Exploring the People’s Cyber Army of Russia: Hacktivists or State-Sponsored Threat?


Posted on: 29 Aug 2024 | Author: Foresiet
At Foresiet, we closely monitor emerging cyber threats and geopolitical cyber conflicts. One of the most intriguing players in this landscape is the People’s Cyber Army of Russia, also known as the Cyber Army of Russia Reborn. This group has become a significant force in Russia's hacktivist scene, conducting disruptive activities against various countries.

But is this group a mere hacktivist movement or a sophisticated state-sponsored threat actor? Let’s delve into their origins, operations, and recent developments.

Who is the People’s Cyber Army of Russia?

The People’s Cyber Army of Russia is a prominent group within the Russian hacktivist scene, involved in cyber threat activities that extend far beyond Russia's borders. Their operations are characterized by a strategic use of DDoS attacks, along with other disruptive tactics, aimed at damaging critical infrastructure and financial systems of their adversaries. Most notably, the group has been linked to several attacks on Ukraine, underscoring its role in the ongoing cyber conflict that shadows geopolitical tensions in the region.

The Cyber Army of Russia’s origins are reportedly embedded within the broader landscape of Russian cyber warfare, a domain historically marked by denial of service attacks, disinformation campaigns, and other disruptive actions.

The group’s activities reflect a continuation of tactics seen in earlier Russian cyber operations, such as the notable attacks on Estonia in 2007 and during the Russia-Georgia conflict in 2008, where Russian state actors, including the GRU (Russia’s military intelligence agency), played prominent roles.

Pro-Russian Cyber Alliances

Within the pro-Russian cyber landscape, two notable alliances have formed: High Society and the Holy League.

  • High Society: This coalition includes several prominent pro-Russian hacker groups, such as the Cyber Army of Russia, UserSec, and NoName. Known for their coordinated cyberattacks against Western targets, High Society operates with political and ideological motivations aligned with Russian interests. Recent attacks on Italian companies highlight their growing capability and collaborative approach in targeting Western critical infrastructure.
  • The Holy League: This broader coalition encompasses various pro-Russian hacktivist groups. While it employs simpler tactics like defacement and DDoS attacks, the scale of these attacks can be significant due to the large number of participating groups. Despite their basic methods, the collective power of the Holy League’s attacks can cause substantial damage.

Recent Developments and the Case of Pavel Durov

Recently, the People’s Cyber Army of Russia has been involved in a controversy that links cyber activities with broader geopolitical conflicts.

Pavel Durov, the co-founder and CEO of Telegram, was detained by French authorities in connection with an investigation into criminal activity on the instant messaging platform.

In response, the People’s Cyber Army targeted pro-Russian hackers who began launching attacks on French organizations, including government websites, as part of their retaliatory campaign.

This incident highlights the fluid and often reactionary nature of cyber warfare, where hacktivist groups can quickly mobilize to support or retaliate based on unfolding geopolitical events.

The involvement of prominent figures like Durov further complicates the narrative, suggesting a broader network of influence and the potential intersection of cyber activities with corporate and governmental spheres.

Hacktivist Movement or State-Sponsored Actor?

While the People’s Cyber Army of Russia exhibits many traits of a hacktivist movement—such as decentralized operations and ideologically driven attacks—their sophisticated tactics, strategic targets, and alignment with Russian geopolitical interests raise questions about potential state sponsorship.

The group’s activities align closely with Russian state objectives, particularly in their choice of targets and timing, which often coincide with broader political or military maneuvers.

Moreover, the participation of the Cyber Army of Russia in coordinated alliances like High Society and the Holy League points to an organized and potentially state-supported effort to leverage cyber operations as a tool of national strategy. This blurring of lines between hacktivism and state-sponsored cyber warfare is a hallmark of modern cyber conflicts, where nation-states may leverage or even directly control hacktivist groups to achieve strategic objectives without overt attribution.

The Evolution of the Cyber Army of Russia’s DDoS Capabilities

The Cyber Army of Russia has developed its own DDoS tool, building upon the Aura-DDoS code previously utilized by the Killnet Group.

This evolution demonstrates the group’s growing technical sophistication and strategic adaptations.

Inside the DDoS Tool: Modified Aura-DDoS Code

The Cyber Army of Russia’s DDoS tool is a modified version of the Aura-DDoS tool, known for its effectiveness in attacks carried out by the Killnet Group.

The tool’s availability for Microsoft, Linux, and Android platforms ensures that it can be widely deployed, increasing its impact and accessibility for various users within the Cyber Army of Russia. The modifications enhance its capabilities and align the tool with the group’s specific needs.

User Manual and Multi-Platform Availability

Accompanying the DDoS tool is a 3-page user manual, guiding users on deploying the tool across various operating systems, including Microsoft, Linux, and Android. This accessibility expands the tool’s reach and ease of use among different platforms.

Technical Capabilities: Bypassing Cloudflare Protections

A standout feature of the DDoS tool is its ability to bypass Cloudflare’s reverse proxy protections, including Under Attack Mode (UAM), CAPTCHA challenges, and Bot Fight Mode (BFM).

Additionally, it offers network and transport layer DDoS capabilities, enhancing its disruptive potential.
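If challenge-based protections can be bypassed, a passed challenge no longer indicates a legitimate visitor, so request rates from already-cleared clients still need checking at the origin. The sketch below is an added example, not from the original post or from Foresiet: a sliding-window check over constructed log lines, where the log format, the `cleared=` field, the thresholds and the documentation-range IP addresses are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample():
    """Constructed log lines: '<ISO time> <client IP> <path> cleared=<0|1>'.
    'cleared' is an assumed field, e.g. derived at the origin from the presence
    of a challenge-clearance cookie such as Cloudflare's cf_clearance."""
    base, lines = datetime(2024, 8, 29, 10, 0, 0), []
    def add(ip, path, cleared, count, step_ms):
        for i in range(count):
            t = base + timedelta(milliseconds=step_ms * i)
            stamp = t.isoformat(timespec="milliseconds")
            lines.append(f"{stamp} {ip} {path} cleared={cleared}")
    add("203.0.113.50", "/search", 1, 120, 100)  # cleared, then 10 requests/s
    add("198.51.100.7", "/news", 1, 6, 10_000)   # ordinary browsing after a challenge
    add("192.0.2.9", "/", 0, 50, 50)             # never cleared the challenge
    return sorted(lines)  # fixed-width timestamps, so text order is time order

def parse(line):
    ts, ip, path, flag = line.split()
    return datetime.fromisoformat(ts), ip, path, flag == "cleared=1"

def flag_cleared_floods(lines, window_s=10, max_requests=30):
    """Return {ip: peak request count in any window} for challenge-cleared
    clients that exceed max_requests within window_s seconds."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        ts, ip, _path, cleared = parse(line)
        if not cleared:
            continue  # uncleared traffic is left to the edge challenge
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop requests that fell out of the window
        if len(q) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

if __name__ == "__main__":
    for ip, peak in flag_cleared_floods(build_sample()).items():
        print(f"{ip}: {peak} challenge-cleared requests within 10 s")
```

In practice the thresholds would be tuned per endpoint, and flagged clients fed into rate limiting or a re-challenge rather than an outright block.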

Connections to Killnet and the Legion-Cyber Spetsnaz

The tool’s code heritage traces back to the Aura-DDoS tool used by the Killnet Legion-Cyber Spetsnaz squads. This connection underscores the collaborative and evolving nature of pro-Russian cyber groups in enhancing their cyber warfare capabilities.

Conclusion

The People’s Cyber Army of Russia represents a complex and evolving threat in the cyber domain, operating at the intersection of hacktivism and state-sponsored activity. Whether acting independently or as an extension of Russian state interests, their actions underscore the growing role of cyber operations in modern geopolitical conflicts. As the cyber landscape continues to evolve, the activities of groups like the People’s Cyber Army of Russia will likely remain a key area of concern for governments and organizations worldwide.

Understanding the motivations, alliances, and tactics of such groups is essential for developing effective countermeasures and protecting critical infrastructure from the growing threat of politically motivated cyberattacks.

