(Editor’s note: This piece comes to us from a Ukrainian source personally known to us and writing about a spontaneous effort by IT professionals in Ukraine, joined by others around the world, in cyberattacks on Russia following its invasion of Ukraine. Much has been written in the past about Russia’s cyber-warfare capabilities being first-rate and enormous in scope and scale, but with the exception of an initial and limited attack on Ukraine’s infrastructure in the early days of the war, it has been largely absent. Most of the attacks that did take place were simple distributed denial-of-service (DDoS) attacks that can be easily repelled. SOFREP itself has seen these DDoS attacks coming from Russia on our own website since the invasion began, and we didn’t have any trouble beating them back. In the 5 weeks since the invasion began, there are few signs of any Russian sophistication regarding its use of cyberweapons, with speculation that it may have all been posture rather than reality. It seems less and less likely that Russia has any significant reserve capability in terms of cyber, and its cyber capabilities may have been the victim of the same kind of neglect and mismanagement we’ve seen in the rest of the Russian military. It is also possible that Russia’s cyber assets are being kept so busy trying to defend and fight off attacks on their own cyberinfrastructure that they are on the defensive. The so-called “IT Army of Ukraine” you will read about below may be part of that effort to keep Russian cyber forces playing defense rather than offense.)

IT Army of Ukraine and DDoS attacks on Russian sites

The war that Russia started and the assault on major Ukrainian cities came as a surprise to many of us. When we saw missiles and artillery rounds hitting cities and streets where we grew up, the first idea that came to our minds was:

“How can we stop this?” and “What can we do to help people in Ukraine?” Thousands of IT professionals who grew up in Ukraine and live all over the world felt the same. A lot of people were simply shocked and couldn’t get back to their day-to-day lives. They needed something that would give them meaning in those challenging times. The IT Army of Ukraine had a message for them: “Stop being shocked and join the fight. Anyone can help.”

During the first days of the war, the Ministry of Digital Transformation of Ukraine started a Telegram channel called “IT Army of Ukraine”. The channel quickly became a self-regulated community of Ukrainian IT professionals who were against the war and wanted to support Ukraine in any way possible. It started with fewer than 10K participants. More freedom fighters from all over the world kept joining the fight for democracy in Ukraine. Now the community is approaching 500K members, and many of them are not Ukrainian and don’t live in Ukraine.

It all started with the Telegram channel the Ministry of Digital Transformation created. Most of the topics were requests for help and suggestions on what could be done to help. Coordination was minimal.

People who were the most active would take specific initiatives and focus on those. More and more Telegram channels were created, branched out from the main channel. Creators of those new channels started their own groups focused on the same goal: to help stop the war and save people in Ukraine. So the leaders are basically the most active members, who picked a direction and led specific projects and efforts. Some of those leaders are top managers at well-known tech corporations.

Many leaders and members are involved in activities that are illegal in certain parts of the world, so they would like to remain anonymous. Technologies such as darknets, blockchains, and VPNs are widely used by those willing to stay anonymous. Even some hackers joined the fight to lead the most technically challenging projects.

At this point, the community has 100+ people leading in different directions with separate channels and groups. Tens of thousands are actively helping, and hundreds of thousands are monitoring the communication and looking for ways to help.

The initial directions were:

  • Reach out to Russian citizens who are isolated by the propaganda shield and let them know what is going on; this goal evolved into helping to organize meetings and opposition in Russia; one of the activities was letting Russian citizens know when meetings are happening and where.
  • Protect Ukrainian web and digital resources from attacks by Russian hackers.
  • Bring down digital and web assets of Russia and get access to confidential information.

The Ministry of Digital Transformation started with those broad directions and let the community figure out what to do with them.

A lot of people wanted to help, and some members were simply translating from Ukrainian and Russian into English and creating separate channels in English.

As soon as the direction was clear, the first attacks started to happen from all over the world. People in the US were actively involved.

Lists of websites that belong to the Russian government and pro-government media were shared amongst community members. Some members of the community would set up ways to monitor those websites, and others would focus on attacking those sites. The goal was to make sure that most of the websites are down all the time. As a result, 80% of the websites in those lists are down all the time.

Many members of the community would spend their own time and money to pay for the resources needed for the attacks, such as virtual servers and other cloud services. The community is looking for ways to make it possible to donate resources, because running a lot of servers and the infrastructure needed for those activities gets complex and expensive.

Intelligence was another direction that was actively explored. Russians started to use devices to guide their strikes, but it didn’t work and they switched to Google Maps. Russians used Google Maps layers and labels to identify targets for the attacks. The intelligence community compared Google Maps labels with the attacks and found that they match. They went even further to identify the people who were creating those labels.

New mobile apps were created to inform people about incoming strikes near them, let them communicate with each other and stay informed about what is going on, and even watch Ukrainian TV on mobile.

Another intelligence initiative was to find people who are committing war crimes by hacking Russian military databases and identifying the people responsible for strikes and actions.

It is still not clear what actions Russia will take to disconnect itself from the Internet. If it does, it may complicate the ability to attack Russian sites and to provide support to the Russian opposition.

At this point, the community needs more people and more resources to operate. Not only are cloud services needed, but also access to infrastructure such as SMS messaging in Russia. The community is using crypto to fund some initiatives and is looking for ways for people to contribute bits and pieces of infrastructure without being exposed to additional risks. For example, some Amazon AWS accounts could be used for activities that are technically illegal in the US; how can this be made safe for the users who donated their Amazon accounts?

Another problem is that, in this atmosphere of full anonymity, there are some actors who could be using those donations and accounts not to help Ukraine but to make money or hack something else.

A lot of information is currently being uncovered and shared online. This includes a lot of private information and lists of people. There is a risk that this information could be misused after the war.