The orders are issued like clockwork. Every day, often at around 5 am local time, the Telegram channel housing Ukraine’s unprecedented “IT Army” of hackers buzzes with a new list of targets. The volunteer group has been knocking Russian websites offline using wave after wave of distributed denial-of-service (DDoS) attacks, which flood websites with traffic requests and make them inaccessible, since the war started.
Russian online payment services, government departments, aviation companies, and food delivery firms have all been targeted by the IT Army as it aims to disrupt everyday life in Russia. “Russians have noticed regular hitches in the work of TV streaming services today,” the government-backed operators of the Telegram channel posted following one claimed operation in mid-April.
The IT Army’s actions were just the start. Since Russia invaded Ukraine at the end of February, the country has faced an unprecedented barrage of hacking activity. Hacktivists, Ukrainian forces, and outsiders from all around the world who are taking part in the IT Army have targeted Russia and its business. DDoS attacks make up the bulk of the action, but researchers have spotted ransomware that’s designed to target Russia and have been hunting for bugs in Russian systems, which could lead to more sophisticated attacks.
The attacks against Russia stand in sharp contrast to recent history. Many cybercriminals and ransomware groups have links to Russia and don’t target the nation. Now, it’s being opened up. “Russia is typically considered one of those countries where cyberattacks come from and not go to,” says Stefano De Blasi, a cyber-threat intelligence analyst at security firm Digital Shadows.
At the start of the war, DDoS was unrelenting. Record levels of DDoS attacks were recorded during the first three months of 2022, according to analysis from Russian cybersecurity company Kaspersky. Both Russia and Ukraine used DDoS to try to disrupt each other, but the efforts against Russia have been more innovative and prolonged.
Ukrainian tech companies transformed the puzzle game 2048 into a simple way to launch DDoS attacks and have developed tools to allow anyone to join the action, irrespective of their technical knowledge. “The more we use attack automation tools, the stronger our attacks,” reads a message sent to the IT Army Telegram channel on March 24. The channel’s operators urge people to use VPNs to disguise their location and help avoid their targets’ DDoS protections. Toward the end of April, the IT Army launched its own website that lists whether its targets are online or have been taken down and includes technical guides. (The IT Army did not respond to a request for comment.)
“We have made good strong hits, and a lot of websites don’t work,” says Dmytro Budorin, the CEO of Ukrainian cybersecurity startup Hacken. When the war started, Budorin and colleagues altered one of the firm’s anti-DDoS tools, called disBalancer, so it could be used to launch DDoS attacks.
While Kaspersky’s analysis says the number of DDoS around the world has returned to normal levels as the war has progressed, the attacks are lasting for longer—hours rather than minutes. The longest lasted for more than 177 hours, over a week, its researchers found. “Attacks continue regardless of their effectiveness,” Kaspersky’s analysis says. (On March 25, the US government added Kaspersky to its list of national security threats; the company said it was “disappointed” with the decision. Germany’s cybersecurity agency also warned against using Kaspersky’s software on March 15, although it didn’t go as far as banning it. The company said it believed the decision was not made on a technical basis.)
Budorin says DDoS has been useful for helping Ukrainians contribute to the war effort in other ways than fighting and says that both sides have improved their attacks and defense. He admits DDoS may not have a huge impact on the war, though. “It doesn’t have a lot of effects with respect to the end goal, and the end goal is to stop the war,” Budorin says.
Since Russia began its full-scale invasion, the country’s hackers have been caught trying to disrupt power systems in Ukraine, deploying wiper malware, and launching predictable disruption attacks against the Ukrainian government. However, Ukrainian officials now say they have seen a drop in activity. “The quality decreased recently as the enemy cannot prepare as much as they were able to prepare,” Yurii Shchyhol, the head of Ukraine’s cybersecurity agency, the State Service for Special Communication and Information Protection, said in a statement on April 20. “The enemy now mostly spends time on protecting themselves, because it turns out their systems are also vulnerable,” Shchyhol said.