Cybersecurity & Tech

The Dynamics of the Ukrainian IT Army’s Campaign in Russia

Kyle Fendorf
Thursday, June 15, 2023, 4:00 AM

The Ukrainian IT Army offers a unique perspective into the choices of an offensive actor in a war. 


Ukrainian Vice Prime Minister and Minister of Digital Transformation Mykhailo Fedorov speaks at the World Economic Forum in Davos, 19 January, 2023. (Foundations WEF, https://tinyurl.com/3fmuw49s; CC BY 2.0, https://tinyurl.com/48nz4pbw)

Published by The Lawfare Institute
in Cooperation With
Brookings

Our understanding of cyber operations is almost entirely driven by defenders. Reports from cybersecurity companies, non-profit organizations, and government agencies offer a view into what and whom cyber operations target, but this perspective is partial, only catching bits and pieces of the overarching campaign. Leaked documents, most notably Edward Snowden’s leak of  Presidential Policy Directive 20 and other documents from the National Security Agency, and the occasional statement from U.S. Cyber Command offer some visibility into how and where offensive operations are conducted, but still leave many gaps in understanding the landscape. However, the Ukrainian IT Army, a hacktivist group organized in response to the ongoing Russian invasion and likely affiliated with the Ukrainian government, offers a unique viewpoint into the decisions and actions of the offensive side and how cyberspace can be leveraged during a war.

The IT Army of Ukraine was born in the opening days of the Russian invasion of Ukraine. It started with a simple tweet on Feb. 26, 2022 from Mykhailo Fedorov, vice prime minister and minister of digital transformation, who wrote, “We are creating an IT army. We need digital talents” and included a link to a Telegram channel where visitors could find a list of targets to attack. The concept behind the group is simple: The operators of the channel provide tools to conduct distributed denial of service (DDoS) attacks against Russian websites and put out a list of targets two or three times per week for volunteers to attack. These volunteers then use the tools from the channel and, in some cases, their own hacking skills, to take down services on the Russian internet, including banking websites, tax processors, and military hardware stores. The group has attacked prominent Russian websites and even managed to delay Vladimir Putin’s speech at the St. Petersburg Economic Forum for over an hour. 

The IT Army offers a one-stop hacktivist experience; The Telegram channel identifies a wide range of targets and provides users with the tools to attack those targets, frequently ending messages with, “We remind you that we have a bot for automating attacks! You can grant access to your cloud resources to our bot that will launch a coordinated attack from all the available servers.” This tool, which adds a user’s computer to a botnet run by the Ukrainian government, makes participating in hacktivist activity in support of Ukraine as easy as downloading a single program. Users no longer need to hone their own computer skills and seek out small forums or insular hacking communities to participate in patriotic hacking campaigns. Ukrainian authorities have lowered the barrier to entry for patriotic hacking and done so on a vast scale, as the Telegram channel had over 300,000 subscribers at peak and individual messages have been viewed almost one million times.  

Hacktivism is not a new concept, and hacktivist groups have appeared frequently on both sides of the Russia-Ukraine conflict, including groups like KillNet, Xaknet, and Anonymous. These groups and others have launched DDoS attacks, stolen and leaked reams of data, and engaged in information warfare campaigns aimed at denigrating the other side. Hacktivism has appeared in other contexts as well; Russia and China have both made use of patriotic hackers in the past, from the 2007 Bronze Soldier incident, where Russian patriotic hackers and, likely, some state-sponsored groups, attacked the Estonian internet in the aftermath of the government’s decision to remove a monument to Soviet soldiers killed in World War II, to a DDoS campaign by Chinese hackers against the website of South Korean conglomerate Lotte Group over the company’s assistance with U.S. tests of the Terminal High Altitude Air Defense (THAAD) system in South Korea. In these and other cases, governments could maintain plausible deniability where hacktivists operated; They may have attacked a targeted entity in public statements or joked that their assistants were the ones doing the hacking, but they have never directed attacks in a public forum.

By contrast, the Ukraine IT Army is transparent, offering a public and thorough record of the offensive side of a cyber conflict. The Telegram group serves as a channel to share propaganda, stolen documents, and the personal information of Russians, and as an agent attempting to sow chaos in different portions of Russian society. Information on cyber campaigns, especially state-sponsored ones, is often shrouded in secrecy, with most information gleaned from reports by cybersecurity companies and government agencies with a defensive mission. The IT Army, while it may not operate at the same level of technical sophistication as other state-backed cyber groups, offers a unique window into how states use cyberattacks in wartime. 

It is important to note here that the Ukrainian government has said that only civilian officials are involved in the IT Army and has denied that military or intelligence officers are involved.  However, outside researchers have said that Ukrainian intelligence teams likely work closely with the group, at least partly due to the potential for IT Army attacks to cause “strategic confusion and tactical interference with the defense and intelligence services’ own operations.” The IT Army channel has also acknowledged its collaboration with the Ukrainian Special Operations Forces (SSO), in October 2022, when the operators leaked data on Russian taxpayers “obtained by the joint efforts of specialists of the IT Army and the SSO.”

Methodology

The IT Army’s targeting is contained in the Telegram channel which Fedorov tweeted about in the opening days of the war. The channel contains a mix of propaganda announcements, calls to attack certain targets, and data leaks from operations by a smaller, non-public team within the IT Army who conduct more advanced operations. Breaking these calls for attacks and reports of past attacks down into categories, based on the sector of the economy the firms or organizations targeted are involved in, provides a useful proxy measure for where the IT Army has directed its attention.

It is important to note a shift in the IT Army’s targeting methods took place in October 2022 that affects any analysis of the IT Army’s actions. Before this date, the Telegram channel was used to distribute the IP addresses and websites that the IT Army wanted to target. On Oct. 2, 2022, however, the IT Army operators shared that they would use their DDoS tool, which masks targeted web and IP addresses, to coordinate their campaign in order to avoid the Russians using the information contained in the channel to quickly shore up their defenses on affected sites. The Army said it would shift to “shar[ing] a report to reveal the outcomes when the attack is over.” This change, combined with the attacks carried out by the in-house team the IT Army maintains, adds uncertainty to the picture of the overall campaign and necessitates the use of sectors rather than individual organizations in a breakdown of the IT Army’s actions.

The analysis of these messages divides each call for an attack, or report of an attack that has already taken place, into categories based on two criteria: the method of attack and the sector of the economy in which the targeted organization operates. The method of attack was evaluated using the standard of the Council on Foreign Relations (CFR) Cyber Operations Tracker, which divides operations into seven categories, four of which have been used by the IT Army: sabotage, denial of service, doxing, and defacement. The sector of the economy targeted was evaluated based on the North American Industry Classification System (NAICS) maintained by the U.S. Census Bureau, which breaks businesses down into 20 sectors, of which the IT Army attacked 10: finance and insurance; information technology; wholesale and retail trade; transportation; oil and gas drilling, mining, and other extraction; utilities; education manufacturing; government; and arts, entertainment, and recreation businesses, which includes news media organizations. State-owned corporations were counted as part of their respective industry, rather than as part of the government. In cases where it can be determined that one message targeted multiple sectors, for example in this March 3, 2022 message which targeted an FSB internal communication channel, Aeroflot communication system, and a Moscow lighting system, the message will be counted toward the categories in which the different targeted organizations operated. Analyzing by economic sector and counting each message calling for an attack, rather than each organization targeted, provides a means of analyzing the IT Army’s actions beyond Oct. 2 by accounting for the change from the specific targeting instructions on record before that date, to the much more general guidance and reports issued after.

The IT Army’s Targets

The IT Army has targeted a number of different areas of the Russian economy, especially those which are heavily digitized. The group has launched the highest number of attacks on the financial industry, targeting them in 93 messages, almost always with DDoS attacks but, in a few cases, by leaking data stolen from financial institutions. Information technology firms were targeted over 57 times. The attacks were largely focused on software that was used as a service provider. Among these firms, electronic document preparation and verification companies were targeted 12 times as a means to slow supply chains, stymie tax payments, and prevent Russians from receiving state benefits. The group also targeted government websites and networks 55 times. These targets were often the websites of government bodies such as those of the FSB, the ruling United Russia party, and the Ministries of Defense and Foreign Affairs. These were usually DDoS attacks which brought the websites down for a short amount of time. In a few cases, the IT Army launched a longer DDoS campaign designed to bring down permitting systems, such as a June 2022 attack on the Unified State Automated Information System (EGAIS) used to certify animal products for sale.

The IT Army has also attacked the arts, entertainment, and recreation sector 42 times, mostly through attacks on Russian news and social media platforms. The attacks against this sector were almost all DDoS, except for two cases where the IT Army defaced news websites in Crimea and a design website run by a Russian oligarch. Trade firms have been targeted 42 times since the start of the conflict, largely online shopping and delivery firms and technology importers. As part of the attacks on the trade sector, the IT Army has frequently targeted third party equipment suppliers with DDoS attacks to prevent Russian troops, who are often under equipped due to corruption, from purchasing additional gear, food, or supplies.

The group launched 14 attacks against the transportation sector, including several DDoS attacks against airline ticketing systems at the beginning of the war and several DDoS attacks against shipping companies. In the only non-DDoS attack against the sector, the IT Army leaked files from the payment system associated with the Moscow Metro in February 2023. Within the transportation sector, the IT Army has avoided attacking rail networks, except for one case where it leaked data on the transportation company Russian Railways. This may be due to the Russian military’s dependence on its rail network to move troops, equipment, and supplies to the front lines, which makes the sector valuable for cyberespionage.

The IT Army has also attacked the extraction sector, comprising oil and gas companies and mining firms, a total of nine times. These attacks have primarily been directed against the websites of Russian oil and gas giants like Gazprom. The group has twice leaked files from Gazprom, detailing its operations in the Irkutsk region and a trove of financial and employee records. Lastly, the group has attacked the manufacturing sector five times, primarily targeting firms making goods supporting the Russian war effort, including Kalashnikov Concern, a large arms maker, and companies supplying boots to the Russian army.

Where the IT Army is Absent

The group has notably avoided targeting several sectors of the Russian internet. These omissions may be the result of several factors, including a lack of advanced hacking skills, an unwillingness on the part of the Ukrainians to reveal what they know about more sensitive targets, or, as stated previously, attempts to avoid compromising other cyber operations undertaken by more advanced actors. As the documents leaked on Discord earlier this year show, U.S. intelligence agencies frequently use signals intelligence gathered from Russian networks to inform finished intelligence products. Ukrainian cyberespionage efforts are less clear and rarely reported on, but the IT Army’s collaboration with the SSO in October 2022 provides evidence that parts of the Ukrainian military are trying to maintain a presence on Russian networks.

Areas that are not classified under the NAICS system but have largely escaped targeting include military and intelligence networks. The IT Army has almost entirely passed over these areas, almost certainly due to the intelligence contained on these networks. There are two instances of the IT Army targeting classified networks, both of which occurred on March 3, 2022 and targeted internal communication channels for the FSB and Rosgvardia, the Russian National Guard. It is unclear what those channels were used for and whether they were actually disrupted.

Russian utilities, including power systems and water companies, have also been spared from the brunt of the IT Army’s assaults, and have only been the target of three attacks. The IT Army has only launched one DDoS attack against power companies: an attack on the website of Belenergo, a Belarusian energy conglomerate, in February 2022. The IT Army also leaked data from a Russian water company in February 2023, which included personal data on 38,000 customers. A more consequential attack was announced on Oct. 15, 2022, when the IT Army released a propaganda video claiming that its in-house team had paralyzed the power grid in Leningrad Oblast, where St. Petersburg is located. Power grids are a difficult target, and experts have said that attacks against them require “months of planning, significant resources, and a team with a broad range of expertise.” While the actual effects of this attack (or even whether it occurred) are difficult to evaluate given the lack of public Russian cybersecurity reporting and the IT Army’s tendency to propagandize, the incident suggests that the IT Army is likely attempting to target Russian energy infrastructure, but that attacks are limited due to the high degree of skill and preparation needed to carry out attacks on these networks.

The IT Army has also avoided targeting the educational services sector, except for one case. On June 20, 2022, the IT Army launched a DDoS attack against the application system used by Russian universities right as Russian students were beginning to apply to schools. Experts have raised concerns about the effects the IT Army may have on international norms and that it may stray too far in attacking institutions or networks with no military function, with this attack being one of the clearest cases of the IT Army targeting a sector which is almost entirely separated from the Russian war effort. It has been nearly a year since the IT Army launched the attack on the application system, however, and it has yet to return its attention to the education sector.

The IT Army has also largely avoided the accommodations and food services, except for one case in May when the group attacked a Russian hotel booking site. Given the IT Army’s previous attacks against airline booking websites, it is somewhat surprising that it took over a year for it to attack other parts of the Russian tourism sector.

The IT Army has also avoided the construction, real estate, management and consulting, and waste disposal sectors. The reasons for this lack of targeting are unclear, although one possibility is that the Ukrainian operators feel that their resources are better directed at other sectors of the Russian economy more directly tied to the war effort.

The professional, scientific, and technical services sector has also escaped targeting. The reason for this omission is again unclear, since Russian universities and research institutes have been a popular target for state-sponsored hackers seeking to steal information in the past.

The IT Army has largely avoided the agriculture, forestry, fishing and hunting sector in general. However, it has launched DDoS attacks against government systems used to certify agricultural products, including the June 2022 attack against EGAIS, and it is unclear why those disruptions have been confined to government systems, rather than attacking the sector as a whole.

Finally, the IT Army has not attacked the healthcare and social assistance sector. International law has long carved out medical systems as noncombatants and, at least thus far, the IT Army appears to respect that distinction.

Conclusion

The IT Army’s messages demonstrate how offensive actors can operate in cyberspace during a war, and show both the bounds of its technical capabilities, but also its willingness to stray beyond the international norms on cyber operations and attack civilian targets. DDoS attacks, which make up more than 90 percent of the attacks mentioned in the IT Army’s messages, are generally simple to launch in comparison to other cyberattacks, and are still disruptive. The IT Army’s sabotage attacks demonstrate a deeper capability. According to the CFR Cyber Operations Tracker, the number of successful sabotage attacks per year has never surpassed seven. While this number is almost certainly an undercount, it gives a sense of the difficulty of some of the operations the IT Army has allegedly perpetrated.

Despite its reliance on relatively simple techniques, the IT Army has pushed the envelope in other areas, namely international norms, through its target choices. Its willingness to attack areas outside of government control, most of which have a civilian function, such as the 93 attacks against the financial sector and weekly attacks against Russian news outlets, demonstrates a disregard for some of the norms around the use of cyberattacks against military targets that have been circulated by the United States and like-minded states. The IT Army does not appear to operate entirely without limit, however. The fact that the group pulled back on attacking the education sector after its one attack last year, combined with its unwillingness to attack the healthcare sector, are evidence that, despite the IT Army’s readiness to take cyber operations further than most other western nations, a few sectors, at least, are still out of bounds.


Kyle Fendorf is a research associate for the Council on Foreign Relations’ Digital and Cyberspace Program.

Subscribe to Lawfare