FreeDurov | |
Type of Attack | DDoS |
Targeted Countries | France |
Date of Initial Activity | 2024 |
Additional Names | OpDurov |
Associated Groups | People’s Cyber Army of Russia |
Motivation | Hacktivism |
Attack Vectors | Web Browsing |
Overview
The arrest of Telegram CEO Pavel Durov by French authorities on August 24, 2024, has sparked a widespread hacktivist campaign under the banners of #FreeDurov and #OpDurov. This movement, driven by a collective of hacktivist groups, has unleashed a torrent of cyberattacks targeting French organizations and infrastructure. Spearheaded by prominent pro-Russian and pro-Islamic hacktivist groups, the campaign has employed Distributed Denial of Service (DDoS) attacks and data breaches to voice dissent and demand Durov’s release. Within days of the arrest, over 50 French entities had been targeted, making it one of the most coordinated hacktivist operations in recent memory.
The campaign was initiated by two key groups—Cyber Army of Russia Reborn (CARR) and RipperSec—on the day of Durov’s arrest. Their posts, shared via Telegram channels, not only marked the start of #FreeDurov but also set the tone for the aggressive wave of attacks that followed. Within hours, other hacktivist collectives such as EvilWeb, CyberDragon, and UserSec joined the fray, escalating the operation into an international cyber assault. By leveraging their networks, these groups collaborated to disrupt critical French services, including governmental websites, educational institutions, and private sector entities.
Targets
Public Administration
Retail Trade
Information
How they operate
Central to the campaign is the widespread use of DDoS attacks, which have been deployed against over 50 French websites, including governmental, educational, and private sector domains. Groups such as the Cyber Army of Russia Reborn (CARR) and CyberDragon have played pivotal roles in executing these attacks. These DDoS campaigns overwhelm targeted servers with excessive traffic, rendering them inaccessible to legitimate users. The tools employed range from publicly available botnets to custom-developed scripts like RipperSec’s proprietary MegaMedusa, which allows for precise and scalable attack execution.
Beyond DDoS, the campaign has also seen the adoption of hack-and-leak strategies, primarily by the pro-Russian group EvilWeb. This technique involves infiltrating servers to exfiltrate sensitive data, which is then leaked publicly to amplify the campaign’s impact. EvilWeb has reportedly accessed and disclosed partial databases from French governmental websites, adding an element of cyberespionage to the operation. These breaches are believed to have been facilitated by exploiting known vulnerabilities in unpatched systems and leveraging compromised credentials from previous data leaks.
Collaboration among hacktivist groups has been a hallmark of the #FreeDurov campaign, with entities like CARR, UserSec, and CyberDragon often coordinating their efforts. Communication occurs primarily through encrypted Telegram channels, where targets are identified, attack strategies are shared, and outcomes are celebrated. The campaign has also employed “cyber swarming,” where multiple groups simultaneously attack the same target, maximizing disruption and complicating mitigation efforts. This coordinated approach underscores the increasing sophistication of modern hacktivism, as well as the seamless integration of ideological alignment and technical capability.
The way the #FreeDurov campaign operates reveals a concerning evolution in hacktivist tactics. It blends traditional DDoS and breach methods with advanced coordination and bespoke tools, challenging conventional defenses. For cybersecurity professionals, it underscores the importance of proactive measures, including regular patching, robust DDoS mitigation strategies, and the monitoring of encrypted communication channels. As hacktivism continues to evolve, campaigns like #FreeDurov serve as a stark reminder of the vulnerabilities in digital infrastructures and the need for vigilance in an era of politically motivated cyber warfare.