Research questions potentially dangerous implications of Ukraine’s IT Army
The European Union and NATO are not fully grappling with the potential consequences of Ukraine’s IT Army, a volunteer group that executes cyberattacks on Russian targets, a Center for Security Studies researcher argued Wednesday.
Stefan Soesanto, a senior researcher with the Zurich-based think tank with previous positions at the European Council on Foreign Relations and RAND’s Brussels office, wrote in a 32-page paper that the public side of the IT Army serves as a “vessel” for volunteer distributed denial-of-service attacks on Russian government and private company websites. Such attacks flood a website with fake traffic to knock it offline.
A non-public “in-house team likely maintains deep links to — or largely consists of — the Ukrainian defense and intelligence services,” he said.
Taken together, the conduct of “both Kyiv and the Ukrainian IT community at large … has collapsed entire pillars of existing legal frameworks regarding norms and rules for state behaviour in cyberspace and has taken apart the illusion of separating the defense of Ukraine from Ukrainian companies and citizen[s] living abroad.”
Western governments treat the IT Army as a “collection of random volunteers conducting meaningless DDoS attacks against Russian websites,” he argued, and are failing to see the complications the activities raise. “For better or worse, continuing to ignore the essence of the IT Army will wreak havoc on the future stability of cyberspace and with it the national security landscape of Europe and beyond.”
A spokesperson for the U.S. National Security Council did not immediately answer questions about how or if the IT Army activities have been discussed.
“Participation from citizens of other countries may drag their respective countries into the war.”
Alex Holden, hold security
The government of Russia — which itself is responsible for not only the brutal military assault on Ukraine but also a plethora of cyberattacks, hacking campaigns and influence operations on targets in Ukraine and around the world in support of its war — has said the IT Army’s actions are part of a cyberwar waged by the U.S. and “other NATO experts” and “often border on terrorism.”
The IT Army emerged in the days after Russia launched its military assault on Ukraine, as the country’s government and private sector cybersecurity officials called on volunteers to help in any way they could. Mykhailo Fedorov, Ukraine’s minister of digital transformation, tweeted Feb. 26 that “We need digital talents,” and linked to a Telegram channel were “tasks” would be given out.
In the months since the effort has been active, its Telegram channel has listed at least 662 Russian targets for potential DDoS attacks, Soesanto wrote, while also carrying out non-public attacks that show at least some coordination or cooperation with intelligence services. He points to the early-March hack and defacement of Gazprom, a Russian state-owned energy company as one of several examples.
Over time, Soesanto notes, Fedorov and other parts of the Ukrainian government have, at least publicly, kept a distance from the IT Army. Earlier this month, after an inquiry from CyberScoop regarding the FBI takedown of a one-time IT Army partner accused of facilitating DDoS attacks, a spokesperson for Fedorov’s ministry said the “ministry doesn’t represent [IT Army]” but that “we are partners and have the one enemy.”
The spokesperson did not respond to a request for comment about Soesanto’s conclusions.
Victor Zhora, the deputy chairman of the State Service of Special Communications and Information Protection of Ukraine — the agency responsible for cyberdefense in Ukraine — told reporters in March he was “grateful” for IT Army volunteers’ cyber-activities. Zhora has consistently said that his agency has nothing to do with the IT Army activity or any offensive operations, and a spokesperson for his agency did not respond to a request for comment Wednesday.
Some observers note that Ukrainians are defending themselves however they can, and sometimes problems come from that.
“For Ukrainians, it is their war, and weapons in their arsenal may include cyber capabilities,” said Alex Holden, the founder of Hold Security. “However, like any army there may be corruption, atrocities and marauders. Plus, participation from citizens of other countries may drag their respective countries into the war.”
Holden added that “this not the first time cyberwarfare is a part of a war, but this is the most significant instance that may define future rules of engagement in cyber wars.”
Soesanto — who as part of the research process reviewed public websites, Twitter posts, media articles and reviewed hundreds of Telegram channels and chats where IT Army activities are planned — closed his paper with a series of open questions, particularly for private companies whose technology wittingly or unwittingly enables IT Army activity, such as Google, Cloudflare, Microsoft’s GitHub, Clearview, Starlink and others.
An unnamed person replying to questions sent via email to the IT Army for reaction to the analysis called it “insightful.” They added that the only response they wanted to offer was to Soesanto’s open question about how the IT Army is funded, and whether various streams of cryptocurrency donations are a major source of revenue to support DDoS infrastructure both in and outside of Ukraine.
“We do not attract any funding, so all operations are provided by the community members,” the person wrote. “We used to make crowdsourcing with companies too but stopped after the IPstress case came up,” they added, referring to the DDoS provider whose domain and servers were seize as part of an international law enforcement action.
Updated, 6/23/22: to include a response from the IT Army.
This story was featured in CyberScoop Special Report: War in Ukraine
