Don’t Underestimate Ukraine’s Volunteer Hackers

Kyiv’s “IT army” could undermine Russia’s war narratives.

By Jennifer Shore, a graduate student at Princeton University’s School of Public and International Affairs.
A man in a blue jacket walks away holding a gun on a city street. A Guy Fawkes mask is on the back of his head.
A member of the Ukrainian forces, wearing an Anonymous Guy Fawkes mask, patrols downtown Kyiv, Ukraine, on Feb. 27. ARIS MESSINIS/AFP via Getty Images


Cyberconflict between nation states is usually fought in the shadows, only trickling out into the public view in bits and pieces. So Moscow took an unusual step on March 29 when it issued a public statement that accused the United States of being behind a “cyberwar” against Russia, detailing what it claimed were cyberoperations by “anonymous hackers and provocateurs” backed by the U.S. government and threatening “grave consequences.” Amid warnings by the White House that Russia is exploring cyberattack options against the United States, the Russian statement may indicate a real threat to U.S. infrastructure.

The source of Moscow’s fiery rhetoric is a volunteer international hacker movement that has been targeting Russia since the start of its invasion of Ukraine. When Ukraine came under a barrage of Russia-linked cyberattacks leading up to and during the invasion, there was little the Ukrainian government could do to fight back. Kyiv has yet to establish the offensive military cyber force that Ukrainian President Volodymyr Zelensky issued a decree to form last August.

That is probably why on Feb. 26, Ukrainian Vice Prime Minister Mykhailo Fedorov took a step no other government official in the world likely ever has: He publicly called on volunteer hackers to take down another country’s websites. And he had a list of 31 Russian government, bank, and corporation websites ready to go. Within days, Ukraine had amassed an “IT army” of more than 400,000 volunteers.


This undertaking risks escalation that will be hard to contain, as Moscow seeks to associate attacks by pro-Ukraine hackers with Western governments and may use that as a false pretext to target Western infrastructure. Although these volunteer hackers will almost certainly not have widespread destructive effects, in the long term, their actions could also undermine Russian war narratives, reduce domestic support in Russia for the invasion, and weaken Russian ransomware groups. 


The IT army’s opening salvo was temporarily taking down the websites of the Russian foreign ministry, stock exchange, and a state-owned bank—all within days of Fedorov’s call to arms. They also claimed to target at least 10 other Russian websites, including those of Russia’s principal security agency and the Kremlin. Since the initial attacks, the IT army has been posting lists almost daily of additional Russian civilian and government websites in its Telegram channel and directing its participants to collectively target these sites. Some participants in the hacktivist campaign also worked under the banner of Anonymous, the loosely organized international hacker activist collective. Popular Anonymous-affiliated social media accounts declared “cyberwar” on Russia shortly after the invasion and subsequently claimed cyberattacks against Russian state TV and other high-profile targets. These claims have not all been independently verified, but in some cases, the targeted websites were inaccessible for hours at a time.

The hacktivists have predominantly used relatively unsophisticated distributed denial-of-service (DDoS) attacks, which overload websites with traffic, temporarily rendering them inaccessible but causing no long-term damage. Individuals can easily participate in DDoS attacks from anywhere in the world, with little technical skill, by using readily accessible tools online to join a group of computers simultaneously targeting a given website.

Hacktivists may be seeking to expand their tactics to include data leaks. Within two days of the invasion, actors operating under the banner of Anonymous began claiming to have hacked and leaked documents and email data from targets such as Russia’s censorship agency, Belarusian weapons manufacturer Tetraedr, and Russia’s space agency. (These specific claims have not been independently verified.)

The pro-Ukrainian hacktivists will almost certainly not be able to match Moscow’s cybercapabilities, since hacktivists lack the sophisticated offensive cybertools and resources that are traditionally the domain of state actors. However, it would also be a mistake to underestimate these groups.

Behind the veil of Anonymous and the IT army is a wide range of individuals with varied levels of technical expertise. They are located both inside and outside of Ukraine, though the exact geographic distribution of the hacktivists is unknown. The participants run the gamut, from amateurs launching DDoS attacks to skilled cyberdefense professionals coordinating more technically advanced attacks in smaller groups. Although varying skill levels and a lack of coordination will probably make it hard to sustain a 400,000-person IT army in the long term, the smaller groups may be able to achieve more disruptive operations over the course of the war, especially if they develop closer ties with the Ukrainian government.


Perhaps the most significant impact the hacktivists could have is damaging Russia’s reputation both domestically and internationally as well as undermining its misinformation narratives by leaking data from Russian organizations. Such leaks could, among other things, extend a core aspect of Western governments’ current strategy against Russian President Vladimir Putin: exposing his war plans through strategically timed intelligence disclosures.

Ukraine’s history of hacktivism demonstrates that pro-Ukraine hackers can be successful in this regard. Shortly after Russia’s 2014 invasion and annexation of Crimea, Ukrainian hacktivists mobilized under the so-called Ukrainian Cyber Alliance, taking down Russian websites and leaking sensitive data. For instance, they claimed to have leaked mobile phone and email contents affiliated with separatists and shared the information with InformNapalm, a Ukrainian civil society organization that sifted through and published articles about the leaks.

The hacktivists’ biggest achievement came in October 2016, when they hacked and leaked the email account of Vladislav Surkov, Putin’s close advisor on the conflict in eastern Ukraine. The leaks revealed Surkov’s efforts to destabilize Ukraine, undermine its government, and orchestrate the election of certain separatist politicians, providing concrete evidence of activities that Moscow had previously denied.

It is unclear whether the Ukrainian Cyber Alliance is still operational, but its members or others with comparable skills may succeed in similar attacks during this war. As Russia continues to spread misinformation about the purpose of its presence in Ukraine, leaks along these lines could be a powerful antidote, undermining domestic support for the war and providing a basis for other countries to hold Russia accountable for its diplomatic and military actions.

In addition, DDoS attacks may affect public opinion in Russia. A steady stream of inconveniences and disruptions will likely increase Russians’ discontent with the war. As of early March, only 58 percent of Russians supported the invasion, according to an independent telephone survey. As Fedorov, the Ukrainian vice prime minister, said in a recent interview, the goal of these website takedowns is “to make life so unpleasant and inconvenient for Russian citizens that they would question the war.”

Pro-Ukraine hackers also have the potential to seriously weaken Russian ransomware groups, which have a history of damaging attacks on U.S. and other countries’ infrastructure. After the Russian ransomware group Conti came out in support of the Russian government on Feb. 25, a Ukrainian cybersecurity researcher leaked the contents of its chat logs online. A week later, detailed information about members and source code from another Russian ransomware group, Trickbot, began appearing online. If this practice (which has been separate from groups like the IT army and Anonymous) becomes more widespread, it could hamper ransomware groups’ operations.


Since March, Russia has been increasingly vocal about the hacktivism, possibly as a way of justifying a future retaliatory cyberattack. On March 2, Russia’s cyberdefense agency put out an alert that 17,500 IP addresses and 174 internet domains were involved in DDoS attacks on Russian sites and provided private organizations with mitigation measures, such as changing passwords. The following week, a Russian cybersecurity company announced it had observed a large spike in DDoS attacks against Russia since Feb. 25, with more than 450 such attacks against banks in March alone and 1,100 against the commercial sector. The company found that government sites were most targeted. Soon after, Russia’s communications ministry issued a statement claiming it was “recording unprecedented attacks on the websites of government authorities.” The Ukrainian government also found that throughout this period, Russian state media increased coverage of cyberattacks on Russian infrastructure.

Then, on March 29, Moscow issued a statement accusing Ukraine and the West of a “cyberwar” against Russia. In the statement, Russia called the IT army Ukraine’s new “offensive cyber forces” and said the personnel behind the attacks were “trained by U.S. and other NATO experts.” The statement also claimed Ukrainian hackers were being reinforced by an anonymous “army of cyber mercenaries” who were “acting on orders from” the West. The most serious accusation was that these cyberoperations affected “the operation of our industrial sectors,” which suggests Moscow is blaming the hackers for potentially sophisticated attacks on Russian critical infrastructure.

Almost everything in the statement is at least a distortion of reality, if not fully untrue. For instance, Ukraine has said it does not formally employ IT army members. Although it is true that the United States, European Union, and NATO have provided technical assistance to Ukraine to help secure its computer networks against Russian intrusions, this support is not offensive, as Russia suggests. Finally, there is no evidence to date that the IT army or other hackers have successfully damaged or disrupted industrial sectors.

There are several reasons Russia might have published this statement. Russia could be trying to discredit or respond in kind to the United States after the White House rapidly attributed cyberattacks in Ukraine to Russia earlier this year. Russia may also be trying to dissuade Western governments from providing Ukraine with defensive cybersupport. The most concerning possibility, though, is that Russia is establishing a pretext for a cyberattack on U.S. infrastructure—especially since it threatened “grave consequences.” Indeed, the Biden administration warned in March that Moscow is exploring cyberattack options against the United States.

Going forward, Moscow may press Western governments to rein in pro-Ukraine cyberattacks by their citizens. Since some of the hacktivists are located in countries outside of Ukraine, Moscow may use this to hold those governments accountable for cyberattacks on Russia—especially if the governments are not prosecuting or condemning DDoS attacks and other activity originating within their borders. Participating in DDoS attacks is illegal in many countries, including the United States. Russian forces could also treat Ukrainians engaged in hacktivism as combatants and physically target them.

As pro-Ukraine hackers seek to target more sensitive infrastructure, the potential for escalation only grows. On the first day of the invasion, Ukraine’s defense ministry asked Yegor Aushev, a Ukrainian technical expert, to recruit hackers to assist the government in cyberoperations. He has claimed that he is now working with a group of approximately 1,000 volunteers to target Russian critical infrastructure. Even if they do not succeed, attempts or stated intent to target more sensitive infrastructure may be used by Russia as justification for retaliation.

In addition to more sensitive targets, pro-Ukraine hackers may pursue more damaging cybertools. In early March, a U.S. cybersecurity firm found new malware called RURansom targeting Russia. The malware, which has not yet been used in any attacks, is designed to delete data on infected systems and target only Russian computers. It leaves a message to Putin on any infected computer stating that, because of the war, “You bought this for yourself, Mr. President.” It is not known who created RURansom or how effective it would be in an attack, but a pro-Ukraine actor could have developed it in retaliation for the war.

How far pro-Ukraine hackers take their cybercampaign remains to be seen. It depends on the trajectory of the war writ large, Russia’s response to the hacktivism, and the relationship Kyiv forges with the volunteers over time. Although these factors are hard to determine, the role of technically skilled Ukrainians and their international supporters in the war should not be overlooked, especially as Russia may consider using the IT army as justification for its own actions targeting the West.

Jennifer Shore is a graduate student at Princeton University’s School of Public and International
Affairs. She was previously a fellow at the White House National Economic Council during the
Obama administration.
