Disrupt and Demoralize, Deniably
“Blazing Sun” Anti-Ukrainian Cyber Campaign Exemplifies Russian Military Hacker Group’s Disruption-and-Information-Operations “Playbook”
Introduction: Undermining Support for Ukraine With Hacktivist Personas
As the war of attrition in Ukraine drags on, Russian President Putin appears to be betting that Ukraine’s allies will eventually tire of supporting that country. Strains in that support have already appeared, with the September 30 victory of a populist in Slovak elections, tensions between Poland and Ukraine, and the US Congress’ September 30 adoption of a spending package that averted a US government shutdown but did not include additional military funding for Ukraine.
As countries debate further aid to Ukraine, Russia’s leadership continues its years-long efforts to erode that country’s reputation. One key theme has been to portray Ukraine as hopelessly corrupt. Indeed, Ukraine struggles with the Soviet legacy of corruption, as NattoThoughts has discussed here and here. Advocates for Ukraine express hope that a new generation there can finally shake off that legacy, and Ukrainian popular support for anti-corruption efforts is high.
But Russian information operations have deliberately kept Ukrainian corruption at the forefront of global discourse for years, as anticorruption expert Josh Rudolph has stressed. In one such operation, a pro-Russian former member of Ukraine’s parliament sought to erode US support for Ukraine by deliberately amplifying reports of Ukrainian corruption, the London-based Royal United Services Institute has reported, citing a US criminal indictment and sanctions declarations against the parliamentarian.
Also amplifying the corruption theme are social media campaigns posing as concerned pro-Russian “hacktivists” who break into email accounts and leak data to discredit Ukraine’s current government. Given the regimentation of Russia’s information space, analysts suspect that very few of these “hacktivist” social media personas are people genuinely motivated by a thirst for justice; rather, Russian intelligence services fabricate so-called sock-puppet accounts, or co-opt real people who are already active on social media, to publicize compromising data that the intelligence service hackers have stolen. A historical example is Guccifer 2.0, a “hacktivist” persona whom Russian military hackers allegedly created to disseminate stolen US Democratic Party documents during the 2016 US election.
A more recent social media persona, named Solntsepek, burst on the scene on April 25, 2023, when its Telegram account announced that it had crippled computer systems at a Ukrainian ministry and had stolen documents showing the officials’ corruption and inefficacy. Ukraine’s Computer Emergency Response Team (CERT-UA), in a September 25 2023 update on Russian cyber threat activity, identified Solntsepek as a mouthpiece for the infamous Russian military hacker team Sandworm. According to the report, Sandworm has been carrying out destructive attacks, such as wiping data from computer servers, followed by document leaks “in Telegram channels de-facto controlled by a group mimicking ‘independent volunteers’.” Previously, the Sandworm group had used the @CyberArmyofRussia_Reborn (Cyber Army of Russia Reborn, or CARR) Telegram channel for this purpose, but “starting from the 25th of April 2023, they are using a @solntsepekZ Telegram channel instead for better OpSec,” said CERT-UA, using an abbreviation for operational security. CERT-UA also reported that after the hack of an unnamed ministry, the attackers had compromised the account of a Ukrainian journalist, causing his publication to publish “a fake comment from the head of the ministry [and] unreliable information about the alleged inaction of CERT-UA. The information was spread in one of the Telegram channels, which is associated with the Sandworm group.”
Though CERT-UA did not specify it, both of these quotes refer to an April 25 attack on Ukraine’s Ministry of Community and Territorial Development, also known as the Ministry of Restoration or the Ministry of Regions (MinRegion). As we saw in our “Rebuilding Ukraine” post, this agency oversees the transportation infrastructure, grain exports, reconstruction and maintenance of the country’s damaged buildings, and much else; a blow to the ministry’s reputation could endanger huge sums of reconstruction funds from international donors. The story of the April 25 incident provides a case study of the struggle to control the information space.
The Sandworm modus operandi that CERT-UA’s September report described, exemplified by the Solntsepek attack on the Ministry of Regions, also featured in a July 12 report by cybersecurity company Mandiant. Mandiant dubbed it the “GRU disruptive playbook,” using the initials for Russia’s military intelligence service. This “playbook” combines cyber attacks to hobble Ukrainian institutions with information operations to boast of those achievements and to demoralize victims. This fits a long pattern of Russian cyber-enabled information operations, particularly at key times such as elections. Russia and other adversary countries will likely attempt information operations to influence voters in the leadup to the 2024 elections in the US and elsewhere.
In a follow-up article, the NattoTeam delves more deeply into Solntsepek’s role in a network of hacktivist personas, looking at their division of labor, where they got their money and information, and their relationship with the state.
The “Blazing Sun” Campaign
Pro-Russian Persona “Solntsepek” Claims Attack on Ukraine’s Ministry of Regions
On April 25 2023 a formerly obscure Telegram channel burst on the scene with a claim to have attacked MinRegion. The channel, which had about 22,000 subscribers at the time, is entitled Solntsepek (also transliterated Solntsepyok; the Russian original, Солнцепёк, literally “blazing sun,” is also the name of a thermobaric rocket launcher used since Soviet times). The channel purports to be a pro-Russian hacktivist entity that doxxes (publicizes personal data on) Ukrainian soldiers. It has a partner website, which constitutes a database of the doxxed soldiers.
Screenshot of Front Page of Telegram Channel, t[.]me/solntsepekZ, cached on April 25, 2023
At 7:25 am on April 25, Solntsepek reposted several messages from the Telegram channel of JokerDPR (Russian account name: Джокер ДНР; can also be written JokerDNR), who appears to be a senior figure in a network of pro-Russian hacktivist personas (t[.]me/solntsepekZ/696). (We discuss the JokerDPR network in the subsequent posting).
Screenshot taken September 29 2023 from Solntsepek Telegram account, posting dated April 25, 2023, reposting an item from the JokerDPR Telegram account, hxxps://t[.]me/solntsepekZ/696
JokerDPR claimed, “my hacker followers from the Solntsepek group got access to ALL the computers of the agency that contained internal secret documents. Here, for example, enjoy!” It posted allegedly stolen data that it claimed showed corruption in the ministry and failures of highly paid cybersecurity experts to protect the agency’s computer systems (t[.]me/solntsepekZ/696). At 12:31 that day, Solntsepek forwarded a JokerDPR post that said JokerDPR was reading the documents Solntsepek had leaked, and claiming that they show sloppy cybersecurity and corrupt kickbacks in Ukraine’s state contracts (t[.]me/solntsepekZ/698). An initial review of the allegedly leaked documents -- a smattering of contract materials, budget figures, and employee records -- does not immediately show how they prove these claims.
The Weekly Mirror’s Hall of Mirrors
The specifics of the actual disruptive breach can only be deduced, as the perpetrators made sweeping claims and repeated demoralizing messages, while the Ukrainian government provided little explicit detail on this breach, apparently attempting to limit the reputational damage that publicity about the incidents could cause. A chronological look at the reports and denials, based on cached copies, gives a feeling for the sensitivity of the matter. Although we cannot judge whether certain specifics were indeed Russian disinformation or were accurate information too sensitive to publicize, clearly the attack seriously disrupted the work of MinRegion.
An article appearing at 17:17 on April 25, 2023 in reputable Ukrainian news source Дзеркало Тижня (Weekly Mirror, zn[.]ua) said Regions minister Oleksandr Kubrakov confirmed that hackers had breached systems at the ministry. The minister said the hackers obtained access to Ministry systems by analyzing technical information that appeared after a “breach of a web service of the Ministry in January 2022” and by using the password of a former employee, according to the article. It also cited Kubrakov as allegedly blaming CERT-UA and some Western cybersecurity partners for weakly defending the ministry.
The reference to January 2022 likely refers to Whispergate, a wiper-and-exfiltration-and-defacement attack from January 14 2022, which the UK, EU, US and others have attributed to Russian military hackers. As Natto Team has reported, the Whispergate campaign targeted some 70 Ukrainian government sites with data exfiltration, data wiping, and website defacement. Soon after that attack, dark web user “FreeCivilian” offered to sell information on millions of Ukrainians as well as data from 48 Ukrainian government domains. FreeCivilian is one of the ostensibly hacktivist groups that the GRU has integrated into its wiper-and-information-operations “playbook,” discussed below.
On April 26 several news aggregators published another article under the zn[.]ua masthead that spoke of extensive damage at MinRegion. The article cited the ministry’s IT chief, Ruslan Yakovlev, as saying CERT-UA investigators estimated that over 100 servers for interacting with the public had been irrevocably destroyed; service information on over 1500 employee computers had been encrypted; over 300 terabytes of reserve copies of service documents and databases had been destroyed; and the system for protected communications with regional representatives and with state document exchange services had been disrupted.
By April 29, however, ZN[.]ua had changed its April 25 story to say “There was no hacker attack on Mingerion [sic] (Хакерської атаки на Мінгеріон не було). The report has been deleted due to the hacking of the personal mail and ZN account of the editorial staff.” Given Ukraine’s wartime policies for unifying media messaging, ZN[.]ua likely received instructions from the Ukrainian government to retract the earlier story. Note that the ZN[.]ua headline misspelled the ministry’s name (“MinGerion” rather than “MinRegion”); this may be a simple typographical error, but another possible interpretation is that the editors were using “Aesopian language” to hint that this retraction statement was inaccurate. The revised article’s URL retains the old title, “Oleksandr Kubrakov Confirmed a Hacker Attack on the Ministry.”
Although the story appears to have been fed to ZN[.]ua through a journalist’s compromised account, it is unclear whether this story was indeed a complete fabrication. Minister Kubrakov’s alleged statement, openly criticizing Western cybersecurity partners, is likely a fiction; Kubrakov would surely be disinclined to alienate global supporters at a time when he was courting Western aid. (A later Solntsepek posting would carry a similar quotation purporting to show disunity in the Ukrainian government; that posting claimed that the head of Ukrainian public broadcasting criticized CERT-UA’s performance during a June 14 attack there (t[.]me/solntsepekZ/852). The public broadcasting service’s own statements on June 14 contradict this claim).
At the same time, even if the hackers did feed the story to ZN[.]ua, they may have based it on a grain of truth. Indeed, MinRegion’s main site, minregion.gov[.]ua, has been difficult or impossible to access since April 25. Another site for the Ministry of Regions, mtu.gov[.]ua, also appears to have been down from April 25, briefly up on May 2, and sporadically down again for two more months, judging from cached copies on web.archive.org. When it was up on May 2, the mtu.gov[.]ua website gave ordinary positive news, with no mention of a hack. The Ministry’s Telegram channel and Twitter feed for the days surrounding April 25 look normal.
Overview of cached copies of minregion.gov[.]ua website on web.archive.org, screenshot taken September 26, 2023. Red indicates server errors. Orange indicates that the URL was not found.
On April 27 Ukrainian news source from-ua[.]org reported, citing Ukrainian cybersecurity officials, that hackers had indeed breached a journalist’s account to post the initial article on zn[.]ua but that the Ministry had also really suffered a major cyber attack. On April 29, Opora, a Ukrainian political transparency organization, also took note of zn[.]ua’s contradictory reporting.
CERT-UA Describes Sandworm Attack on an Unnamed Ministry that Sounds like MinRegion
On April 29 CERT-UA published a report (English summaries here and here) on a destructive attack that had disrupted the computer systems of an unnamed Ukrainian state agency; this report likely refers to the Ministry of Regions. The CERT-UA report said the threat actors had obtained access to a virtual private network (VPN) using stolen login information; then they had used a modified version of RoarBat to identify certain types of files, then archived and deleted files using the legitimate WinRAR program. The perpetrators had used Group Policy to create and distribute a scheduled task to run the script.
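The archive-then-delete step that CERT-UA describes leaves a recognisable shape in process-creation telemetry. The following detection sketch is an added example (not CERT-UA's or the page's code) that scans constructed Sysmon-style records for the legitimate RAR command-line tool being told to add files to an archive and delete the originals, and for that tool being launched by the Task Scheduler. The `a` (add) and `-df` (delete files after archiving) switches are real RAR options, but their use by the attackers, the parent-process shapes, and every log record below are assumptions made for this example.

```python
"""Detection sketch for a scheduled archive-then-delete run of WinRAR.

Added example, not CERT-UA's or the page's code. All records are constructed.
Assumptions: attackers drive Rar.exe with "a ... -df"; a scheduled-task launch
shows up with a Task Scheduler parent (taskeng/taskhostw, or svchost hosting
the Schedule service).
"""
import shlex
from dataclasses import dataclass

ARCHIVERS = {"rar.exe", "winrar.exe"}
SCHEDULER_PARENTS = {"taskeng.exe", "taskhostw.exe"}   # assumption: typical Sysmon view


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _argv(command_line: str) -> list:
    # posix=False keeps Windows backslashes intact; quoted tokens keep their
    # surrounding quotes, so strip those afterwards.
    return [tok.strip('"') for tok in shlex.split(command_line, posix=False)]


def launched_by_scheduler(event: dict) -> bool:
    parent = _basename(event.get("ParentImage", ""))
    if parent in SCHEDULER_PARENTS:
        return True
    # svchost.exe hosting the Schedule service: "svchost.exe -k netsvcs -p -s Schedule"
    return parent == "svchost.exe" and "schedule" in event.get("ParentCommandLine", "").lower()


def analyse_event(event: dict) -> list:
    """Return the alerts one process-creation record triggers (empty if none)."""
    image = _basename(event["Image"])
    if image not in ARCHIVERS:
        return []
    argv = _argv(event["CommandLine"])[1:]          # drop the program path
    if not argv:
        return []
    command = argv[0].lower()                        # RAR command letter, e.g. "a"
    switches = {tok.lower() for tok in argv[1:] if tok.startswith("-")}
    operands = [tok for tok in argv[1:] if not tok.startswith("-")]
    sources = operands[1:]                           # everything after the archive name
    alerts = []
    if command == "a" and "-df" in switches:
        # Originals are removed once archived: the report's "archive and delete" step.
        # Wildcarded source paths mean whole file classes are being swept up.
        severity = "critical" if any("*" in src for src in sources) else "high"
        alerts.append(Alert("winrar_archive_then_delete", severity, image, event["CommandLine"]))
    if command == "a" and launched_by_scheduler(event):
        alerts.append(Alert("winrar_archive_from_scheduled_task", "medium", image, event["CommandLine"]))
    return alerts


def analyse_events(events) -> list:
    return [alert for event in events for alert in analyse_event(event)]


# Constructed sample telemetry (not from the incident).
SAMPLE_EVENTS = [
    {   # scheduler-launched Rar.exe adding document files, then deleting them
        "Image": r"C:\Program Files\WinRAR\Rar.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
        "CommandLine": r'"C:\Program Files\WinRAR\Rar.exe" a -r -ep1 -df -ibck C:\Temp\out.rar "C:\Users\*\Documents\*.docx"',
        "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # an administrator's interactive backup, originals kept
        "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" a -ep1 D:\backup\docs.rar C:\Users\alice\Documents',
        "User": r"CORP\alice",
    },
    {   # interactive archive-then-delete from a shell: suspicious, but not scheduled
        "Image": r"C:\Program Files\WinRAR\Rar.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r'"C:\Windows\System32\cmd.exe"',
        "CommandLine": r'"C:\Program Files\WinRAR\Rar.exe" a -df C:\Temp\old.rar C:\Temp\old\report.pdf',
        "User": r"CORP\bob",
    },
    {   # unrelated process, ignored by the rules
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
        "CommandLine": r"notepad.exe C:\Users\alice\notes.txt",
        "User": r"CORP\alice",
    },
]

if __name__ == "__main__":
    for alert in analyse_events(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.rule}: {alert.command_line}")
```

The scheduled-task rule is the weaker signal on its own; the combination of a scheduler parent, `-df`, and wildcarded sources is what singles out the first record.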
Many details of the operation resembled those of a January 2023 attack on Ukrainian news agency Ukrinform, CERT-UA said. It said the Telegram channel of the group called “CyberArmyofRussia_Reborn” (CARR) had claimed the January incident, whereas the April incident had been advertised on a different Telegram channel, which CERT-UA did not name at the time. Nevertheless, CERT-UA surmised that both incidents were likely the work of the infamous Russian military hacker group Sandworm, responsible for the global Petya.A (NotPetya) pseudo-ransomware attack of June 2017 and other operations against Ukrainian and global targets.
It seems likely that this report was referring to the MinRegion hack; it appeared soon after that incident, it referred to a combination of destructive activity and information attacks, and it cited a similar incident in January involving another hacktivist account called CyberArmyofRussia_Reborn (CARR). CARR has reposted items from Solntsepek’s channel, suggesting it was part of the same hacktivist persona network, as we shall explore in a future posting.
Solntsepek Tries to Maximize Publicity
The Solntsepek Telegram channel took further steps to publicize the MinRegion hack and reiterate the message about Ukrainian government corruption and CERT-UA’s deficiencies. The channel’s authors clearly cared a lot about how Ukraine and the world responded to their attempts.
On May 11, Solntsepek announced it had breached Corbina Telecom and other Ukrainian communications providers. A Corbina customer said she received a message on a building-wide chat group that said, “It is interesting that the website of the Ministry of Regions has not been opened for quite some time.” Also on May 11, Ukrainian television station 24TV reported that a Russian group of hackers targeted their website, just a week before the station planned to publish a “major investigation into a high-ranking Russian GRU officers” (https://24tv[.]ua/uvaga-sayt-24-kanalu-zlamali-rosiyski-hakeri_n2311487).
Solntsepek would also go on to other hacks and leaks, with the same message of the unreliability and corruption of Ukraine’s government and attacks on Ukraine’s war effort. In a May 30 posting, Solntsepek listed their “achievements” so far (https://t[.]me/solntsepekz/807).
Screenshot taken October 6, 2023, from May 30 2023 posting on https://t.me/solntsepekz/807
Possibly inspired by Solntsepek’s list, in a July 3 article, Ukrainian IT-focused website dev[.]ua provided fuller information on these incidents. The dev[.]ua article cited Ukrainian cybersecurity authorities as saying that Solntsepek’s destructive attacks were likely the work of Sandworm, the GRU hacker group. The appendix below shows NattoTeam’s verbatim translation of Solntsepek’s May 30 posting, with its list of claimed breaches, interspersed with translated comments from dev[.]ua’s July 3 article.
One item that appeared in Solntsepek’s May 30 list did not appear in dev[.]ua’s article, suggesting its sensitivity. Solntsepek wrote, “On May 25 we hacked ALL the district, municipal and regional administrations of Ukraine. As a result of our attack we successfully obtained all internal documents and all correspondence, in which we found ample confirmation of the TOTAL CORRUPTION at all levels of power in Ukraine. On the sites of the administrations was placed a photo of Zelensky in his usual CLOWN nose!!! You can read about the attack here!”
In a May 25 post, Solntsepek had bragged that Ukrainian media were reporting about the breaches of local administrations all over Ukraine (t[.]me/solntsepekZ/778). It had shown screenshots of defacements of local administrations’ sites, displaying Solntsepek’s announcement cited above.
Screenshot taken September 29, 2023 from Solntsepek posting dated May 25, 2023, purportedly showing screenshots of Ukrainian local media defaced with Solntsepek’s message, t[.]me/solntsepekZ/778
dev[.]ua’s omission of this incident is understandable. A breach of municipalities likely reflects badly on the Ministry of Regions, which oversees them. Indeed, the hackers may have used data or access obtained in the April 25 breach of MinRegion; one of the early reports on that earlier breach said it had affected a protected communications system between MinRegion and the municipalities.
Another Ukrainian periodical, focus[.]ua, also published an article following up on the dev[.]ua report, and also had to remove sensitive information about the Ministry of Regions. A July 3 cached article in focus[.]ua reiterated details, including the alleged Kubrakov quote, from the initial April 25 zn[.]ua report. By July 5, focus[.]ua had also altered its article to remove this quote, giving the exact same wording as dev[.]ua gave in its update: that the original April 25 zn[.]ua article “turned out to be a fake put out by Russia to discredit Ukrainian cyber forces.”
Perhaps not surprisingly, given Solntsepek’s efforts to cultivate its image as an independent hacktivist, Solntsepek did not repost the dev[.]ua report that claimed Solntsepek was a mouthpiece for the Sandworm Russian military hacker group. However, Solntsepek eagerly reposted the Focus article with Kubrakov’s alleged criticism of Ukrainian cybersecurity. Further bolstering the message of Ukrainian cybersecurity vulnerabilities and corruption, Solntsepek reposted several times a link to a critical article that former Security Service of Ukraine (SBU) officer Konstantin Korsun had published on June 15, entitled, “The hack of Suspilnyy [the public broadcaster] is the result of the imitation of reforms of national cybersecurity.”
Subsequent Solntsepek Attacks
NattoTeam’s review of Solntsepek’s subsequent Telegram postings shows it claimed more attacks on media and communications providers and on entities associated with Ukraine’s war effort. A list appears in the Appendix below. On September 6 it claimed to have participated in distributed denial-of-service (DDoS) attacks to disrupt a series of Estonian websites. It claimed to be acting as part of a joint operation with numerous well-known pro-Russian hacktivist groups, including JokerDPR, Killnet, CyberArmyofRussia_Reborn (CARR), and others (t[.]me/solntsepekZ/1071). This operation against foreign countries appears to be a change from Solntsepek’s former focus solely on Ukraine.
Solntsepek Activity Fits the GRU Playbook
The 2023 Solntsepek campaign exemplifies the Sandworm modus operandi that the September CERT-UA report outlined, and which a July 12 report from cybersecurity company Mandiant dubbed the “GRU disruptive playbook.” In this playbook, hackers from Russia’s GRU military intelligence service unleash wiper malware and other sophisticated tools to hobble key Ukrainian government entities, then use supposedly hacktivist personas on social media to publicize these feats, burnish Russia’s hacker street cred, and demoralize Ukraine’s population and supporters. Mandiant listed some of these personas: CyberArmyofRussia_Reborn [CARR], XakNet Team, Infoccentr, and Free Civilian. Google’s Threat Analysis Group (TAG) also reported in April 2023 that GRU hackers “created and controlled” the CyberArmyofRussia_Reborn [CARR] Telegram channel to leak data they have stolen.
As the September CERT-UA report hypothesized, Solntsepek is likely the latest Telegram persona that GRU hackers began to use after public revelations about JokerDPR and about CyberArmyOfRussia_Reborn [CARR] made those personas more subject to scrutiny. As Ukrainian hacktivist Andriy Baranovych (Sean Townsend) put it, Solntsepek “is not a ‘group’, but the latest disguise (вивіска) of the GRU of the Russian Federation.”
This Playbook Fits Long Pattern of Russian Cyber-Enabled Information Operations…
Russia’s GRU has a long history of cyber-enabled information operations, coordinating sophisticated attacks on computer systems with propaganda and disinformation to demoralize and influence target populations and decisionmakers.
In the 2016 US election hack-and-leak operations, GRU military unit 26165 (associated with hacker group names such as APT28 and Fancy Bear) worked together with GRU military unit 74455 (associated with group names such as Sandworm and Telebots) to steal US Democratic Party data and weaponize it against the Democratic candidate, while the Internet Research Agency – the troll army led by mercenary entrepreneur Yevgeniiy Prigozhin – used sock-puppet accounts to amplify false narratives, according to reports and indictments from Special Counsel Robert Mueller, as well as US Intelligence Committee reports.
The so-called MacronLeaks campaign, aimed at bolstering pro-Russian right-wing nationalist Marine Le Pen’s presidential bid against Emmanuel Macron in 2017, involved a disinformation operation of “rumors, fake news, and even forged documents,” led by Russian state media and American alt-right, followed by a hack-and-leak of documents, amplified by thousands of bot accounts, as an Atlantic Council post-mortem summarizes the campaign. A US court indicted six GRU officers in 2020 for taking part in the hacking part of the operation.
In the above-mentioned 2022 Whispergate campaign, which the US has attributed to “Russian military cyber operators,” the hackers breached Ukrainian government websites and defaced them with a message in the Ukrainian, Russian and Polish languages, saying "be afraid and expect the worst."
Shortly before the 2022 invasion, a DDoS attack briefly disrupted two Ukrainian state-owned banks in Ukraine, and panic-mongering text messages falsely claimed that ATMs belonging to those banks were down. The US and UK governments attributed these operations to Russia’s military intelligence service, and on 19 February 2022 the US Cybersecurity and Information Security Agency warned that foreign governments could pair cyber threat activity against critical infrastructure with disinformation.
In March 2022, a wiper operation targeting a Ukrainian organization coincided with the hijacking of a Ukrainian news feed with the false message that Ukraine was surrendering to Russia.
…Some More Effective than Others
This coordination in hack-and-leak operations does not always work smoothly.
In Ukraine’s first election after the Revolution of Dignity in 2014, GRU cover persona CyberBerkut attempted to breach Ukrainian election commission websites and alter the results to show falsely that an ultra-nationalist party had won — a move that would have discredited Ukraine’s revolution. Ukrainian defenders discovered and blocked this attempt; however, Russian media, apparently prepared beforehand to report on this, did not get the message; they falsely reported that the ultra-nationalist had won.
A similar error in timing occurred in one operation Mandiant observed. There, the GRU hacker using CADDYWIPER to wipe a victim machine “was unable to complete the wiper attack before the Telegram post boasting of the disrupted network. Instead, the Telegram post preceded CADDYWIPER’s execution by 35 minutes.” Although the operation failed to work as planned, the “close sequencing between the wiper deployment and Telegram posts” convinced Mandiant that “UNC3810 [the GRU hacker team] and Cyber Army of Russia engaged in forward operational planning to orchestrate the cyber and information operations components of the operation.”
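The sequencing inference Mandiant drew (a boast posted 35 minutes before the wiper ran) depends on putting persona posts and host telemetry on one clock. The block below is an added example, not Mandiant's or the page's code: it pairs each Telegram claim with the nearest wiper execution in a window and reports which came first and by how much, normalising host-local timestamps to UTC first. Every claim and host event is constructed, and the 35-minute case only mirrors the sequencing the report describes; the assumed host time zone is Kyiv summer time (UTC+3).

```python
"""Order a persona's Telegram claims against wiper executions from host logs.

Added example, not Mandiant's or the page's code. Telegram exports carry UTC
timestamps; host logs are assumed to be naive local times in UTC+3. All data
below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

HOST_TZ = timezone(timedelta(hours=3))   # assumption: host clocks in Kyiv summer time


@dataclass(frozen=True)
class Claim:
    channel: str
    message_id: int
    posted_at: datetime          # tz-aware, UTC


@dataclass(frozen=True)
class HostEvent:
    host: str
    image: str
    executed_at: datetime        # naive local time, as written in the host log


@dataclass(frozen=True)
class Pairing:
    claim: Claim
    event: Optional[HostEvent]
    delta_minutes: Optional[int]   # execution time minus post time
    verdict: str


def host_time_to_utc(naive_local: datetime) -> datetime:
    """Attach the assumed host zone, then convert to UTC for comparison."""
    return naive_local.replace(tzinfo=HOST_TZ).astimezone(timezone.utc)


def sequence_claim(claim: Claim, events: List[HostEvent],
                   window: timedelta = timedelta(hours=6)) -> Pairing:
    """Pair one claim with the nearest wiper execution inside +/- window."""
    best, best_delta = None, None
    for event in events:
        delta = host_time_to_utc(event.executed_at) - claim.posted_at
        if abs(delta) <= window and (best_delta is None or abs(delta) < abs(best_delta)):
            best, best_delta = event, delta
    if best is None:
        return Pairing(claim, None, None, "unmatched")
    minutes = int(best_delta.total_seconds() // 60)
    verdict = "post_preceded_execution" if minutes > 0 else "execution_preceded_post"
    return Pairing(claim, best, minutes, verdict)


def sequence_all(claims: List[Claim], events: List[HostEvent]) -> List[Pairing]:
    return [sequence_claim(claim, events) for claim in claims]


def naive_delta_minutes(claim: Claim, event: HostEvent) -> int:
    """The wrong answer an analyst gets by subtracting clocks without normalising zones."""
    return int((event.executed_at - claim.posted_at.replace(tzinfo=None)).total_seconds() // 60)


# Constructed claims (a persona boasting of a disruption) and host events.
CLAIMS = [
    Claim("persona_A (constructed)", 1, datetime(2023, 4, 25, 8, 0, tzinfo=timezone.utc)),
    Claim("persona_A (constructed)", 2, datetime(2023, 5, 23, 10, 0, tzinfo=timezone.utc)),
    Claim("persona_A (constructed)", 3, datetime(2023, 6, 1, 9, 0, tzinfo=timezone.utc)),
]
EVENTS = [
    HostEvent("srv-01", "wiper.exe", datetime(2023, 4, 25, 11, 35)),   # 08:35 UTC, 35 min after claim 1
    HostEvent("srv-07", "wiper.exe", datetime(2023, 5, 23, 12, 10)),   # 09:10 UTC, 50 min before claim 2
]

if __name__ == "__main__":
    for pairing in sequence_all(CLAIMS, EVENTS):
        host = pairing.event.host if pairing.event else "-"
        print(f"msg {pairing.claim.message_id}: {pairing.verdict} host={host} delta={pairing.delta_minutes}")
```

Skipping the zone normalisation turns the 35-minute lead into an apparent 215 minutes, which is why the block keeps `naive_delta_minutes` only as a cautionary comparison.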
The Macron Leaks operation failed to sway voters to Le Pen because the hackers mis-timed the leaks to begin just before the “period of silence” and thus could not amplify them, while for its part the Macron team was primed for such a campaign and responded immediately “with crucial context and rebuttals.” The Macron team had even “planted fake e-mails with names such as David Teubey and Greg Latache, which would be instantly recognizable to a French audience as absurdist caricatures.” Finally, the leaked documents themselves were simply boring and failed to capture interest among French voters, according to the Atlantic Council.
Prospects for 2024
Although some of these Russian attempts at complex information operations failed, they show high-level coordination of efforts between the GRU hackers and Russian strategists who oversee state media reporting and social media campaigns. The 2016 US election interference likely originated with the Russian President himself, US Senate investigators found. It is unclear that efforts such as the Solntsepek campaign have such high-level backing; rather, as NattoTeam has argued, Russian influence operations often resemble throwing spaghetti at the wall to see what will stick. Putin’s speeches and state media set the tone and identify targets, and Putin loyalists compete to attack those targets, allowing Putin to deny direct involvement.
The Solntsepek actors, and even the GRU hackers themselves, likely seek to burnish their patriotic credentials by boasting of their achievements in disrupting and discrediting the Ukrainian government. It is unclear whether the claims and boasts of the Solntsepek Telegram channel, with its 22,000-odd subscribers, had any effect on audiences in Ukraine or elsewhere. They do, however, contribute to a constant hum of Russian propaganda portraying Ukraine as hopelessly corrupt, Nazi, and incapable of defending itself against cyber attacks. In one sense, their main audience may be their sponsors in Russia. Although propaganda by the Solntsepek cover persona may have had little effect, the Sandworm military hackers’ disruptive activities and information exfiltration do seem to have been a blow to Ministry of Regions computer systems — although not necessarily worse than the physical damage Ukrainian critical infrastructure has endured from Russian shelling.
Russian military hackers will likely attempt cyber-enabled information operations to influence elections in 2024, including a Ukrainian election scheduled for March (which might not happen, due to martial law conditions) and the November US election.
Researchers debate questions such as the effectiveness of various Russian propaganda messages on various audiences; how significantly AI might increase the risk of election disinformation; and whether Russian personnel for cyber and information operations are stretched to their limit or limitless. (NattoThoughts has discussed the changing ecosystem of Russia’s cyber threat actors here and here).
A New York Times analysis cited US officials’ weighing the risks that Russian influence efforts pose to the US election. Protective factors — such as increased skepticism toward claims on social media — weigh off against aggravating factors, such as the September 28 decision by the X (formerly Twitter) platform to disband a global disinformation monitoring team. In any case, the article concludes, Putin has a strong incentive to attempt to influence the US political discourse to reduce military support to Ukraine. For now, the actors behind personas like Solntsepek are glad to help.
In a subsequent report we explore the story of Solntsepek as part of JokerDPR’s network of hacktivist personas, looking at their division of labor, where they got their money and information, and their relationship with the state.
Appendix:
Solntsepek’s May 30 2023 “Achievements List”
Following is NattoTeam’s verbatim translation of Solntsepek’s May 30 posting (https://t[.]me/solntsepekz/807), with its list of claimed breaches, interspersed with translated comments from the list in dev[.]ua’s July 3 article, in italics:
On April 25 the hackers of the Solntsepek group carried out an attack on the Ministry of Development of Communities and Territories of Ukraine, obtaining access to all of the agency’s computers and paralyzing its work. Details of the attack are at this link!
April 25 — the local network of the Ministry of Community Development and Territories of Ukraine was hacked.
[The original article dev[.]ua published on July 3 included the alleged quote from the original April 25 zn[.]ua article, with a quote from Regions minister Kubrakov, criticizing CERT-UA and its Western partners]
[By July 5 the article had been updated to read as follows:] UPD [Update]. Previously, there was a quote from the Minister of Community Development Oleksandr Kubrakov. But it turned out that it was a Russian fake to discredit Ukrainian cyber services. That's why we removed the fake information.
On 11 and 16 May, Ukrainian providers that provide Internet to the Ukrainian military and to Ukrainian state enterprises came under our hammer. Details here and here.
BONUS: Ukraine’s Channel 24. “Channel 24 has come over to the side of Good and has published our appeal!!! Then Ukrainian journalist Dmitriy Gordon took its turn in the relay race and also published the results of our attack!!!”
May 11 - the "Channel 24" website was hacked. Then the Russians began promptly publishing fake news on the website with threats to President Volodymyr Zelenskyi and Ukrainians.
May 11 — attack on Ukrainian providers. According to the Russians, these were Citylan, Gigabit-net, UOS, UA Group, FiberNet and others. Providers Corbina Telecom and Znet reported hacking and mailing to users by Russian hackers.
May 16 — attack on the "Gordon" website. Then the editors temporarily lost access to the site's admin panel, due to which the attackers were able to post an anti-Ukrainian statement on the main page of the publication. The attack began at approximately 15:50 Kyiv time, but the website was restored at approximately 17:15.
On 23 May the Solntsepek group hacked a strategic enterprise of Ukraine’s defense-industrial complex—the Southern Mining and Processing Plant. As a result of the attack, the plant’s logistics and the production control and monitoring process were disrupted. Details of the attack here!
Bonus: the press service and leadership of the Southern Mining and Processing Plant tried to hide the effects of our cyberattack, but we published photos from cameras in the plant. Their work is AT A STANDSTILL!!!
May 25 [sic] — attack on the Southern Mining and Processing Plant. According to the statement of the Russian hackers, they managed to "destroy more than 30 servers and about 2,000 computers." At that time, the press service of the Ukrainian company stated that if there were any attempted attacks, they were repulsed, and all consequences were eliminated.
On May 25 we hacked ALL the district, municipal and regional administrations of Ukraine. As a result of our attack we successfully obtained all internal documents and all correspondence, in which we found ample confirmation of the TOTAL CORRUPTION at all levels of power in Ukraine. On the sites of the administrations was placed a photo of Zelensky in his usual CLOWN nose!!! You can read about the attack here!
[The dev[.]ua article did not mention this incident.]
[The dev[.]ua list also included the following incident, which occurred after the posting of Solntsepek’s list]: On June 14, hackers attacked the websites of “Suspilny” [referring to the National Public TV and Radio Company of Ukraine].
Subsequent Attacks Solntsepek Claimed
NattoTeam’s review of Solntsepek’s subsequent Telegram postings shows that it claimed more attacks on media and communications providers and on entities associated with Ukraine’s war effort, including the following:
June 20: Obolon, which supplies beverages to the military (t[.]me/solntsepekZ/872)
July 5: Ukraine’s State Statistics Administration (t[.]me/solntsepekZ/913) — with documents that they claim show proof of Korsun’s critical article of June 15
July 5: Regional administration website in Brovary (t[.]me/solntsepekZ/914)
July 31: Ukrainian communications providers SOHONet and RackPlace — with a claim to have stolen information about a military equipment provider (t[.]me/solntsepekZ/978)
July 31: Transko logistics company — with documents allegedly showing illegal grain shipments (t[.]me/solntsepekZ/977)
August 15: Ukraine’s military intelligence service’s strategic electronic intelligence system (t[.]me/solntsepekZ/1008)
August 31: Ukrinterenergo, a state-owned company that supplies electricity to national security-sensitive facilities (t[.]me/solntsepekZ/1051 – t[.]me/solntsepekZ/1060)
September 6: Several Estonian entities (t[.]me/solntsepekZ/1071). Solntsepek claimed that this was part of a “joint operation with the hackers Beregini, RaHDit, KILLNET, Zаря, JokerDPR, Вагнер, XakNet Team, NoName057, Black Wolfs, BEAR IT ARMY, Vосход, CyberArmyOfRussia_Reborn [Народная CyberАрмия], Patriot Black Matrix, DEADFOUD, Xecatsha, BEARSPAW, ZulikGroup, Anonymous Russia.”
September 27: Faust and Harnet Internet providers, which provide communications for Ukrainian military and regional administration entities
*Update Thursday December 14 2023: Solntsepek claimed responsibility for a major cyber attack on the systems of Kyivstar, Ukraine’s top mobile phone and Internet service provider, and posted screenshots purporting to show access to Kyivstar systems. The incident disrupted ATM service, credit card processing and missile alert systems in parts of the country, according to several media reports. Kyivstar CEO Oleksandr Komarov initially characterized the incident as “the largest cyberattack on telecom infrastructure in the world.” The Solntsepek Telegram post claimed to have “destroyed 10,000 computers, more than 4,000 servers, and all cloud storage and backup systems.” The SBU wrote on December 13, likely referring to Solntsepek, “One of Russia’s pseudo-hacker groups claimed responsibility for the attack. It is a hacking unit of the…GRU, which in this way publicly legalizes the results of its criminal activities.” A Kyivstar Facebook post urged customers not to panic and assured them their personal data is safe; it also stated “rumors about the destruction of our ‘computers and servers’ are fake”; it is unclear how this assurance squares with Kyivstar’s initial reports of extensive damage. The @Cyberknow20 account on X (formerly Twitter), which tracks groups like Solntsepek, predicted that Solntsepek would likely attempt to use the Kyivstar attack for additional “info ops” in order to “sow more societal chaos and also reduce confidence in kyivstar and, by extension, the Ukraine governments ability to provide and protect its people.” [Note: a Telegram channel calling itself “We Are New Killnet & Deanon Club,” fresh from a change in leadership at that group, posted on December 12, “Today we are back. An attack was carried out on Ukrainian mobile operators, as well as on some banks. Today we were just testing what our new colleagues are capable of….” (t[.]me/killnet/23). Some reports said this represented Killnet’s claim of responsibility for the Kyivstar attack. More likely it represented either an empty boast or a claim of responsibility on behalf of pro-Russian hackers more broadly. Part 2 of this report looks into Solntsepek’s relationship with Killnet.]
*Updated December 14 2023 to reflect Solntsepek’s claim of the Kyivstar attack.
Update November 4 2024: On July 19, 2024, the US Treasury Department imposed sanctions on Yuliya Vladimirovna Pankratova (Pankratova) and Denis Olegovich Degtyarenko (Degtyarenko), whom it identified as “the group’s leader and a primary hacker, respectively,” for their roles in Cyber Army of Russia Reborn activity against US critical infrastructure. The Treasury Department said CARR had begun in 2022 with “low-impact” DDoS attacks on Ukraine and its supporters. Since late 2023, “Using various unsophisticated techniques, CARR has been responsible for manipulating industrial control system equipment at water supply, hydroelectric, wastewater, and energy facilities in the U.S. and Europe.” In particular, “In January 2024, CARR claimed responsibility for the overflow of water storage tanks in Abernathy and Muleshoe, Texas, posting video of the manipulation of human-machine interfaces at each facility on a public forum. The compromise of the industrial control systems resulted in the loss of tens of thousands of gallons of water. Additionally, CARR compromised the supervisory control and data acquisition (SCADA) system of a U.S. energy company, giving them control over the alarms and pumps for tanks in that system. Despite CARR briefly gaining control of these industrial control systems, instances of major damage to victims have thus far been avoided due to CARR’s lack of technical sophistication.” In early May, Treasury said, Degtyarenko “developed training materials on how to compromise SCADA systems and was possibly looking to distribute the materials to external groups.”