Network Security, Threat Intelligence

Arrest of Telegram CEO sparks cyberattacks against French websites


The arrest of Telegram CEO Pavel Durov in France over the weekend sparked a series of cyberattacks against French websites by hacktivists protesting Durov’s detention.

French authorities said Durov’s arrest was related to Telegram’s lack of moderation and failure to cooperate with law enforcement agencies, which they said enabled crimes such as drug trafficking, distribution of child sexual abuse material and fraud, the BBC reported.

The law enforcement action was met with a wave of online backlash, with many calling the move an affront to internet privacy and freedom of speech.

Shortly after Durov’s arrest at Le Bourget Airport in Paris, numerous hacktivists began to publicize their intention to retaliate, calling on their followers to target certain French websites in a cyberattack campaign referred to as “opDurov.”

On Sunday, cybersecurity consultant Clément Domingo, who goes by SaxX online, posted information about 10 sites affected by distributed denial-of-service (DDoS) attacks as part of opDurov, including screenshots of four sites apparently made inaccessible due to the attacks.

These sites included the official French government site for information on public services, the website of French newspaper La Voix du Nord, the website of the National Agency for the Safety of Medicines and Health Products (ANSM) in France, and the site of French agricultural union Confédération Paysanne.

SaxX noted that the attacks appeared to be limited to DDoS disruptions rather than attacks involving data exfiltration or ransomware.

As of Monday afternoon, the Public Service, La Voix du Nord and Confédération Paysanne sites appeared to be back up, but SC Media was not able to access the ANSM website.

Who are the hacktivist groups protesting Durov’s arrest?

Multiple hacker groups appear to be involved in attacks targeting French websites, using the hashtags #FreeDurov and #opDurov.

The Russian Cyber Army Team, also known as the People’s Cyber Army, announced over the weekend that it would be targeting the ANSM website, and invited “other Russian hacker movements” to participate in a “week of attacks on French internet portals” in response to Durov’s arrest, according to a screenshot posted by threat intelligence feed FalconFeeds.io.  

The Russian Cyber Army Team also claimed responsibility for a DDoS attack on the website of Syane, a public body that manages energy and digital network infrastructure for the Haute-Savoie region of France. The site appeared to be online again as of Monday afternoon.

The People’s Cyber Army is believed to be linked with APT44, or Sandworm, a Russia-backed cyber sabotage group that has played a significant role in cyberattacks against Ukraine during the Russia-Ukraine war, according to Cyble Research & Intelligence Labs (CRIL). CRIL researchers reported in July that the People’s Cyber Army had already commenced DDoS attacks against French websites in June in preparation for attacks they planned to conduct during the Paris Olympics.

The hacktivist group tends to conduct attacks supporting Russian interests, and is known for its effective DDoS techniques, according to Radware. The group has been active for more than a decade and was previously involved in attacks on Ukraine’s nuclear agency and large-scale attacks against Estonian organizations in 2007.  

FalconFeeds.io also reported Sunday that the People’s Cyber Army collaborated with another group, UserSec, in attacks against the National Court of France and the Administrative Tribunal of Paris. Both of the targeted domains appeared to be inaccessible as of Monday afternoon.

UserSec is another pro-Russia group known for its attacks on Ukraine and NATO members during the Russia-Ukraine War, Cybernews reported in 2023.

However, Russian hacktivists are not the only threat actors targeting French organizations under the banner of “FreeDurov.” A screenshot posted by cyberundergroundfeed on X Sunday showed that Malaysia-based hacktivist group RipperSec claimed responsibility for a DDoS attack against French financial website PriceBank, in a posting that included the message “Free Pavel Durov.” The PriceBank website appeared to be online as of Monday afternoon.
