Ukraine’s Online Volunteers Go After Russian Targets

“Today we’ll attack fiscal data operators,” proclaimed the official Telegram channel of Ukraine’s IT Army on April 20. Attached was a list of websites of Russian and Belarusian financial services companies, complete with critical information about their website configurations.

Within 24 hours, a raft of those websites were knocked offline. “You did a great job,” the Telegram channel reported. Attached was a new list of targets. Within hours they, too, were offline.

Ukraine’s massive cyberarmy, which includes both workers from the country’s burgeoning technology sector and volunteers from around the world, has turned the tables on Russia in a way that experts never expected.

“Before the full-scale Russian aggression, even though we were exposed to numerous cyberattacks, what we did was clearly defensive in nature,” said Mykhailo Fedorov, Ukraine’s deputy prime minister and minister of digital transformation. “That drastically changed since the Russian tanks started rolling.”

Just as many analysts expected an easy military victory for Russia when it began its invasion of Ukraine in late February, so too were there many predictions that Moscow would destroy Ukraine’s technology infrastructure with its much-fabled offensive cyber-capabilities.

That didn’t happen.

Instead, Ukraine has actively fought off a deluge of attempted cyberattacks on its critical infrastructure, while bringing the fight to Russia.

“We started actually counterattacking,” Fedorov said.

While government officials express their appreciation for the work, the IT Army is not part of Kyiv’s command structure.

“Of course, all offensive activity against Russian military government infrastructures is helpful to Ukraine,” said Victor Zhora, deputy head of Ukraine’s State Service of Special Communications and Information Protection. “So we can’t endorse it officially. But we are thankful to those volunteers who can do this.”

Ukraine’s plausible deniability is in stark contrast to Russia’s dizzying network of state-based hackers, who are largely housed inside the GRU spy service and who are believed to be responsible for the NotPetya and Sandworm attacks; arms-length hacking groups such as the Fancy Bear team, which has targeted the U.S. state; and a number of criminal hacker groups that operate with tacit permission from Moscow, which likely takes a cut of the revenue.

Ukraine’s volunteer hacking army, however, operates with considerably more discipline: Targets are not random, the hackers insist, and are chosen deliberately and carefully. “If we all start attacking random targets we [lose] our striking power,” a Q&A from the IT Army reads.

In recent weeks, the Distributed Denial of Secrets portal—which leaks hacked information that, the hackers believe, is in the public interest—has uploaded more than 2 terabytes of hacked material from Russian financial services companies, property managers, travel agencies, railway corporations, and even the Russian government itself. The hackers dumped huge troves of emails from state-owned Gazprom, the Russian Central Bank, the Ministry of Education, and even the Russian Orthodox Church.

The IT Army’s website keeps track of their targets: Of 64 websites and servers in their crosshairs during one round of attacks, some 43 were assessed as “dead”—knocked offline—and another 11 were “not healthy.”

Before the war, Ukraine had a strong tech sector, growing as high as 40-50 percent a year and well positioned thanks to relatively cheap labor, a well-educated population, and a strong school emphasis on technical subjects. Many tech workers have fled, and while some are working remotely, others have lost their jobs and instead dedicated themselves to the fight against Russia.

Yet not all the hackers are Ukrainian: The hacker collective Anonymous has pledged its support to Kyiv and has corralled a global effort to disrupt life in Russia—most notably, interrupting the deluge of propaganda on Russian state television with real images from the war.

Whoever is carrying out the attacks, the Ukrainian government has to walk a careful line. One issue is whether going after Russian data blurs the lines between military and civilian targets. “In Ukraine, we highly value personal data of each and every citizen,” Fedorov said. As the minister responsible for setting up Ukraine’s digital services, he insists that the government collects only what data is strictly necessary. “I believe that in Russia, the situation is basically the other way around. They believe that the state owns the data of its citizens,” he said. “And then, ergo, the state is vulnerable.”

Leaking that data, he said, can enable more targeted interventions—“manipulations and possible attacks using fraud and social engineering.”

The investigative group Bellingcat reported that a hack of a popular Russian food delivery service revealed the identities of employees of state security services. That sort of data can give more professional state cyberactors a leg up in terms of targeting specific security and military officials.

In March, hackers leaked a massive trove of data from Roskomnadzor, Russia’s communication and media ministry. Last month, Forbes reported that the ministry is now feverishly working to build a national program to defend against distributed denial-of-service attacks, mass assaults that look to render websites inaccessible.

“This has been an unprecedented attack against their information systems,” Fedorov said. Internally, he said, “The organization and the expertise of our IT Army has been growing. And I think that it’s going to be effective for some time to come.”

According to Russian news agency Interfax, Moscow is even limiting foreign internet traffic to try and mitigate against the attacks. It hasn’t done much good to date.

“I can gauge the effectiveness of the IT Army based on what the Russians are saying themselves,” Fedorov said. “And what they’re saying is that they’re experiencing data leaks, they’re experiencing downtime of some of their vital information systems.”

Some tactics are less confrontational. The IT Army also dispatches volunteers to bombard TripAdvisor and other crowdsourced review sites with information about the war—one suggested message reads, in Russian, “The food was good! Unfortunately, Putin spoiled our appetite by vilely unleashing a war with Ukraine.” The hacktivists have also set up websites to allow users to send a pro-Ukrainian message to a random Russian cellphone.

While those actions might be a public relations coup in the West, their impact in Russia is likely much more muted. Polling data has shown that support for Russian President Vladimir Putin and his war has actually risen since the war began.

“Russians are expert in the art of navigating propaganda and can easily access alternative sources of information if they are so inclined,” Peter Dickinson, the editor of the Atlantic Council’s UkraineAlert, argued recently. “The chilling truth is that tens of millions of Russians readily accept the Orwellian lies promoted by Kremlin TV and share the sentiments expressed by the country’s pro-war cheerleaders.”

While Russia may be utilizing a wide swath of cyberactors—both state, nonstate, and those somewhere in between—Ukraine has no plans to begin official offensive cyberactions against Moscow.

“We can use only defense to limit their abilities to organize the cyberattacks on Ukraine,” said Zhora, of the State Service of Special Communications and Information Protection. If Kyiv wanted to begin launching attacks on Russian infrastructure, it would need to adopt a domestic legal framework.

“[NATO] is observing very intently what is happening in cyberspace right now,” Zhora added. “And probably there will be some changes in understanding how offensive operations can be provided—and what are the limits?”

To date, NATO has been skittish about deploying cyber-power. NATO Secretary-General Jens Stoltenberg has said a large-scale, sophisticated cyberattack could trigger Article 5 of the alliance’s founding treaty and lead to a collective response—but it’s unclear what that threshold looks like and what sort of collective response that would be. With that lack of clarity, NATO member countries have avoided cyberoperations against Russia or, at least, have kept them quiet.

In a recent op-ed in Politico, cybersecurity experts Erica Lonergan and Sara Moller advocated for “treating cyberattacks that do not rise to the level of a major attack as a national matter—not one for the alliance.” Doing so would help clarify when Article 5 should be invoked, they argue, and would allow states to adopt “nationally-tailored responses” for those cyberattacks.

In the meantime, Zhora said his government’s requests have been fairly straightforward: “First, weapons. Second, sanctions,” he said. When it comes to cybersecurity, he said the West needs to continue severing digital ties with Russia. He called it a “technological lockdown.”

The efficacy of Ukraine’s cyberattacks on Russia may incentivize Moscow to step up shelling against IT infrastructure in the country. To date, Kyiv has managed to keep the vast majority of the country online, thanks to Starlink terminals provided by the tech billionaire Elon Musk, the United States, and Europe. Some of those terminals have already been hit by shelling. In recent days, Russian forces have successfully cut off internet access in the Kherson region.

The bombing, Kyiv said in a statement, is “another enemy attempt to leave Ukrainians without access to the true information on developments in the war waged by [Russia] against Ukraine; and to make their false propaganda an uncontested source of information, just like it is done in Russia.”