Full Report
Groups calling themselves IT Army of Russia and TwoNet are newly active on Telegram, coordinating operations and seeking new members, researchers at Intel 471 said.
Analysis Summary
# Threat Actor: IT Army of Russia & TwoNet
## Attribution & Identity
Two new pro-Russian hacktivist groups have been observed emerging in recent months: **IT Army of Russia** and **TwoNet**. Researchers suggest they may be rebrands of previously known threat actors, but the exact links remain unclear. They operate similarly to established Russian hacktivist groups such as NoName057(16), KillNet, and XakNet Team. Both groups coordinate their operations primarily through the Telegram messaging app.
## Activity Summary
Both groups are engaged in cyberattacks supporting Russian interests, particularly against Ukraine and its allies.
* **IT Army of Russia:** Appeared in late March 2025. Posts claimed attacks on Ukrainian websites and leaked stolen data. They actively recruit insiders working in Ukraine’s critical infrastructure.
* **TwoNet:** Surfaced in January 2025. Promoted attacks against government and infrastructure targets in Ukraine, Spain, and the U.K. Claimed partnerships with other pro-Russian actors.
## Tactics, Techniques & Procedures
- Distributed Denial-of-Service (DDoS) attacks.
- Website defacements.
- Data theft and leaks (e.g., leaked databases).
- Open-source intelligence (OSINT) gathering and recruitment of insiders via Telegram.
- Intelligence submission via Telegram bot.
## Targeting
- **Sectors:** Critical infrastructure, government, small Ukrainian businesses, and educational platforms.
- **Geography:** Ukraine and its allies; entities in Poland, Spain, and the U.K. were specifically named as targets.
- **Victims:** Small Ukrainian businesses; a Ukrainian real estate search platform; a Polish educational platform.
## Tools & Infrastructure
- **Malware families:** PanicBotnet (used by IT Army of Russia for DDoS operations).
- **Infrastructure:** Telegram messaging app (primary coordination channel for both groups); the Duty-Free cybercrime forum (also used by IT Army of Russia for communication).
- **Other:** A Telegram bot operated by IT Army of Russia for intelligence submission and target suggestions.
## Implications
The emergence of IT Army of Russia and TwoNet indicates continued reorganization within the Russian hacktivist ecosystem, potentially the resurfacing or rebranding of earlier actors. Their reliance on Telegram for coordination is an established, low-barrier method for rapidly mobilizing volunteers against specific targets, and it combines conventional cyberattacks (DDoS, defacement, data theft) with attempts to obtain insider assistance.
## Mitigations
- Implement robust DDoS mitigation across public-facing infrastructure, since DDoS remains the groups' most common activity.
- Monitor for signs of insider recruitment and intelligence gathering, including unexpected use of messaging platforms such as Telegram from sensitive network segments, given that IT Army of Russia solicits insiders and accepts submissions through a Telegram bot.
- Watch for leaked data following claimed intrusions into public-facing websites and databases, and verify such claims rather than assuming they are exaggerated.
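As an added example that is not part of the Intel 471 report, the following Python check implements the second mitigation above: it scans proxy log lines for hosts in sensitive network segments contacting Telegram endpoints, where a Telegram bot collecting "intelligence submissions" would be reached via the Bot API at api.telegram.org. The log format, the sensitive subnets, the upload threshold, and the sample lines are all constructed for this example.

```python
"""Flag Telegram traffic from hosts in sensitive network segments.

Added example, not code from the Intel 471 report. The log format is a
simplified, constructed proxy log: "<epoch> <src_ip> <dst_host> <bytes_sent>".
The sensitive subnets and the upload threshold are hypothetical.
"""
import ipaddress
from collections import defaultdict

# Telegram-owned domains. api.telegram.org hosts the Bot API, so a bot that
# receives submissions from an insider would be reached through it.
TELEGRAM_DOMAINS = ("telegram.org", "telegram.me", "t.me")

# Hypothetical segments where messaging-platform traffic is not expected
# (e.g. an OT management VLAN and an HR file-server subnet).
SENSITIVE_SUBNETS = [
    ipaddress.ip_network("10.50.0.0/16"),
    ipaddress.ip_network("10.60.7.0/24"),
]

# Constructed sample log lines.
SAMPLE_LOG = """\
1711900000 10.50.3.21 api.telegram.org 512
1711900030 10.50.3.21 api.telegram.org 184320
1711900060 10.1.4.9 api.telegram.org 900
1711900090 10.50.3.21 updates.example.com 2048
1711900120 10.60.7.14 t.me 330
1711900150 10.50.9.2 web.telegram.org 4096
"""


def is_telegram_host(host):
    """True if host is one of the Telegram domains or a subdomain of one."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in TELEGRAM_DOMAINS)


def in_sensitive_segment(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SENSITIVE_SUBNETS)


def parse_line(line):
    ts, src, host, sent = line.split()
    return {"ts": int(ts), "src": src, "host": host, "bytes": int(sent)}


def find_telegram_egress(log_text, upload_threshold=100_000):
    """Return {src_ip: summary} for sensitive hosts that talked to Telegram.

    upload_threshold (bytes sent in a single request) separates casual use
    from a likely document upload; the value is an assumption to tune.
    """
    hits = defaultdict(
        lambda: {"requests": 0, "bytes": 0, "hosts": set(), "large_upload": False}
    )
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not (in_sensitive_segment(rec["src"]) and is_telegram_host(rec["host"])):
            continue
        summary = hits[rec["src"]]
        summary["requests"] += 1
        summary["bytes"] += rec["bytes"]
        summary["hosts"].add(rec["host"])
        if rec["bytes"] >= upload_threshold:
            summary["large_upload"] = True
    return dict(hits)


if __name__ == "__main__":
    for src, s in sorted(find_telegram_egress(SAMPLE_LOG).items()):
        flag = " LARGE UPLOAD" if s["large_upload"] else ""
        print(f"{src}: {s['requests']} requests, {s['bytes']} bytes to "
              f"{sorted(s['hosts'])}{flag}")
```

One caveat for anyone adapting this: native Telegram clients speak MTProto directly to Telegram's own IP ranges rather than issuing HTTP requests to these hostnames, so a proxy log like this one catches Bot API and web-client use but not the desktop or mobile app; for those, DNS and NetFlow data keyed on Telegram's published address ranges is the complementary source.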