As Russia has subjected Ukraine to ground attacks and missile bombardments, an invisible group of hundreds of thousands of volunteers has been fighting back — from their bedrooms.
Earlier this week Ukraine’s vice-prime minister Mykhailo Fedorov announced the launch of an “IT army”, urging underground hackers globally to start disruptive cyber attacks on Moscow and to bolster the cyberdefence of Ukraine’s critical infrastructure. Within just a few days, it has grown to more than 400,000 members, Ukrainian officials estimate.
Directing volunteers via a channel on the messaging app Telegram, the collective has claimed it is responsible for numerous mini-victories, including taking down, at least temporarily, the websites of the Moscow stock exchange, Russia’s federal security agency and the country’s largest bank Sberbank. On Thursday, it announced fresh targets: Russia’s satellite navigation system and the Belarusian railway network, which is being used for the transportation of Russian troops and supplies.
While their claims are difficult to verify, this new front marks a revival of so-called “hacktivism” — cyber attacks conducted for ideological and activist purposes rather than for financial gain or as part of official state activity. The practice was first popularised in the late 90s but had become less common in recent years following crackdowns by law enforcement.
“We are so grateful to every cyber warrior,” the IT Army’s administrators exclaim in the channel, prompting thousands of users to respond with emojis of hearts, fire flashes or a thumbs-up.
“[Russia] use transportation to deliver soldiers and arms to attack Ukraine. This should be stopped,” Victor Zhora, deputy chair of Ukraine’s security and intelligence service, said on Friday, adding that the “cyber warriors” were not targeting civilians, but Russian payments services, transportation, the media and government systems.
The loosely organised cyber militia is just one of dozens of hacking groups, including both new and pre-existing ones, that have been galvanised by Russia’s invasion of Ukraine to publicly declare allegiance to one or the other side, resulting in an explosion of vigilante cyber activity.
Among those now joining the fray is the previously prolific hacktivist group Anonymous, which in the mid 2000s launched a spate of well-publicised attacks and last week announced it would be targeting the Russian government.
“This is definitely a throwback,” said Stan Golubchik, chief executive of cyber security group ContraForce. “In the past, it was more ad hoc initiatives. We haven’t seen collaboration to this level before.”
Researchers at threat intelligence group Flashpoint said they had tracked close to 50 hacking groups that had now joined the latest cyber efforts, with the majority supporting Ukraine and several financially motivated criminal groups, such as the Conti ransomware group, declaring allegiance to Russia.
But these cyber guerrilla warfare efforts could escalate into uncharted territory, experts warn, and pro-Ukrainian attacks risk sparking more heavy-handed retaliation from Russia.
“If one of these activists, one of these volunteers knocks over something and someone dies, that is firing the first shot,” said Mike Hamilton, former vice-chair for the US’s department of homeland services co-ordinating council and chief information security officer of cyber security firm Critical Insight.
It comes as experts have been watching for indicators that Russian president Vladimir Putin might unleash the full force of Russia’s state cyber capabilities against Ukraine, with fears growing about its critical infrastructure as well as the possibility of ‘spillover’ malicious attacks into the west. Regardless of any direct action taken by the Kremlin, many predict a sharp rise in cyber crime stemming from within Russia, including theft or extortion such as ransomware, as western sanctions inflict pain on the economy.
Historically, hacktivism has occupied a grey area between ideological protest designed to expose perceived wrongdoing or ineptitude, and illegal activity — with those involved being hailed as either mischievous freedom fighters or a criminal digital lynch mob. Targets have included large corporations, governments and even terror groups. Anonymous, which uses the Guy Fawkes mask as its emblem, has previously hit Isis, the terror group in Iraq, and the Ku Klux Klan, as well as payments companies, local governments and the record industry. Some attacks have led to arrests of members by US and UK authorities.
One hacker involved in Anonymous, who spoke with the Financial Times on condition of anonymity, said there were hundreds of hackers now mobilised within the network in support of Ukraine. The group is focused on targeting the vehicles of Russian disinformation campaigns, such as media agencies, as well as hacking funds from certain Russian financial institutions in order to donate them in cryptocurrency to the Ukrainian efforts, the person said.
The hacker said they believed Anonymous had the skill set to disrupt Putin’s agenda, adding that they personally were motivated by the fight for freedom of expression against his censorship regime.
Other notable groups coming out in support of Ukraine include NB65, which “declared a successful campaign against . . . [Moscow’s] Nuclear Safety Institute, and published sensitive documents”, according to a report by cyber security firm CyberInt. A newer hacking group, GhostSec, which has targeted Russian bank servers and TV channels, and Georgian group BlackHawk are also siding with Ukraine.
Some efforts have been spearheaded by corporations: Hacken, a cyber security company formerly based in Kyiv, claims to have signed up 10,000 hackers globally to a bug bounty programme for global hackers to uncover and fix vulnerabilities in Ukraine’s systems and exploit them in Russia’s.
Tactics by the pro-Ukrainian groups have typically included launching “distributed denial of service attacks” — where hackers use bots to bring down websites by flooding them with requests for information. Many also deface websites, adding pro-Ukraine messages or embarrassing anti-Russia messaging.
For example, on Monday Russian energy company Rosseti suspended electric vehicle charging stations along the motorway that stretches from Moscow to St Petersburg after they were hacked. Video footage posted on Facebook showed the error messages of the chargers had been changed to read: “Putin is a dickhead”.
Some analysts are sceptical of the impact of the various efforts, dismissing them as low-key monkeywrenching. “It’s a nuisance [but] it’s not going to have any significant effect on the Russians,” said Dmitri Alperovich, co-founder of security group CrowdStrike who now runs the Silverado Policy Accelerator think-tank.
But others note an escalation in tactics and targets towards more disruption, including to critical infrastructure. In the early days of hacktivism, “it was a lot about doxxing and stealing embarrassing documents and making things public,” said Hamilton. “Now we are getting kinetic with this . . . We’re talking about getting into the communication stream of your adversaries.”
Tony Adams, senior security researcher with Secureworks’ threat intelligence unit, warned that Russia might also be able to seize on the confusion in order to deploy state-backed attacks under the guise of a hacktivist group. “It’s a playbook that’s been used in the past,” he said.
Ukraine’s Zhora said that while he did not “welcome any illegal activity in cyber space” he “understands” and “appreciates” what Anonymous and other hacktivists are doing. “The world order has changed . . . and I don’t think sticking to moral principles works since our enemy doesn’t have any principles. We appreciate every kind of help.”
Additional reporting by Madhumita Murgia in London