Check Point Software has released its observations around the current conflict in Eastern Europe.
CPR says it is closely monitoring Telegram throughout the current Russia-Ukraine conflict, documenting a 6-fold increase in Telegram groups themed on the war on the day Russia invaded Ukraine. CPR has characterised these groups into three:
- Flash News and Updates (71% of groups observed)
- Hacking\Hacktivist groups targeting Russia (23%)
- Ukraine donation requests (4%)
- Other subject relating to the conflict, some non-active and have no users (2%)
Characteristics and Examples of Group A: Flash News/Updates
- Very active
- Thousands of messages a day, 24/7
- Report unedited, non-censored feeds from war zones
- Share unverified and possible misinformation
Figure 1. Live news channel “Russia vs. Ukraine Live news” with over 110K users on Telegram
Figure 2. Ukraine War report channel, with over 20K users on Telegram
Characteristics and Examples of Group B: Hacktivists Targeting Russia
- Comprise of hackers, IT professionals, and other “IT fans”
- Groups are used to coordinate attacks and decide targets
- Groups assist each other in executing attacks and sharing results
- Some groups consist of over 250,000 users
- DDoS most common attack request, followed by SMS and call-based attacks
Figure 3. A shout out for SMS and call-based attacks on Russian targets
Figure 4., the “Mark” group is calling users to attack Russian websites, providing URL’s.
Characteristics and Examples of Group C: Donations Scams
- Most donations ask for cryptocurrency
- Groups have tens of thousands of users
- Many groups are suspicious and likely fraudulent
Figure 5. Group raising funds through Bitcoin and Ethereum accounts – Over 20k Users
Figure 6. Ukraine Donation Support Group on Telegram
Quote: Oded Vanunu, Head of Products Vulnerabilities Research at Check Point Software:
“Telegram has become a digital forefront of the conflict, where people are choosing sides online. We’re seeing people from all corners of the world organizing themselves and resources to support either Russia or Ukraine. Some groups are coordinating cyberattacks to target Russia. Other groups are serving as information and news hubs to report a raw side of the war. And other groups are requesting funds to either support Ukraine or commit fraud. All in all, we’ve seen a 6-fold surge in Telegram groups themed on the Russia-Ukraine war the day Russia invaded Ukraine. I strongly recommend people to watch their Telegram activity closely and the types of people you may come in contact with. There’s a side on Telegram looking to take advantage of supporters of either Ukraine or Russia. Right now, we’re sharing what we see on Telegram and our initial observations. We’ll continue to monitor Telegram activity in the weeks ahead.”
Cyber Safety Tips for Telegram Users
- Don’t press random links. Don’t press on links that have origins unfamiliar to you, especially in times of crisis and extreme circumstances. Criminals might leverage and exploit the situation to try steal credentials, private details and other personal information by sending out malware or phishing links.
- Beware of suspicious requests. If a message from an unknown source makes a request or a demand that seems unusual or suspicious, this might be evidence that it is part of a phishing attack.
- Think twice before sending money. Sending money to unknown sources requesting assistance may often result in fraud. Beware with whom you are communicating and what kind of information you are being asked to provide. Social media messages is not the platform for large financial transactions, especially to unrecognised sources.
- Verify your sources. Consume news feeds and seek “truth” from reliable sources that you can trust.