(Bloomberg) -- A pro-Russian “hacktivist” outfit that targeted Ukraine and its allies may be tied to the Kremlin, according to preliminary research from a US-based cybersecurity firm.

Mandiant Inc. told Bloomberg News that Russian intelligence operatives were likely behind a recent breach of an unnamed organization, resulting in the theft of data. Information stolen in that breach wound up in the hands of XakNet, a pro-Russian “hacktivist” group that’s previously denied it’s government-affiliated. Mandiant declined to identify the victim organization.

Cybersecurity experts have worried for months about the prospect of cyberattacks from Russia against Western countries, concerns that haven’t fully materialized. Mandiant’s findings suggest that the Kremlin is nonetheless carrying out cyber operations in service of propaganda efforts, apparently using state-sponsored hackers to provide data to a group that masquerades as independent activists.

“It’s important we scrutinize the actors who claim to be Russian hacktivists because the intelligence services regularly use that façade to carry out their operations,” said John Hultquist, Mandiant’s vice president of intelligence analysis. “If we wait until after a major attack to ask who is really behind these personas, it may be too late.”

XakNet, which US officials say has been active since March, has claimed credit for several cyber incidents targeting Ukraine. Those include the defacement of a news ticker during a live March broadcast on Ukraine 24 TV — which falsely reported that President Volodymyr Zelenskiy surrendered to the Russians — and the defacement of a Ukrainian bank.

The US government and private sector have meanwhile issued warnings about groups like XakNet and the use of propaganda as Russia wages its war in Ukraine. Microsoft Corp. recently said propaganda efforts are part of a three-pronged strategy by the Russian government, in addition to military and cyber attacks.

Mandiant believes XakNet and a similar group, known as Killnet, have directly coordinated some of their activity, although it’s unclear whether Killnet is backed by Russian authorities. Hacktivists are often motivated by political or social causes, rather than financial gain or personal interest. 

Mandiant’s research also harkens back to earlier incidents that seemingly involved an innocuous hacker but ultimately turned out to be the work of a state-sponsored attacker, such as when US officials determined that Russia’s military intelligence service, or GRU, fabricated a Twitter persona, known as Guccifer 2.0, to leak documents stolen from the Democratic National Committee in 2016. Those disclosures led to acrimony within the party during the final months of the presidential campaign.

XakNet has threatened to target Ukrainian organizations in response to perceived attacks on Russia. The US and its intelligence allies said recently that XakNet and others pose cyber threats to critical infrastructure “as a response to the unprecedented economic costs imposed on Russia as well as materiel support provided by the United States, and US allies and partners.” 

On Monday, Killnet claimed responsibility for a distributed denial-of-service attack against Lithuania after the country blocked goods to the remote Russian region of Kaliningrad, with government agencies reporting an “intense” wave of cyberattacks.

A representative for the Russian embassy in Washington didn’t immediately respond to an email seeking comment. 

US officials have repeatedly urged companies to update their software and increase threat detection capabilities in the face of Russian aggression in cyberspace. Nearly two-thirds of Russian cyber espionage targets outside Ukraine were NATO countries, Microsoft’s report found. 

©2022 Bloomberg L.P.