On June 23, 2024, Cyble Research & Intelligence Labs (CRIL) researchers noted that a Russian hacktivist group with a wide audience called “People’s Cyber Army” (aka Народная Cyber Армия) and their allies HackNeT announced DDoS attacks on multiple French websites ahead of the Olympics. People’s Cyber Army stated that this attack was a “training DDoS attack.”
This is the first documented attack on French websites by state-affiliated Russian hacktivists during the run-up to the Paris Olympics. People’s Cyber Army is linked to APT441 (commonly known as Sandworm, FROZENBARENTS, and Seashell Blizzard).
Given the connection of the attackers with APT44, we believe it is important to investigate this attack, as judging by the consistency of the group’s statements, they intend to carry out large-scale attacks during the Summer Olympics in Paris.
This analysis aims to analyze the incident and the alleged hacking activities of the People’s Cyber Army and HackNeT against France.
In the posts on their Telegram channel on June 23, 2024, hacktivist groups People’s Cyber Army and HackNeT shared screenshots claiming DDoS attacks on several French websites and screenshots of their domain downtime monitoring website, ‘check-host.net,’ in support of their claims of successful DDoS attacks.
Figure 1: Official Telegram channel of People’s Cyber Army
The first post on the People’s Cyber Army Telegram channel regarding the announcement of their campaign to target the Paris Olympics was published on June 23, 2024, at 0840 hours UTC.
Near simultaneously, People’s Cyber Army also posted about a DDoS attack on the website of Festival La Rochelle Cinéma (Fema) (festival-larochelle.org) at about 0830 hours UTC, along with a check-host.net link in support of their claims. Three hours later, the second Group, HackNeT, also joined the campaign by forwarding the same post from People’s Cyber Army’s Telegram channel.
Figure 2: Official Post from HackNet’s Telegram Channel
After a short duration, HackNet posted another message on their telegram channel claiming to DDoS the website of the French palace cum cultural and exhibition center, Grand Palais (Paris) (grandpalais.fr).
Figure 3: Second post from HackNeT Telegram Channel
The People’s Cyber Army of Russia (aka Народная Cyber Армия) is a prolific hacktivist group that has been implicated in several high-profile cyberattacks, one of the most significant being an attack on Ukraine’s nuclear agency. The group has also been identified to be associated with APT44 (commonly known as Sandworm, FROZENBARENTS, and Seashell Blizzard).
The group’s first mention dates back to March 2022, when its first Telegram channel was launched. Since then, the group has changed the channel’s name several times. It is currently known as CyberArmyofRussia_Reborn and has 51,000 subscribers.
Handles attributed to CyberArmyofRussia_Reborn:
The People’s Cyber Army regularly conducts joint attacks with other pro-Russian hackers – NoName057(16), HackNet, CyberDragon, and UserSec Collective.
It is a politically motivated group with pro-Russian views. Before attacks, the group publishes a justification for attacking a company or country on its Telegram channel.
Figure 4: People’s Cyber Army Telegram Profile
The DDoS tool created, promoted by the hacking group, and suspected in this incident is coded in Python. The tool features different techniques for carrying out Layer 4 and Layer 7 attacks. The tool utilizes both multithreading and multiprocessing to send requests simultaneously, increasing the effectiveness of the attack. Additionally, it has proxy support to hide the attacker’s IP address, making it harder to track the attack. Some of the tools observed by CRIL that the People’s Cyber Army promulgated in March 2022 can be seen in the image below:
Figure 5: Hacking Tools promulgated by People’s Cyber Army
They have also been observed to be encouraging their Telegram subscribers to use these tools to support them by posting brief tutorials about installing and using the tools, as can be seen in the image below:
Figure 6: Telegram Post describing the use of DDoS tools
HackNeT is a pro-Russian group that began operations in February 2023. It should not be confused with the Xaknet group. According to open sources, they are two different teams. Xaknet was linked to the private military company Wagner, according to one version, and the Russian security services, according to another. However, Xaknet ‘s channel, with more than 27,000 subscribers, has been inactive since November 2023.
HackNeT also conducts politically motivated attacks and usually joins NoName057(16), People’s Cyber Army, CyberDragon, 22C, and UserSec Collective in attacking Ukraine, NATO members, and other targets.
Figure 7: HackNeT’s Telegram Profile Image
Indicators | Indicators Type | Description |
[214436a0c7623e84e8078a3b141b7d9c, 82c4739158099fe156aa1b23409c9bf5f96eb9d5 , 35c75ba64f1658bd9442afa255b671e3fe9cb93ffb4821270074a85fca966c3f] | [MD-5, SHA-1, SHA-256] | Windows Executable -ddos.exe |
[ 4711b96b395c7ced1e0c2f2d0b1786c6, dc203816c0bb91614d270a129ac968ee45f1b7d2 , bbbd97e1c525f811fbd16e2a48989cfa3e3164aa3b21824108dd3f8f5394bd7 ] | [MD-5, SHA-1, SHA-256] | Linux Binary – ddos_free |