Constella Web Logo white e1703116556868

Constella Intelligence Investigation into Russia-Ukraine Cyber Threat Discussions

Berlin Ukraine Image

Over the past several days, the world has watched as the Russian invasion of Ukraine has intensified. The hostility of the crisis has escalated significantly, resulting in an invasion, deemed a “special military operation” by Russian President Vladimir Putin, last week. Many experts believe that the situation will continue to escalate further, with increased hostility both on the ground and in cyberspace, intensifying the digital threat landscape.

In recent days, several Ukrainian financial and government websites were shut down due to a Russian cyber threat – the second time in the past week that this has happened. While government and security officials were able to restore the online platforms an hour later, it is a significant challenge that will likely occur again throughout the period of this crisis. In response to escalating hostilities, the international decentralized “hacktivist” group Anonymous declared its intent to target Russian digital infrastructure, already claiming credit for several cyber incidents, including DDoS attacks.

The cyber threat landscape directly impacts government institutions, public and private organizations, and the individuals that make up the general public. Understanding the depth of the deep and dark web (DDW) and the breadth of interactions across these landscapes is now an essential asset to effectively anticipate emerging risks and threats.

To better understand the deepening connections between the escalating crisis in Ukraine and the digital cyber threat landscape, Constella Intelligence’s Threat Intelligence team used Analyzer, Constella’s proprietary cloud-based platform for massive analysis of the digital public sphere, to analyze recent conversations related to both the crisis and cyber threats occurring across the surface, social, deep and dark web.

By leveraging Constella’s technological and analyst capabilities to better understand the key narratives, trends, and signals of risk emerging from public conversations in real-time, we can anticipate risks and vulnerabilities to organizations and individuals by gauging the key topics on the digital agenda. In this case, a quick snapshot of activity in the digital public sphere along with deep and dark web forums offered rich insight into the intensification of the conflict in Ukraine.

Constella’s Threat Intelligence team detected a significant increase in discussions about the crisis in Ukraine in the digital public sphere. In particular, mentions of the conflict doubled between February 21 and February 22. This indicates an intensifying digital informational landscape that is not only paying attention to the growing cyber threats but also openly commenting on and discussing the presence of these threats. For example, conversations spiked dramatically between February 20th and 21st, more than doubling from 382,648 results to nearly 840K results. Similarly, from the 18th to the 19th of February, we saw conversations related to “cyberattacks” skyrocket nearly 1500%. Further analysis of the growing presence of information about Ukraine online can produce new insights into how this dynamically changing conversation impacts key actors, such as private companies, governments, etc. across the world. This is especially critical amidst a threat landscape that is slated to intensify and increase corporate and reputational risk for companies globally.

Leveraging Constella’s proprietary platforms enabled for comprehensive analysis of the deep and dark web, like Hunter, our Threat Intelligence team analyzed conversations found on deep and dark web forums related to the crisis in Ukraine. These posts, while focused more on opinion and general concern for the looming conflict and its impacts, offer unique insight into dark web activity and intel to understand how activity in this space might serve as an indicator of future events of importance on the public agenda.


Above is a screenshot of a comment on a dark web forum from February 5, 2022.

The post, which mentions the previous Russian invasion of Crimea, offers a foreshadowing of what the world is now faced with today. The author mentions significant Russian troop deployment to the Russia-Ukraine border, and notes that a deployment of that size “has not been seen since World War II.” These conversations are complementary to and, in some cases, precede mainstream media narratives addressing the same themes.

Additionally, Constella detected data breach sales on the dark web, consisting of Personally Identifiable Information (PII) of Ukrainians, pulled from stolen passports and banking information online.

These issues and stolen information are an example of expanding currents of illicit activity that complicate the global threat landscape for companies, public organizations, and individuals.

Stolen information and cyber threats have grown to become a looming form of attack in the conflict between Russia and Ukraine and will only continue to grow in the coming years.

Constella will continue to assess suspicious digital activity related to the Ukraine-Russia crisis on the deep and dark web, while also closely monitoring the increased threat signals—including threat actors’ efforts that may imply either brand, geopolitical, or individual risks for organizations—across the public sphere in connection to the crisis in Ukraine. As cyber threats grow, Constella will assist in the anticipation, identification, and mitigation of threats to companies and individuals in the digital sphere.

Let us help you stay one step ahead.