Telegram becomes digital front in Ukraine – but beware

On the day Russia invaded Ukraine last week, Check Point Research (CPR) measured a 6-fold increase in Telegram groups themed on the war. 

71% of the new Telegram groups observed by CPR are pushing flash news of unedited and often unverified information, while 23% of these Telegram groups are set up to coordinate cyber-attacks on Russia, mostly in the form of Distributed Denial of Service (DDoS) attacks. Another 4% of the new Telegram groups request cryptocurrency donations to support Ukraine. 

CPR found that some Telegram groups coordinating cyber-attacks on Russia boast more than 250,000 users. 

“Telegram has become a digital forefront of the conflict, where people are choosing sides online,” says Oded Vanunu, head of products vulnerabilities research at Check Point Software. 

“We’re seeing people from all corners of the world organising themselves and resources to support either Russia or Ukraine. Some groups are coordinating cyber-attacks to target Russia. Other groups are serving as information and news hubs to report a raw side of the war. And other groups are requesting funds to either support Ukraine or commit fraud. 

“All in all, we’ve seen a 6-fold surge in Telegram groups themed on the Russia-Ukraine war the day Russia invaded Ukraine. I strongly recommend people to watch their Telegram activity closely and the types of people you may encounter. There’s a side on Telegram looking to take advantage of supporters of either Ukraine or Russia.” 

Check Point advises the following cyber safety tips for Telegram users:

1. Don’t click random links. Don’t press on links that have origins unfamiliar to you, especially in times of crisis and extreme circumstances. Criminals might leverage and exploit the situation to try steal credentials, private details, and other personal information by sending out malware or phishing links
2. Beware of suspicious requests. If a message from an unknown source makes a request or a demand that seems unusual or suspicious, this might be evidence that it is part of a phishing attack.
3. Think twice before sending money. Sending money to unknown sources requesting assistance may often result in fraud. Beware with whom you are communicating and what kind of information you are being asked to provide. Social media messages is not the platform for large financial transactions, especially to unrecognized sources.
4. Verify your sources. Consume news feeds and seek “truth” from reliable sources that you can trust. 

CPR says it is closely monitoring Telegram throughout the current Russia-Ukraine conflict, and has characterised the conflict-related groups into three: 

1. Flash News and Updates (71% of groups observed)
2. Hacking\Hacktivist groups targeting Russia (23%)
3. Ukraine donation requests (4%)

Other subject relating to the conflict, some of which are non-active and have no users, make up the remaining (2%).

CPR provided the following characteristics and examples of each group:

Group A: Flash News/Update

Key Characteristics: 

• Very active
• Thousands of messages a day, 24/7
• Report unedited, non-censored feeds from war zones
• Share unverified and possible misinformation 

Examples: 

Group B: Hacktivists Targeting Russia 

Key Characteristics: 

• Comprise of hackers, IT professionals, and other “IT fans” 
• Groups are used to coordinate attacks and decide targets
• Groups assist each other in executing attacks and sharing results
• Some groups consist of over 250,000 users
• DDoS most common attack request, followed by SMS and call-based attacks

Examples: 

Group C: Donations Scams

Key Characteristics: 

• Most donations ask for cryptocurrency
• Groups have tens of thousands of users 
• Many groups are suspicious and likely fraudelent

Examples: