Inside Ukraine’s Decentralized Cyber Army
Hacking. Disinformation. Surveillance. CYBER is Motherboard’s podcast and reporting on the dark underbelly of the internet.
On May 11, the website of RuTube, Russia’s largest streaming service and YouTube competitor, was taken offline for three straight days in what the company called the “largest cyberattack” it had ever suffered.
At the end of the cyber onslaught, a volunteer group of technologists and hackers known as Ukraine’s IT Army claimed responsibility on its official Telegram channel, calling the attack “the biggest victory of the cyber war.” The hackers also claimed to have changed admin passwords, deleted and stole internal data, and even blocked employee’s access cards to the company’s server rooms, locking people in.
Ever since it was launched just two days after Russia invaded Ukraine, the IT Army has claimed several victims, including Mvideo, a large Russian consumer electronics chain; QIWI, a popular Russian payment service provider; Asna, a network of more than 10,000 pharmacies in Russia; and EGAIS, the Russian government’s unified state automated alcohol accounting information system.
The group has been a central figure in the fight that Ukraine and Russia are waging in cyberspace, and it’s breaking new ground in terms of what a volunteer, quasi-hacktivist group can do in the context of a war.
“The IT Army of Ukraine is a unique and smart construct whose organizational setup and operational impact will likely inform the art of cyber and information warfare in future conflicts,” Stefan Soesanto, a senior cybersecurity researcher at the The Center for Security Studies (CSS) in Zurich, wrote in a report about the IT Army. “On the public side, the IT Army serves as a vessel that allows the Ukrainian government to utilize volunteers from around the world in its persistent [Distributed Denial of Service] activities against Russian government and company websites. As of 7 June 2022, this includes 662 targets. On the non-public side, the IT Army’s in-house team likely maintains deep links to—or largely consists of—the Ukrainian defense and intelligence services.”
Do you have information about the activities of Ukrainian or Russian hacking groups? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email lorenzofb@vice.com
Silas Cutler, a cybersecurity researcher at Stairwell, agreed, telling Motherboard that “what we’re seeing in terms of the IT Army represents what cyberwar actually will look like.”
“It very much is people taking up arms and doing what they can without large coordinated development teams,” Cutler added. “And I think it’s simply just another way that cyber warfare is fought.”
Much like the kinetic war being fought on Ukrainian territory, the cyber war wasn’t expected to go this way.
Some expected Russia to take over Ukraine relatively easily. Almost five months later, the Ukrainians have mounted a fierce resistance and successfully pushed back Russian troops. In cyberspace, most expected Russia to have a field day, unleashing its elite hacking units to turn off the grid, something it already did twice in the past. They expected Russia to unleash highly sophisticated and disruptive attacks like NotPetya. Russia hasn’t been completely unsuccessful in this regard. Its hackers have used several strains of wiper malware—malicious programs designed to destroy data—against targets, including an American satellite internet provider. But in cyberspace too, the Ukrainians have mounted a fierce resistance and struck back.
Soesanto told Motherboard that before the war the assumption was that Russia “had thoroughly penetrated Ukrainian critical infrastructures and—if so—had prepositioned tooling prior to the invasion on February 24.”
That doesn’t seem to have been the right assumption, but there could be various explanations for that: Maybe Russian hacking units were unprepared for the invasion, or maybe Ukrainian infrastructure was more resilient than previously thought, or Ukrainians cyber defenders are doing a good job, or Western intelligence agencies are helping them, according to Soesanto.
What’s happened, then, is a sort of guerilla cyber war. Ukraine’s cyber capabilities seem to largely be made up of volunteers, and their mandate is to do whatever they possibly can as part of a large, decentralized organization.
Marina Krotofil, a cyber security professional of Ukrainian origin who has consulted with the government, agreed that cyber war in the context of Russia hitting critical infrastructure, and IT infrastructure with complex and novel attacks, methods, and tools, “did not happen.”
“Russia for sure directed significant effort at Ukraine’s digital infrastructures but they have not showcased any novel/unseen strategies, tools or techniques,” Krotofil told Motherboard in an online chat. “Most attempts were opportunistic—penetrating organizations they could get in and the attack scenarios were standard such as leakage of data or wipers.”
The IT Army was created by Mykhailo Fedorov, Ukraine’s Vice Prime Minister and Minister of Digital Transformation, in a tweet that linked to a Telegram group.
After the tweet, the Ministry of Digital Transformation posted a message on its Telegram channel, calling for volunteers. “We urge you to use any vector of cyber and DDoS attacks on Russian resources,” the post read.
In the first ever post in the official IT Army Telegram channel, the group announced: “Task #1: We encourage you to use any vectors of cyber and DDoS attacks on these resources,” listing 31 Russian banks, businesses, and government websites.
As of this writing, the IT Army’s official Telegram channel has almost 250,000 subscribers, and the group has been active almost daily since its inception. In the beginning, however, the members of the IT Army were flying blind.
“We literally had nothing, not even ideas on how it should work, because it came out of the blue,” a member of the IT Army, who asked to remain anonymous to protect himself, told Motherboard in a phone call. “Frankly speaking, we had to invent everything from scratch.”
Motherboard reached out to the member using an email address linked to the official email address that the IT Army advertises on its Telegram group. A person behind the official email address told Motherboard that the other address is used by the IT Army as well.
The member said his role is managerial, evaluating what’s working and what’s not, and devising strategies for future operations. He said he joined the IT Army out of a will to help his country fight against the Russians, like many others of his fellow Ukrainians.
“When the war broke out, many people started to look at how they could help the country, to win or survive. And frankly speaking, of course, not everyone is ready for military service, to go to the frontline, shoot, and die, and all those things,” he said. “So many people thought about joining the DDoS attacks because it’s quite impactful to put pressure on the civil and military in Russia.”
Since then, the IT Army has mostly used DDoS as its weapon of choice—to the point that it’s now releasing its own DDoS tools. But over time, the group has carried out other types of cyberattacks, more or less sophisticated.
In early April, the group defaced the websites Sukhoi[.]ru (Russian aircraft manufacturer) and Gazprom[.]ru (a majority Russian state-owned energy company), uploading fake statements by Sukhoi’s general director Yuri Slyusar and Gazprom’s CEO Alexie Miller, criticizing the Russian government for the war in Ukraine.
Shortly after, the IT Army hacked Rossgram, Russia’s Instagram clone. The group claimed to have breached its beta sign-up database, created a fake Rossgram app, sent invites to the beta sign-ups, and pushed notifications to users who installed the fake app saying Rossgram was hacked, and, finally, leaking the beta sign-up database online.
But the IT Army’s successes, and activities, didn’t always find widespread support.
“In my opinion, it would be wrong [for the government] to endorse this activity, but as a citizen, as a person who wishes our country to prevail in this absolutely unprecedented, unbelievable war in the 21st century, I would be grateful for their help in weakening our enemy,” Victor Zhora, the deputy head of the SSSCIP, told Motherboard in a phone call.
The IT Army’s existence is “the indication of the will of Ukrainians to defend their country in cyberspace,” and their actions have forced Russians to defend themselves from cyberattacks, which meant they weren’t able to focus all their forces on attacking themselves, Zhora added.
Zhora made it clear that his agency is dedicated to “cyberdefense” and does not coordinate any offensive activities.
The Ministry of Digital Transformation did not respond to repeated requests for comment on whether they work directly with the IT Army. The Ministry does, however, post updates on the IT Army’s activities both in press release on its official site, as well as on its official Telegram channel.
“In my opinion, it would be wrong [for the government] to endorse this activity.”
Krotofil said that at least at the beginning “cyber space became a gray unregulated area where individuals from all over the world may participate and do whatever they want,” which meant that the IT Army volunteers’ “activities were not regulated and may be were not always driven by good judgment as those people were and are civilians who do not have proper knowledge how to act strategically.”
But over time that’s changed, the volunteers adopted “proper ‘rules of conduct’ […] to limit attacks on unrelated targets,” and “the activities became more regulated and better thought over and some groups for sure conducted useful [open source intelligence] work or permitted operations on the territory of Ukraine,” she told Motherboard in an online chat.
Soesanto told Motherboard in a phone call that the IT Army is now committed to fewer targets, but is better organized and “methodologically structured.”
At the same time, groups like the IT Army have made tracking what hackers are doing in the conflict a bit harder for researchers.
“The number of amateurs and volunteers since the start of the war in Ukraine, that have jumped in to attempt to help one side or the other playing at being some kind of ‘cyber soldier’ has made tracking what’s going on more difficult at times,” Shane Huntley, the head of Google’s Threat Analysis Group, told Motherboard in a phone call. “It takes work to determine what is a serious government attack and what might be some overenthusiastic amateurs.”
The future of the IT Army, at this point, is very much an open question.
One of the reasons the Ukrainian government hasn’t out and out endorsed the IT Army is because, in some way, some of its actions are questionable. Is it legitimate to target civilian websites and companies in times of war? For now, western cybersecurity experts have not chimed in, but that could change, especially if the IT Army continues targeting Russia once the war is over.
“If the narrative switches toward, ‘OK, you’re hitting Russian civilian infrastructure, and we’re not fine with that, because it violates norms and international law,’ then I think it will be a kind of bad image for Ukraine,” Soesanto said,
“Will this just be something they shut down? Which is the responsible thing?” Cutler said, speculating on the future of the IT Army. “It’ll be also interesting to see what new groups form out of this as well, because if you’ve got a group of people that all joined into this with a common goal, became familiar working with each other in an operational capacity, when the conflict ends, are they going to disband, or are they going to push forward?”
According to the IT Army member, the group “will be done on the same day when the war is over, because practically the meaning of this is to put more pressure on the enemy, and I don’t see any point to keep it active when the war is over.”
It’s too early to write the full story of what will happen hacking-wise in the rest of the war; surely there are operations that have happened that we haven’t heard about, or may never hear about.
“The fog of war and the propaganda on both sides makes it very difficult to assess what is going on in cyberspace beyond the hacktivism stuff, IT Army, and the phishing campaigns that [Ukraine’s cybersecurity agency] SSSCIP is disclosing every week,” Soesanto said. “In a year from now we are probably going to be much wiser when it comes to all the military cyber operations that we currently don’t see and know nothing about.”
Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.
READ MORE HERE