Armed Conflict Cybersecurity & Tech Foreign Relations & International Law

Kyber Sprotyv: Ukraine’s Spec Ops in Cyberspace?

Stefan Soesanto, Wiktoria Gajos
Tuesday, April 9, 2024, 9:45 AM

A group with ties to the Ukrainian government is breaching the email accounts of Russian military officers, politicians, and civilians.

Members of the Ukraine military monitor network access during Combined Endeavor 2011 (Defense Visual Information Distribution Service, https://nara.getarchive.net/media/members-of-the-ukraine-military-monitor-and-maintain-bcb83c; Public Domain)

Published by The Lawfare Institute
in Cooperation With
Brookings

The Russian invasion of Ukraine on Feb. 24, 2022, has led to an eruption of malicious activity in and through cyberspace. As of Feb. 27, 2024, the CyberTracker maintained by threat researcher CyberKnow lists a combined 128 threat groups that are active in the conflict: 83 pro-Russian and 45 pro-Ukrainian ones. While many of these groups are non-state actors with no known government affiliations, a handful of them are likely state-controlled or state-coordinated groups. The former can be defined as groups whose organizational structure and activities are directly (co-)managed by a government. And the latter can be viewed as groups whose independent operations are coordinated by a government in support of achieving specific national objectives.

One of these groups is called Кібер Спротив or, in English, Kyber Sprotyv, which means “cyber resistance.” It is likely a state-coordinated group with ties to the Ukrainian government. Kyber Sprotyv stands out among the other 45 pro-Ukrainian groups, as it (a) has specialized in breaching the private email accounts of Russian military officers, their spouses, politicians, and civilians of interest; (b) is extremely well integrated into the Ukrainian information ecosystem; and (c) maintains a unique relationship with the Ukrainian intelligence services in general and the Ukrainian Special Operations Forces in specific. So far, though, no comprehensive analysis has unpacked the group’s government linkages, its targeting behavior, and the ecosystem it functions within. 

This piece offers insights into the ecosystem Kyber Sprotyv is part of and outlines why the group’s conduct poses new unique challenges for the law of armed conflict applicable in cyberspace. In particular, it opens up the question of government agencies outsourcing hacking operations against civilian targets and objects in times of war. The fusion of cyber and information warfare operations is of particular relevance in this context as well. This piece also draws out the analytical uncertainties that researchers face when trying to ascertain whether a group cooperates with a government. Determining the various degrees of cooperation that exist in practice is of particular relevance for staking out the exact parameters of state responsibility in cyberspace and for minimizing misleading attribution statements. This article will hopefully spur further research to guide the rigorousness of analytical products that investigate the interplay between states and non-state groups in cyberspace.

Kyber Sprotyv’s existence was publicly revealed on Feb. 24, 2023, when the group’s public Telegram channel was created. The group describes itself as “a team of hacktivists who have been cooperating with various law enforcement agencies of Ukraine since 2014, as well as with volunteers from the international intelligence community InformNapalm, the Myrotvorets Center and the National Resistance Center.” The group’s claims of cooperation with Ukrainian law enforcement and intelligence agencies are difficult to verify, but evidence suggests a special relationship exists. The group’s active cooperation with Myrotvorets, InformNapalm, and the National Resistance Center is beyond any doubt. To showcase the ecosystem that Kyber Sprotyv operates within, this piece will explain each component and unpack some of the available evidence. 

The National Resistance Center 

The name and logo of Kyber Sprotyv resemble those of the National Resistance Center (Центр національного спротиву), which was created by the Special Operations Forces of Ukraine in March 2022 for the purpose of “training, coordinating and scaling movements against the occupation of Ukraine.” The center teaches nonviolent resistance, collects information about Russian operations, establishes communication with the underground, helps partisans, and informs the population of Ukraine about events in the temporarily occupied territories.

Kyber Sprotyv’s official logo depicts a skull with its right eye replaced by a symbol that combines a small less-than sign with a larger greater-than sign, similar to the emblem of the National Resistance Center, which has a small less-than sign—in Ukraine’s national colors—and a larger greater-than sign that likely reflects the Russian invaders.

On Feb. 25, 2023, Kyber Sprotyv made its first-ever Telegram post, which explained that the group only publishes information that is “no longer of operational value for the Ukrainian special services.” This can be read in two ways. The first is that Kyber Sprotyv directly supplies Ukraine’s intelligence services with data the group has exfiltrated and will release said data to the public only once it gets the all-clear from the intelligence services. The other interpretation is that Ukraine’s intelligence services provide Kyber Sprotyv with data that no longer has operational value to disseminate to the public.

Two facts support the latter interpretation. First, on March 2, 2023, the official Telegram account of the National Resistance Center posted (not forwarded) almost the exact same message that Kyber Sprotyv used in its first ever Telegram post. The National Resistance Center even used the same cover picture and exact same sentence, stating that Kyber Sprotyv will only publish materials that “are no longer of operational value for the Ukrainian special services.” Neither InformNapalm, Myrotvorets, nor any other Ukrainian news outlet or government agency has similarly endorsed Kyber Sprotyv.

Second, Kyber Sprotyv’s second-ever Telegram post—also on Feb. 25, 2023—shows the passport, driver’s license, and U.S. visa application of Belarusian musician and VoenTV military correspondent Nikolay Viktorovich Anisimov. In its post, Kyber Sprotyv claimed that it actively worked on these types of targets and received the documents from an external source. Curiously, the photos were watermarked with the National Resistance Center’s logo. Indeed, roughly two weeks prior, on Feb. 13, 2023, the National Resistance Center published the exact same documents on its own website, explaining that the documents “reached the Center of National Resistance from the Belarusian underground[.]” Anisimov’s case serves as an example of Kyber Sprotyv republishing information it received from the National Resistance Center. 

At the same time, however, Kyber Sprotyv has breached the private email accounts of more than 40 Russian and pro-Russian individuals as of March 2024. Of these email accounts, 27 belong to clear military targets. They include, for example, Col. Grigoriy Zana (chief of staff, 50th Separate Operational Brigade, Russian Guard), Col. Sergey Valerievich Atroshchenko (commander, 960th Assault Aviation Regiment), Lt. Col. Sergey Alexandrovich Morgachev (GRU, Unit 26165, also known as “Fancy Bear”), and Maj. Mikhail Shishkin (deputy commander, Military Unit 11754-51st Air Defense Division). The 15 remaining targets are quasi-civilian or civilian in nature. They include, among others, Aleksander Babakov (deputy chairman of the Duma), Maria Lvova-Belova (Russian presidential commissioner for children’s rights), Marina Starodubets (Ukrainian administrator of the Telegram channel “Waiting for Melitopol and the Region”), Anna Smirnova (Russian fencer), and Natalya Sumachankova (member of Russia’s highest judicial qualification board).

The data exfiltrated from these targets was either published on Kyber Sprotyv’s Telegram channel or given exclusively to InformNapalm or the National Resistance Center for public dissemination. As of this writing, InformNapalm has published 23 articles and the National Resistance Center released 17 articles covering Kyber Sprotyv’s successful hacking operations. The information gathered by Kyber Sprotyv is subsequently also shared with the Myrotvorets Center, which—based on the personally identifiable information found in the data troves—publishes individual personal profiles on its website and declares them to be enemies of Ukraine.

InformNapalm and the Ukrainian Cyber Alliance (UCA)

Within Kyber Sprotyv’s ecosystem, InformNapalm plays a similar role to that of the National Resistance Center when it comes to the public dissemination of exfiltrated documents. As a Ukrainian-led “international volunteer community,” InformNapalm consists of around 30 individuals hailing from more than 10 countries. They include “former military, journalists, analysts, translators and activists who work on a voluntary basis” as “soldiers of the information front.” Importantly, InformNapalm publishes its articles in numerous languages, including Russian, English, German, Spanish, Turkish, Danish, and others, to reach a global audience. Currently, headed by Ukrainian journalist Roman Burko and Georgian military expert Irakli Komakhidze, it has become one of the most reliable sources for information leaks since the Revolution of Dignity in 2013-2014. Nowadays, the group largely combines open-source intelligence research with information gained from human sources and data exfiltrated by hacking groups. 

Prior to InformNapalm’s special relationship with Kyber Sprotyv, the outlet had a flourishing relationship with the Ukrainian Cyber Alliance (UCA). Back in October 2016 for example, the Ukrainian hacking group CyberHunta (КиберХунта)—which is part of the UCA—publicly dumped emails belonging to Vladislav Surkov, then the top official overseeing Russia’s Ukraine policy and chief domestic adviser to President Vladimir Putin. When covering the story, InformNapalm noted that the group “submitted [some of the materials] for analysis to intelligence agencies, that are not subject to disclosure because of their operational value.” The UCA conducted numerous other hacking operations between 2016 and 2022. Similar to Kyber Sprotyv today, they also focused on breaching Russian email accounts and servers, shared the exfiltrated data with the Ukrainian intelligence services, and utilized InformNapalm to publicly disseminate said data.

That said, it is unclear how active UCA is nowadays. As of this writing, their last advertised operation was conducted on Oct. 18, 2023, when they breached, exfiltrated, and wiped the data of servers belonging to the Trigona ransomware group. The UCA’s special relationship with InformNapalm also ceased to exist. UCA’s pullback is highly likely tied to its fallout with the Ukrainian security agencies in early 2020. On Feb. 25, 2020, investigators from the Malinovsky District Department of Odesa, together with employees of the Odesa SBU, cyber police, and representatives of the Rapid Operational Response Unit (KORD) of the National Police, raided the homes of several UCA leaders in relation to an intrusion into the information technology systems of the Odesa airport. UCA denied any involvement in the breach and even held a public press conference explaining its side of the story. In response to the raid, UCA officially suspended its cooperation with the Ukrainian security agencies. Notably, on April 2, 2023, a UCA spokesperson explained on Telegram that UCA has nothing to do with the operations conducted by Kyber Sprotyv.

The last piece of the Kyber Sprotyv’s ecosystem we have to unpack is Myrotvorets.

Myrotvorets

Myrotvorets, which means “peacemaker” in English, is an often-overlooked player in Ukraine’s information ecosystem. In December 2014, the now-former head of the Luhansk military-civil administration, George Tuka, officially announced the project’s creation, describing it as an information database on “terrorists and traitors fighting against the people of Ukraine.” Tuka stressed that this resource would be of particular interest to the Ukrainian intelligence services, military units, and border guards. Myrotvorets itself was co-founded in 2014 by Anton Gerashchenko, then a member of the Ukrainian Parliament and now adviser to the Ministry of the Interior. The platform describes itself as “an independent non-governmental organization created by a group of scientists, journalists and specialists in the study of signs of crimes against the national security of Ukraine, peace, the security of mankind and the international legal order, engaged in creative scientific and journalistic activities.” Myrotvorets is currently led by a former employee of the Luhansk Security Service who goes by the alias of “Roman Zaitsev.” In 2015, Zaitsev gave an interview to Ukrainian news outlet Fakty claiming that Myrotvorets has direct ties to the Ukrainian state: “I repeat, we are not abstract: we work with the state, and the state cooperates with us.” When asked about the Myrotvorets team, Zaitsev explained that they are “a contingent from the laborer to the civil servant, including individual employees of the Ministry of Internal Affairs and the Security Service of Ukraine and citizens of other countries. All are top-class specialists, real professionals. They have a special sense of smell.” 

In September 2018, the Ukrainian human rights organization Uspishna Varta stated that the Myrotvorets website had been recognized by Ukrainian courts as credible evidence in almost 100 criminal cases. Uspishna Varta explicitly noted that “it is common practice [that] Ukrainian citizens are found guilty without trial only because of the fact that they were included in the list of the website ‘Myrotvorets’. All of this, in the government’s opinion, does not affect the protection of personal data expressed in the relevant Law.” Currently, parts, if not all, of the Myrotvorets website’s components are hosted by cloud service provider OVH in Quebec, Canada.

Kyber Sprotyv is part of an ecosystem that trades in exfiltrated data. Its link with the National Resistance Center likely feeds information relevant to the military directly to the Ukrainian Armed Forces. InformNapalm serves as the group’s megaphone to reach a global audience for its fight on the information front. And Myrotvorets feeds Kyber Sprotyv’s information into the machinery of the Ministry of the Interior by collecting, sorting, and identifying enemies of Ukraine. But how does Kyber Sprotyv decide whose email inbox it is targeting? To provide some tangible answer, we have to dive deeper into Kyber Sprotyv’s hacking operations. 

Kyber Sprotyv’s Targeting of Military Officers

As Lawfare readers will know, back in July 2018, a U.S. federal grand jury indicted 12 Russian military intelligence officers for interfering in the 2016 U.S. presidential election. The FBI subsequently published a wanted poster with the headshots of 11 defendants. But one picture was missing: The headshot of Viktor Borisovich Netyksho, commander of Russian military intelligence service (GRU) Unit 26165—also known as Fancy Bear. Almost five years later, on May 20, 2023, Kyber Sprotyv made international headlines by posting the first-ever picture of Netyksho, his wife, Oksana, and his son, Danil, on the group’s Telegram channel. In the accompanying post, Kyber Sprotyv bragged that “today we will take you where the FBI has never set foot.” Less than two hours after Kyber Sprotyv posted Viktor Netyksho’s picture, InformNapalm forwarded said post on Telegram. In the following hours, InformNapalm expressed its gratitude to Kyber Sprotyv for revealing Netyksho’s picture, and the outlet published Oksana Netyksho’s passport and vehicle insurance scan.

The targeting of Viktor Netyksho was the second time that Kyber Sprotyv successfully went after one of the GRU officers who interfered in the 2016 U.S. presidential election. On April 10, 2023, Kyber Sprotyv had exclusively provided InformNapalm with the contents of Lt. Col. Sergey Alexandrovich Morgachev’s private mail.ru account. From August 1999 to August 2022, Morgachev served as department head of Unit 26165. Among others, the group published Morgachev’s passport, pictures with his wife, Yekaterina, his medical certificates, salary information, driver’s license, the model and number plate of his car, the address and purchasing contract of the apartment he lives in, and more. Kyber Sprotyv also obtained access to Morgachev’s private AliExpress account, Twitter account, and Gosuslugi (Госуслуги) account—Russia’s unified portal for state and municipal services.

On March 27, 2023, InformNapalm revealed that Kyber Sprotyv breached two private mail.ru accounts belonging to Col. Sergey Atroshchenko—commander of Russia’s 960th Assault Aviation Regiment. According to InformNapalm, the group monitored Atroshchenko’s email accounts for several months and eventually decided to publish the email dumps after “Atroshchenko’s refusal to cooperate with [Ukraine’s] intelligence agencies.” Atroshchenko was likely targeted because his aviation regiment is stationed at the Primorsko-Akhtarsk airfield from which Russian planes took off to bomb the city of Mariupol. According to Petro Andryushchenko, adviser to the mayor of Mariupol, Atroshchenko was responsible for ordering and supervising the bombing of Mariupol’s drama theater and Maternity Hospital No. 3—which includes the city’s children’s hospital and maternity ward.

Kyber Sprotyv also revealed that it exfiltrated personally identifiable information on the members of Atroshchenko’s regiment and their wives. The group essentially contacted Atroshchenko’s wife, Lilia, pretending to be an officer in her husband’s regiment. Kyber Sprotyv then successfully convinced Lilia to arrange a fun “patriotic photo shoot” with the wives wearing their husband’s uniforms. On March 16, 2023, Lilia shared the video and pictures of the photo shoot with the fake officer. As InformNapalm explained, “Lilia did very well—there were close-ups of women posing in the jackets of their pilot husbands, who are normally very careful with their own photos and try to keep a low profile on social media. But thanks to their wives, their connections and personal data were easily established.” On March 27, InformNapalm posted Lilia’s video on its Telegram feed. The video included pictures of Lilia’s children. During the social engineering campaign, Kyber Sprotyv breached Lilia’s private mail.ru email account, extracting documents and intimate photos, which InformNapalm subsequently published as well.

On April 19, 2023, InformNapalm published a video on Telegram showing Kyber Sprotyv accessing the private mail.ru account of Svyatoslav Filatov—the medical service commander of Atroshchenko’s 960th Assault Aviation Regiment. According to InformNapalm, Kyber Sprotyv found Filatov’s email address in Atroshchenko’s files and shared the contents with InformNapalm and Myrotvorets. Among other items, Filatov’s email account included hundreds of medical certificates of the regiment’s members. As InformNapalm explains, “[T]he commander of the medical service of the 960th AAR himself was not of much interest to us, unlike the documents that he kept in his work mailbox. These documents made it possible to collect additional data and establish the identities of a number of officers from the military unit 75387.” All in all, Filatov’s inbox content enabled InformNapalm and Myrotvorets to identify and list 150 service members and several civilian contractors who are working for the 960th Regiment.

Kyber Sprotyv’s Targeting of Civilians 

Kyber Sprotyv’s targeting of civilians has not been restricted to breaching the private email accounts of the wives of Russian military officers such as Lilia Atroshchenko and Oksana Netyksho. The email accounts of Russian politicians, military bloggers, and Russian judges in the occupied territories are equally of interest to the group. Two cases stand out from this crowd: Ukrainian citizen Anastasiya Pavlovna Nikolaenko and Russian fencer Anna Smirnova.

On Feb. 2, 2023, a Telegram channel popped up with the name “Zhduny Zaporozhye region RU” (Ждуны Запорожской области 🇷🇺). The channel’s description explained that its purpose was to “inform citizens of the Russian Federation living on the territory of Melitopol and the district about those who are trying to return the fascist regime of pro-Bandera Ukraine on the territory of the Russian Federation.” Essentially, it posted pictures and social media handles of former and current Melitopol citizens and accused them of Russophobic and other traitorous activities. It also asked its followers to send in information on any other Melitopol citizens who have exercised anti-Russian or pro-Ukrainian behavior.

On June 22, 2023, Kyber Sprotyv announced that the group gained access to the channel’s mail.ru account. The account’s registration information included the name Maryna Starodubets. The email contents furthermore revealed the involvement of two other accomplices: Anastasiya Pavlovna Nikolaenko and Alexandr Gennadevich Zakutnij. Myrotvorets listed the personally identifiable information of all three “traitors” on its website. In the case of Nikolaenko, Myrotvorets also included the names, birthdays, and passport numbers of her three children, the youngest of whom was 9 years old.

Kyber Sprotyv’s targeting of Russian fencer Anna Smirnova is probably the clearest example of targeting a civilian. Smirnova made international headlines on July 27, 2023, after her match against Ukrainian fencer—and leader of the Ukrainian national team—Olga Kharlan at the World Fencing Championship in Milan, Italy. At the end of the match, Kharlan refused the compulsory handshake and Smirnova held a 45-minute sit-in protest on the piste. Kharlan was subsequently disqualified. The massive public outrage and global media coverage of the incident eventually forced the International Fencing Federation to reverse Kharlan’s disqualification on July 28. Following these events, Kyber Sprotyv posted a link on Telegram with the message, “Do you know whose mailbox fell into our hands? Anna Smirnova. This is exactly the loser who dragged our fencer Olga Kharlan. We know what’s inside, so we suggest everyone to look for it. Help this Russian receive a proper disqualification.”

Various Ukrainian news outlets went on to publish documents found in Smirnova’s private email account, including personal photos and a scan of her passport. Myrotvorets subsequently accused Smirnova of “openly supporting the Russian-Belarusian military aggression against Ukraine” and “probably cooperating with the Russian intelligence agency.” Curiously, though, neither InformNapalm nor the National Resistance Center published an article on this operation. Similarly, Smirnova’s brother—who actually serves in the Russian armed forces—was never targeted by Kyber Sprotyv, nor is he listed on the Myrotvorets website.

Apart from the operation against Anna Smirnova, Kyber Sprotyv seems to be extremely selective in who they target. Their operations also do not appear to be random, but seem to be directed—if not actively supported—by someone who feeds them relevant targeting information. Similarly, most of the data exfiltrated holds some military or intelligence value. Kyber Sprotyv’s own admission, that it only publishes information that is no longer of operational value for the Ukrainian special services, might provide a precise clue about who is guiding and supporting the group. 

Open Questions: Attribution and Targeting Rules? 

In February 2012, Jason Healey published a paper in which he outlined “a spectrum of state responsibility” to more directly tie the goals of attribution to the needs of policymakers and to “help analysts with imperfect knowledge assign responsibility for a particular attack, or campaign of attacks, with more precision and transparency.” The spectrum is a theoretical framework that describes 10 categories, each encapsulating different degrees of state responsibility, ranging from state-prohibited (“The national government will help stop the third-party attack”) to state-integrated (“The national government attacks using integrated third-party proxies and government cyber forces”). In between, Healey outlines categories such as state-encouraged (“Third parties control and conduct the attack, but the national government encourages them as a matter of policy”) and state-coordinated (“The national government coordinates third-party attackers such as by “suggesting” operational details”). As a theoretical framework, the spectrum was not meant to clearly outline the practical evidence necessary to determine whether and how a state, for example, directs third-party proxies to conduct an attack on its behalf.

When it comes to advanced persistent threats and state actors, the degree of state responsibility is usually expressed with an attribution assessment. Depending on who makes the attribution call, this can be based on an intermix of technical evidence, open- and closed-source materials, human and signals intelligence, and so on. When it comes to non-state actors, the attribution part is usually straightforward as groups tend to publicly self-attribute and declare which campaigns they are responsible for. In peacetime, state responsibility is then either relegated to the principle of due diligence—meaning a state’s “obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States”—or based on trying to find any connection between the group and the state to showcase potential state involvement. This can be anything from a group’s loose alignments with a state’s geopolitical priorities, to chat logs between the group and potential state representatives, to the state literally creating a group, as was the case with the IT Army of Ukraine. 

The Kyber Sprotyv case is particularly interesting in this regard as it is occurring in the context of an international armed conflict. Despite the evidence and relationships this piece has outlined, it is still unclear to the authors as to how exactly Kyber Sprotyv cooperates with the Ukrainian government. Instead of a clear red thread that connects both entities, there are multiple reddish strings that could be viewed as government linkages. Kyber Sprotyv’s special relationship with the National Resistance Center—and in turn the Ukrainian Special Operations Forces—is one. Kyber Sprotyv’s interactions with Myrotvorets—and Myrotvorets’s relationship with the Ukrainian Ministry of the Interior—is another. 

In the absence of any minimum evidence standards, it is unclear when an analyst ought to designate a group as state-encouraged, state-coordinated, or state-ordered. Each of these designations relies on miniscule degrees of separation in terms of how a government might interact with a non-state group at any given point in time—meaning, the higher and more consistent the government’s interaction with said group, the clearer its responsibilities, liabilities, and potential violations under international law. Yet in many cases—as in the case of Kyber Sprotyv—detailed evidence and specific information about state cooperation with non-state actors either is unavailable or has not yet been uncovered. 

As a result of this uncertainty and absence of tangible evidence, it is unclear what direct responsibility the Ukrainian government has when it comes to Kyber Sprotyv’s targeting behavior. If we assume that Kyber Sprotyv is a state-encouraged group, then the group’s targeting behavior could be viewed as being on the outer bounds of Kyiv’s responsibility. If, however, we assume that Kyber Sprotyv is a state-ordered group—which Healey defines as “the national government directs third-party proxies to conduct the attack on its behalf”—then Kyiv would be directly responsible for the group’s targeting decisions.

Making things even more complicated is the question of whether Kyber Sprotyv’s activities are hacktivism, traditional espionage, or part of Ukraine’s military operations on the ground. If we assume that international law applies in cyberspace—and with it also the laws of armed conflict—is breaching the private email account of a combat medic a violation of the special protections medical personnel enjoy under the Geneva Conventions? Is the targeting of the private email accounts of a military officer’s wife, daughter, or girlfriend a violation of the principle of distinction? And if not, is breaching the private email accounts of any civilian a violation of anything during an international armed conflict? Is there a line? Should there be a line? And where exactly do we want that line to be?


Stefan Soesanto is a senior researcher at the Center for Security Studies (CSS) at ETH Zurich. He leads the Cyberdefense Project and is the co-Team head of the Risk and Resilience Team.
Wiktoria Gajos interned with the Risk and Resilience Team at the Center for Security Studies (CSS) at ETH Zurich and now works as a research assistant at the CSS.

Subscribe to Lawfare