Disrupt and Demoralize, Deniably, Part 2
Solntsepek Telegram Account Casts Light on Network of “Hacktivist” Assets Contributing to Russian Information Operations
This is Part Two of a study of Solntsepek (Солнцепёк), a Russian-speaking persona on the Telegram social media platform that Ukrainian cybersecurity officials have identified as a mouthpiece for Russian military hack-and-leak campaigns against Ukraine’s government. Part One of this report described the first major disruptive operation that Solntsepek claimed. This section looks at Solntsepek’s evolving role in a network of Russian-speaking hacktivist personas led by JokerDPR (Джокер ДНР), shedding light on the relationship between Russian intelligence services and the “hacktivist” personas they fabricate or co-opt.
Ukrainian cybersecurity official Viktor Zhora, in a June 21, 2023 interview, enumerated three types of people who “represent Russian offensive capabilities” and who often share tasks, targets and resources:
“hackers in uniform,” i.e. military or security agency employees;
cybercriminal groups that “coordinate activities with their chiefs in the Kremlin or wherever”; and
“activist groups who are competing for attention and funding of more official offensive units.”
Solntsepek and other members of the JokerDPR network clearly have some relationship with Russian state interests, including with hackers from Russia’s military intelligence service, the GRU. Circumstantial evidence (discussed further below) also suggests possible relationships or mutual support with the entities behind the anti-Polish so-called Ghostwriter campaign and the media empire of the Russian mercenary-propagandist entrepreneur Yevgeniy Prigozhin, who reportedly died in August 2023.
However, it is unclear whether these hacktivist personas belong in Zhora’s first category (fabricated personas invented as masks for uniformed hackers) or the third category (eager-beaver hacktivists whom the GRU co-opted to serve as mouthpieces but who also might have their own interests and problems).
This section looks at Solntsepek’s changing role in the JokerDPR network and its relationships with other hacktivist personas and with Russian military or intelligence services. Comparing Solntsepek with clearly invented personas such as Guccifer 2.0, on the one hand, and with co-opted independent entities such as Killnet on the other, the Natto Team finds evidence for both alternatives.
Solntsepek’s Role in JokerDPR’s “Retinue”: From Research Assistant to the Bigtime
Solntsepek, a Russian-language Telegram channel, began on April 25, 2022, a few months after the full-scale Russian invasion of Ukraine. As Ukrainian hacktivist Andriy Baranovych (who goes by the username “Sean Townsend”) put it, Solntsepek “is not a ‘group’, but the latest disguise (вивіска) of the GRU of the Russian Federation.”
Screenshot of Front Page of Telegram Channel, t[.]me/solntsepekZ, cached on October 11, 2023
The account name Solntsepek (Russian: Солнцепёк, also transliterated Solntsepyok), literally “Blazing Sun,” is the name of a thermobaric rocket launcher used since Soviet times. “Solntsepek” was also the name of a 2021 film sponsored by mercenary and information warfare entrepreneur Yevgeniy Prigozhin, whom the Natto Team has discussed in multiple earlier postings. The “Solntsepek” film, set in 2014, “featured mercenaries fighting to keep Ukraine’s government from committing genocide, [and] read more like a blueprint for the real invasion that occurred the following year,” in the words of one study. It is unclear whether the people behind the Solntsepek persona had the film in mind when choosing the name.
In line with its fiery name, the Solntsepek Telegram persona often ends its posts with “We will burn them to ashes.” The Solntsepek Telegram channel claimed 27,906 subscribers as of October 11, 2023.
On its Telegram front page, Solntsepek pictures the weapon and identifies itself as “Telegram channel of the database Solntsepek (hxxps://solntsepek[.]com), where data of all Ukrainian warriors, Nazis, and their leaders is leaked. For leaking the data of Ukrainian siloviki,” it adds, using a term referring to military and security personnel. The partner website constitutes a database of the doxxed soldiers. The website previously used the domain names solntsepek[.]info and solntsepek[.]org.
Solntsepek specializes in doxxing or “deanonymizing” Ukrainian soldiers, often referring to them as “Nazis” or “war criminals.” It resembles a pro-Russian counterpart to the long-standing Ukrainian group Myrotvorets, which posts data on pro-Russian figures. (Other Russian databases of Ukrainian leaders and other “war criminals” exist as well. One of them, named Nemezida, is an offshoot of the pro-Russian “hacktivist” group RAHDit. Another comes from a company called ANO Dialog, reportedly created with sponsorship by Sergey Kiriyenko [also spelled Kirienko], a top Russian official overseeing Russian-occupied territories of Ukraine).
The Solntsepek account’s style evolved over time. At first it used pictures of targeted Ukrainians that appeared to come from social media postings and depicted them in ordinary settings, in effect showing them in a sympathetic light. But in 2023 most of the pictures looked like mug shots of the subjects, usually in military uniforms. This may have been a choice designed to reduce the subjects’ humanity, or it may have reflected Solntsepek’s changing sources of information. Also of note: a seemingly disproportionate number of the people Solntsepek doxxes come from the territorial defense group of Ternopil region, an area in western Ukraine, far from the fighting; possible explanations for this appear in an appendix, below.
From Research Assistant...
In its first year, Solntsepek appeared to function as a sort of research assistant, taking orders from JokerDPR and doing open-source research to flesh out information that JokerDPR had first obtained. Solntsepek would post messages from JokerDPR’s Telegram channel in which JokerDPR provided an initial batch of information on a Ukrainian target along with a suggestion such as this one from June 30, 2022: “I think my followers from the Solntsepek database will look into this list” (t[.]me/JokerDPR/141). On July 25, 2022, JokerDPR provided basic information on several Ukrainian military officers and wrote, “I think that I will entrust my loyal followers from Solntsepek, who specialize in this kind of thing, with collecting more detailed information on them” (t[.]me/JokerDPR/148).
Solntsepek would follow up on these requests. On July 14, 2022, for example, Solntsepek said, “JokerDNR told us very interesting information on the most greedy accomplices of Ukrainian special services and asked us to find out their personal information. Your wish is my command.” Solntsepek’s message reposted a message in which JokerDPR had claimed, “My spies in the SBU (Ukrainian state security) have shared important information that will interest the Russian special services” and shared the names of three Ukrainians from then-occupied territories whom the SBU had allegedly recruited to spy on the Russian occupiers (https://t[.]me/solntsepekz/96). Soon thereafter, Solntsepek would post each person’s picture and information from their social media accounts.
Screenshot made September 29, 2023 from a Solntsepek Telegram posting dated July 14, 2022, t[.]me/solntsepekZ/96
Another persona who followed Solntsepek, and whom Solntsepek followed in turn (https://t[.]me/solntsepekZ/188), was “Unofficial Bezsonov” (@NeoficialniyBeZsonoV). This channel identified itself as belonging to Daniil Bezsonov, an official of the so-called “Donetsk People’s Republic” (DPR), a Russian-installed government in occupied eastern Ukraine. “Unofficial Bezsonov” noted in an August 23, 2022 posting, “The existence of databases like Solntsepek and Nemezida, which collect and publish the data of Ukrainian bastards, shows that our special services are working” (t[.]me/solntsepekZ/188), apparently implying that Russian or DPR intelligence services were involved in Solntsepek’s work. Nemezida (t[.]me/nemeZ1da_ru) describes itself as a “volunteer project of the RaHDIt team” dedicated to publicizing information about “modern-day Nazis and their accomplices.” RaHDIt (short for Russian Angry Hackers Did It) was one of the groups with which Solntsepek would later say it had cooperated on an operation. The fact that a DPR official praised Solntsepek and another of JokerDPR’s “followers” suggests ties with the DPR government, which we discuss more below.
...To the Bigtime
On April 25, 2023, exactly one year after Solntsepek’s founding, JokerDPR suddenly ushered it into the bigtime (t[.]me/solntsepekZ/696) with the announcement that Solntsepek had hacked Ukraine’s Ministry of Regions, as Natto Thoughts described in a previous posting. Interestingly, Solntsepek did not itself claim this hack; rather, the better-known account JokerDPR made the announcement, as if acting as a patron to this junior partner, using JokerDPR’s more established readership to boost Solntsepek’s audience.
Solntsepek’s “debut” occurred just two weeks after US-based cybersecurity company Recorded Future had profiled JokerDPR (characterizing it as a player in Russian information warfare “possibly with the coordination of the Russian state”) and just a week after Google’s Threat Analysis Group reported that Russian military hackers used the Telegram channel ‘CyberArmyofRussia_Reborn’ [Cyber Army of Russia Reborn, or CARR] to post data they had stolen. After this publicity, JokerDPR’s handlers possibly considered it too risky to have JokerDPR or CyberArmyofRussia_Reborn continue to serve as fronts for the military hackers. Ukraine’s Computer Emergency Response Team (CERT-UA) noted in a September 2023 report that Solntsepek had supplanted CyberArmyOfRussia_Reborn in this role. After its April 2023 “debut,” Solntsepek mentioned JokerDPR more rarely, suggesting it had “graduated” from its subordinate position in JokerDPR’s network.
JokerDPR and Their Network
Who is Joker DPR?
JokerDPR created its first Telegram channel on October 21, 2019. After being blocked in March 2022, JokerDPR reopened a second channel under the same name, Recorded Future reported in April 2023.
As of mid-October 2023 the JokerDPR channel claims nearly a quarter of a million subscribers.
Screenshot of front page of the JokerDPR Telegram account, cached October 19, 2023, https://web.archive.org/web/20231011021905/t.me/jokerdpr.
It has noisily claimed hacks of sensitive targets such as a Ukrainian military troop control system called Delta. Russian state media RIA Novosti cited JokerDPR in a May 2023 article claiming that Ukrainian commander-in-chief Valerii Zaluzhnyi was seriously wounded. Pro-Kremlin Russian news source Izvestia published an interview with the head of JokerDPR in September 2023.
Delusions of Grandeur
JokerDPR describes themselves as “not a person, not a group, but an idea.” Recorded Future’s profile assesses that JokerDPR is a group of people “that is reliant upon a coordinated human infrastructure of Ukrainians who sympathize with Russia and like-minded threat actors to gather the sensitive information that the group publishes.” JokerDPR basked in this attention, gleefully citing that article in a post on April 21, 2023, saying “The research department of Recorded Future, a major American private intelligence company specializing in cybersecurity, highly rated my contribution to the humiliation of the Ukrainian clowns and their American bosses. Joker is an idea, which is called to swallow up and change this lying world.”
JokerDPR has delusions of grandeur. JokerDPR described themselves on June 17, 2022 as the “suzerain” of a group of “my hackers.” JokerDPR sometimes mentions another account called “Vassal of the Joker,” which appears to be a sort of mirror account, reposting JokerDPR’s own postings (https://tgstat[.]ru/channel/@vassal_of_the_Joker). JokerDPR often uses rhetorical flourishes, such as the “delicate strings of my intellect,” to emulate the “unstable genius” personality of the Joker character in the Batman stories.
JokerDPR refers to Solntsepek as one of “my followers.” Solntsepek took orders from JokerDPR, at least during its first year of existence, as described above. A few weeks after ushering Solntsepek into the bigtime, on May 14, 2023, JokerDPR wrote, “All of you know that my hackers are the most productive in the world....my ambitions are growing, and my hackers have decided to increase their team and are declaring a recruitment of volunteers into our cyber-troops. Those who are selected will learn to manage world chaos and will create history together with Joker. And will be able to earn a little bit. Send your resume here @harley_quinn_resume_bot. And remember, it’s not about money at all. A-ha-ha-ha-ha-ha-ha-ha...” (The reference to Harley Quinn is a nod to a sidekick of the Joker character in Batman stories).
JokerDPR as a retired-criminal-turned-hacktivist?
Vlad Horohorin (a.k.a. BadB), originally from the Donetsk region of Ukraine, served time in a US prison for credit card theft, was deported to Israel in 2017, and went to work with a cybersecurity consulting company that employs Russian ex-hackers. His Telegram page t[.]me/s/cybersecs currently features a Ukrainian flag, suggesting sympathy with Ukraine. Posting on November 1, 2022, after JokerDPR claimed the attack on the Delta system, Horohorin speculated that JokerDPR was the new identity for “Joker’s Stash,” a credit card seller who claimed to retire after international law enforcement seized its servers in 2021. Horohorin hypothesized that the Joker’s Stash actor may have moved to the DPR and rebranded itself as JokerDPR because the “law of the jungle” reigns there; Joker would face less pressure from Russia’s Federal Security Service (FSB) than he would in Russia (t[.]me/s/cybersecs/1571). Recorded Future’s Levi Gundert conjectured in May 2023 that, if JokerDPR really did represent Joker’s Stash coming out of retirement, then this criminal-reborn-as-hacktivist might also revive his financial fraud activity as well. (The Natto Team is unaware of any revival of Joker’s Stash-related fraud activity as of mid-October 2023, although members-only “jokerstash” websites do exist in the .at (Austria) and .su top-level domains).
Network Includes Well-Known Pro-Russian Hacktivist Personas
In a June 17, 2022 posting (t[.]me/JokerDPR/124), JokerDPR boasted of being on a list that the Ukrainian Defense Ministry’s IPSO [information and psychological special operations] office maintains of “the top 5 most dangerous [social media] resources.” JokerDPR continued, “Besides your suzerain Joker, some of my followers are on the list: the hacker group Beregini; the Telegram channel ‘Khersonskiy vestnik [Kherson Herald],’ the database ‘Nemezida,’ and the database ‘Solntsepek.’” JokerDPR repeated a favorite phrase, adding a characteristic crazy-person flourish: “Joker is not a person and not a group of people. Joker is an idea that is being spread throughout the whole world and in arithmetic progression increases the army of enemies of the Ukrainian clown regime. It’s crazy—it’s like gravity—you just have to set it off. Ah-ha-ha-ha-ha-ha-ha-ha....”
The Atlantic Council’s Digital Forensic Research (DFR) Lab, in a late-2022 profile of JokerDPR’s network, identified other accounts that the JokerDPR Telegram account mentioned between March 2020 and August 2022. JokerDPR postings mentioned Solntsepek, Beregini, and Khersonskiy vestnik, i.e. some of the same organizations JokerDPR counted as its followers in the June 17 post. Additionally, Recorded Future has reported that JokerDPR has claimed to cooperate with hacktivist accounts named “Sprut”, “Limma”, and the famous “Killnet” (discussed further below).
By September 6, 2023, JokerDPR and Solntsepek would claim to have cooperated with an even broader range of pro-Russian hacktivists to target countries that support Ukraine. JokerDPR’s Telegram posting on September 4 read “My hackers and I decided to join in a united attack on accomplices of the Ukrainian clowns who support the Kyiv regime from outside. We are: JokerDPR, Beregini, RaHDIt, Killnet, Zаря, Wagner, XakNet Team, BEAR.IT.ARMY, NoName057(16), Black Wolfs, Vосход, Cyber Army of Russia (Народная CyberAрмия), Patriot Black Matrix, DEADFOUD, Xecatsha, BEARSPAW.” JokerDPR listed two Lithuanian websites that it claimed “my hackers” had defaced: a Cadillac dealership and an encyclopedia.
JokerDPR’s post also linked to an article in Kremlin-friendly Russian news source Izvestia. This article cited claims of an even broader coalition, saying that between 16 and 30 pro-Russian hacker groups had united to attack Polish and Baltic sites with varying levels of severity, ranging from parking meters up to a Latvian police database. Izvestia cited “exclusive commentary” from JokerDPR and other participants. JokerDPR boasted, “There are no limits to Russian patriots....my hackers will get into absolutely every vulnerable place.” Asked about a breach of parking meters, which one of their group had apparently claimed, JokerDPR argued that this action was significant because it paralyzed transport infrastructure and showed Europeans that their well-being was illusory.
Two days later, Solntsepek posted about this broad anti-Baltic hacktivist campaign, adding its own boasts. Solntsepek’s September 6 post (t[.]me/solntsepekZ/1071) read, “The hacker group Solntsepek continues a massive attack on the information resources of the Baltic region! As part of a joint action together with hackers from Beregini, RaHDit, KILLNET, Zаря, JokerDPR, Wagner, XakNet Team, NoName057, Black Wolfs, BEAR IT ARMY, Vосход, Народная CyberАрмия, Patriot Black Matrix, DEADFOUD, Xecatsha, BEARSPAW, ZulikGroup, and Anonymous Russia, our team carried out a DDoS attack on government sites of various municipalities of Estonia.” This operation against foreign countries appears to be a change from Solntsepek’s former focus solely on Ukraine.
Hacktivist personas in this network support each other by reposting each other’s work. For example, on May 16, 2023, the Telegram channel of hacktivist persona “CyberArmyOfRussia_Reborn” [CARR] reposted an item from the Solntsepek group’s channel, claiming an attack on Kyiv Internet providers. The reposting suggests that the two groups were cooperating.
Post from Solntsepek, reposted on the Telegram channel of CyberArmyofRussia_Reborn, May 16 2023
Division of Labor in JokerDPR’s Network
Different members of the network fulfilled different functions. Killnet, for example, often targeted foreign supporters of Ukraine (more on Killnet later). For its part, with the exception of the joint anti-Baltic campaign of September 6, 2023, the Solntsepek account focused on targets within Ukraine.
Troll-and-Kill List
One function of the Solntsepek channel was as a troll-and-kill list. The channel provided the information it had collected on Ukrainians and called on its Telegram subscribers—presumably fellow pro-Russians—to troll or even do them physical harm. Solntsepek would write, “friends, say hello to these people...” (t[.]me/solntsepek/675) or “I don’t think he’ll survive until his next big birthday...” as in the following examples:
In a posting from July 6, 2022 (t[.]me/solntsepekz/73), for example, Solntsepek focused on a Ukrainian fighter named Artem. Listing details of the fighter’s biography, Solntsepek snidely noted, “He was never married and has no girlfriend (maybe he is waiting for the legalization of same-sex marriages),” then concluded, “You can send your ‘good wishes’ to Artem via Telegram....we will post the most original ones in the channel. Our prognoses on Artem’s life: he won’t live until his next big birthday. We sent the lowdown on him to the necessary places, and they have assured us that he will not end up in the list of prisoners,” implying that Russian forces or occupation officials would kill him rather than capture him.
The reference to “the necessary places” suggests that Solntsepek and JokerDPR were identifying targets for the Russian military or security services. Solntsepek explicitly claimed on occasion to have shared stolen documents with Russian security structures and media (t[.]me/solntsepekZ/1008). JokerDPR and Solntsepek sometimes say information they have found “will interest” the special services (t[.]me/JokerDPR/144) or has been given to “interested” security agencies (t[.]me/solntsepekZ/1008).
On April 14, 2023, Solntsepek posted (t[.]me/solntsepekZ/675), “Hello friends. We followed up on a tip from JokerDPR on people from the Ukrainian project Victory Drones, who specialize in training drone operators and in the purchase and repair of UAVs.... Each one has at least two telephone numbers and a bunch of social media pages, so we will be glad if you tell them hello from project Solntsepek.” The list includes the name of Masi-Mustafa Nayyem, an Afghanistan-born lawyer and soldier in the Ukrainian army whose brother Mustafa Nayyem set off the Euromaidan movement in 2013 and now serves as deputy head of the Ministry of Regions, as the Natto Team reported previously.
On June 21, 2022, JokerDPR claimed that a purported Ukrainian security service insider was outrageously asking bribes of $5000 each for scanned copies of agent case files (t[.]me/JokerDPR/132). JokerDPR asked Solntsepek to expose this person publicly. Solntsepek duly did so, adding that the man “is now an enemy to all. It is interesting, who will get to him first?” (t[.]me/solntsepek/35).
Propaganda to Ukrainians Under Occupation and In the Trenches
Solntsepek also promoted pro-Russian propaganda aimed at Ukrainian soldiers and at civilians under Russian occupation, such as in parts of Kharkiv and Kherson. On November 2, 2022 Solntsepek introduced Radio Zhizn [lit. “Radio Life”], reposting the station’s promotional blurb: “Radio Zhizn is not just a project. For some, it is a real opportunity to save and preserve themselves. For Ukrainian citizens, Zhizn is information that Ukrainian media won’t tell you. For Ukrainian soldiers, Zhizn is a real opportunity to avoid death in the trenches. For the curious, Zhizn is news and chat. Make the right choice, make a sound decision” (t[.]me/solntsepekZ/335).
Screenshot of posting from Solntsepek Telegram channel, November 2, 2022, t[.]me/solntsepekZ/335
The description suggests Radio Zhizn is the Russian occupiers’ answer to Ukraine’s “I Want to Live” hotline, which encourages Russian soldiers to surrender and save their lives.
Returning the favor, on May 17, 2023 Radio Zhizn praised Solntsepek for breaching and defacing websites of regional administrations throughout Ukraine. Radio Zhizn’s message said, “Our comrades from the Solntsepek project have declared a real cyberwar against all of Ukraine and we simply have no right not to support them” (t[.]me/solntsepekZ/755).
Screenshot of posting on Solntsepek Telegram channel, reposting from the Radio Zhizn channel, May 17, 2023, t[.]me/solntsepekZ/755
Solntsepek reposted items from the “Kharkov Narodnyy [People’s Kharkov]” Telegram account. One of these, dated May 24, 2023, in honor of the “first anniversary of the creation of the Military-Civilian Administration of Kharkov Oblast!”, tried to put a good spin on what had happened since Russia occupied that region. The posting, complete with a video, cited “humanitarian aid” and social payments that it said the Russian occupation authorities had provided. It ended, “Whatever happened, there is only one outcome! We will liberate OUR dear Russian Kharkov Oblast from Nazi yoke! We will rebuild everything that has been destroyed and will establish a peaceful life once and for all!” (t[.]me/solntsepekZ/774). Kharkov Narodnyy postings about supposed Ukrainian misdeeds often end with the phrase, “Do you need this kind of Ukraine?”
The April 25, 2023 operation against Ukraine’s Ministry of Regions, described in our previous posting, suggests a certain division of labor in complex hack-and-leak operations, with an apparent coordination of messages to preserve deniability while spreading the message to several different audiences. The JokerDPR and Solntsepek Telegram channels, likely aimed at Ukrainians who lived in occupied territories or harbored sympathies to Russia, portrayed themselves as hacktivists uncovering Ukrainian corruption and misdeeds. At the same time, according to Ukrainian officials, the people who originated the campaign (apparently the Sandworm group of Russian military hackers) also fed to Ukrainian media a story that falsely cited the minister as criticizing CERT-UA and its foreign partners. The Ukrainian officials say the Russian threat actors were seeking to discredit CERT-UA. This division of labor amplified for multiple Ukrainian and global audiences an image of the Ukrainian government as weak, insecure and divided.
JokerDPR’s Network and Russia’s Information-War Ecosystem
As mentioned above, JokerDPR’s network contains familiar names of “hacktivist” personas that multiple analysts have identified as receiving support or taking direction in some way from Russian special services. Ukrainian officials doubt that independent idealistic hacktivism exists in Russia at all. Rather, Ukrainian cybersecurity official Illia Vitiuk said in April 2023, “More than 90% of all cyber attacks targeting Ukraine are either conducted by special services or by state sponsored groups,” and Russian officials use the threat of arrest to pressure Russian cybercriminals into cooperating with them against Ukraine. (For more on these evolving communities of Russian “patriotic” cybercriminals and the “carrots and sticks” that the Russian government can use to induce cooperation with Russian intelligence, see earlier Natto Thoughts postings.) The JokerDPR network’s sources of information and possible funding, as well as other clues, flesh out the contours of its relationship with Russian government entities, but also raise new questions.
Sources of Information: Ukrainian Intelligence Insiders or Russian Military Hacker Hauls?
Recorded Future assessed that JokerDPR is a group of people “reliant upon a coordinated human infrastructure of Ukrainians who sympathize with Russia and like-minded threat actors to gather the sensitive information that the group publishes.” Knowing what we do about Solntsepek’s role as a mouthpiece for the Russian military hacker group Sandworm, we consider here whether they really obtained their information from pro-Russian Ukrainians, or whether their information may instead have come from uniformed Russian hackers.
It is unclear where JokerDPR obtained the leads that it supplied to Solntsepek. The information, often comprising birthdate, passport number and date, registered address, taxpayer ID, telephone number, and email address, resembles the kind of official information that might have come from a leaked Ukrainian government or subscriber database, and could have come either from corrupt Ukrainian insiders or from Russian hackers. Cybersecurity researchers at DarkOwl have compiled information on numerous leaks of Ukrainian databases in the 2021-2022 period; several databases available on the underground site RaidForums and on the Telegram channel DB Leaks, for example, contain information like passport and taxpayer ID numbers.
JokerDPR’s postings often referred to “my people in the SBU,” referring to Ukraine’s state security service, implying that JokerDPR had sympathetic inside sources in the SBU who were selling him information on Ukrainians. The problem of infiltration of the SBU was real, as Russian agents allegedly sought to place pro-Russian spies within the SBU. On July 17, 2022 Zelensky sacked his SBU chief and the Prosecutor General and said, “more than 60 employees of the prosecutor’s office and the Security Service of Ukraine remained in occupied territory and were working against the state.”
The Solntsepek persona also implied that all of its operations drew on sympathetic insiders at target organizations. Its postings about breaches of Ukrainian entities usually end with the phrase, “p.s., thank you to the people who care in the [name of victim organization],” implying that they had inside help (t[.]me/solntsepekZ/778, t[.]me/solntsepekZ/846).
Recorded Future assessed that JokerDPR’s claims of having inside sources within the Ukrainian government might or might not be true: they write, “The documentation appears to be authentic, suggesting that part of Joker DPR’s human infrastructure may be embedded within the Ukrainian government or military. Conversely, Joker DPR may simply exaggerate the involvement of Ukrainian actors in its infrastructure as part of a greater attempt to undermine public faith in Ukrainian government and military institutions.”
Another possible source of JokerDPR’s leads is Russian intelligence services.
In an April 15, 2023 posting, JokerDPR referred to a “sponsor” who “showed the so-to-speak holey computers in the office of clown Zelensky.” (Спонсор показа [sic], так сказать, дырявые компьютеры офиса клоуна Зеленского) (t[.]me/JokerDPR/422). The term “sponsor” in the US often refers to a government entity that provides tasking to a contractor; JokerDPR’s use of the term suggests the possibility that it receives nonpublic information, as well as tasking and funding, from someone in the Russian government.
As mentioned above, “Unofficial Bezsonov” (@NeoficialniyBeZsonoV), whose author identified themselves as DPR official Daniil Bezsonov, wrote that the existence of Solntsepek and other databases of Ukrainian “bastards” “shows that our special services are working” (t[.]me/solntsepekZ/188), apparently implying that Russian or DPR special services were involved in the obtaining of data or in Solntsepek’s work.
Whispergate Kill Lists?
One possible Russian intelligence source of leads for JokerDPR’s network is the Whispergate campaign. As mentioned in the previous Natto Thoughts posting, initial reports claimed that the Russian hackers who attacked the Ministry of Regions in April 2023 had taken advantage of data from a January 2022 attack. This likely refers to Whispergate, a wiper-and-exfiltration-and-defacement attack from January 14, 2022 that the UK, EU, US and others have attributed to Russian military hackers. As the Natto Team has reported elsewhere, the Whispergate campaign targeted some 70 Ukrainian government sites with data exfiltration, data wiping, and website defacement. Soon after that attack, dark web user “FreeCivilian” offered to sell information on millions of Ukrainians as well as data from 48 Ukrainian government domains. FreeCivilian is one of the ostensibly hacktivist groups that the GRU has integrated into its wiper-and-information-operations “playbook,” Mandiant’s term described in our previous post.
Ukrainian officials have surmised that Russian strategists used data on Ukrainian citizens, stolen during Whispergate, to create “kill lists.” A report the UK’s Royal United Services Institute (RUSI) published in February 2022, just days before the invasion, citing Ukrainian military and intelligence officers, said Russia’s FSB had used Whispergate-derived information in its invasion plan. Russian strategists planned to use the information to identify potential collaborators and identify anti-Russian individuals for arrest or assassination, the report said. Indeed, several pro-Ukrainian social media accounts tweeted in April 2022 that during the Russian occupation of the Kyiv suburb of Bucha, the Russians “worked according to pre-prepared lists. They were looking for veterans of... law enforcement agencies, owners of hunting weapons. The order was to liquidate when found. Where did they get all the lists with names and addresses – this is a question!” The Whispergate campaign provides one possible answer.
The data with which JokerDPR and Solntsepek doxxed Ukrainians may have originated from leaks like those that followed the Whispergate campaign rather than, as JokerDPR claimed, SBU insiders. Russian strategists may have originally intended to use the data during an intended occupation of Ukraine, but after their all-out offensive failed, they may have fallen back on revealing the data little-by-little via the Solntsepek Telegram channel for demoralizing effect. Solntsepek’s doxing activity might be what Ukrainian hacktivist Andriy Baranovych (Sean Townsend) referred to as “Plan B” when he said, "...’Plan A’ was that after a week-long blitzkrieg (Ukraine will fall - ed.) they will start a counter-guerrilla war. That is why "Solntsepek" publishes "deanons", these were supposed to be kill lists. Since they didn't have any "plan B", they continue to do the same thing and try to change their tactics."
Update January 9 2024: CERT-UA Details JokerDPR Followers’ Phishing Tactics:
On December 19, 2023, CERT-UA provided details on the modus operandi of JokerDPR “followers,” “aimed at obtaining unauthorized access to the accounts of the Google, Ukr.Net, and Outlook mail services, as well as EXMO and Binance cryptocurrency exchanges. To implement the malicious plan, the attackers use Tucows / Namecheap registrars to create distinctive domain names and corresponding web pages imitating legitimate services. Subsequently, the links are distributed via e-mail, including from legitimate compromised accounts. If access is obtained, mail correspondence and files are downloaded from storage, after which, using the received data, an infomercial is prepared with subsequent publication of distorted information.”
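The CERT-UA notice above describes the attacker side of the operation: registrar-created domain names that imitate legitimate mail and exchange services, delivered by e-mail. The defender-side counterpart is triage of the links that arrive at a mail gateway. The following is an added example written for this article, not CERT-UA's or the campaign's code. It scores each link's hostname against a list of legitimate service domains using three heuristics that cover the lookalike styles the notice implies: a brand name embedded in a longer hostname, a name that becomes identical to the brand once punctuation and digit-for-letter substitutions are normalised, and a name within a small edit distance of the brand. The legitimate-domain list, the homoglyph map and the log lines are all constructed for the example; a production version would resolve registrable domains with a public-suffix list rather than the naive last-two-labels rule used here.

```python
"""Lookalike-domain triage for mail-gateway URL logs (added example, not CERT-UA code)."""
import re
from urllib.parse import urlparse

# Registrable domains of the services named in the CERT-UA notice (assumed list).
LEGIT = {"google.com", "ukr.net", "outlook.com", "exmo.com", "binance.com"}

# Digits commonly substituted for letters in lookalike names (illustrative map).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})

# Constructed mail-gateway log lines; the url= field is the link found in the message.
SAMPLE_LOG = [
    "2023-12-19T09:14:02Z from=alerts@accounts.google.com url=https://accounts.google.com/signin",
    "2023-12-19T09:15:40Z from=support@binanse.com url=https://binanse.com/2fa",
    "2023-12-19T09:16:11Z from=no-reply@mail.ukr-net.com url=https://ukr-net.com/login",
    "2023-12-19T09:17:55Z from=security@0utlook.com url=https://0utlook.com/owa",
    "2023-12-19T09:18:30Z from=helpdesk@google.com.account-verify.example "
    "url=https://google.com.account-verify.example/",
    "2023-12-19T09:19:02Z from=news@example.org url=https://example.org/",
]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance via a rolling row of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(value: str) -> str:
    """Accept a bare hostname or a full URL and return the lower-cased hostname."""
    if "://" not in value:
        value = "http://" + value
    return urlparse(value).hostname or ""


def registrable(host: str) -> str:
    """Naive registrable domain: last two labels (use a public-suffix list in production)."""
    return ".".join(host.split(".")[-2:])


def squash(name: str) -> str:
    """Normalise for comparison: drop punctuation, map look-alike digits to letters."""
    return re.sub(r"[^a-z0-9]", "", name.lower()).translate(HOMOGLYPHS)


def assess(value: str) -> dict:
    """Return a verdict (legitimate / lookalike / unknown) and the reasons behind it."""
    host = host_of(value)
    reg = registrable(host)
    if reg in LEGIT:
        return {"host": host, "registrable": reg, "verdict": "legitimate", "reasons": []}
    host_sq, reg_sq = squash(host), squash(reg)
    sld_sq = squash(reg.split(".")[0])  # second-level label, e.g. "binanse"
    reasons = []
    for brand in sorted(LEGIT):
        brand_sq, label_sq = squash(brand), squash(brand.split(".")[0])
        # 1. identical once normalised: "0utlook.com", "ukr-net.com", "outlook.org"
        if reg_sq == brand_sq or sld_sq == brand_sq or sld_sq == label_sq:
            reasons.append(f"normalises to {brand}")
        # 2. brand used as a subdomain of, or inside, an unrelated domain
        elif label_sq in host_sq:
            reasons.append(f"brand {brand} embedded in hostname")
        # 3. one or two typos away from the brand label (short labels are skipped)
        elif len(label_sq) >= 4:
            limit = 1 if len(label_sq) < 8 else 2
            d = levenshtein(sld_sq, label_sq)
            if 0 < d <= limit:
                reasons.append(f"edit distance {d} from {brand}")
    verdict = "lookalike" if reasons else "unknown"
    return {"host": host, "registrable": reg, "verdict": verdict, "reasons": reasons}


def triage(lines) -> list:
    """Run assess() over every url= field in the log lines."""
    results = []
    for line in lines:
        m = re.search(r"url=(\S+)", line)
        if m:
            r = assess(m.group(1))
            r["url"] = m.group(1)
            results.append(r)
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['verdict']:<10} {r['host']:<40} {'; '.join(r['reasons'])}")
```

Anything marked "lookalike" is a candidate for blocking or analyst review; "unknown" domains are simply not on the allow-list and need reputation data the gateway already has. The brand-embedded heuristic is deliberately greedy (it would also flag a hostname such as exmoor.example because it contains "exmo"), so it is a triage signal rather than a verdict on its own.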
Where Does the Money Come From?
On June 21, 2022, JokerDPR claimed that a corrupt SBU official was asking $5000 each for scanned copies of agent case files (t[.]me/JokerDPR/132). Whether or not this claim has any basis in reality, and even if $5000 is an outrageous amount, it implies that JokerDPR normally pays at least hundreds of dollars to corrupt Ukrainian officials for each piece of information. In addition, when JokerDPR declared on May 14, 2023 that it was recruiting people, it promised to pay them. Where does that money supposedly come from? JokerDPR’s apparent largesse raises the question of whether it has powerful backers, such as a Russian intelligence service or a patriotic information warfare “entrepreneur.”
This appearance of largesse contrasts with the scrounging that other hacktivist personas had to do. Killnet leader Killmilk, by late 2022, was pleading for support from Russian officials or business sponsors, and by 2023 was reportedly resorting to extortion and hacking-for-hire to earn money.
As mentioned above, in an April 15, 2023 posting, JokerDPR referred to a “sponsor” who “showed the so-to-speak holey computers in the office of clown Zelensky” (t[.]me/JokerDPR/422). JokerDPR’s use of the term “sponsor” suggests the possibility that it receives tasking and funding, as well as nonpublic information, from someone in the Russian government.
“Donetsk People’s Republic” Propaganda Machine
Part of JokerDPR’s name refers to the Russian-installed “Donetsk People’s Republic” in occupied eastern Ukrainian territory since 2014. Recorded Future hypothesized that JokerDPR has some connection to that region, while ex-hacker Horohorin speculated that JokerDPR may be the former carder Joker’s Stash who fled to the DPR.
JokerDPR’s network appears to have fit into a well-developed DPR-based propaganda machine linked to the post-2014 Russian-installed separatist “governments” in the region. In 2017 BBC Russia profiled (English summary here) a pro-Russian Ukrainian nicknamed Daliant Maximus, who served as a software coder and propaganda video creator for the "Ministry of State Security" and “Interior Ministry” (MVD) of the "Donetsk People's Republic." According to the BBC report, Daliant made a brash claim about CyberBerkut, an anti-Ukrainian hacker group that the UK government, the US Senate Intelligence Committee and NATO have identified as a pseudo-hacktivist persona that is controlled by or coordinates with the GRU. Daliant claimed that CyberBerkut was “a ‘division’ of the MVD of the DPR,” using initials referring to the “Interior Ministry” of the Russian-installed separatist government there. The CyberBerkut group itself must not have objected to Daliant’s claim, because his videos appear on CyberBerkut-controlled social media. Daliant’s claim that this persona was subordinate to the Russian puppet government in the DPR seems strange, since CyberBerkut activity also took place elsewhere in Russia. The BBC article also hypothesized links between this “propaganda machine” in Donetsk and the Internet Research Agency (IRA) in St. Petersburg, the troll farm that the mercenary/propagandist Yevgeniy Prigozhin controlled, and which Natto Team has discussed here and here.
In any case, this DPR propaganda machine was “deanonymizing” Ukrainian fighters as early as 2017. Daliant “also declared that he leaked the personal details of Ukrainian soldiers to a hacker group,” the BBC wrote. It is unclear whether those propaganda efforts by a local showman in 2017 had any relationship with personas like JokerDPR in 2023, but the 2017 article shows that computer and information experts from Donetsk region do play some role in Russian information operations.
Other Russia-linked hacker groups also reportedly reside in the contested eastern regions of Ukraine. For example, a cyber threat group that targeted Ukrainian government entities between 2014 and at least 2019 also reportedly registered the domain name for the “Ministry of State Security” of the so-called Luhansk People’s Republic (LPR), suggesting it performed IT services for that “ministry.” That same threat group has targeted Ukrainian government entities with the open-source QUASARRAT and the RATVERMIN malware, which in some cases launched the publicly available Hidden Tear ransomware to encrypt files on the victim system. The Russian-style modus operandi of this threat group – seemingly combining espionage with destructive malware – and its association with one of the Russian-installed separatist governments add plausibility to the above-mentioned claim by Daliant that a security agency in the DPR had ties with the GRU-linked hacker group CyberBerkut.
As mentioned above, JokerDPR is often mentioned by the Telegram accounts of ChVK Media, WarDonbass, and “Unofficial Bezsonov,” reportedly the account of a DPR official. These suggest ties with Yevgeniy Prigozhin’s propaganda empire, as further explained below, and with the DPR government.
*Update December 1, 2023: In a November 30 article, the Center for European Policy Analysis (CEPA) analyzed Russia’s propaganda campaign targeting residents of Ukrainian territories occupied since February 2022. Finding few local media workers willing to collaborate, the Russian occupiers brought in people from Russia or from the previously occupied DPR and LPR. A Russian state TV executive opened a media school to train young residents in journalism and blogging. In addition to these supply challenges, the occupiers have also faced demand challenges; pro-Russian Telegram channels attempting to show the occupation in a positive light have found few subscribers. “‘More people are subscribed to the ‘official’ Telegram channels of the [Russian-appointed] governors’, [Ukrainian journalist Serhii Nikitenko] said. ‘At least there they can find the information needed for living in the occupied territories’. The Russians exploit these subscriptions by posting propaganda material on the channels alongside official notifications.” This CEPA report helps put into context the interaction of the Solntsepek and JokerDPR accounts with those of Radio Zhizn, “Kharkov Narodnyy [People’s Kharkov],” “Khersonskiy vestnik [Kherson Herald],” and DPR official Bezsonov. If the person behind the JokerDPR account is indeed from the DPR, they may be one of those people tasked with nurturing new propaganda cadres in the occupied territories.
Ties with Other Russian State Hackers and Information “Entrepreneurs”
Analyses of the JokerDPR network have also found possible ties with another Russia-linked state campaign, Ghostwriter, and with the media empire of Russian mercenary/propagandist Yevgeniy Prigozhin.
Ghostwriter:
Mandiant has reported that in mid-2022 JokerDPR and Beregini apparently coordinated with Ghostwriter, a hacking and disinformation campaign that focuses on undermining Poland and its support for Ukraine. The Atlantic Council’s DFRLab concurred in tentatively linking JokerDPR and Beregini with Ghostwriter. (Note: Mandiant has demonstrated Ghostwriter’s association with the Belarusian government. However, technical aspects and strategic features of Ghostwriter additionally suggest ties with the Russian military hacker groups APT28 and Sandworm, as Recorded Future has pointed out. Recorded Future hypothesized that GRU hackers or other Russian government entities may have used Belarusian territory or infrastructure, or provided training or conducted joint operations with Belarusian personnel, in Ghostwriter-related operations. More discussion of the attribution of Ghostwriter appears here.)
Prigozhin Media Empire
The 2017 BBC Russia study hypothesized that entities involved in the DPR propaganda network at that time may have had ties with Prigozhin’s IRA troll farm. More recently, according to DFR research, JokerDPR has also received publicity from another part of Prigozhin’s “galaxy”: the Telegram account called CHVKMedia, which apparently manually reposted JokerDPR posts hundreds of times during the 2020-2022 period. It is unclear how close this relationship was. JokerDPR’s and Solntsepek’s postings did not noticeably change after Prigozhin’s failed mutiny of June 23-24, 2023 and the subsequent disbanding of Prigozhin’s media assets, suggesting they are not extremely close. As mentioned above, the 2017 BBC report hypothesized ties between Prigozhin’s propaganda empire and the GRU-linked CyberBerkut “hacktivist” persona. Finally, the persona name Solntsepek resembles the name of a Prigozhin-produced film, which again might reflect general admiration for the solntsepek cannon’s fiery image rather than conscious reference to that film or to Prigozhin.
Cover Personas: Cooptation or Fabrication:
As mentioned above, Ukrainian cybersecurity official Viktor Zhora, in a June 21 2023 interview, enumerated three types of people that “represent Russian offensive capabilities” and share tasks, targets and resources: “hackers in uniform,” cybercriminal groups that “coordinate the activities with their chiefs in the Kremlin or wherever,” and “activist groups who are competing for attention and funding of more official offensive units.”
Expert opinions differ on whether particular hacktivist personas are identities that uniformed hackers, such as the GRU hacker groups Sandworm and APT28, have fabricated, as they allegedly did with Guccifer 2.0 and DCLeaks in the 2016 US presidential election. Alternatively, are some of these personas independent criminal or hacktivist groups that GRU hackers coopt as deniable cover for data leaks? Ukrainian hacktivist Andriy Baranovych (Sean Townsend) suspects that Solntsepek is an unsophisticated group now under Sandworm’s control, acting as “an ‘affiliate’ for smaller work that is smaller-scale than that of its ‘senior colleagues’.”
Mandiant reaches a similar conclusion about some groups that resemble Solntsepek. It assesses that the moderators of the well-known group Xaknet either are GRU officers themselves or work directly with them. However, Mandiant also surmises that some pro-Russian “hacktivist” groups contain ordinary people who merely “coordinate” with the uniformed hackers: “It seems likely that some or all the users engaged with these channels are Russian-speaking civilians who are not intelligence officers. It is possible that the hundreds of users engaged with these channels are inauthentic, though we judge that to be unlikely.”
A look at examples of the two extremes — Killnet as an independent activist group and Guccifer 2.0 as a purely fabricated identity — shows that Solntsepek shares similarities with both.
Killnet: You Can’t Make This Stuff Up
The well-known pro-Russian hacktivist entity Killnet likely falls into Zhora’s third category — a real activist group seeking attention and funding from state officials, rather than an empty persona fabricated by uniformed hackers. Killnet has boasted of massive DDoS operations against countries that support Ukraine. The Telegram channels of the Killnet group and its sometime leader “Killmilk” show such ups and downs that it is hard to envision them as completely fabricated sock-puppet accounts.
Killnet began as a petty criminal group, selling DDoS tools, but appears to have joined the Russian patriotic cause after the 2022 full-scale invasion. During 2022, Killnet’s Telegram postings included boasts of attacks on Ukraine’s supporters, the announcement of the appointment of a ransomware criminal to its leadership, and pleas for Russian officials to give it attention and funding. On May 1, 2023, Killnet (now calling itself a private military company, implying it was a cyber counterpart to Prigozhin’s Wagner group) announced its third restructuring. According to @Cyberknow20, a widely cited Twitter account that tracks hacktivist operations, Killnet has claimed it now includes “4 divisions of specialists of different levels....former cyber criminals....former colonels from various special services (not only from Russia). Today we are ready to offer our fatherland not only protection, but also a system for eliminating intruders of various levels around the world.” Killnet said it would charge prices for such attacks, depending on their complexity.
Killnet represents a criminal-turned-patriotic-hacker entity that has to keep proving its patriotism, through attacks on Ukraine and its friends, and also paying the bills. Killnet may have a direct relationship with Russian military or security officials; it seemed to have inside information on the February 24 full-scale invasion even before the invasion occurred.
Killnet’s DDoS attacks, including on many US health services, are loud but not necessarily very destructive, experts say. However, Killnet has also been attempting to extort targets as one of many funding methods, Bleeping Computer wrote in August 2023, citing Israeli research company Kela. In 2023 alone, according to that report, Killnet “set up a hack-for-hire service in March 2023, announced a new DDoS-for-hire service in July 2023, and launched a 'Dark School' training program selling nine hacking courses to interested hackers in May 2023” as well as announcing “a cryptocurrency exchange platform that charged a service rate between 3-4%.” Other methods for helping hacktivist groups stay afloat, according to Kela, include “stealing and selling data, selling malware and botnet licenses, demanding ransom from victims, or even offering hack-for-hire services aimed at targets with no political significance.”
*Update November 24 2023: On November 21, 2023, Kremlin-friendly Russian publication gazeta[.]ru said groups of pro-Russian hacktivists had grown “fed up” with Killnet leader Killmilk [also spelled Kilmilk] and deanonymized him (hxxps://www.gazeta[.]ru/tech/2023/11/21/17878753.shtml). They claimed he is really Nikolay Nikolayevich Serafimov, born 16 May 1993, married, and rumored to have formerly served time for drugs. His ex-associates say Serafimov is good as a "brandmaker" and "blogger/info-gypsy," but technically weak. The list of hacktivist groups gazeta[.]ru cites — "Dark Femida (which claims to be a publication about cybercrime), Abbadon, NET-WORKER, ForceDDoS, CyberArmy_coordinator, Leader_russ, Stumer_Patriot, Legit_hubb, BTC and not only." Except for “CyberArmy_coordinator,” the other groups are distinct from the groups that allegedly joined with JokerDPR and Solntsepek in the above-mentioned September 2023 attacks on Baltic countries. Commenting for gazeta[.]ru, self-proclaimed hacker-turned-cybersecurity-expert Pavel Sitnikov hypothesized that Killmilk was brought down by "gang war between overseers" over funding "in the context of the possible formation in Russia of an official cyber army." (He used the term “razborki,” which the Natto Team discussed here). Russia’s digital minister had recently spoken of creating a cyber army within the Russian Defense Ministry, but cyber-geopolitics analyst Oleg Shakirov says this talk of a cyber army has been going on for years and has never led to anything. Note that, according to gazeta[.]ru, the “Dark Femida” publication (which could be loosely read as “Dark Justice”) is led by one Petr Vrublevskiy, who may be the son of Pavel Vrublevskiy, a Russian businessman who has served time for cyber crimes; Pavel Vrublevskiy does have a son named Petr, who has attracted scandal in the past. Verifying gazeta[.]ru’s claims will require further research.
In some ways, like Killnet, Solntsepek resembles the third category, the eager-beaver actor in the ecosystem Zhora named. At the same time, in Killnet the category of activist spills over into Zhora’s second category, that of criminal.
Fabrication?
Other evidence suggests Solntsepek could be a complete fabrication by elite GRU hackers.
The date of Solntsepek’s creation, April 25, 2022, could simply be part of a spontaneous wave of patriotic/opportunist hackers, or alternatively it could suggest that Russian GRU hackers deliberately created the persona. In April 2022, Russian military hackers and their cover personas had experienced setbacks. The US government and Microsoft had taken down GRU websites and a botnet; on April 12 ESET and CERT-UA announced the discovery of Sandworm’s latest version of industrial malware; and on April 20, US, UK, Canada, Australia, and New Zealand cybersecurity authorities issued a joint advisory titled “Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure” that listed both APT groups and “Russia-aligned” criminal groups, with the latter including hacktivist personas Killnet and Xaknet. The public uncovering of these Russian state tactics and groups may have pushed the GRU to create new personas for deniability.
Even after its creation, the Solntsepek account did not start posting until June 2022. Then Solntsepek spent a year doing small-time doxxes, under JokerDPR’s tutelage, before being used as a mouthpiece for the MinRegion hack. This is similar to the actions of GRU hackers in 2016, when they created the DCLeaks website themselves and “created a DCLeaks Facebook page using a preexisting social media account under the fictitious name ‘Alice Donovan’,” according to the US Justice Department. The Alice Donovan persona, impersonating an American investigative journalist, first published in February 2016. The GRU had apparently created the account at least four months before using it to leak stolen US Democratic Party files in 2016. (For more detail on Guccifer 2.0 and Alice Donovan, as well as Russian state hackers’ creation of other fictitious personas, see this report from the Carnegie Endowment, a US-based think tank).
The Solntsepek Telegram account also provides little news of human interest, simply providing the announcements of the latest doxx or defacement with brief comments, unlike the more voluble Killnet. In addition, the Solntsepek website bears the notation “support our project,” with a number that appears to be a Bitcoin address. According to blockchain.com, this address has never received any donations.
All of this suggests that there may be no independent actor behind the Solntsepek account.
Combined Fabrication and Cooptation?
The mix of real activists and fabricated personalities becomes more complicated as Russian intelligence services increasingly “franchise” or farm out information operations to authentic-sounding voices. As Natto Team showed in the report "Troll Humor," a Russian operation thought to be tied to Prigozhin’s IRA troll farm created false personas with the purpose of coopting real people. The operatives created English-language websites – PeaceData, slanted to the political left, and NAEBC, slanted to the right. They posed as English-speaking editors and recruited native English-speaking freelance writers under false pretenses. Some of the freelancers expressed surprise and shock when they learned that the “editors” who recruited them were IRA-created fake personas with profile photos generated by artificial intelligence. (More analysis of the PeaceData campaign appears here.)
Conclusion
Disinformation researchers at organizations such as Graphika, the Stanford Internet Observatory, the Atlantic Council’s DFR Lab and the Center for Countering Digital Hate have developed sophisticated techniques for detecting and tracking false social media accounts and networks using clues such as creation dates, fake pictures, and cross-platform activity. Specialists have developed frameworks with names like DISARM, RICHDATA, AMITT, and the Online Operations Kill Chain to help organizations detect and counter false social media personas and information operations.
As international conflicts continue and the 2024 elections in the US and elsewhere approach, officials and experts have warned about misleading artificial intelligence-generated “deepfakes” and discussed whether artificial intelligence will “supercharge the age of disinformation.” Digitally altered images have already appeared in political contests in the US and in Turkey. Inauthentic accounts with AI-generated profile pictures amplified misleading messaging pegged to the East Palestine rail disaster, and falsified images purporting to depict an explosion at the Pentagon caused stock markets to dip briefly, both mentioned here. Misinformation and disinformation have also characterized online discussions of the October 2023 conflict between the Palestinian group Hamas and Israel, as BBC journalist Shayan Sardarizadeh has shown.
How can ordinary users detect false social media personas and messaging? As we wrote in our first report, “Putin: The Spy As Hero,” a good start is the mnemonic SIFT, a reminder to “Stop, Investigate the source of information, Find better coverage, and Trace claims, quotes and media to the original context.” An image search tool can show whether pictures really depict what the authors say they do or were borrowed from other settings.
How can you detect an audio or video deepfake? A May 2023 article provides survival tips for ordinary people. Examples include:
“Have a secret code word that every family member knows, but that criminals wouldn't guess,” in case someone synthesizes the voice of a loved one.
“look for certain clues on video calls, including their supposed paramour blinking too much or too little, having eyebrows that don't fit the face or hair in the wrong spot, and skin that doesn't match their age….”
“Ask the other person in the video call to turn their head around and to put a hand in front of their face….deepfakes often haven't been trained to do them realistically.”
Appendix:
Why Ternopil?
An unscientific tally of Solntsepek postings suggests the channel disproportionately features soldiers of the territorial defense unit in Ternopil, a town in western Ukraine that is far removed from the battle lines. This attention may have several causes.
1) It furthers the messaging that brands Ukrainians as Nazis; Ternopil attracted negative attention in 2021 by naming a stadium for a Nazi-allied Ukrainian militia leader. Solntsepek’s postings on Ternopil territorial defense personnel often refer to them as “Volkssturm,” using a Nazi term for a national militia.
2) The disseminating of information on the Ternopil territorial defense could reflect Russian aspirations for a new front line—this time pitting Ukraine against its current ally Poland. Putin has occasionally broached the idea of dividing up Ukraine between Russia and Poland, including a statement on July 21 2023 that a nationalist Russian commentator characterized as “100% an invitation to divide up Ukraine...along the Zbruch,” referring to a river separating the Khmelnytskyy and Ternopil regions of Ukraine.
3) Solntsepek actors may simply happen to have abundant information on Ukrainians in Ternopil and may have been releasing the information, regardless of its military value, to keep its readers’ attention.
*Updated November 25 2023 with report of deanonymization of Killnet leader Killmilk. Updated December 1 2023 with new information on Russia’s propaganda network in occupied Ukrainian territories.
Update November 4 2024: On July 19, 2024, the US Treasury Department imposed sanctions on Yuliya Vladimirovna Pankratova (Pankratova) and Denis Olegovich Degtyarenko (Degtyarenko), whom it identified as “the group’s leader and a primary hacker, respectively,” for their roles in Cyber Army of Russia Reborn activity against US critical infrastructure. The Treasury Department said CARR had begun in 2022 with “low-impact” DDoS attacks on Ukraine and its supporters. Since late 2023, “Using various unsophisticated techniques, CARR has been responsible for manipulating industrial control system equipment at water supply, hydroelectric, wastewater, and energy facilities in the U.S. and Europe.” In particular, “In January 2024, CARR claimed responsibility for the overflow of water storage tanks in Abernathy and Muleshoe, Texas, posting video of the manipulation of human-machine interfaces at each facility on a public forum. The compromise of the industrial control systems resulted in the loss of tens of thousands of gallons of water. Additionally, CARR compromised the supervisory control and data acquisition (SCADA) system of a U.S. energy company, giving them control over the alarms and pumps for tanks in that system. Despite CARR briefly gaining control of these industrial control systems, instances of major damage to victims have thus far been avoided due to CARR’s lack of technical sophistication.” In early May, Treasury said, Degtyarenko “developed training materials on how to compromise SCADA systems and was possibly looking to distribute the materials to external groups.”