1. Overview
XakNet Team is a pro-Russian hacktivist group that emerged in the first half of 2022 in the wake of Russia’s full-scale invasion of Ukraine. The group claims to support Russia’s military objectives and engages in a mix of cyber attacks, data leaks, and coordinated disinformation campaigns. XakNet operates primarily through Telegram, where it publishes victim lists, leaked documents, and ideological statements.
The group does not appear to pursue financial gain. Instead, its operations are politically and militarily motivated, often timed to coincide with major developments in the Russia-Ukraine war. XakNet is part of a broader network of Russian-aligned hacktivist collectives, including KillNet and NoName057(16), and is likely supported or encouraged by elements of the Russian state.
2. Origin and Evolution
XakNet first gained visibility in March 2022 following cyber attacks and leaks targeting Ukrainian government entities. Its initial messaging portrayed it as a grassroots group of “patriotic Russian IT volunteers,” although subsequent analysis of its operations suggested a level of coordination and technical capability indicative of more structured support.
Throughout 2022 and 2023, XakNet expanded its targeting to include NATO-aligned countries, international organisations, and companies perceived to support Ukraine. It has been involved in defacement operations, phishing campaigns, and the release of internal documents and emails stolen from compromised accounts.
The group has also sought to build influence by framing its leaks as evidence of Western hypocrisy, corruption, or anti-Russian agendas.
3. Tactics, Techniques, and Procedures (TTPs)
XakNet Team primarily engages in disruptive and psychological operations. Its tactics include:
- Credential harvesting and email compromise
  Phishing campaigns aimed at stealing login credentials from government and NGO staff (T1566.001, T1078)
- Data leaks
  Publishing internal documents, emails, and credentials from compromised organisations (T1530). Data is often cherry-picked to support propaganda narratives.
- Website defacement
  Tampering with public websites to display anti-Western or pro-Russian messages (T1491.001)
- Social media and disinformation
  Use of Telegram and Twitter to distribute fake documents, doctored screenshots, or narrative-driven interpretations of leaks (T1585, T1587.001)
- Collaboration with other hacktivist groups
  Joint campaigns and media amplification with KillNet, UserSec, and Anonymous Russia
4. Targeting Profile
XakNet Team targets organisations that align with Western military, political, and humanitarian efforts. Common targets include:
- Ukrainian ministries and military-affiliated infrastructure
- Government agencies in NATO countries
- NGOs and civil society groups supporting Ukrainian aid
- Defence contractors and security think tanks
- International organisations such as the EU, NATO, and OSCE
- Media outlets critical of the Kremlin
The UK has not been exempt, with government-affiliated organisations, media platforms, and universities being mentioned in propaganda channels.
5. Notable Campaigns and Victims
XakNet’s campaigns have included:
- Leaks of emails from Ukrainian government staff during early 2022
- Alleged breaches of NGOs operating in Eastern Europe, with selective leaks published on Telegram
- Targeting of NATO officials and think tank researchers with phishing emails and fake document traps
- Joint operations with KillNet targeting websites in Estonia, Latvia, and Lithuania
- Claims of data breaches against British and German defence consultancy platforms, though attribution remains debated
XakNet often exaggerates the impact of its operations, and some claimed leaks have been determined to be low-sensitivity or previously exposed data.
6. Technical Indicators
While technical sophistication varies, common indicators include:
- Phishing domains mimicking webmail login pages for government and NGO platforms
- Use of open-source tools for credential harvesting and basic lateral movement
- Defacement using shared content management system vulnerabilities
- Telegram-based command and control for narrative distribution
- Leaks posted on anonfiles, Mega, and custom Telegram channels
The group avoids advanced malware and persistence methods, relying instead on opportunistic access and public leaks for impact.
7. Defensive Measures and Recommendations
To defend against XakNet Team operations:
- Enforce multi-factor authentication across all cloud and webmail accounts
- Monitor for login attempts from unusual geographies or Tor exit nodes
- Patch public-facing content management systems and web applications
- Train users to recognise phishing emails, especially those posing as journalists or NGOs
- Monitor Telegram and breach forums for mentions of your organisation
- Develop incident response protocols for reputational damage caused by data leaks or defacements
Organisations involved in Ukraine-related operations should elevate threat levels and coordinate with relevant national CSIRTs.
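The recommendation to monitor logins from unusual geographies or Tor exit nodes can be expressed as a small triage routine over webmail authentication events. This is an added example, not code from the original report; the log format, the user names, the IP addresses (documentation ranges), the exit-node set and the GeoIP table are all constructed assumptions.

```python
import ipaddress
import json

# All values below are constructed sample data, not indicators from the report.
TOR_EXITS = {"198.51.100.7", "198.51.100.23"}  # assumed: refreshed from an exit-node list
GEO = {                                         # assumed: stand-in for a GeoIP database
    ipaddress.ip_network("192.0.2.0/24"): "GB",
    ipaddress.ip_network("203.0.113.0/24"): "BR",
    ipaddress.ip_network("198.51.100.0/24"): "NL",
}
BASELINE = {"a.hughes": {"GB"}, "m.koval": {"GB", "UA"}}  # countries previously seen per user

SAMPLE_LOG = """\
{"ts":"2025-05-01T08:02:11Z","user":"a.hughes","ip":"192.0.2.14","result":"success"}
{"ts":"2025-05-01T08:40:55Z","user":"a.hughes","ip":"203.0.113.9","result":"success"}
{"ts":"2025-05-01T09:13:02Z","user":"m.koval","ip":"198.51.100.7","result":"failure"}
{"ts":"2025-05-01T09:13:40Z","user":"m.koval","ip":"198.51.100.7","result":"success"}
not-json garbage line
"""

def country_of(ip):
    # Return the country code for an IP, or None when the table has no match.
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO.items():
        if addr in net:
            return cc
    return None

def triage(log_text):
    # Flag events from Tor exits or from a country outside the user's baseline.
    alerts = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
            user, ip = ev["user"], ev["ip"]
            cc = country_of(ip)
        except (ValueError, KeyError, TypeError):
            continue  # malformed record or unparsable IP: skip rather than crash
        reasons = []
        if ip in TOR_EXITS:
            reasons.append("tor_exit")
        if cc not in BASELINE.get(user, set()):
            reasons.append(f"new_country:{cc}")  # unknown users and locations are flagged too
        if reasons:
            # A successful login is more urgent than a failed attempt.
            sev = "high" if ev.get("result") == "success" else "medium"
            alerts.append((ev.get("ts"), user, ip, sev, reasons))
    return alerts
```

A successful login that follows a flagged failure from the same address, as in the last two sample events, is the pattern to escalate first, since it suggests harvested credentials being used.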
8. Attribution and Alliances
While XakNet claims to be an independent Russian hacktivist group, its alignment with Kremlin narratives, timing of attacks, and amplification by state-affiliated media suggest state influence or at least strategic coordination.
XakNet collaborates with other groups such as KillNet, NoName057(16), UserSec, and Anonymous Russia. These groups often conduct separate but parallel attacks to amplify disruption and overwhelm defenders.
9. Conclusion
XakNet Team is a pro-Russian hacktivist actor with a primary focus on cyber-enabled influence operations. Its strength lies not in technical sophistication, but in its ability to combine data leaks with propaganda, misinformation, and psychological disruption. While the damage caused by XakNet’s campaigns is often limited in scale, the reputational and geopolitical impact can be significant, especially for organisations involved in defence, diplomacy, or public communication.
UK organisations should remain vigilant to social engineering attempts, phishing, and disinformation campaigns linked to XakNet and its affiliates.
Author:
Threat Intelligence Team, UK Cyber Defence Ltd
All intelligence current as of May 2025