Russian Hacktivist Group Targets Political Websites with DDOS Attacks

A Russian hacktivist group calling itself “The People’s Cyberarmy” called on its members to target the American Democratic party website at https://democrats.org with DDOS (Distributed Denial of Service) attacks this morning, November 8th, 2022, which is Election Day in the United States. A post in their Telegram channel, “CyberArmyofRussia_Reborn”, which has more than 7,000 subscribers contained targeting instructions, and the channel contains links and instructions to downloadable DDOS tools.

The group itself uses fairly unsophisticated attack methods and does not have a high likelihood of succeeding at taking down the democrats.org site, as the attack instructions include an IP address for the site that is one of four Fastly CDN IPs. This indicates not only that the site itself already has DDOS mitigation in place, but that the attackers are targeting it in a way that is unlikely to achieve their goals.

While this group does not appear to consist of particularly skilled attackers, and has until now primarily targeted Ukrainian websites, Google-owned cybersecurity firm Mandiant has noted that it has coordinated with the Russian state-sponsored threat group known as APT-28 in the past.

Skilled attackers frequently use the chaos caused by DDOS attacks as cover to gain or escalate access to a system, or to exfiltrate sensitive information. In this case it is likely that the purpose of the attacks is simply to make a statement. While the attacks on the Democratic party website have not been successful at the time of publication, they appear to have added the website of the Mississippi secretary of state, who is currently a Republican, to the list of targets.

The fact that the target URL is an easily cacheable PDF file would make it significantly more difficult to successfully take down the site but the website at www.sos.ms.gov appears to be down at this time, indicating that the group is having considerably greater success. We expect ongoing attacks on local and regional government sites throughout election day, and may update this post as more information becomes available.

Note regarding research posts that include political references: In the past we have found that posts related to an election, or that mention a political party or figure, tend to produce fiery rhetoric in the comments. We’re leaving the comments open on this post, but please note that we won’t be approving  comments that are inflammatory or designed to promote a political debate on this blog. Our focus is on reporting data that helps cybersecurity analysts identify indicators of compromise, attackers, and their tactics, techniques and procedures. If you have data to bring to the conversation, we welcome your input!
This article was written by Ramuel Gall, a former Wordfence Senior Security Researcher.