EvilWeb
Location | Russia
Date of Initial Activity | 2024
Suspected Attribution | Hacktivists
Motivation | Hacktivism
Software | Website
Overview
EvilWeb is a pro-Russian hacktivist group that emerged in March 2024, quickly establishing itself as a prominent player in the world of cyberattacks. The group operates with a dual focus on hack-and-leak tactics and distributed denial of service (DDoS) attacks, employing a strategy that combines data exfiltration with disruption efforts. The group’s primary motivation stems from its alignment with pro-Russian narratives, particularly in response to geopolitical events. While EvilWeb’s activities are still relatively new, the group has rapidly gained attention for its aggressive campaigns targeting both Western and European entities. The group’s involvement in the #FreeDurov operation, launched in response to the arrest of Telegram CEO Pavel Durov, showcased its growing influence in the hacktivist community.
One of the key characteristics of EvilWeb is its focus on data leaks, where the group claims to have obtained sensitive information from high-profile organizations, particularly in the U.S. and European sectors. Along with leaking data, EvilWeb has carried out DDoS attacks, aiming to disrupt the availability of critical services and websites. This blend of cyberattacks enables the group to not only make a statement through data breaches but also cause real-world disruptions. By targeting government agencies, airport services, and critical infrastructure websites, EvilWeb’s operations can have both symbolic and tangible effects on their targets. The group’s use of Telegram as a communication platform has made it easier for them to rally supporters and showcase their attacks.
Common targets
Information
Public Administration
Retail Trade
France
Attack Vectors
Web Browsing
How they operate
Data Exfiltration and Leak Tactics
One of the core elements of EvilWeb’s technical approach is data exfiltration, used in conjunction with its hack-and-leak tactics. The group targets high-value organizations, with a specific focus on government agencies, critical infrastructure, and large corporations in the U.S. and Europe. After gaining unauthorized access to the systems of these entities, EvilWeb exfiltrates sensitive data, which can include anything from internal communications to personally identifiable information (PII) and financial records. Unlike traditional data theft, EvilWeb combines exfiltration with public leaks, publishing stolen data via platforms like Telegram and sometimes on dark web forums. The motivation behind this dual strategy is both to embarrass the targeted organizations and to further the group’s political agenda by exposing sensitive information that causes reputational damage.
EvilWeb has shown expertise in infiltrating organizational infrastructures using a combination of social engineering, phishing, and exploitation of vulnerabilities in outdated or misconfigured software. Once inside the network, the group typically deploys tools to escalate privileges, allowing it to gain deeper access to critical systems. Its attacks often include exploiting known vulnerabilities or zero-days, or leveraging brute-force attacks to bypass authentication systems. Once access is secured, the group can move laterally within the network, gathering data to exfiltrate and setting up tools for later stages of the attack.
DDoS Attacks: A Mechanism for Disruption
In addition to their data leaks, EvilWeb is heavily involved in distributed denial of service (DDoS) attacks, which are designed to overwhelm the target’s network infrastructure and render their websites and services inaccessible. To launch these attacks, EvilWeb uses a variety of botnets and compromised devices to generate massive traffic volumes aimed at crashing the servers of their targets. DDoS attacks are often used in tandem with their hacking operations to create immediate disruption, rendering websites temporarily inoperable while the group publishes their stolen data.
EvilWeb has been reported to use sophisticated techniques in launching DDoS attacks, including volumetric attacks, protocol attacks, and application layer attacks. These types of attacks allow the group to choose the most effective means of disrupting the target, depending on the vulnerabilities they have discovered within the network. In addition to the traditional use of botnets, EvilWeb has been known to exploit cloud services and content delivery networks (CDNs) to amplify the effects of their DDoS campaigns.
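The three DDoS classes named above call for different mitigations (upstream scrubbing for volumetric floods, SYN cookies for protocol floods, per-client rate limits for application-layer floods), so a defender's first job is to tell them apart. The triage below is an added example, not tooling attributed to EvilWeb or to any real sensor; the record format, the 10-second window and the thresholds are assumptions to be tuned against a service's own baseline.

```python
"""Triage per-source traffic counters into the DDoS classes a defender
must distinguish: volumetric, protocol (half-open TCP SYN flood) and
application layer (HTTP request flood against a few endpoints)."""
from collections import defaultdict

# Constructed per-source counters as a flow collector or WAF might emit
# them over one window. Sample data only, not real telemetry.
WINDOW_SECONDS = 10
SAMPLE_RECORDS = [
    # src, bytes seen, SYNs never completed, HTTP requests, distinct paths
    {"src": "203.0.113.5", "bytes": 9_000_000_000, "syn_only": 10, "http_requests": 40, "distinct_paths": 30},
    {"src": "198.51.100.7", "bytes": 2_000_000, "syn_only": 60_000, "http_requests": 0, "distinct_paths": 0},
    {"src": "192.0.2.9", "bytes": 5_000_000, "syn_only": 2, "http_requests": 12_000, "distinct_paths": 1},
    {"src": "192.0.2.44", "bytes": 300_000, "syn_only": 1, "http_requests": 25, "distinct_paths": 12},
]

# Assumed thresholds per second; every value here is a placeholder to be
# replaced by the service's measured normal traffic.
VOLUMETRIC_BPS = 500_000_000   # ~4 Gbit/s sustained from a single source
SYN_ONLY_PER_SEC = 1_000       # handshakes left half-open (no final ACK)
HTTP_REQ_PER_SEC = 200         # requests concentrated on one or a few paths


def classify(rec, window=WINDOW_SECONDS):
    """Return the DDoS classes a record matches (possibly several, or none)."""
    labels = []
    if rec["bytes"] / window >= VOLUMETRIC_BPS:
        labels.append("volumetric")
    if rec["syn_only"] / window >= SYN_ONLY_PER_SEC:
        labels.append("protocol")
    rps = rec["http_requests"] / window
    # Application-layer floods are high rate but narrow: a browsing user
    # touches many paths, a flood hammers the same expensive endpoint.
    if rps >= HTTP_REQ_PER_SEC and rec["distinct_paths"] <= 3:
        labels.append("application")
    return labels


def triage(records):
    """Map each DDoS class to the sources matching it, so each class can
    be handed to the mitigation that fits it."""
    by_class = defaultdict(list)
    for rec in records:
        for label in classify(rec):
            by_class[label].append(rec["src"])
    return dict(by_class)


if __name__ == "__main__":
    for cls, srcs in triage(SAMPLE_RECORDS).items():
        print(f"{cls:12s} {', '.join(srcs)}")
```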
Telegram: A Platform for Coordination and Propaganda
EvilWeb’s use of Telegram is another aspect of their technical operations that enables them to organize, communicate, and carry out their attacks with ease. Telegram’s encrypted, user-friendly platform allows them to create private channels where they can coordinate their campaigns and share updates on targets and progress. Their channel also serves as a means to publicize their operations, sharing details of successful data leaks and the consequences of their DDoS attacks. This direct and unfiltered communication with the public amplifies their messages and increases the visibility of their actions, all while bypassing traditional media channels. The group has leveraged Telegram’s global reach to recruit like-minded individuals, growing their community of members and sympathizers, which in turn aids their operations.
EvilWeb’s use of Telegram as a communication and propaganda tool extends beyond basic announcements. The group often shares detailed technical information about their attacks, including the specific vulnerabilities they exploit and the tools they use, which can serve both to encourage followers to join their cause and to create a sense of fear among their targets. This public-facing strategy is also a form of psychological warfare, intending to sow distrust among the public regarding the security of their own governments and corporations.