infrastructure.
Anonymous Sudan is an Islamic hacktivist group that emerged in January of this year. Amongst numerous attacks in 2023, they have most recently claimed responsibility for June’s attacks on Microsoft’s Outlook and cloud services. Many experts suspect that the group may operate from Russia, despite the name. Nevertheless, the group’s motivations overlap with those of other Russian hacker groups, leading to this joint operation.
REvil (Ransomware + evil) is a ransomware hacking group that also provides Ransomware as a Service (RaaS), previously sold by ‘PINCHY SPIDER’, which took ~40% of the profits as payment. Unlike the other two hacktivist threat actors, REvil appears more financially motivated. The group was taken down by Russia’s Federal Security Service in 2021, but it started to reappear in May of 2022.
How could this impact your organisation?
The formation of the Darknet Parliament coalition signals a significant increase in the impact it could have when targeting organisations. Collaboration between the groups is likely to lead to enhanced technical capabilities, increased financial resources, and the pooling of knowledge and expertise – making it even more challenging to defend against their attacks.
Collective resources, like those seen in Darknet Parliament, could be used to identify and exploit vulnerabilities more effectively, to build a wider arsenal of zero-day vulnerabilities and to create advanced malware variants that are harder to detect and neutralise. Combined, these enhance the group’s ability to target a broader range of organisations simultaneously. This united ransomware front is also likely to result in an exponential increase in the number and scale of attacks.
The increased technical proficiency, the larger attack surface, and the number and coordination of attacks raise the stakes for Western organisations on their radar. The attacks have the potential to cripple critical infrastructure, disrupt essential services, and cause severe economic and societal disruption. Significantly higher ransoms could be demanded from victims, leaving them with even more challenging decisions when contemplating whether to pay extortion demands or risk the potential consequences.
How to bolster your organisation’s defence
As threat actors evolve, so must organisations to successfully defend against them. While the emergence of a ransomware coalition presents a formidable challenge, organisations can take proactive measures to defend themselves against this unified threat:
- Strengthen Cyber Security Posture: Organisations must ensure robust cyber security measures are in place, including regular software updates, DDoS mitigation services and protections, strong network segmentation, multi-factor authentication, advanced threat detection systems and the utilisation of Cyber Threat Intelligence. Regular security audits and assessments should be conducted to identify and address vulnerabilities promptly.
- Heighten Employee Awareness: One of cyber security’s weakest links is still human error. Regular training sessions can inform staff members about the dangers of ransomware attacks, social engineering strategies, and safe online conduct, which lowers the possibility of successful intrusion.
- Backup and Disaster Recovery: Implementing a comprehensive backup strategy and disaster recovery plan is essential. Regularly backing up critical data and storing it in offline or remote locations can help minimise the impact of ransomware attacks and speed up recovery.
- Collaboration and Information Sharing: Strong relationships can promote the sharing of threat intelligence, enabling the early detection and mitigation of potential coalition attacks.
- Engage Law Enforcement: Companies should notify law enforcement authorities of any ransomware incidents as soon as possible so that the authorities can obtain the data they need for an investigation and for possible operations to combat the coalition.
While the full impact of the newly formed Darknet Parliament group is yet to be seen, the potential consequences of the alliance are concerning. Based on its success, we can expect more hacker groups to unify, undoubtedly posing unprecedented threats to organisations across the globe. However, by implementing robust cybersecurity measures, fostering collaboration, and enhancing overall resilience, organisations can better defend against the ever-evolving tactics of cybercriminals, regardless of whether they operate alone or as a coalition.
Gemserv provides Cyber Threat Intelligence (CTI) services, including tooling, consultation, analysis and reporting. Gemserv’s CTI tool solution can support any organisation with (among many other use cases):
- Sector and Region Threats
- Technology Stack Monitoring
- Supply Chain Security (24/7 alerting)
- Brand and Social Media Monitoring