| People’s Cyber Army of Russia | |
|---|---|
| Other Names | Cyber Army of Russia, CARR |
| Location | Russia |
| Date of initial activity | 2022 |
| Suspected Attribution | Hacktivists |
| Motivation | Hacktivism |
| Software | Website Networks |
Overview
The People’s Cyber Army of Russia (PCAR), also known as the Cyber Army of Russia Reborn (CARR), is a pro-Russian hacktivist group that has gained notoriety for orchestrating disruptive cyber campaigns against geopolitical adversaries. Emerging in March 2022 in the wake of Russia’s invasion of Ukraine, PCAR has positioned itself as a prominent player in Russia’s cyber ecosystem, executing large-scale Distributed Denial of Service (DDoS) attacks and targeting critical infrastructure worldwide. The group is closely affiliated with Russia’s military intelligence service, specifically the GRU-linked Sandworm group, which amplifies its operational capabilities and strategic reach. Its activities demonstrate a blend of patriotism, state-sponsored motivations, and cybercriminal expertise, making it a formidable cyber actor.
PCAR primarily targets Ukraine and its allies, including the United States and European nations, with an emphasis on critical infrastructure sectors. Its attacks have extended beyond conventional DDoS campaigns to compromises of Supervisory Control and Data Acquisition (SCADA) systems—essential for managing industrial processes—affecting water utilities and energy infrastructure in the United States, Poland, and France. These attacks highlight the group’s ability to disrupt essential services, creating both operational challenges and public safety concerns for targeted organizations. The group’s recent inclusion in sanctions imposed by the U.S. State Department underscores the severity of its operations and the growing threat it poses to international cybersecurity.
Common targets
- Information
- Public Administration
- Retail Trade
- France
- Ukraine
- Estonia
- Georgia
- Azerbaijan
Attack Vectors
- Web Browsing
- Software Vulnerabilities
How they operate
PCAR’s technical operations are largely centered on the execution of large-scale DDoS attacks. These attacks aim to overwhelm servers and networks by flooding them with illegitimate traffic, rendering websites and services inaccessible. The group frequently utilizes a distributed botnet infrastructure, often leveraging compromised IoT devices and servers. By employing tools like HTTP flooders, UDP amplifiers, and Layer 7 DDoS methods, PCAR can bypass basic mitigation measures and sustain prolonged outages. For example, during the #FreeDurov campaign, the group coordinated attacks across multiple targets in France, overwhelming services such as government websites, educational platforms, and private sector entities. These attacks are often accompanied by public disclosures on PCAR’s Telegram channels, amplifying their impact by showcasing technical success and fueling psychological disruption.
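The Layer 7 floods described above leave a recognisable footprint in ordinary web-server access logs. The following detector is an added example written for this profile (it is not code from the page or from the group it describes); the log lines, addresses, and thresholds are constructed for illustration, and it flags both a single abusive source and the distributed case where many sources hammer one path without any one of them standing out.

```python
"""Heuristic Layer 7 (HTTP) flood detector over combined-format access logs.
Added example; sample log and thresholds are constructed, not taken from real data."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" log line shape (the constructed sample below uses it).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    return d

def detect_flood(lines, window=timedelta(seconds=10), per_ip_max=20, per_path_max=60):
    """Return (noisy_ips, hammered_paths). A source is noisy when it exceeds per_ip_max
    requests inside one sliding window; a path is hammered when requests from *all*
    sources exceed per_path_max in a window (distributed flood, no single loud IP)."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    noisy_ips, hammered_paths = set(), set()
    ip_win, path_win = defaultdict(deque), defaultdict(deque)
    for e in events:
        for key, win, limit, out in ((e["ip"], ip_win, per_ip_max, noisy_ips),
                                     (e["path"], path_win, per_path_max, hammered_paths)):
            q = win[key]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:   # drop timestamps that fell out of the window
                q.popleft()
            if len(q) > limit:
                out.add(key)
    return noisy_ips, hammered_paths

def sample_log():
    """Constructed access log: benign traffic, one single-source flood, one distributed flood."""
    t0 = datetime(2024, 8, 26, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    def line(ip, path, offset_s):
        return fmt.format(ip=ip, path=path, ts=(t0 + timedelta(seconds=offset_s)).strftime(TS_FMT))
    lines = [line("192.0.2.10", "/", i * 2) for i in range(5)]                     # benign
    lines += [line("198.51.100.7", "/search?q=x", i * 0.2) for i in range(30)]     # one loud source
    lines += [line(f"203.0.113.{i}", "/login", i * 0.07) for i in range(70)]       # 70 sources, one path
    return lines

if __name__ == "__main__":
    print(detect_flood(sample_log()))
```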
In addition to DDoS campaigns, PCAR demonstrates the ability to target SCADA systems—critical for managing industrial operations such as water utilities, power grids, and transportation networks. Leveraging vulnerabilities in outdated systems and exploiting weak access controls, PCAR has successfully compromised industrial control systems in the United States, Poland, and France. These attacks indicate a deep understanding of SCADA protocols, as well as the ability to manipulate and disrupt operational technology (OT) environments. Targeting critical infrastructure requires a higher level of technical expertise, highlighting the group’s capabilities and potential access to state-sponsored tools or intelligence.
The group’s operational success is further enhanced through coordination with other pro-Russian threat actors and the use of encrypted communication platforms like Telegram. PCAR often collaborates with groups such as CyberDragon and UserSec, amplifying attack power and expanding its reach across various sectors. Telegram serves as a key operational hub, where PCAR publishes attack announcements, shares target lists, and disseminates propaganda to its followers. These public-facing activities allow the group to maintain a perception of power while encouraging crowd-sourced contributions, such as individual participants joining DDoS campaigns using open-source tools or scripts shared within the group’s ecosystem.
PCAR also utilizes hack-and-leak operations as part of its technical playbook. In these operations, compromised databases are exfiltrated and selectively leaked to inflict reputational damage and cause operational disruptions. For example, the group has claimed responsibility for leaking sensitive data from government websites, showcasing their technical ability to exploit web application vulnerabilities, execute SQL injection attacks, and escalate privileges within targeted systems. These leaks are often accompanied by messaging that aligns with Russian geopolitical narratives, highlighting PCAR’s dual role as a disruptive hacktivist group and an influence operation tool.
In conclusion, the People’s Cyber Army of Russia operates on a technically advanced level, combining DDoS attacks, SCADA system compromises, hack-and-leak operations, and strategic collaborations with other threat actors. By leveraging advanced tools, vulnerabilities, and public platforms for coordination, PCAR is able to conduct large-scale, impactful cyber campaigns. Their alignment with state-sponsored actors and focus on critical infrastructure further distinguishes them from traditional hacktivist groups, cementing their role as a formidable force in the evolving landscape of cyber conflict.