Ukrainian hacktivists fight back against Russia as cyber conflict deepens

Not long after Russia launched its full-scale invasion of Ukraine last February, Sergii Laba, an IT expert, was on Telegram.

The messaging platform, despite its Russian origins, had gradually become a popular online watering hole capable of displacing Twitter, now called X, in Ukraine. Young Ukrainians flooded there to find the latest news, and Russian disinformation often quickly followed.

But in those first days, Laba, who studied computer science, logged into his local community channel where students were advertising the possibility of using their skills in cyber "to give some impact or to help the country, to help the military, to help the government," he recalled during a Zoom interview with NPR. "And that's how it all began."

Laba is one of the co-founders, along with Mykhailo Kunynets, of Cyber Regiment, one of perhaps dozens of Ukrainian volunteer cyber "hacktivist" organizations that have sprung up and evolved since Russia invaded.

At first these groups appeared disorganized and were outwardly dismissed. They largely ran unsophisticated denial of service operations, flooding Russian targets with traffic to temporarily take them offline.

However, they appear to have stepped up their operations in recent months, launching more sophisticated hack and leak campaigns, open source intelligence operations, and other disruptive campaigns. Additionally, they appear to have more coordination with the Ukrainian government. It's difficult to measure their true effectiveness. But now, their work might have more impact on the war — if not on the outcome — with helping to gather intelligence and to disrupt and disturb Russian targets, many of which Ukrainian officials direct them toward.

What does Cyber Regiment do?

Given the Russian government's advanced cyber capabilities and the army of Russian cybercriminals at the Kremlin's disposal, Ukraine, which has no formal cyber army of its own, needs to find ways to make use of its many volunteers.

Cyber Regiment, for one, describes itself as a "Ukrainian association of volunteers, which has been protecting the independence of our state in cyberspace since the first days of the war." It grew in part out of the Student Committee for the Cyber Defense of Ukraine, and the founders explain that they still work with some students, who have a unique combination of skill, drive and time on their hands.

While the cofounders declined to share many details about current operations, they told NPR about a contest they recently hosted focused on gathering open-source intelligence about Russian intelligence officers. The contest was called Undercover Chronicles, and it was cosponsored by partners in government and academia including the Cyber Intelligence Committee of Ukraine. They claim to have received "dozens" of submissions. Laba said they're sharing the results of the contest with their government partners, and that the submitter who won the contest donated the prize fund to medical organizations supporting wounded Ukrainian soldiers. Next, they plan on running a penetration testing contest to help find vulnerabilities in Russia's systems, another element of their ongoing operations.

In the early days of the war, Laba explained, things were more chaotic. Cyber Regiment and others were throwing ideas at the wall — launching "denial of service attacks" against any Russian targets they could find, openly sharing software tools so other people could launch attacks. Now, the group, which has over 30 active members, is running specific, targeted campaigns with clear objectives, primarily to gather intelligence.

"Now we have much more strategic and specific goals," Laba said. "We use our resources, skills, and knowledge to get certain data from certain sources of companies or whatever."

When asked whether they're coordinating with Ukrainian government agencies, Kunynets said there is "some type of communication."

They aren't the only hacktivist group out there

There's also, perhaps most famously, the IT Army —endorsed publicly by Ukraine's Ministry of Digital Transformation. And there's Hack Your Mom, born out of a collective of hacktivists in Kharkiv. There's Cyber.Unit Tech, a startup born in a parking garage the day of Russia's invasion that's also focused on training cyber defenders in Kyiv and raising money for various Ukrainian causes. Some groups' memberships have combined, like the Ukrainian Cyber Alliance. Other volunteers are organizing and publishing information and articles, like InformNapalm. And there are perhaps dozens of others, some open and others more secretive, who have organized around the goal of volunteering in cyberspace for Ukraine.

The lines between these groups are sometimes blurry. In fact, Kunynets says the IT Army actually had "a different owner" in the early days of war, and he now estimates there being over 30 separate groups.

Previously, at least in the West, these groups have often been dismissed as an unorganized horde, a nuisance that haven't had a major impact while potentially taking away from more professional government cyber operations.

But there's growing recognition that many of these volunteers are skillful, and that they're becoming better tools in the Ukrainian government's arsenal. For one, the Center for International and Strategic Studies' Aiden Render-Katolik describes the IT Army as an organization "that has quietly transformed from an ad-hoc group of volunteers into a tightly organized operation, with ongoing support from Ukrainian government officials, tens of thousands of international participants and industry-leading tools." The IT Army's development "presents vital lessons for the landscape of cyber conflict," wrote Render-Katolik in August.

Stefan Soesanto, a senior defense researcher at The Center for Security Studies in Zurich, has dedicated a significant amount of time to studying the IT Army, which he described in June 2022 as Kyiv's "creative" solution for the question of "how to combine its nascent military and intelligence cyber capabilities with a massive, willing, and global civilian IT community in defense of the nation." He concluded then that it was a "unique and smart construct," which poses new questions about existing legal frameworks and "the future stability of cyberspace," particularly once the war is over. Ukraine's government will have to figure out how to incorporate those skillful hackers back into society, and prevent them from launching criminal cyberattacks.

But for now, there's additional evidence for the impact of volunteers during the war.

A recent examples of how the cyberwar is being fought

The Ukrainian Cyber Alliance, a collective of Ukrainian cyber activists from across the country, recently took down a ransomware gang called Trigona, breaching their servers, stealing data and taking their public pages offline. Trigona is one of many criminal cyber gangs with connections to the Russian government, often acting as a cutout or hired mercenary in exchange for leniency for their criminal activity. Cyber experts interviewed by NPR confirmed Trigona's website was taken down and that the operation appeared successful.

Perhaps most notably, a pair of Ukrainian hacktivist organizations recently partnered with Ukrainian counterintelligence agency SBU to hack Alfabank, one of the most prominent financial institutions that caters to Russia's wealthy elite. Alfabank executives appeared to confirm the breach. A source confirmed to NPR that SBU participated, but did not elaborate on what role the agency played.

It's not surprising that Ukrainian government agencies, aware of these groups' existence and without a formal cyber army to draw upon, would make use of their skills — at minimum to gather information.

"In our personal opinion, the cyber operations carried out by our organization ... are a unique example in the world," Laba, the co-founder of Cyber Regiment, told NPR. He suggested that their example could help other countries who experience similar conflicts.

But it's after the war that the impacts of cyber hacktivism and volunteering might truly be felt.

Ukraine's national security and law enforcement officials are currently compiling a dossier of evidence against Russia's Sandworm hackers to present to the International Criminal Court in the Hague, drawing upon large volumes of data collected by government intelligence agencies and from outside organizations. If they are successful with that case, it could be the first time that cybercrimes have been elevated to the level of international war crimes.

While Laba and Kunynets said they weren't sure whether the intelligence Cyber Regiment is gathering is a part of ongoing cases against Russian hackers. But they are "sharing this data with government agencies," Laba said.

"Our goal is the same," he concluded.