The most recent Accenture Global Incident Report (the Report) shows that cyber-attackers have political views and are divided between support for Russia or Ukraine.

According to the Report, entitled “Global Incident Report: Threat Actors Divide Along Ideological Lines over the Russia-Ukraine Conflict on Underground Forums,” the war between Russia and Ukraine has caused an unusual rift in Russian-language cyber forums (mostly ransomware gangs) between those supporting Russia and those supporting Ukraine.

The rift is highly unusual. According to Accenture, “For the first time, in the more than 10 years that Accenture’s Cyber Threat Intelligence (ACTI) team has been tracking dark web activity, we’re seeing previously coexisting, financially motivated threat actors divided along ideological factions.”

Accenture’s research shows that “Pro-Ukrainian actors are refusing to sell, buy, or collaborate with Russian-aligned actors…and are increasingly attempting to target Russian entities in support of Ukraine. However, pro-Russian actors are increasingly aligning with hacktivist-like activity targeting “enemies of Russia,” especially Western entities due to their claims of Western warmongering.”

The pro-Russian threat actors are targeting Western “resources, government, media, financial and insurance industries.” The pro-Russian culprits include Conti, LockBit, and CoomingProjects ransomware gangs. Since the motivation for ransomware groups is pivoting to politics instead of “opportunistic prospects for financial gain,” this “target switch is leading to a higher threat level for Western organizations.” According to Accenture, this shift poses a significant risk to Western critical national infrastructure.

Accenture’s conclusion is dire: “Having monitored underground forums for more than a decade, ACTI notes that the current split on the underground and the large-scale transitions to an ideological motivation by what were previously financially motivated groups is unprecedented and may bring about far-reaching consequences.”

Accenture provides mitigation tips, including patching vulnerabilities that Conti has used in recent incidents. Accenture’s research can be accessed here.