Hacktivists in the DUMPS in Solidarity With Ukraine
Pro-Ukrainian hackers are a little down in the DUMPS these days—the DUMPS cybercriminal forum, that is, which encourages cyberattacks against Russia and Belarus.
“Information services, leaks or other services on our forum are allowed in relation to only two states, these are the Russian Federation and Belarus,” a mission statement on the forum stated. “Topics that mention other countries are not allowed. This is the main rule of our forum.”
DUMPS was established in late May 2022 and looks much like any other cybercrime forum, featuring “a section for trading illicit material, carding, malware and establishing accesses to targeted networks,” researchers at Digital Shadows wrote in a blog identifying and detailing the forum. “At present, this forum is open to members without any vetting or registration process, however, there is an ongoing request for an invite system that may become the main method of gaining access if the forum builds its notoriety.”
Support of Ukraine’s efforts to repel Russia after the February invasion is what sets the DUMPS apart from other forums. The war waged by Putin has divided the cybercriminal community with actors choosing sides based on their “backgrounds, political beliefs, or other nationalistic drivers,” the researchers explained. “Some internet users have taken it on themselves to take an active role in the conflict, targeting Russian organizations with targeted data breaches, distributed denial of service (DDoS) attacks, and defacement activity.”
By taking that “unique position,” DUMPS has put a target on its back. “If the forum develops into a well-known and successful project, it will likely become a target of counter activity from Russia-supporting cybercriminals,” the researchers said.
“The brazen nature of the forum is perhaps best emphasized by the forum administrator actually posting their location, which points to a residential apartment in Kyiv,” they explained. “The roof of the building contains an insult towards Vladimir Putin, which if you want to run through Google translate, go right ahead: ‘путин хуйло.’ We’ve no idea if this location is actually the admin’s home, however, it emphasizes the spirit of defiance and resistance in which the forum is built.”
Much of what goes on in the forum, Digital Shadows said, is aimed at sharing data leaks, advertising DDoS attack services, forged and stolen identity documents and anonymous and bulletproof hosting services. It includes sections for trading initial accesses, carding, instant messaging and social networks and spam, though researchers said they were empty. “By far the largest section of the forum is the ‘Leaks’ section, in which users shared data stolen from Russia-based government and private institutions,” the researchers wrote. “This includes several well-known and important Russian government institutions and utilities providers.”
Users can order DDoS attacks through a DDoS-as-a-service offering on the forum, with attacks ranging from 500 Gbps Layer 4 attacks, priced at $80 per hour for a one-hour attack or $500 for 24 hours, to Layer 7 DDoS attacks priced at $600 for 24 hours.
“DDoS attacks and defacement activity have returned in a major way since the onset of the war, which has largely been committed by an army of hacktivist actors operating on behalf of both sides of the conflict,” the researchers said, noting that “DUMPS Forum—and indeed similar forums in the future—have a big role to play in this hacktivist resurgence, with hacktivism having significant success” in disrupting and sabotaging Russian entities.
“There isn’t necessarily an uptick in DDoS attacks; these are commonly advertised on other Russian- and English-language cybercriminal forums,” said Roman Faithfull, cyberthreat intelligence analyst. “However, given that some of the content on DumpForums appears directed at actors with a low level of technical proficiency, DDoS-as-a-service (DDoSaaS) offerings will likely be of interest to anti-Russian beginner hacktivists as they do not require a high level of technical knowledge to request, only capital.”
Probiv, or information services, for Russian and Belarusian government agencies, financial institutions and mobile network carriers, is a centerpiece of DUMPS. Probiv is a “service offered mainly on Russian-language cybercriminal platforms in which a user provides a piece of personal data belonging to an individual and—in return for a fee—receives other information associated with this target,” like a quid pro quo of sorts, the researchers said.
Among the items found in this section are details from Russian platforms, information gleaned from wanted lists, criminal records, data on ticket sales for transportation out of Russia and lists of citizens with illegal weapons.
“In addition to Ukrainian patriotic hackers, this list also suggests that the administrators and users of DUMPS Forum are also highly interested in Russian partisans, or individuals within Russia who are sympathetic to their cause,” according to Digital Shadows; this is information Russia wants to prevent its citizens from accessing. According to DUMPS Forum, the forum has been banned for any individual within Russia.
The researchers noted that by providing content “almost exclusively written in Russian,” which at first blush may seem “odd” given the forum’s anti-Russia stance, the forum may limit its reach. But it “likely represents the forum’s goal of targeting members within the Russian Federation—who likely do not speak Ukrainian—while also appreciating that almost every Ukrainian will speak Russian either fluently or to a good level,” they said. “While there are some posts translated to English, the contents of the site will likely not be accessible to non-Russian speakers.”
As the forum grows, its profile will likely be raised and that might bring unwanted attention. “We’ve seen previously rival cybercriminal forums attempting to take each other down through targeted data breaches or DDoS activity,” Digital Shadows said. “While some content is reportedly hidden from public view, all content can be viewed if you have an account and ‘like’ the post if you want to view a download link.”
The forum has already drawn the attention of Russian intelligence. “The Russian government announced that it had blocked access to DUMPS on its territory on June 10, 2022. In response, the forum administration created a .onion domain for the platform,” Faithfull said. “In addition to gaining attention from the Russian state, it is likely that the forum and its users may become a target for pro-Russian hackers.”
Some members are also pushing for an invite-only system due to concerns about operational security risk.
The Digital Shadows researchers expect DUMPS Forum to play an “important role” in the Ukrainian war “as a hub for hacktivists and patriotic cyberthreat actors, as a symbol of resistance and making a demonstrable difference on the cyber battlefield.” And it may very well inspire others to follow suit.
“DumpForums is still in its early stages, but already has a small but active and enthusiastic userbase,” said Faithfull. “Time will tell whether the forum continues to grow, though it does already have sections dedicated to more financially motivated cybercrime, such as carding and initial accesses, though these remain empty at the time of writing.”