Keyboard warriors join Ukrainian resistance

Ukrainian cyber-security expert Dyma Budorin hasn’t slept much since he relocated his Kyiv-based company a fortnight before the Russian invasion. He saw the writing on the wall and hastily moved with most of his staff to Barcelona, where his wife anxiously checks on her parents in Mariupol. Bleary but resolute, he details plans hatched in a Spanish village to unleash mayhem upon Russian targets.

Aided by an underground band of volunteers – part of an ‘IT army’ galvanised by a direct appeal from the Ukrainian government – his cybersecurity company Hacken has managed to adapt a tool originally designed to stress-test company systems and protect against fraud. Volunteers rewrote code in record time to allow disBalancer to work across all platforms, beyond Windows.

“They did in three days what it would have taken six months to achieve,” says Budorin. “DisBalancer has become a powerful tool for Ukraine and it’s in operation now in Russia.”

It has been adopted with gusto by volunteers to bombard Russian websites with distributed denial of service (DDoS) attacks – which paralyse a site with an onslaught of spurious requests.

Russia has responded by beefing up its cyber defences, and reports – based on Russian government documents – are circulating that Moscow plans to remove reliance on any international internet services and effectively disconnect Russia from the global internet on Friday (11 March) – although information is already tightly controlled. While such geo-blocking can be circumvented by the more tech-savvy, it will limit the effectiveness of DDoS attacks.

Russian sites, including that of the Kremlin, have been under attack since the invasion. But while anyone with a little know-how can take down a website, more sophisticated strikes on critical infrastructure require vast resources and skill. These are complex operations that can take years to mount, say experts.

Budorin and colleagues say they have more fundamental Russian infrastructure and servers in their sights. His company is part of Ukraine’s established and expanding tech sector, now in shock, with some businesses moving to the west of the country or abroad when possible. Like Hacken, they’re supporting resistance, either physically or with cyber warfare. “Many of our employees are participating in the IT army,” says a spokesperson for a Swedish-Ukrainian software company that has relocated to the west of Ukraine.

As of 8 March, there were 41 known pro-Ukraine cyber groups in operation, coordinating mostly via social networks Twitter and Telegram, according to group tracker Cyber Know – with 13 having taken confirmed action, data breaches, hacks, and DDoS attacks, and most of them likely to have carried out some sort of strike. Fifteen pro-Russian groups are listed, with seven having carried out confirmed attacks.

Strikes to date have been steady but not catastrophic, say observers. Russian broadcasters have reportedly been bumped off air by Ukraine’s national anthem or footage of the war. Russian news websites have been replaced with messages of Ukrainian support, and bank and government websites were taken down temporarily, with hacker collective Anonymous taking credit for some disruptions. All attacks are difficult to verify for now. The open Telegram group IT Army of Ukraine – now with more than 300,000 members – is peppered with supportive messages and suspicion about Russian saboteurs. “There are spies, for sure,” says Budorin.

A Ukrainian newspaper published names and details claimed to be of 120,000 Russian soldiers fighting in the country, obtained by a Ukrainian think tank and as yet unverified. Security experts note it’s not uncommon for lists of previous leaks to be filtered to present as a fresh hack.

But the Ukrainian government cyber-security authority said recently that cyber activists have done more than take down websites, by targeting government and military systems.

For a government to urge tech professionals to band together worldwide to attack another country’s networks – as Ukraine’s had done – is unprecedented. Several times a day, the IT Army of Ukraine publishes new targets within Russia – internet banks, private investors, and so on. “Take it down folks,” urges one post, giving details of a Russian payment processor.

A ‘how-to’ guide in English for would-be hackers warns newbies that what they’re about to do is against the law. Experts are on hand to coach beginners, who are advised to stick to DDoS attacks. Anyone squeamish is advised to take more benign actions – lobbying firms still trading in Russia on social media for instance. Meanwhile, an inner circle of skilled cyber professionals plot secretly, and a call is out worldwide, says Budorin, to find vulnerabilities in vital Russian infrastructure – energy, transport, aerospace, and defence.

Ukraine’s creative and well established tech sector has responded to Russian bombs with new apps – the London-based ‘Where are you’ helps unite missing people with those searching for them. A delivery app has even synced with air raid systems, says Mike Sapiton, tech editor at Forbes Ukraine. “How digital is Ukraine?” he asks on Twitter. “When an alert is on, all orders are halted, and people automatically get their money back.” Tiktokers diligently document the devastation – an army of Davids pitting their skills against Goliath.

For people around the world helplessly watching as missiles rain down on civilians, cyber warfare is a way to act. And it’s unlikely authorities in the west will come knocking for those who’ve managed to deface a Russian website. But this kind of action, says Chester Wisniewski, security research scientist sat Sophos, won’t have lasting impact, though it does keep attention focused on Ukraine, “which is no bad thing – it’s so important we apply pressure to bring this to an end”.

But effective cyber strikes could damage the wrong side, warns Wisniewski. “There’s concern that some of this vigilante hacking is actually disrupting intelligence operations that are being conducted by the US, the UK and others.” He’s referring to an alleged hack that claimed to disable servers controlling Russian spy satellites – Russia has denied the attacks. “But if your average hacker with basic computer skills was able to break in, in all likelihood (US intelligence) was already there and probably using it to monitor Russian operations – and now they’ve lost a valuable intelligence asset.”

And could hackers unwittingly inflame international tensions, asks Rafe Pilling, a senior security researcher at Secureworks’ Threat Intelligence Unit, who points to a chilling threat. “For me the most serious response has been the warning from Dmitry Rogozin [head of Russian space agency Roscomos] that disrupting satellites would be considered a cause for war… there’s potential for hacktivists’ actions to have a dangerous escalatory effect, or simply provide a pretext for one.”

In the run up to the Russian invasion, ‘wiper’ malware was deployed against Ukraine, and government and financial sites were briefly defaced – attacks blamed on Moscow by the UK and US. In late February, some satellite connections in Europe failed, temporarily taking out nearly 6,000 wind turbines in Germany and affecting some 30,000 satellite terminals across Europe; the cause of disruption is yet to be confirmed.

But although Russia infamously hosts a large concentration of cyber criminals, experts are surprised at the lack of serious cyber attacks by Russia to date. Since 2014, the Kremlin has run a campaign of cyber harassment against Ukraine – including the globally devastating NotPetya attack in 2017 – blamed on Russia. Attacks on Ukraine’s power networks in 2015 and 2016 were also attributed to Moscow. Now Ukraine says cyber-security teams are busily defending the nation’s critical infrastructure.

And the West remains on high alert for cyber-attacks. Experts say there’s every chance Russia could yet mobilise its cyber-security strength against Ukraine, and the fallout may not be contained within national boundaries – as with the NotPetya attack, which spread to global businesses, and cost hundreds of millions of dollars to clean up. Such collateral damage could recur, says Wisniewski. “But Russia appears to be more careful not to take out tonnes of companies in Western Europe the way it did with NotPetya because it would obviously escalate the whole situation.”

But the lack of Russian offensives is, says Budorin, because “despite the predictions, they’re not that strong – analytics show there are far fewer attacks from Russia than on Russia.”

Another reason may be because Moscow was ill-prepared on the cyber front, says Wisniewski. “You might expect cyber operations to be pre-positioned, so that perhaps over six months you compromise organisations so you can generate confusion and chaos during an attack – which generally benefits that aggressor. But I was surprised to see how limited so far these events have been. We haven’t seen disruption of Ukrainian infrastructure.”

And quite simply, major infrastructure will be backed up in the event of a cyber-attack, but bombs are more devastating, writes Professor Ciaran Martin, former head of the National Cyber Security Centre and now professor of practice at the Blavatnik School of Government at the University of Oxford. “Cyber capabilities… can do everything from low-level harassment to serious disruption of everyday economic and social activity. But they can’t do what missiles, fighter jets and soldiers do.”

But experts still won’t rule out a serious cyber-attack by a desperate Russian leader. But they doubt the impact of low-level attacks online. “The impact of hacktivist activity pales in comparison to the sanctions that are being placed on the Russian economy,” says Pilling.

And as the global business continues to divest concerns in Russia, Budorin calls for sustained action for fear that Ukraine might slip down the world agenda. “We call on everyone to put pressure on Russian IT companies and counterparties in Russia to publicly state their position. And if they don’t, please stop working with them… This is the 21st century, and one country has attacked the civil infrastructure of another country.”