Cyber Threat Actor: We Are Russian Hackers Community
| Actor Type | Location | Known Incidents |
Activist
|
—
|
3 incidents |
|---|
Profile
The threat actor known under aliases including "2023-11-03," "Pro-Russian Cyber Activists," "Pro-Russian Hackers," and "We Are Russian Hackers Community" operates as a pro-Russian collective engaged in disruptive cyber operations. Publicly aligning with Russian geopolitical interests, this group has targeted entities across multiple countries, including Denmark, the Netherlands, and Canada. Their operations focus on sectors such as municipal services, transportation infrastructure, maritime ports, and financial institutions, with attacks often timed to coincide with geopolitical events or symbolic dates. While the group’s organizational structure remains undefined in public reporting, their activities consistently emphasize disruption over financial gain or espionage, leveraging hacktivist tactics to amplify their political messaging.
The group predominantly employs distributed denial-of-service (DDoS) attacks to overwhelm target websites and services, causing temporary outages. In the Danish municipal attacks, they demonstrated operational transparency by preemptively warning potential targets, suggesting a dual intent to maximize psychological impact while showcasing capability. Targeting appears opportunistic but strategically aligned with Russian interests, as seen in the Netherlands incident where Arriva and the Port of Den Helder were disrupted following a Dutch minister’s visit to Ukraine. No malware families, custom tooling, or initial access vectors beyond DDoS are explicitly documented in attributed incidents, indicating a reliance on widely available disruption techniques rather than advanced persistent threats.
Public attribution by entities like the Danish Center for Cybersecurity and the group’s own claims via Telegram channels confirm their pro-Russian alignment, though no direct state sponsorship is explicitly asserted in available sources. Their attack on Toronto-Dominion Bank marked the first publicly acknowledged cyber incident against a Canadian financial institution since Russia’s invasion of Ukraine, highlighting their willingness to target high-profile entities for symbolic effect. While their campaigns lack the complexity of state-sponsored operations, the group’s consistency in targeting NATO-associated nations and critical service providers underscores their role in Russia’s broader hybrid conflict strategy. The absence of ransom demands or data exfiltration in reported incidents reinforces their primary objective of service disruption and propaganda dissemination.
