How Ukraine built a volunteer hacker army from scratch
Volunteer Ukrainian hackers have inflicted over $1 billion in damage on Russia, outmaneuvering its cyber defenses through constantly adapting, coordinated attacks. The post How Ukraine built a volunteer hacker army from scratch appeared first on Euromaidan Press.
As Russian bombs began to fall across Ukraine in February 2022, many faced a daunting choice: stay and fight or flee for safety. Among them was Ted (a pseudonym, used for security reasons), a tech entrepreneur living in Kyiv. After first taking his family to safety in Lviv, Ted wanted to fight. Lacking military skills, Ted, like many other Ukrainians with a tech background, wanted to contribute on other battle fronts.
His wife was a public servant who was well-connected with the Ukrainian government. Through conversations with the Ministry of Digital Transformation, an idea arose to leverage people with tech backgrounds to defend the country on the cyber battlefield. What followed was the historic formation of a volunteer hacker army fighting on Ukraine’s behalf – the world’s first such group in cyber warfare.
The IT Army of Ukraine emerged just two days after Russia’s full-scale invasion of Ukraine in February 2022 as Ukraine’s Minister of Digital Transformation Mykhailo Fedorov issued a rallying cry to all volunteers willing to join the hacker ranks of the IT army to help defend Ukraine. He proclaimed, “We continue to fight on the cyber front.”
At its peak, the volunteer IT army’s Telegram channel reached around 300,000 members in March 2022.
Fedorov’s call to action resonates with the historical appeal of the Special Operations Executive (SOE) during World War II – Winston Churchill’s famous directive to the SOE was to “set Europe ablaze,” inspiring a similar spirit of resistance in the digital domain.
“We tried to activate every part of society to resist Russia’s war,” Ted said of the early days of the war. Ukrainian officials and volunteers wanted to see how they could leverage the highly talented population of our society, “keeping in mind our software developers and people in the IT sector,” said Ted.
In the early days, organizers focused on the basics, such as creating a Telegram channel and doing the groundwork to get operations going. Ted recalls the early days as challenging, marked by a sense of isolation and a steep learning curve, similar yet distinct from the challenges of building a company.
Nobody had a good idea of what was going on. Ted says, “In the beginning, it was hard. I felt alone as everything had to be built from scratch. When you are building a company, you know exactly what you are trying to build.”
For Ted, building a volunteer hacking army was a massive undertaking because there was no blueprint on how to do this.
The lead volunteers of the IT army who organized the Telegram channel were removing bad actors spamming the chat, and they tried to establish a good line of communication to keep people actively engaged. “In the first days, I couldn’t sleep. I had to sit there and keep manually eliminating people spamming the chat, most likely bad actors from Russia.”
As the initiative gained traction, more people joined, including those associated with the Ministry of Digital Transformation and friends of friends. This expansion allowed for the establishment of shifts, easing the burden on individual members and enhancing operational efficiency.
Building the structure
At its peak, the IT Army had around 300,000 subscribers on its Telegram channel. However, not all those who joined the Telegram channel had the interest, experience, and skills to contribute over the long term.
Now, at any given point, the IT Army has around 3,000 to 10,000 active volunteers working on operations, according to Ted. A core executive team of around 50 people managed the critical functions, ensuring strategic coherence despite high turnover and the part-time contributions of most volunteers. The core team only meets to drive strategic direction, Ted clarified. The different units work independently of each other.
Ted highlighted that compared to managing a business, the turnover rate is much higher. Typically, individuals can only dedicate part-time efforts, with few engaging in these activities on a full-time basis. Among these few, Ted himself is a full-time participant, recognizing that the demands placed on organizers are very high.
With thousands of volunteers waiting for direction, the coordinators of the IT Army understood that their instructions needed to be simple and clear enough for people to follow. The result: “DDoS attacks, which are simple and the most effective. We made it our cookie-cutter mechanism.”
Distributed Denial-of-Service (DDoS) attacks direct a large volume of internet traffic, from many sources at once, at a targeted website. The aim is to inundate it with more requests than it can handle, overloading the system so that it can no longer serve legitimate users.
Evolving tactics
The IT Army’s tactics evolved rapidly. Initially, the group publicized targets such as IP addresses and ports, but as Russian cyber defenses adapted, they shifted to more covert operations. The army’s focus was primarily on DDoS attacks, deemed simple yet effective.
They organized into distinct units, each with specific roles and responsibilities:
- communication
- reconnaissance
- software development.
While the exact count of attacks by the IT Army is still unclear, it is estimated that approximately 2,000 had been conducted by June 2022. Ukraine’s IT Army used a targeted DDoS attack to strike Russia’s sole product authentication system, Chestny Znak, causing extensive disruption: Russia was forced to abolish labeling and verification of certain products, and Russian businesses suffered economic losses as a result.
“If you were a smart Russian cybersecurity worker, you would have subscribed to our channels to watch for notifications for where our attacks would be,” says Ted.
Once the IT Army stopped posting its attacks publicly, it began to see a drop in the number of subscribers on its Telegram channel.
“People occasionally send us emails with information about potential targets and profiles. However, our capacity to incorporate these contributions is limited,” says Ted. “We often struggle to integrate new ideas brought by people who approach us.”
The IT Army’s approach to reconnaissance has also evolved throughout the war. “Initially, our efforts were more haphazard, but now they have become more sophisticated,” said Ted. “We now actively search for vulnerabilities that are relevant and compatible with our software’s capabilities.”
The lead coordinators continue recruiting and training individuals to do reconnaissance work, enabling them to contribute effectively to the group’s mission of unleashing havoc against the Russian state.
In their latest DDoS attacks against Russia in December 2023, the IT Army took down Bitrix24 servers, which is one of the most popular CRM systems in Russia.
On the IT Army’s official Telegram channel, a statement was posted on December 20th claiming that “this could mean tens or even hundreds of millions of dollars in losses for the enemy’s economy, depending on how long we can hold them down. Who else has idle devices? It’s time to turn them on.”
Russian hackers: separate groups financed by the government
Ted noted, “The level of cyber defense on Russia’s side has increased significantly. We’ve observed a substantial investment by Russian companies in bolstering their defenses, making it more challenging to identify vulnerabilities. However, considering the country’s size and the multitude of companies, we continue to adapt and refine our approaches to targeting. There will still be vulnerabilities to find.”
Nonetheless, it has become more labor-intensive for the IT Army to find vulnerabilities.
He continued, “In the last few months, our focus has shifted to telecom and internet providers. These targets are inherently tricky and generally well-prepared. Despite this, our operations have been remarkably successful.”
A wave of cyber-attacks recently hit the largest telecom operators and internet providers in Russian-occupied Ukraine, temporarily driving the region offline as Russian Internet providers acknowledged that they experienced an “unprecedented level of DDoS attacks from Ukrainian hacker groups.”
Ted added, “If we’re able to further expand our reconnaissance unit and enhance our software services, we’ll be able to continually evolve our methods. This will keep us a step ahead of our targets.”
The IT Army deploys botnets—networks of interconnected computers—to launch cyber-attacks against Russian infrastructure and websites. The key is to conduct the attacks in such a way that the target cannot easily filter the incoming traffic.
The IT Army experimented with altering geolocations and employing various devices. Ted emphasized that the effectiveness of the attack on the target is greatly improved if the traffic sources involved are diversified.
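The two paragraphs above describe why diversified traffic sources defeat filtering: a rate limit keyed on the client address stops a flood from one machine, but a flood spread across many addresses keeps every source under that limit. The following Python script is an added example, not code from the IT Army or from the article, that runs a per-source and an aggregate rate check over constructed access-log lines for three traffic patterns (benign, one noisy source, and a distributed flood). All addresses, timestamps, window sizes and thresholds (`per_ip_limit`, `capacity_rps`) are assumptions made up for the example.

```python
"""Rate-based flood detection over web-server access logs.

Added example (not code from the IT Army or from the article). A per-source
rate limit catches a flood from one address; a flood spread across many
addresses keeps each source below that limit, so only an aggregate check
against server capacity sees it. Log lines, addresses and thresholds are all
constructed for this example.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Common Log Format prefix: address, identity, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
START = datetime(2023, 12, 20, 10, 0, 0, tzinfo=timezone.utc)  # constructed start time


def parse_line(line):
    """Parse one CLF line into a dict, or return None when the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def build_sample_log(sources, start, per_source, duration_s):
    """Construct CLF lines: every source sends `per_source` requests, spread evenly over duration_s."""
    total = per_source * len(sources)
    step = timedelta(seconds=duration_s / total)
    lines, t = [], start
    for _ in range(per_source):
        for ip in sources:
            lines.append(f'{ip} - - [{t.strftime(TS_FMT)}] "GET /login HTTP/1.1" 200')
            t += step
    return lines


def analyse(lines, window_s=10, per_ip_limit=100, capacity_rps=50):
    """Bucket requests into fixed windows and classify each window.

    per_ip_limit: requests per window above which a per-source limiter would block an address.
    capacity_rps: request rate the server is assumed able to serve (assumed value).
    """
    events = [e for e in map(parse_line, lines) if e]
    if not events:
        return []
    t0 = events[0]["ts"]
    windows = {}
    for e in events:
        idx = int((e["ts"] - t0).total_seconds() // window_s)
        windows.setdefault(idx, Counter())[e["ip"]] += 1

    verdicts = []
    for idx in sorted(windows):
        counts = windows[idx]
        total = sum(counts.values())
        offenders = sorted(ip for ip, c in counts.items() if c > per_ip_limit)
        # Share of this window's traffic that a per-source limiter would actually drop
        dropped = sum(counts[ip] for ip in offenders) / total
        rps = total / window_s
        if offenders:
            verdict = "per-source flood"
        elif rps > capacity_rps:
            verdict = "distributed flood"  # over capacity, yet no single address stands out
        else:
            verdict = "ok"
        verdicts.append({"window": idx, "requests": total, "sources": len(counts), "rps": rps,
                         "per_ip_offenders": offenders, "per_ip_filter_drops": dropped,
                         "verdict": verdict})
    return verdicts


def scenario_benign():
    sources = [f"198.51.100.{i}" for i in range(1, 21)]  # 20 clients, 5 requests each (10 rps)
    return analyse(build_sample_log(sources, START, 5, 10))


def scenario_single_source():
    return analyse(build_sample_log(["203.0.113.7"], START, 600, 10))  # one address at 60 rps


def scenario_distributed():
    sources = [f"192.0.2.{i}" for i in range(1, 201)]  # 200 addresses, 3 requests each (60 rps)
    return analyse(build_sample_log(sources, START, 3, 10))


if __name__ == "__main__":
    for name, fn in [("benign", scenario_benign), ("single source", scenario_single_source),
                     ("distributed", scenario_distributed)]:
        for w in fn():
            print(f"{name:14} window {w['window']}: {w['requests']} req from {w['sources']} sources, "
                  f"{w['rps']:.0f} rps -> {w['verdict']} (per-IP filter drops {w['per_ip_filter_drops']:.0%})")
```

The single-source and distributed scenarios carry exactly the same request rate; the per-address limiter drops all of the first and none of the second. That is the defender's side of the point Ted makes: once sources are diversified, the useful signals are aggregate load relative to capacity and the sudden jump in distinct clients, not anything about an individual address.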
“We observed attempts by Russia to mobilize an IT army, yet their efforts failed to make a significant impact,” noted Ted.
The reason, he suggested, lies in the lack of a compelling motivation. “The Russians lacked a strong ‘why.’ Our country was under invasion; every Ukrainian understood the stakes involved if we didn’t resist.”
This sense of urgency and national duty has not been as prevalent on the Russian side, where motivation appears to be more fragmented. However, Russia is not without its resources in the cyber domain.
“Russia does have numerous hacking groups like Killnet, and many of these are likely financed by the government itself,” Ted added, highlighting a key difference in how the Russian side operates.
Instead of one central IT Army, Russia has a wider variety of hacktivist groups at its disposal, which are driven by financial incentives and ideologically aligned with Kremlin interests. One such group is Killnet, which has executed distributed denial-of-service (DDoS) and data exfiltration attacks targeting Western entities. Previously, their services were offered as a “DDoS-for-hire group.”
The disparity extends beyond strategy into the realm of funding and support. Ukrainian cyber efforts are characterized by grassroots, pro bono efforts.
“Here, people are working voluntarily. We receive no financing from anywhere,” Ted explained, emphasizing the organic nature of Ukraine’s cyber defense efforts.
Collaborating with the Ukrainian government
“Our collaboration with the government is on an informal basis,” Ted explained. “Whenever the government needs our help, they reach out to us, and we’re always ready to engage.” Ted elaborated on their approach to cooperation: “We prioritize missions where our contribution can be most impactful. It’s essential to have a focused mission to achieve the biggest impact.”
However, when it comes to the specifics of their operations, Ted maintained a discreet stance. “I’m not at liberty to disclose the details of the missions we’ve undertaken. However, I can confirm that we have worked alongside the military and intelligence services in executing certain missions to aid in their operations,” he stated.
“Regarding the integration of our efforts with the Ukrainian government or military, there hasn’t been a significant push for us to integrate more closely with their operations: the government prefers for the group to stay independent for now,” says Ted.
Alex Borniakov, the Deputy Minister of Digital Transformation of Ukraine on IT industry development, noted in an email response that “The IT Army operates independently of the Ukrainian government, specifically in terms of decision-making and management. The Ministry of Digital Transformation, which I represent, offers only informational support to the IT Army. We do not influence their operational decisions or appoint their management. The IT Army is a quintessential volunteer organization, functioning independently while contributing significantly to our national efforts.”
The Security Service of Ukraine (SBU) did not respond to email inquiries regarding the nature of their collaboration with the IT Army of Ukraine.
The legal ramifications
The IT Army operates in a legally ambiguous space, exacerbated by the unique nature of cyber warfare. The creation of the IT army has sparked important discussions around the role of cyberwarfare in real-life military operations.
Historically, cyber conflicts have often involved anonymous groups declaring war against governments. However, this is the first instance of a government openly recruiting individuals to engage in cyber warfare, said Vasileios Karagiannopoulos, an Associate Professor in Cybercrime and Cybersecurity at the University of Portsmouth. “These recruits are not officially part of the army, and their actions closely resemble those of vigilantes.”
Under current international law, members of the IT army do not fit the traditional definition of combatants. They are not an official branch of any military and the primary concern is whether these individuals, as civilians, are participating directly in hostilities.
Engaging in direct participation in hostilities, such as cyber-attacks against military targets, can lead to civilians being considered as temporary combatants, according to Vasileios. This shift in status entails a significant risk; they lose the protections afforded to civilians and can become legitimate targets in the eyes of enemy states.
In response to these risks, the Ukrainian government is considering legislation to incorporate the IT army into its Cyber Reserve Force.
This move would afford them legal protection as combatants and potentially shield them from prosecution for their actions during the war, according to Vasileios.
“International members of the IT Army could avoid persecution for crimes in their country if Ukraine establishes the cyber reserves,” says Vasileios. “This is because they could be considered part of the Ukrainian cyber force and taking part in a conflict on their behalf.”
Such a status also raises questions about what happens after the war – how these individuals will be reintegrated and whether their actions during the war will have lasting legal or diplomatic consequences down the line.
Continuing to adopt legislation and frameworks in the space will be important to increase the participation of international volunteers who want to join Ukraine’s hacker ranks.
Bryce Case Jr., a former black hat hacker, also known as YTCracker, said that many prominent hackers are interested in aiding Ukraine’s cyber fight. However, Bryce mentioned that Ukraine should establish “a French Foreign Legion of sorts so that we could hack under Ukraine’s flag without fear of prosecution.”
In response to potential legal criticism about the IT Army, Ted pointed out that “We can’t understand what kind of protections people in Bucha were given when they were massacred by the Russians.”
The IT Army does believe that continuing to draft legislation on their work is important to bring wider acceptance to the form of digital resistance that the group provides.
Both the IT Army of Ukraine and Killnet have pledged to adhere to new rules of engagement nicknamed the “Geneva Code of cyber-war.”
“We recently introduced cyber rules akin to the Red Cross, but there’s a catch,” Ted stated. “These rules are essentially adapted from conventional war rules and are not comprehensive when it comes to cyber warfare.”
Ted highlighted that the rules are not thoughtful enough. “If you’re conducting cyber-attacks, there’s a sense of protection if the attacks are launched from a country other than Ukraine. It’s a legal grey area, especially during these times.”
He further commented that “This is a time of war, and essentially, it’s a period of outlaws. In Ukraine, these attacks are still beyond the law. However, there’s a general understanding that we are in a state of war, and this is a time for outlaws.”
Lawmakers have yet to keep pace with the work of the IT Army and update outdated legislation. Nonetheless, Ted says that the IT Army follows the rules as much as possible. He pointed out that even if there are consequences for their actions later on, the Ukrainian hackers followed the guidelines as best as they could in wartime.
However, following the rules puts Ukraine at a disadvantage, Ted believes. On the battlefield, if Ukraine follows the rules of law and international framework for conducting warfare, it will be rewarded by gaining additional political support from abroad and receiving weaponry to balance the disadvantage the opposing side gets by cheating. But, it’s a different case in cyberwarfare, Ted pointed out.
“In cyberspace, if the IT Army follows the rules, our enemy won’t follow them,” says Ted. If Ukraine follows the rules, it will not be rewarded or compensated to offset the upper hand that Russia gains by ignoring them. Ted highlighted that only one side will actually follow the rules, and this makes the good side weaker. Good actors need to be compensated in cyberwar.
“What do we do if the Russians don’t respect the rule of law?” asked Ted.
A model for others to follow?
“As we look towards the future of warfare, it’s becoming increasingly clear that cyber capabilities are not just supplementary, but critical to winning,” says Ted.
It is important for countries like Taiwan to establish structured frameworks for their own IT armies to prepare for war in the future on the cyber front, according to Ted’s reflections. The creation of a comprehensive playbook for rapidly mobilizing a cyber force is no longer a theoretical exercise but a practical necessity.
Warfare is also no longer confined to the battlefield; it extends to economic, logistical, and infrastructural arenas. Cyber warfare offers an opportunity to undermine an adversary’s capabilities in these areas, opening a new front in the war. However, its effectiveness is contingent on the target’s digital infrastructure, which is becoming increasingly common in most countries around the world.
“Our analysis estimates that the economic damage inflicted on Russia by our cyber-attacks amounts to approximately $1-2 billion dollars,” according to Ted.
What this means is that cyber warfare can operate as a form of economic sanction, a tool to strategically weaken an adversary’s economy: the faster these digital capabilities are deployed, the more immediate the impact on the enemy’s fighting capabilities.
Ted goes on to say that democracies around the world should unite and pool resources, knowledge, and expertise so that they can develop a shared playbook for cyber warfare, leveraging the collective motivation and resolve of nations under threat. In doing so, they can effectively harness the power of decentralized warfare.
As we progress further into a digitized era, the role of the average individual in warfare will continue to rapidly grow, Ted remarked. With economies and essential services becoming more intertwined with the digital world, vulnerabilities will only grow in numbers, offering new attack vectors.
What the IT Army of Ukraine has shown is that cyber warfare is not just an expansion of the battlefield. Ted believes it has transformed the very nature of war, where any individual can have a role to play. Ukraine has successfully demonstrated the effectiveness of a decentralized, volunteer hacking army, serving as a pioneering blueprint for future democracies to emulate in the looming cyber wars of the future.