The Republic of Agora

The IT Army Of Ukraine


Structure, Tasking, and Ecosystem

Stefan Soesanto | 2022.06.22

For several years prior to the Russian invasion on 24 February 2022, the principal idea of creating a cyber volunteer army had been bouncing around in Ukrainian government circles. In part, those discussions were informed by the success of the Estonian Defence League’s Cyber Unit and other efforts around the globe to organize, incorporate, and surge civilian IT volunteers into existing military structures in times of need.

In contrast to these well-established and purely defensive cyber volunteering efforts, the IT Army of Ukraine was stood up in an ad-hoc manner without a clearly structured and proven plan. Similarly, the absence of a Ukrainian military cyber command likely also pushed Kyiv to think creatively about how to combine its nascent military and intelligence cyber capabilities with a massive, willing, and global civilian IT community in the defense of the nation. Born out of necessity, the IT Army subsequently evolved into a hybrid construct that is neither civilian nor military, neither public nor private, neither local nor international, and neither lawful nor unlawful.

As of this writing, the IT Army consists of two parts: (1) a continuous global call to action that mobilizes anyone willing to participate in coordinated DDoS attacks against designated – primarily civilian – Russian infrastructure targets; and (2) an in-house team likely consisting of Ukrainian defense and intelligence personnel that have been experimenting with and conducting evermore complex cyber operations against specific Russian targets. Both parts of the IT Army are purely offensive in nature and serve to bring willing amateurs (civilians) and dedicated professionals (civilian, military, intel) into one – most likely – hierarchically organizational structure. In addition, the IT Army has also given rise to an ecosystem that includes Ukrainian-owned IT companies and individuals located outside of Ukraine, as well as Ukrainians living in Ukraine working for Western companies. This ecosystem has been continuously creating new tools, generating knowhow, identifying new targets, and fulfilling other intelligence support functions to underpin Ukraine’s offensive efforts in cyberspace.

Who needs a military cyber command when you have the IT Army?

The IT Army’s structure and gravitational pull has created a myriad of new problem sets for the international community in areas such as the application of international law in cyberspace, the normative behavior of states, the targeting of civilian infrastructure, and the ethical conduct of IT companies headquartered outside Ukraine, to name a few. Many – if not all – of these problem sets have been largely ignored by the academic and information security community, as well as policymakers in both EU and NATO member states. It is unclear why this is the case, but it seems that the political and ideological support for the defense of Ukraine on the one hand, and growing anti-Russian sentiments on the other, have created an environment in which Ukrainian conduct in cyberspace is either willfully ignored, superficially analyzed, or significantly downplayed in terms of its impact and relevance.

On the DDoS side, the IT Army’s conduct shares a wide array of strategic overlaps with the DDoS campaign against Estonia in May 2007. The 2007 campaign was organized by Russian nationalistic hacktivists via Russian language fora / websites and lasted 22 days. To this day, no clear evidence of Russian government involvement has emerged, and as such the campaign was never officially attributed to the Russian state. As a result, Estonian and Western criticism pivoted to point out that Moscow had taken no meaningful measures to mitigate the DDoS campaign (a violation of its due diligence obligation), and the lack of cooperation with the Estonian investigation was highlighted as proof that the Russian government is shielding – and thereby implicitly supporting – those responsible for the DDoS campaign. Amidst this environment of helplessness, the speaker of the Estonian Parliament Ene Ergma even famously stated that, “when I look at a nuclear explosion, and the explosion that happened in our country in May, I see the same thing”.

Yet, in contrast to 2007, the IT Army’s DDoS conduct is pretty clear-cut when it comes to attribution, government authority, instructions, direction, and control. It is similarly clear-cut that the IT Army is persistently and indiscriminately targeting Russian civilian infrastructure, including online pharmacies, banks, food delivery services, and retailers. But while Russia has been rightfully vilified for the DDoS attacks in 2007, the IT Army and its Minister of Digital Transformation Mykhailo Federov received two awards at the CYBERSEC European Cybersecurity Forum 2022 in Katowice, Poland, for their “heroic resistance to Russian aggression and protection of the digital borders of the democratic world”. As Federov put it, “this award is first and foremost for the entire cyber community and the volunteers who are now waging the world’s first cyberwar with us”. While there is certainly a difference between DDoS campaigns conducted in peacetime and during times of war, it seems that the West is now throwing overboard the legal and normative interpretations it has championed in cyberspace over the past decade for the sake of politically supporting Ukraine.

On the in-house side, the IT Army’s conduct has rapidly evolved from mere defacements of Russian websites during the first days of the invasion, to sophisticated espionage campaigns, to the first destructive offensive cyber operation – targeting a civilian video platform – in early May 2022. Currently, it is unclear what kind of cyber operations the in-house team side is going to focus on in the future. But, if the evolutionary trajectory over the past 4 months is any metric to go by, Russian defenders will highly likely face a variety of experimental cyber ops that will try to produce more and more severe impacts and longer lasting effects. Considering this trajectory, it is particularly curious to witness that a group of human rights lawyers recently decided to push the International Criminal Court in The Hague to open the first ever cyberwar crime case against Sandworm – a Russian military intelligence unit that successfully targeted electric utilities in Ukraine and caused short regional blackouts back in 2015-16.

Research Methodology

The overarching aim of this report is to provide a comprehensive study that will serve as a baseline to understand, assess, and analyze the conduct of the IT Army and the ecosystem that feeds it.

As such, this report was compiled by using only publicly accessible data. This includes public websites, Twitter posts, media articles, interviews, podcasts, Youtube videos, GoogleDoc forms, as well as hundreds of Telegram channels and chats. At no point during this research endeavor did the author participate in any of the malicious or illegal cyber activities mentioned in this report.

Joining and reading hundreds of Telegram channels and chats was of particular importance for accessing and contextualizing the detailed information included in this report. For example, Telegram’s search function allows researchers to crawl through every channel they subscribe to and every chat they are a member of. This function was particularly helpful for tracking specific terms, targets, URLs, IPs, and port numbers across multiple Telegram channels and chat: The more channels and chats one has joined, the more visibility one has on the platform. The search function also chronologically displays the search hits which makes tracking information back to their likely origin a lot easier.

Please note that joining a Telegram channel or chat does not constitute any formal membership, nor did it impose any obligations – financial, political, or otherwise – on the author.

Joining a Telegram channel makes one a subscriber, thus, for example, enabling the option to set up new post alerts. One can also join a Telegram chat – which makes one a member of that chat – and enables the option to write in the chat. While most channels and chats can be viewed without joining, some channels and chats do prevent non-subscribers and non-members from seeing their content. A small number of subscriptions also require the confirmation of a channel administrator. Usually, these are granted within minutes and are only imposed to exercise a limited form of user admission control. In particular, Russian hacking groups are using this process to root out pro-Ukraine users.

During this research, the author did not post in any of the Telegram channels and chats. Nor did he engage in any private conversations with any Telegram users across the multitudes of channels and chats. The author did talk to several hacking groups on Twitter that have claimed to cooperate with the IT Army. Yet, none of these claims could be confirmed – and subsequently do not appear in this report – due to the IT Army’s unresponsiveness to the author’s email inquiries.

In terms of the report’s limitations, two items ought to be highlighted. First, the author did not have perfect visibility into all the relevant hacking communities on Telegram, as he was likely not a member of every pertinent Telegram channel and chat. It is thus unclear whether there were any other information flows occurring on Telegram that this report was unable to capture. Second, specific posts in Telegram chats are unlinkable by their very nature, and access to a good number of chats is usually granted through time-limited public invitations. As a result, this report is unable to provide functioning URLs to most of the chats and is unable to provide specific URLs to reference distinct Telegram chat posts. Wherever possible Telegram links are archived using “archive.ph” and non-Telegram links are archived via the Wayback Machine.

Genesis

The creation of the IT Army of Ukraine (IT-армія україни) begins with Yegor Aushev. Aushev is a well-known Ukrainian IT entrepreneur and the co-founder of three companies that have become increasingly relevant amidst the eight year-long war with Russia – Cyber Unit Tech, Cyber School, and Hacken.io. Sometime between 24 February (the day of the Russian invasion) and 26 February, Aushev pitched the idea of a cyber volunteer army to Mykhailo Federov, Ukraine’s 31-year-young Minister of Digital Transformation.

Around the same time, Aushev also embarked on assembling a 1,000-men strong Ukrainian cybersecurity volunteer group at the request of a senior Ukrainian Defense Ministry official. Aushev facilitated the latter on Twitter and in various hacking fora by posting a Google Docs application form to gauge an applicant’s skill level and area of expertise. According to Aushev, this group of around 1,000 Ukrainian cybersecurity volunteers would be divided into an offensive and a defensive group. Talking to Reuters on 24 February, Aushev elaborated that the defensive group will be “employed to defend infrastructure such as power plants and water systems,” and the offensive group would help “Ukraine’s military conduct digital espionage operations against invading Russian forces”. As Aushev put it, “we have an army inside our country. … We need to know what they are doing”. As of this writing, the ratio between these two groups is still unknown.

Inspired by Aushev’s idea of an army of cyber-volunteers, Federov took to Facebook on 26 February at 9.00 a.m. CET and posted the following message in Ukrainian: “We have a lot of talented Ukrainians in the digital sphere: developers, cyberspecialists, designers, copywriters, marketers, targetologists, etc. We are creating an IT army. All operational tasks will be presented in the telegram channel: t.me/itarmyofurraine. There will be tasks for everyone”. Federov posted the same message in Ukrainian on his verified 170,000 subscriber strong Telegram channel. And at 7.38 p.m. CET his verified Twitter account tweeted in English that: “We are creating an IT army. We need digital talents. All operational tasks will be given here: t.me/itarmyofurraine”.

Western media coverage on the birth of the IT Army has almost exclusively focused on Federov’s Twitter post – because it was written in English – and ignored his Facebook and Telegram ones. But there are curious differences between these three posts. First, Federov’s target audience on Twitter was clearly international, while on Facebook and Telegram it was primarily aimed at Ukrainians. Second, in his Facebook and Telegram posts Federov was very precise about the exact talent the IT Army sought. And third, in all three messages Federov misspelled “ukraine” – but only his Telegram post was later corrected. Funnily enough, because of this mishap, there is only one post in the “itarmyofurraine” channel which redirects users to the official and correct “itarmyukraine2022” channel. Curiously, someone also decided to open up a Telegram channel on the same day, named “itarmyofuraine” (one “r,” missing “k”), which currently has around 11,500 subscribers and reposts some of the content from the official channel. Probably most crucial, western media outlets missed a post by the official Telegram channel of the Ministry of Digital Transformation on 26 February at 6.48 p.m. CET. Its content was almost identical to Federov’s recruitment message, except the Ministry added one crucial sentence: “we urge you to use any vector of cyber and DDoS attacks on Russian resources”. This call to arms echoed the first ever post in the official IT Army Telegram channel, which proclaimed two hours earlier: “Task # 1 We encourage you to use any vectors of cyber and DDoS attacks on these resources”. The post then listed 31 Russian banks, businesses, and government websites.

As of this writing it is unknown what exactly sparked the internal shift away from assembling developers, designers, and copywriters toward the IT Army’s almost sole focus on DDoS attacks. One likely explanation is that the specific Ukrainian talent that Federov outlined in his post was in the end funneled into a group called “StandForUkraine”. StandForUkraine was stood up by Roman Zakharov, a 37-year-old Ukrainian IT executive. The group currently consists of around 1,300 “software engineers, marketing managers, graphic designers and online ad buyers” that are fighting on Ukraine’s information warfare front. The group is trying to mobilize non-Ukrainians and the international community against the Russian invasion and is spreading Ukrainian war propaganda across Western media outlets and social media platforms. The group has also successfully pushed Western companies out of Russia. StandForUkraine has its own website, but in contrast to the IT Army, it is only using invite-only private chats on the messaging app Signal to communicate and organize. Future CSS research mights take a deep dive into the StandForUkraine ecosystem.

For the IT Army, it is important to stress that Federov is very active on Telegram but has only posted on Twitter 500 times or so since November 2020. Yet, even on Telegram, Federov rarely talks about the IT Army. Between 26 February and 20 April, he only forwarded 18 messages from the official IT Army channel. For a minister who created this digital army of volunteers, Federov seems rather disinterested in it. Instead, most of his Telegram posts gravitate toward his efforts to push Western companies out of Russia, fundraise for humanitarian projects and the Ukrainian armed forces, and inform citizens about the latest work of his Ministry.

One might assume the website of the Ministry of Digital Transformation would prominently display its connection to the IT Army and cover its ongoing activities in some way, shape, or form.18 And one would be wrong. As of this writing, there is not a single news item on the Ministry’s website that talks about the IT Army. Similarly, the Ministry’s official Telegram channel has mentioned the IT Army a mere ten times and forwarded just four posts from the official IT Army channel between 26 February and 20 April. Possibly spurred by the lack of consistent coverage, the Ministry’s Telegram channel announced on 18 April that moving forward, on every Monday it will talk about the victories of the IT Army. Notably, on 23 May, the Ministry summarized that “since the Russian invasion of Ukraine, the IT army has attacked about 2,000 Russian resources”.

Curiously, the Ministry did mention the IT Army and its Telegram channel in two news items on kmu.gov.ua – the official web portal of the Ukrainian government – more than two weeks after Federov’s recruitment call. A news item on 10 March briefly acknowledged the existence of the IT Army, while the 12 March post prominently headlined, “the Ministry of Digital Transformation has created 3 services to fight the occupiers on the digital front”: The IT Army, the Internet Forces of Ukraine, and the e-Enemy app “еВорог”.

The uneven and rather bumpy IT Army coverage by the Ministry of Digital Transformation in the first two months after the invastion might be an outcome of the diffuse and still evolving organizational structure of the IT Army itself.

How many members does the IT Army have?

Public reporting has put the number of IT Army members at around 300,000, which is derived from the number of subscribers to the official IT Army Telegram channel. According to TGStat, a platform that provides analytics for Telegram channels and chats, the IT Army’s Telegram channel reached its highest subscriber count on 26 March with 307,165.24 From thereon out, the numbers have continuously trended downward, leading to a cumulative loss of 47,940 subscribers over the following eight weeks (15.6%). On 10 June, the IT Army subscriber count stood at 259,225.

While it is unknown why exactly the channel has been losing so many followers so quickly, the likeliest explanation is probably a combination of (1) the loss of novelty over time, (2) boredom due to repetitive tasking, and (3) the ongoing kinetic war itself, which remains largely unaffected by the IT Army’s DDoS activities due to the focus on targeting Russian civilian infrastructure.

To contextualize the IT Army’s subscriber number it is useful to know that Telegram offers two platform types: (a) channels in which only the channel administrator’s messages appear, and users can comment if that function is enbled. And (b) chats where users can actually have somewhat of a dialogue with multiple members.

In the IT Army’s Telegram channel – which is literally open to anyone – there is little to no in-depth operational discussion taking place. The IT Army also has an official Telegram chat, yet its number stands at a mere 3,200 members. Discussion in the chat primarily gravitates toward helping other members solve their technical problems, and occasionally highlighting new potential Russian targets that are worth DDoSing.

So, how many members does the IT Army really have? Nobody actually knows, not even the IT Army itself. What the IT Army does know – or more precisely put – what the IT Army’s coordination team and Telegram channel administrators know, is the exact number of people that have directly approached them to offer their skills and time via the IT Army’s Gmail account and Google Docs contact forms. As of this writing, that number has not been publicly disclosed.

Targeting Flow and Coordination

What we do know is that the IT Army’s Telegram channel is just one component within the IT Army’s organizational structure – essentially serving as a sort of megaphone to circulate DDoS targeting information. In an interview with Ukrainian outlet Media Sapiens in late March, Mstislav Banik, the Head of the Electronic Services Development at the Ministry of Digital Transformation explained that “all tasks are formed by channel curators, who distribute them in the channel for volunteers. Anyone can subscribe to the project’s telegram channel and receive assignments”. With the aid of a few practical examples the following paragraphs will explain how the visible part of this targeting flow works in practice.

Simple Tasking

The first example is on “simple tasking”. Here, the exact same targeting information the IT Army channel publishes is circulated in numerous other channels and chats. On 18 March at 3.50 p.m. CET, the IT Army channel posted the URL of vesti95.ru, one of vesti95’s IPs, and four ports. Vesti95 is the official newspaper published by the Ministry of the Chechen Republic for National Policy, External Relations, Press and Information. A mere three minutes later the same information appeared in a chat named “DDoS Joint Group” (around 1,900 members). 20 minutes after that, it was published in the “Hacker Forces” channel (around 1,100 subscribers), which is the official channel of Hacken.io’s volunteer cyber army. Hacker Forces kindly credited the source of the information by explaining that, “here is a new task from itarmyofukraine2022. Are you in?” At 5.39 p.m., a channel called “Studentcyberarmy” (around 900 subscribers) posted the exact same information with no credit to the IT Army, and literally within the same minute that information was forwarded in the “CyberFire” chat (around 5,500 members). At 7.00 p.m., a channel belonging to “Cyber Palyanitsa” (around 700 subscribers) posted the same targeting details with no credit given. And at 7.59 p.m. CET, the information popped up on the “disBalancer Ukraine” channel (around 5,500 members), which is the Ukrainian channel of Hacken.io’s disBalancer DDoS tool. On 20 March at 4.16 p.m. CET, the “disBalancer English” channel (around 13,500 members) posted the url of vesti.ru under the header of “Websites [that] were under attack on 18 March 2022”. One hour later that post was forwarded in the Hacker Forces channel. As this example shows, Hacken.io is deeply entrenched in the information flow coming out of the IT Army channel. This should not come as a surprise, given that Aushev was the co-founder of Hacken.io. But the relationship between the IT Army and Hacken.io runs much deeper than that – more on this later.

Target Enrichment

The second example is on what is best described as “target enrichment.” Here, the targeting information posted by the IT Army channel is only circulated when it is further enriched with more IPs and ports. On 14 March at 9.11 a.m. CET, the IT Army channel posted the url of asna.ru and one of its IPs. Asna represents a network of more than 10,000 pharmacies in Russia and its website functions as a nationwide online pharmacy. The IT Army’s targeting information was only re-published in the DDoS Joint Group chat and a channel called “KiberBull” (around 7,800 subscribers), but no other channel or chat visible to me. That calculus changed eight days later when on 22 March at 10.38 a.m. CET, the Studentcyberarmy announced, “Good morning, today we start our day on the cyber front with a store in the pharmaceutical industry, namely ASNA! We are attacking until 13:00!” Included in the post was the IP mentioned by the IT Army, two additional target IPs, and six ports – two for each of the three IPs. One minute later that post was forwarded to the CyberFire chat and the “DDoS Attack Cyber Cossacks” chat (around 25,800 members). At 10.51 a.m. CET the “Cyber Cerber” chat (around 600 members) posted the exact same targeting information with no credit given, and at 11.35 a.m. the “DDoS Attack Cyber Cossacks” channel (around 69,800 subscribers) tasked its DDoS teams one and four to hit the three Asna IPs. Each Cyber Cossacks DDoS team has about 1,000 dedicated members who are highly active and coordinate their activities in their own separate chats. On the next day at 12.08 p.m. CET, Cyber Palyanitsa posted the same targeting information again. Nine minutes later it appeared in the Cyber Cerber chat, and eight minutes after that it was reposted in a channel called “Anonymous-Ukraine” (around 1,900 subscribers). At exactly 12.29 p.m. CET, the Studentcyberarmy made a new post with the same Asna targeting information, which was immediately forwarded in the CyberFire chat. Seven minutes later, the DDoS Attack Cyber Cossacks channel posted the commands to pull the latest docker image to update the target information for asna.ru. Notably absent in the entire information exchange was Hacken.io.

External Clustering

The third example is “external clustering”, which is when the targeting information fails to circulate widely and only survives in a small cluster of channels and chats. On 28 February and 3 March, the URL of mvideo.ru was mentioned in the disBalancer Ukraine chat and the CyberFire chat. Mvideo is one the largest consumer electronics chains in Russia. The call to target mvideo was not picked up by anyone until two weeks later when Cyber Palyanitsa posted 3 of mvideo’s IPs and 18 different ports at 9.19 p.m. CET. Eleven minutes later the Studentcyberarmy posted the exact same targeting information, and literally within the same minute the post was forwarded in the CyberFire chat. At 10.21 p.m., Cyber Cerber picked up the information as well. On 7 May, the IT Army finally picked up mvideo as a DDoS target with one IP overlapping from the previously shared target information. A group known as Ukrainian Reaper posted the commands to update Multiddos via docker and MHDDoS via Python.

Note: Multiddos is a DDoS script that is exclusively being used by Ukrainian Reaper. It combines three tools: auto_mhddos developed by Ukrainian Reaper, db1000n, and UA Cyber Shield. The latter two will be discussed in the next section.

Ad Hoc Prioritization

The fourth example is on what might be adequately termed “ad hoc prioritization”. Here, bits and pieces of targeting information pop up now and then in various channels and chats but are only consolidated at a much later point in time when the target is designated high priority by the IT Army. Between February 28 and March 4, the targeting of qiwi.com was widely discussed in the IT Army chat, the CyberFire chat, and the two disBalancer chats. QIWI is a popular Russia payment service provider that also serves the other members of the Commonwealth of Independent States (CIS). Multiple users on Telegram asked why QIWI was not being announced as a DDoS target. One user for example quipped that QIWI should not be targeted because there needs to be at least one path to send money from Russia to Ukraine. Others were simply stating that they were now DDoSing QIWI individually.

The dynamics changed on 4 March, when QIWI released a press statement noting that “U.S. and EU sanctions targeting Russia have had no immediate material impact on QIWI’s operations. Neither QIWI nor any of its subsidiaries is specifically targeted by the new sanctions enacted as a result of the Russian military operations in Ukraine”. On the same day, the “DDoS Attack Cyber Cossacks” channel (around 69,800 subscribers) announced the targeting of QIWI and published one IP and two ports. A few hours later the target was changed to a different QIWI IP in a post explaining, “let’s try with more people, start 9:23, attack to the point until I give a new goal”. The discussion on targeting QIWI kept on going for the next 25 days, with different channels and chats publishing other QIWI IPs and running their own DDOS attacks. Then on 29 March, the IT Army channel surprisingly announced that “we have a need to attack QIWI now”. The post covered 15 QIWI IPs and ports, including all those that were previously circulated in different channels and chats. For whatever reason, on that very day, the IT Army decided to designate QIWI a high priority DDoS target that needed to be taken down immediately.

Notably, ad hoc prioritization was also at play when EGAIS was targeted by the IT Army in early May 2022. EGAIS is the Russian government’s unified state automated alcohol accounting information system, which is the centralized systems that certifies and taxes every bottle of alcohol, vodka, and wine produced in Russia. Back in early April 2022, one user in the IT Army’s chat brought up EGAIS three times as being a good DDoS target. As the user himself explained on 4 April, “believe me, this goal is quite serious because it causes reputational damage. This portal belongs to the state and shops and distributors must confirm exactly according to the law of the Russian Federation to wait for documents in this portal”. On 2 May at 8.00 a.m., EGAIS was picked up as a target by the DDoS Attack Cyber Cossacks. And at 8.55 a.m. the IT Army channel announced that “today’s target was received from one of our subscribers. EGAIS is a Russian federal state-owned automatic system for tracking the production and distribution of alcoholic beverages in the country. If this system is down, the official turnover of liquor and spirits in Russia will be blocked!”

According to Russian media outlet Vedomosti, “producers and distributors of alcohol for the first May holidays could not ship products to their customers due to a large-scale failure in the operation of [EGAIS].” Between 2 May and 12 May, the IT Army designated EGAIS a high priority target. On 7 May for example, the IT Army channel noted that “today, online shopping Russia will be cancelled ;) And don’t forget to keep ‘EGAIS’”. Similarly on 8 May, the channel explained, “we have a tradition to combat Russian propaganda on Sunday. Let’s stick to it. Additionally, we’d like to keep a firm grip on ‘EGAIS’ because due to your help, there is an ongoing flow of complaints about this service”.

According to the Russian Foreign Ministry, “as of May 2022, over 65,000 ‘sofa hackers’ from the USA, Turkey, Georgia, and EU countries regularly took part in coordinated DDoS attacks on [Russia’s] critical information infrastructure”.

IT Army Coordination Document

Now that we have a sense of how the visible sharing of DDoS targeting information works on Telegram, let us take a look at the publicly accessible IT Army coordination document which is hosted on Google Docs and shared by the official IT Army Telegram bot. For this write-up the most recent version was accessed on 30 March.

The coordination document is sporadically being updated by the IT Army and includes information on the priorities of DDoS targets. It also roughly tracks which websites are down or need to be re-engaged, and it serves as a resource to several DDoS tooling instructions as a guide for newcomers. On the DDoS target prioritization part, the document shows that the IT Army only had two priority designations at the time. Russian online banking services like Sberbank and payment processors such as Mirconnect were designated priority tier one. Online tellers like cse.ru were deemed priority tier two. Notably, as of this writing, QIWI was still absent from the priority list, yet it did appear under a separate tab called “find_ip_port”, with no IP and ports yet scribbled in, illustrating the ad hoc nature of the IT Army targeting QIWI. Interestingly, the document also had a tab called “IP&Port”, which on 30 March only included the URLs, IPs, and ports of six Russian Ministries. Those targets were published by the IT Army channel on 30 March at 1.48 p.m. CET. Apart from these six targets there are no other IPs and ports listed in the entire coordination document.

Overall, the IT Army has been primarily utilizing the coordination document as an introductory guide to newcomers which is why it included two DDoS attack level categories: “attack: simple level” and “attack: advanced level”.

The simple level lists four DDoS sites. Users load these websites in their browser, then a script on the website continuously sends requests to a pre-set list of designated targets. Some DDoS websites display which sites they are targeting while others do not. Probably the most popular DDoS attack website listed in the IT Army’s coordination document is playforukraine.org. The website was developed by members of the Lviv IT cluster and gamifies DDoS attacks by engaging users with the popular numerical puzzle game 2048. Playforukraine stands apart from other DDoS websites for four reasons: (a) it was launched on 28 February, only four days after the Russian invasion started;(b) it claims to be verified by the Ukrainian Cyberpolice; (c) it was promoted on the official Lviv Regional Administration website; and (d) it has been officially endorsed by the Ukrainian Ministry of Digital Transformation and even the Ukrainian Parliament.

Speaking to FastCompany, the developers explained that “one user can send 20,000 server requests in one hour of gameplay”. On 3 March, playforukraine tweeted that “123k players performed 153 bln attacks”. Playforukraine does not reveal which sites it is targeting, but the occasional screenshot posted on their Twitter account shows web check results for dominopizza.ru, alfabank.ru, and gazprom.ru. As with all other attack vectors, playforukraine notes on its website that “before starting the game, turn on the [Virtual Private Network] if you play from the territory of Ukraine”. This essentially means that users using VPNs route their traffic through a server located outside Ukraine – most notably EU and NATO member states – to DDoS Russian sites. The reasons for doing this are manifold, with the primary one being that Russia companies have blacklisted Ukrainian IPs.

When it comes to the advanced level DDoS attacks, the IT Army’s coordination document is rather outdated, as it includes step-by-step manuals that were drawn up back in late February. These include instructions such as utilizing free trial periods for virtual servers in the cloud – offered by AWS, Google, and Microsoft – to install DDoS attack tools. Other instructions cover a handful of GitHub repositories to set up dockers and “stress testers/DDoS testing tools”, including GoldenEye and Slowloris which are pretty old school. GoldenEye’s initial releases was back in 2012 and Slowloris three years before that.

A site called ddosukraine.com.ua has communicated a clearer understanding of what the IT Army means by advanced level attacks. Initially it was unknown who set-up the site, but in March the official IT Army channel bot started to recommend the site every 15 minutes in the IT Army Telegram chat. The website also linked exclusively to the IT Army channel and refresheed every 15 minutes to show the latest targeting information published by the IT Army.

Under the section on “powerful tools”, one set of instructions details how to set up a virtual machine to run “Death by 1000 needles” (db1000n). Db1000n is a GitHub repository authored by Arriven aka. Bohdan Ivashko, a senior software engineer working out of Kyiv for Palo Alto-headquartered US-headquartered computer network security company Cyberhaven. Db1000n is special to the degree that (a) it was uploaded onto GitHub on 26 February in direct response to the Russian invasion, (b) its official manual notes that “this is an instruction manual for those who want to provide their computers to the centralized management of the Ukrainian IT Army”, (c) it is mentioned more than 680 times in the IT Army chat, and (d) it serves as a foundation for several git clones that are IT Army inspired.

For example, the instructions for db1000n on the ddosukraine.com site linked to a Google Drive folder with a docx file that read: “My name is Igor, I’m an IT specialist from Lviv. At first, I came across a channel in the Telegram ‘IT Army of Ukraine’. There I learned that there is a ready-made program ‘Death by 1000 needles’, created to bring down the sites of Mordor, as well as that it needs to run via VPN. Working for a week, I assembled a virtual shell machine for Death by 1000 needles. My shell turned out to be quite successful, so I decided to share it with others”.

In early April, the ddosukraine.com.ua site moved to the new domain itarmy.com.ua. The official IT Army bot has been promoting the site ever since, and the IT Army channel has endorsed it as the official IT Army of Ukraine website. Probably the most intriguing change that was introduced on the new site was an announcement on 5 April that stated “very important! For an effective attack, we must all strike at the same targets and keep them in that position for as long as necessary. Therefore, we ask you not to join in the chats and not to launch independent attacks on other targets”.

GitHub Repositories

As of this writing, the number one GitHub repository discussed in the IT Army chat – with around 1070 mentions – is called MHDDoS. MHDDoS is not in any way affiliated with the IT Army and its author explicitly notes in the repository’s readme, “Please Don’t Attack websites without the owner’s consent”. The most shared MHDDoS clone in the IT Army chat is called MHDDoS_proxy authored by a user named porthole-ascend-cinnamon. In the GitHub repository readme file, porthole-ascend-cinnamon links to an unofficially guide called “DDoS-for-all”, authored by a user named SlavaUkraineSince1991. It did not come as a surprise that the examples SlavaUkraineSince1991 used in his guide were ria.ru and tass.ru. What did come as a surprise was that the guide linked to three different Telegram channels with none of them being the IT Army: “DDOS Tutorial for all” (around 5,800 subscribers), “KiberBull” (around 7,700 subscribers), and “Ukrainian Reaper” (around 4,800 subscribers).

Looking at the three channels in question, a few things stick out. All three occasionally pick up targets that are announced by the IT Army channel. KiberBull for example, was the only channel visible to me that re-posted the target information for asna.ru on 14 March. By contrast, Ukrainian Reaper officially stated on 1 March that they are sourcing their targets from the IT Army channel and a Telegram channel called “ddoskotyky” (around 20,100 subscribers). In some instances, DDOS Tutorial for all and Kiberbull decided to help the IT Army finish off their targets, as was the case on 19 March when the IT Army announced the targeting of tutu.ru, Russia’s largest rail and flight ticket booking service. DDOS Tutorial for all explained that “we help IT Army of Ukraine to finish tutu.ru”, and KiberBull equally posted that “we will help IT-Army to put [out] one of the largest ticket booking services [tuttu.ru]”. Overall, however, these three channels do not seem to act as one coherent group, except for one oddity: DDOS Tutorial for all does occasionally support KiberBull and Ukrainian Reaper in their individual DDoS campaigns that are not IT Army designated targets.

Should these three groups be considered part of the IT Army? Yes and no. On the one hand, they do occasionally participate in the IT Army’s DDoS campaigns. On the other hand, the IT Army itself explained in a Telegram post on 4 April: “there are quite a few channels that conduct DDoS attacks on hostile services with us. Each community has a database of tutorials, as well as a sufficient number of involved participants. It is important to understand that each community is independent and chooses priority goals for itself. But we all communicate with each other and quite often they support us in attacks on our targets. We want to thank our subscribers and the following communities for their active position and help in the fight against the enemy in cyberspace”. Among the communities listed are Ukrainian Reaper and KiberBull, but also Cyber Palyanitsa, Studentcybergroup, DDoS Attack Cyber Cossacks, Anonymous-Ukraine, DDoS joint group, and UA Cyber Shield – which we are going to look at next.

Sidenote: Cyber Palyanitsa echoes the IT Army’s sentiment. On its website it lists several coordinating groups stating “Choose your legion. Each of our groups has both common and individual tasks, join and help Ukraine with us!”

The third GitHub repository that has been popping-up in various Telegram channels is called UA Cyber Shield or uashield for short. Uashield is a DDoS tool that was uploaded onto GitHub on 28 February. It is a project by a group that calls itself the “Volunteer cyber defense of Ukraine”. Uashield stands out because of four oddities: (a) on the group’s website – help-ukraine-win.super.site – they display an official Ukrainian government logo with the note, “supported by the Cabinet of Ministers of Ukraine”; (b) in its GitHub readme they explain that “ALERT!!! We are not supporting unlawful active attacks or malware campaigns that are causing technical harms. Use only for educational purposes. You can only try this platform on your own website!”; (c) they are the only DDoS tool I am aware of whose instructions have been translated into 11 different languages, including Korean and Portuguese; and (d) on 31 March, the official uashield Telegram channel stated that “starting from the current version UA Cyber SHIELD supports all attack types used by the IT Army of Ukraine: HTTP / HTTPS / UDP”. Four days later, uashield officially announced that “we are working together with the IT ARMY of Ukraine”.

Notably, with uashield running on almost all operating systems – including mobile OS – combined with its prominent attack counter user interface, it has almost naturally attracted the attention of many young non-technical users who in turn have posted several videos of their own uashield use on TikTok.

The fourth GitHub repo is called disBalancer. DisBalancer was designed by a team of cybersecurity and cryptocurrency enthusiasts and was launched under the umbrella of the Hacken Foundation on 2 March 2021. It markets itself as a web3 decentralized DDoS protection network. Essentially, users anywhere can install disBalancer and become members (or farmers as they are called) in a de-centralized network by renting out unused bandwidth and storage space. In return they are rewarded with DDoS tokens that can be bought and sold on most cryptocurrency exchange platforms. As disBalancer explains it: “It works similarly to a blockchain mining pool by setting up a computer node to perform the required operations and receive traffic”. Businesses that are interested in implementing disBalancer as a DDoS protection solution simply have to add their network nodes to the DNS records and “all traffic starts circulating behind the nearest ones available. Each node can then redirect traffic to others nearby to increase capacity as required”. At its core, disBalancer was inherently conceptualized as a defensive tool to offload incoming DDoS traffic. As the team itself explains, “we strive to defend companies with servers and services on the Internet against DDoS attacks. Our network will act as a warrantor, sharing unused computer power and bandwidth with companies that need these resources. Thereby we will make the world a safer place and change the meaning of DDoS to the good side”. So far so good.

Hacken, Liberator, and Hackenproof

The problem for Estonia-headquartered Hacken.io started on 4 March when the disBalancer team launched a DDoS attack tool called the Liberator. Liberator was developed in reaction to the Russian invasion with the overarching goal of “helping liberate Ukraine” by DDoSing “Russian propaganda websites and sources that contribute to the Russian invasion of Ukraine”. The disbalancer team essentially switched from DDoS defense to DDoS offense by explaining, “don’t ask us how legal DDoS attacks on Russian propaganda sites are. Our cities are bombarded where children and civilians die. We are acting in coordination with the Ministry of Digital Transformation that initiated the Ukrainian Cyber Army invention [IT Army] to help the Armed Forces of Ukraine”. By tapping into the community disBalancer had built over the past year, users across the globe who previously ran the disBalancer DDoS protection tool now heeded the call and installed Liberator for offensive purposes. For good measure, disBalancer also reminded their followers that, “if you think that this does not concern you or disagree with our participation in fighting against Russian aggression, just leave us forever. Indifference is no less a crime when it comes to other people’s lives”. As of this writing, disBalancer claims that Liberator was downloaded 100,000+ times, and between 3,000-6,000 users are running the application at any given point in time. If this were not enough to convince people to participate, the disBalancer website notes that (a) “we guarantee [the] safety of your computer and data. It’s legal and white methods” and that (b) “by buying DDOS tokens, anybody can help us to scale the app infrastructure and purchase more servers”. This means that the DDoS tokens that users could farm by being part of disBalancer’s de-centralized DDoS protection network are now being used as a financial resource to build out Liberator’s DDoS attack infrastructure. If by this point users were still unsure whether installing Liberator was a good idea, the disBalancer website reassured them under the Ukrainian coat of arms that “we’re acting in coordination with the Ministry of Digital Transformation of Ukraine”.

So how tightly is disBalancer interwoven with Hacken and the Ministry of Digital Transformation? Well, the disBalancer team leaders are prominently displayed on their website. They include Serhii Dovhopolyi, who works as tech lead and is also on Hacken’s Kyiv-based R&D team.

Oleksandr Horlan is operations lead, and he also works for Hacken in Kyiv as a penetration tester and security analyst. Dyma Budorin serves as advisor and is also the Cofounder and CEO of Hacken. Finally, Denis Ivanov is an advisor and also the Head of the Expert Group at the Ministry of Digital Transformation. The disBalancer website’s privacy notice similarly explains that “we are Hacken OÜ, located at Kai tn 1-5M, Tallinn city, Harju county, 10111, Estonia”. This is the physical address of Hacken’s headquarter in Estonia, a NATO and EU member state.

Interestingly, on 10 March, Politico reported that some 50 employees of Hacken’s Kyiv office were relocated to Spain, another NATO/EU member state, for security reasons. Eighteen days later, the IT Army channel officially promoted disBalancer’s Liberator to its then-306,000 subscribers for the first time.

On 20 April, disBalancer went on to publish its first recruitment video on Youtube. The video’s message stated: “instruction is clear even for a little baby. The most effective DDoS-App against Russian Aggressor. … Run attacks 24/7 wherever you are. We are the Cyber Army. Join Ukrainian Cyber Army in the first cyber world war. You can become a legend”. Eight days later, a US-based Youtube cryptocurrency influencer by the name of Boxmining published an 8-minute-long video urging his 268,000 subscribers to install Liberator to DDoS Russian sites. Boxmining is not just a random Youtube influencer. He visited Hacken’s Kyiv office in 2020, and in 2021 he interviewed Hacken’s CEO Dyma Burodin on his Youtube channel. Naturally, the video was warmly embraced by disBalancer and the Hacken Forces Telegram channel, as well as on Hacken’s Twitter account, which tweeted “how to defend Ukraine with ONE app? Run @thedisbalancer’s Liberator! @boxmining, a famous crypto influencer and Hacken’s friend, dropped a new video on his Youtube channel with an easy explanation”.

Neither Hacken nor Boxmining informed their (mostly young) userbase about the potential legal consequences and blowback from running DDoS and interfering in an international armed conflict. In the US, DDoS attacks may be considered a federal crime under the Computer Fraud and Abuse Act. And in Estonia – where Hacken’s headquarter is physically located – DDoS attacks may fulfill the category of computer sabotage, which is punishable by up to 3 years in prison. Notably, back in early April 2022, Russia’s FSB detained a system administrator working for a local company in Yalta, Crimea, who installed a DDoS tool on his work computer to run attacks against Russian websites between 24 February and 10 March. He is currently facing five years in prison. It is unknown which exact DDoS tool he used. What we do know is that in mid-May, The Wall Street Journal reported that disBalancer/Hacken’s Kyiv team moved from Barcelona, Spain, to Lisbon, Portugal, another NATO and EU member state.

Underlining this nonchalance, disBalancer decided to publish three Liberator user interviews on 27 May 2022. It is unknown whether these interviews were conducted with real users or are fictional creations the disBalancer team invented to advertise the use of Liberator. Jase Mo from the US explained that “I started off on the hackenproof.com page and went from there. I found Liberator to be, ‘EASY AF’ to use. … Not only has Liberator made it easy AF to join the fight, but has allowed the average person to be a part of the Team that is pulling off the largest most effective DDoS champagne the world has ever seen. I love this shit”. Meanwhile, Casimir from Germany stressed the financial side of things: “what would motivate me even more? Maybe a special kind of disBalancer NFT for the verified users of Liberator. ;) I saw that there might be DDOS NFTs for those who hold more than 1000 DDOS [tokens] until the war is over (which is easy for me because I’m buying more as soon as I can)… But maybe you could make special edition NFTs for the cyber warriors?” And Daniil from Ukraine stressed what else can be done: “Besides being involved in disBalancer, I actively support Ukraine in other ways. For instance, by donating to the Armed Forces of Ukraine and assisting the cyber fight on the side of Ukrainians with other DDoS tools designed to shoot russians down. I use a few other applications like UA Cyber SHIELD, dn1000n, dripper, MHDDos, and 5 sites for DDoS attacks. Besides, I report on russian propaganda telegram groups in order to hinder the lies that spread among the people, including in the occupied territories”.

On 8 June 2022, disBalancer announced that Roskomnadzor – Russia’s Federal Service for the Supervision of Communications, Information Technology and Mass Media – blocked access to disbalancer.com. According to the disBalancer blog the “access restrictions to our site to Russian providers and Internet users from russia will not stop our DDoS attacks on russian propaganda websites, government, and infrastructure systems that provide the basis for everyday life and enable the flow of goods, information, and services. Until russia withdraws the last soldier from Ukraine and the ongoing shelling by Russian forces stops, we are going to further enhance our activities”.

The cooperation between Hacken and the Ukrainian government does not stop there. HackenProof, which is Hacken’s bug bounty platform, has been running two vulnerability reporting programs in response to the ongoing war in Ukraine: a defensive and an offensive one. The defensive program was established around 1 March and runs under the name “Call for Ukrainian cyber defense. Stop the war”. It is geared toward finding “critical vulnerabilities” in Ukrainian government and infrastructure websites, which HackenProof then reports to the corresponding authorities. As the site explains, “we’re looking for vulnerabilities such as RCE, SQLI, RFI/LFI, or data leaks. Please don’t waste time on low-/medium-severity vulnerabilities. Save our time for what matters”. As of 25 May the program received 291 submissions by 27 authors. According to the Wayback Machine, on 8 March the number stood at 271 submissions by 23 authors. Thus, over the past 2.5 months the program added a mere 20 new submissions.

While the program does not pay any bounties, it is important to understand that for a long-time ethical hackers “could face fines of up to $42,000 USD or even three years in prison for trying to detect bugs in the computer systems of the Ukrainian parliament, ministries, or state companies”. Only on 21 April, roughly seven weeks after HackenProof initiated its defensive bug bounty program, did the Ukrainian Parliament adopt the law on “Amendments to the Criminal Code of Ukraine to Increase the Effectiveness of the Fight against Cybercrime in the Conditions of Martial Law”, which tweaked the criminal code to enable bug bounty programs for the public sector. As of this writing it is still unclear whether HackenProof’s bug bounty program ever ran afoul of Ukrainian law or whether Hacken’s physical location in Estonia shielded it from prosecution. It is also unknown whether the program was supported by members in the Ukrainian government, or how exactly HackenProof streamlined its information flow to contact the multitude of Ukrainian authorities and companies affected.

HackenProof’s offensive program was started on 27 February and runs under the name “Call for exploits. Stop the war”. Similar to the defensive one, HackenProof is only looking for submissions of critical vulnerabilities, including data leaks, which are then “put in the good hands of Ukrainian cyber forces”. The focus areas are Russian hosting providers, ISPs, aerospace/air control, SCADA systems, banks, public services, energy/oil/gas, transportation/logistics, ports/elevators, and even retail. It is unclear whether submissions pertaining to the Russian healthcare sector, humanitarian NGOs, schools and universities are also being accepted by HackenProof. Notably, the program site directly links to the IT Army’s Telegram channel explaining, “for reference, you can use Resources shared by Ukrainian cyber volunteers”. As of 25 May, the program had 422 submissions by 32 authors. According to the Wayback Machine that number has stayed the same since 14 March. Thus, over the past eleven weeks the offensive program received no new submissions. Like the defensive program, there are no bounty pay-outs.

Surprisingly, the existence of the offensive bug bounty program combined with the fact that it is organized by a company headquartered in Estonia has to date not spurred any legal, ethical, nor political conversations on co-belligerency in cyberspace, the role of Ukrainian-owned companies operating from NATO/EU member states, and their targeting of Russian civilian infrastructure in cooperation with the Ukrainian government. There is also no conversation in the information security community on the role of bug bounty programs targeting a belligerent party embroiled in an international conflict. The current silence on these issues amidst the ongoing war in Ukraine is certainly understandable – and so is the activism of Ukrainians abroad – yet NATO/EU member states might be setting unintended legal and ethical precedents that may create significant political blowback in the future. For example, what if a Russian-owned company located in Germany were to organize an offensive bug bounty program that targets Ukrainian critical infrastructure and shares the discovered vulnerabilities with the Russian intelligence community? Would Berlin, Brussels, and Washington deem this acceptable private sector behavior?

Apart from HackenProof’s two bug bounty programs, Yegor Aushev also started his own bug bounty program called “Hack/Fuck Russia” that ran its first phase from 1 March to 10 March. It was financially supported by Aushev’s Kyiv-based Cyber Unit Tech company with a donation of 100,000 USD. Curiously, the bug bounty announcement also included a Tether wallet address for donations. To date that wallet has received a combined 70 Tether, which is a mere 70 USD (Tether is pegged 1:1 to USD). Yet, in an interview with The Record, a Cyber Unit Tech representative explained that “our company has contributed the initial $100,000, but we see participation and contribution from all over the world. The amounts are very, very significant and might be one of the biggest bounties ever, maybe the biggest ‘unofficial’ bounty”.

So, how do we square these two different assessments? If there is a huge donation flow that underpins Aushev’s bug bounty program, then it is certainly not going into the Tether wallet. We also know that neither Aushev nor Cyber Unit Tech have posted any other wallet addresses on their official Twitter, LinkedIn, and Facebook accounts. So, how do people from across the world know to which wallets to donate in support of the cause? One feasible explanation could be that the wallet addresses are spread within invite-only groups on WhatsApp and Signal to facilitate donations from the Ukrainian IT community living abroad. Another possibility might be that the international cryptocurrency donations flowing into the Ukrainian government’s official Bitcoin, Thether, and Etherium wallets are partially underpinning Aushev’s bug bounty program. As of 21 April, neither Aushev nor Cyber Unit Tech has announced the start of phase two of their bug bounty program. It is unknown whether the program actually paid out any bounties or to whom any of the reported vulnerabilities were forwarded. Given Aushev’s closeness to the Ukrainian government and Cyber Unit Tech’s strategic partners – which includes the National Security and Defense Council of Ukraine – we can infer with some level of confidence that the vulnerabilities might have ended up in the hands of the Ukrainian Ministry of Defense, the intelligence services, or the IT Army.

Non-public Structure and Tasks

Apart from the publicly visible IT Army structures and tasking flows, there also exists an in-house section to the IT Army.

Hints of the in-house section first popped up in early March when the IT Army defaced miranda-media.ru, which is a Russian ISP serving the Crimean Peninsula. Several other defacements followed of which almost none gained widespread media attention. The exception occurred on 2 April and 6 April, when the websites of Sukhoi.ru and Gazprom.ru were defaced with fake statements by Yuri Slyusar (General Director of Sukhoi) and Alexie Miller (CEO of Gazprom) criticizing the Kremlin for the war in Ukraine. At the time, public speculations veered between the websites being hacked by an unknown group and the statements being legitimate. The fog of war was lifted three weeks later on 23 April, when the IT Army’s channel posted a three-minute video in which it took credit for the fake statements. As the video explains, “we published the statement, but all [the content was] taken from Mr. Slyusar’s correspondence with colleagues and friends. … Within the Kremlin’s inner circle people know about [Alexie Miller’s] position for a long time. We just made it public, completely collecting his thoughts from the correspondence”. As of this writing, discussions pertaining to defacements are entirely absent from both the IT Army channel and chat.

On 4 April, the IT Army posted a two-minute video on the use of Clearview in Ukraine to identify Russian soldiers. Clearview is a controversial US-headquartered AI facial recognition company that has assembled a vast biometric database – by scraping facial pictures from social media and the wider Internet – to readily identify and locate any individual. The company is currently facing several lawsuits in the US and has been fined by various privacy watchdogs in the EU. On 23 May, the UK’s Information Commisioner’s Office fined Clearview more than 7.5 million GBP and ordered the company to delete all the data of UK residents from its systems. Kashmir Hill at The New York Times explained Clearview’s impact best by stating that, “searching someone by face could become as easy as Googling a name. Strangers would be able to listen in on sensitive conversations, take photos of the participants and know personal secrets. Someone walking down the street would be immediately identifiable – and his or her home address would be only a few clicks away. It would herald the end of public anonymity”.

On 13 March, Reuters reported that the Ukrainian Defense Ministry started to use Clearview to identify dead Russian soldiers. Ten days later, Ukraine’s Minister of Digital Transformation, Mykhailo Federov, explained on Telegram that “today, we use artificial intelligence to search the social media accounts of dead Russian soldiers for photos of corpses, to report their deaths to friends and relatives, to dispel the myth of a ‘special operation’ in which ‘no conscripts’ and ‘no one dies.’” Exact figures on Clearview’s use in Ukraine were hard to come by until the IT Army posted its video on 4 April. In it, the IT Army explained that it uses Clearview to directly contact dead soldiers’ families and loved ones via social media and messaging apps, by informing them about the death of their relative and attaching a picture of the mutilated corpse and passport. While many Western outlets went on to described Ukraine’s actions as morally acceptable and almost humanitarian, one has to seriously question whether the same positive perception would apply if the Islamic State were to directly contact US families by sending them pictures of their relative’s mutilated corpse via social media. To argue that this is just a form of humanitarian outreach clearly ignores the overarching information warfare campaign that Ukraine is waging against Russian society at-large.

According to the IT Army, as of 4 April the Ukrainian government successfully identified 582 corpses with the help of Clearview. The exact figure was likely supplied to the IT Army by the Ukrainian Defense Ministry, Ukraine’s intelligence services, or the Ministry of Digital Transformation. None of the Clearview aspects were ever mentioned in the IT Army channel or chat.

On 6 April, the IT Army posted a four-minute video which showed them calling the family of a Russian soldier who allegedly looted around 100 kilograms of goods in Ukraine. The loot was sent via mail from a post office in Moyzr, Belarus, to the town of Chita in the far east of Russia. The IT Army’s video identifies the precise weight of the six packages the soldier paid for (totalling around 100 kg), as well as the phone number and address of the recipient (the soldier’s brother). The video also shows the CCTV feed of several Russian soldiers with their packages in the same post office. At the beginning of the phone call, the IT Army makes legal threats by pretending to be the FSB. The call ends with the IT Army saying, “we know where you live, where your brother lives, we know everything about your family. You will be responsible for every action that you have done on the territory of Ukraine”.

The IT Army subsequently published two similar videos on 8 April and 9 April. In the first one, a Russian soldier sends 16 kg from the Mozyr post office to his wife in Novosibirsk, Russia. And in the second one, a different Russian soldier sends 63 kg to his wife in Khabarovsk, Russia. The CCTV video is the same in all three videos which suggests that all three Russian soldiers visited the Mozyr post office together.

It is still unclear how the IT Army gained access to all the information necessary to run this operation. How did they know the exact Belarus post office these Russian soldiers would use? Did they breach the CCTV camera in the post office or was the footage given to them by another agency? As of this writing there are no answers to these questions, and none of the operational details of the calls were discussed in the IT Army channel or chat.

What we do know is that on 2 June 2022, two months after the IT Army released the three videos, the Ukrainian Cyberpolice, in conjunction with the Security Service of Ukraine (SBU), utilized the exact CCTV footage to announce the identification of 10 Russian Rosgard soldiers from military unit 6720 that looted the homes of residents in Bucha, Ukraine.

While we do not know who got their hands on the CCTV footage first or who oversaw this intelligence gathering operation, we can conclude that either the IT Army supplied the footage to the Cyberpolice and the SBU, or the SBU was overseeing the entire operation and utilized both the IT Army and the Cyberpolice as vehicles for their outreach components, publishing the three calls in April and announcing the soldier idenfications in June. On 16 June, the National Police of Ukraine posted a video on Youtube which showed the usage of Clearview by the Ukrainian Cyberpolice to identify the Russian soldiers in the post office.

On 7 April, the IT Army revealed its most sophisticated campaign to date which targeted a Russian Instagram clone called Rossgram. Prior to the official release of the Rossgram app at the end of March, the IT Army claimed to have (1) breached Rossgram’s beta sign-up database, (2) created a fake Rossgram app, (3) sent invites to all the beta sign-ups, (4) pushed out notifications to all those who installed the fake app that Rossgram was hacked, and then (5) leaked the beta sign-up database to the public. To date, this is the only hack-and-leak operation for which the IT Army has taken direct credit. None of this was discussed in the IT Army’s Telegram channel and chat.

On 14 May, the IT Army took credit for the destructive campaign against RuTube. RuTube is a Russian Youtube competitor that was created back in 2006. In mid-March, RuTube’s viewership began to skyrocket as Youtube – in reaction to the war in Ukraine – effectively pushed Russian content creators and users off its platform by suspending Google’s advertising system in Russia. Given the rapid growth of RuTube and the significant decline of independent media reporting in Russia, the IT Army identified RuTube as the “main information center for Russian false propaganda”. Timed to coincide with Russia’s Victory Day celebrations on 9 May 2022, the IT Army – with the help of “two specialists” – subsequently ran a destructive campaign against RuTube starting the night of 8 May. According to the IT Army’s video, the campaign successfully (a) changed all administrator passwords, (b) blocked all the access cards that were needed to enter and exit RuTube’s server rooms, (c) deleted “dozens of petabytes of information”, (d) “demolished all systems – virtualization, databases, content, converter, content search systems, advertising module, load distribution systems and management of the entire infrastructure”, and (e) exfiltrated internal information from the computers of the RuTube administrators and employees. The attack against RuTube is the first ever destructive campaign for which the IT Army has taken credit.

RuTube remained offline for almost three days with partial access being restored on 11 May: Recovery commenced in stages. According to RuTube’s official Telegram channel, Russian cybersecurity company Positive Technologies helped to investigate and remediate the attack. RuTube also explained that “there have been many attacks on RUTUBE that have been successfully localized. However, the 9 May incident was of a different level of complexity. The readiness of the infrastructure for such a targeted attack can only be established by encountering it”. On 14 May, the site seemed to have been fully restored from its backups.

As of this writing, it is still unknown how large the IT Army’s in-house team is, or who exactly is tasking and feeding them information. The in-house team likely consists of members located in Ukraine and Ukrainians living abroad. As of this writing, the IT Army has open vacancies for pentesters, desktop developers, hackers, system administrators, graphic designers, and, most importantly, connoisseurs of English. The vacancy site describes the in-house team’s tasks as “hacking enemy resources, spreading viruses, creating phishing sites, and inflicting maximum damage on the [Russian] economy and other public spheres”.

Curiously, on 18 May, the IT Army channel put out a crowdsourcing call for information, stating that “we need your help in finding databases with phone numbers of private individuals and legal entities from the occupied Crimea as well as Russian regions next to the Ukrainian border (Briansk, Kursk, Belgorod). You can send this information to itarmyua@gmail.com”. Four days later, the IT Army thanked everyone that sent in information, and put out a second request for help, stating, “we need your help in finding databases with the phone numbers of Russians who fall under one of the following categories: (a) “young people who have radical views and are into working out (e.g. bouncers, members of martial arts groups)”, (b) “draftee (people who might be conscripted for military service)”, (c) “students”, and (d) “military service offices employees and their relatives”.

As of this writing it is still unknown for what purpose the IT Army has been collecting this information. It might end up being used by the in-house team for one of their upcoming campaigns, it could be forwarded to the Internet Forces of Ukraine for an information warfare operation, or it could even be utilized to organize Russians in Russia to act against the Russian state apparatus. Time will tell.

Where are Ukraine’s intel services?

The IT Army is the main hub for Ukraine’s “offensive” response in cyberspace in reaction to the Russian invasion. Parallel to this cyber effort, the Internet Forces of Ukraine were stood up on 28 February to wage the nation’s “offensive” campaign in the information warfare domain. The focus of the Internet Forces is on organizing political pressure campaigns abroad and disseminating Ukrainian war propaganda via social media, including Telegram, VKontakte, Discord, and Reddit. The Ministry of Digital Transformation has taken public credit for establishing both the IT Army and the Internet Forces of Ukraine on 10 March.

As it currently stands, the IT Army and the Internet Forces are publicly portrayed as two civilian-led government projects that function entirely separately from Ukraine’s military command structure and maintain no links whatsoever to the nation’s intelligence services. From a purely institutional point of view, however, it is highly questionable whether the Ministry of Digital Transformation has the legal authority to independently setup the IT Army and the Internet Forces without any coordination or control exercised by Ukraine’s defense and intelligence services. For Ukraine’s defense and intelligence services to roll their thumbs and let the IT Army and Internet Forces conduct operations freely and independently – particularly during war time – seems to be not only an analytical stretch but would highly likely also lead to strategic confusion and tactical interference with the defense and intelligence services’ own operations in cyberspace.

It is also questionable whether the Ministry of Digital Transformation has the necessary in-house skills and knowledge that underpins the cyber and information warfare operations the IT Army and Internet Forces have been conducting. Talking to Wired, Anton Melnyk, who is an advisor to the Ministry of Digital Transformation, explained that “we have restructured the Ministry of Digital Transformation into a clear military organization”. Similarly, speaking to Politico on 8 March, Deputy Minister of Digital Transformation Oleksandr Bornyakov noted that “we are the first in the world to introduce this new warfare. And it’s powerful, yet simple at the same time. … It’s impossible to disrupt it or break it down”.

Back in March 2022, Dina Temple-Raston interviewed one of the eight administrators of the IT Army channel for The Record. Probably the most interesting exchange occurred right at the beginning when Dina asked: “Do you have a military background?” The administrator answered, “Um, sort of … It’s not the questions I can answer you fully because it may lead to a better understanding of what kind of person I am”. While we cannot be certain, we can somewhat infer that any statement on having served in the three main service branches would not have provided peculiar insights – i.e., the statement “I was in the Navy” could mean anything from being a cook to a naval demolition specialist. But the outright refusal to say anything may hint at an intelligence background. Similarly, it is highly unlikely that an unvetted random person on the internet is being entrusted with the role of administrating the IT Army channel and overseeing a community of close to 300,000 subscribers to organize Bornyakov’s “new warfare”. At a minimum one would expect some level of social media campaigning or government coordination experience, and at a maximum an intelligence/military background in cyber or information warfare.

Interestingly, from the Russian perspective, the IT Army and Internet Forces likely maintain close relations – or might even be extensions – of Ukraine’s 72nd Center for Informational and Psychological Operations in Brovary/Kyiv. The 72nd Center was stood up back in 2003 in Sevastopol as part of Ukraine’s Special Operations Forces and was one of the last military units that resisted the Russian occupation of Crimea in 2014. Until recently, the 72nd was Ukraine’s main center that specialized in information and psychological operations. Very little is publicly known about the internal structure and operations the 72nd has conducted in the past, and given the current war context, it is rather difficult to distinguish between reliable new information and Russian war propaganda. For example, according to the Russian International Affairs Council, the 72nd is not only involved in intelligence, subversion, and counterintelligence activities, but also conducts “propaganda information campaigns in telecommunications networks and the Internet, and, together with the [Security Service of Ukraine], coordinate the activities of Ukrainian patriotic hacker groups, volunteer information communities and Internet resources”.

What we definitely do know is that on 1 March the Russian Defense Ministry proclaimed that “information attacks on Russia are carried out by the 72nd Main Center for Information and Psychological Operations of the Armed Forces of Ukraine, together with the cyber operations units of the SBU, using hardware and software systems and communication facilities in Kyiv”. The Ministry went on to explain that “in order to thwart informational attacks against Russia, [Russian forces] will strike technological objects of the [Security Service of Ukraine] and the 72nd Main [Psychological Operations] Center in Kiev”. On 2 March, Russian air strikes took out the SBU’s headquarter, the 72nd Center, as well as a building that housed the control room of Kyiv’s TV tower. Notably, as of this writing, no Russian airstrike has been directed at the building of the Ministry of Digital Transformation.

Another somewhat related piece to the puzzle appeared on 7 March, when cybersecurity consultant Jeffrey Carr published an article on his substack Inside Cyber Warfare, which claimed that the Beloyarsk Nuclear Power Plant in Zarechny, Russia, was breached by cyber operators from the Main Intelligence Department of the Ukrainian Ministry of Defense (GURMO). According to Carr, GURMO exfiltrated “a large amount of data including contracts, architectural diagrams, alarm system configurations, set-up instructions for control system parts”. It is highly questionable whether Carr ought to be considered a reliable source. As he himself explains, “the problem was that journalists wanted to speak to GURMO and that was off the table. … They could speak with me because I was the only person who the GURMO team would directly speak to”. Given the unverifiability of Carr’s claims, journalists were rightfully not willing to put their reputation on the line for a single-sourced story. As of this writing, Carr has published 16 additional pieces claiming that GURMO breached Roscosmos, Gazprom, the communication servers of the Black Fleet, as well as the FSB’s Special Operations Unit 607. None of these claims have been verified. In early April, Carr even went as far as insinuating that GURMO gained access to Gazprom’s pressurization controls, supposedly leading to the physical rupture and fire at two Russian pipelines. There is zero evidence that supports Carr’s story. What is similarly problematic is that Carr claims to be in possession of the complete data leaks that GURMO allegedly exfiltrated, but only paying subscribers to his substack are allowed access. Why does he not approach DDoSecrets like Anonymous has frequently done to publish its data leaks? Why is GURMO only using Carr as their public representative and no one else – not even the IT Army, Internet Forces, or any of the well-established professional journalists covering cyber? Given the absence of logical answers, Carr’s substack ought to be read with great caution. Having said that, Carr’s reporting does present an easy answer to the question as to what Ukraine’s intelligence services have been up to in cyberspace. If we treat Carr’s pieces at face value, then GURMO is primarily focusing on hack-and-leak operations that have even less immediate impact on the course of the war than those conducted by Anonymous and other hacking groups since the start of the invasion. Similarly, if viewed in relation to the strategic and public impact the IT Army and Internet Forces have had on Russian society, private companies, and foreign governments, then GURMO’s activities are close to irrelevant.

The absence of known activities by Cloud Atlas – the only advanced persistent threat (APT) actor that might be of Ukrainian origin – amidst the Russian invasion is another mystery that has not yet been solved. Overall, there are currently no good answers to the question of what Ukraine’s intelligence and defense agencies are doing offensively in cyberspace. The only logical answer with the current evidence at hand is that the Ukrainian intelligence services are likely deeply intertwined with the IT Army’s DDoS targeting and tasking flow, the Internet Forces’ information warfare activities, and the IT Army’s in-house operations. Assertions that Ukrainian intelligence and defense agencies are not involved at all in any of these activities are either naïve or – at this point – wilfully ignorant.

The IT Army and External Groups

Open-source intelligence researcher CyberKnow has assembled the most comprehensive overview of all the different hacking groups/individuals that have popped up since the Russian invasion. On 1 May, CyberKnow identified 74 active groups/individuals, 46 pro-Ukraine, 26 pro-Russia, and two whose allegiance is unknown.

Apart from the IT Army’s DDoS cooperation with a variety of groups on Telegram, there is very little known about how the IT Army views groups such as the Belarusian Cyber Partisans and the numerous sub-groups that are operating under the banner of Anonymous.

The Partisans were formed back in September 2020 in reaction to the protests and subsequent violent crackdown following the contested presidential election in Belarus. The group’s first known public hack was the defacement of the website of the Belarusian Presidency on 2 September 2020. Only nine days later, the Partisans conducted one of their most impactful hack-and-leak operation to date by sharing a vast database of Belarusian law enforcement officers with NEXTA, which has become the biggest Russian-speaking Telegram channel/media outlet covering the protests in Belarus. In August 2021, the Partisans became one of the three founding organizations of the Belarusian resistance alliance Suprativ. The other two are the Flying Storks, who are conducting resistant activities outside of cyberspace, and the People’s Self-Defense Squads, who are publishing training videos and self-defense instructions. In the context of the war in Ukraine, the Partisans rose to international fame when they ran a ransomware campaign against the IT systems of Belarusian Railways on 24 January 2022 to disrupt the movement of Russian tanks and equipment.

Anonymous

By contrast, Anonymous is an umbrella term for a decentralized collection of activities that feed into the global Anonymous movement and its diffuse ideology. Following the Russian invasion of Ukraine, several prominent Anonymous information hubs on social media accounts announced the beginning of Operation Russia or #OpRussia. Generally speaking, each Anonymous group/personality conducts their own operations. Occasionally, Anonymous groups/personalities loosely run operations together, and sometimes they might even breach the same target during similar time frames by pure coincidence. As of this writing, OpRussia has primarily consisted of DDoS attacks and hack-and-leak operations against Russian private companies and government digital infrastructure. What is important to stress is that each Anonymous group/personality has its own political motive and ethical reasoning. Sometimes these motives can generate initial approval and subsequent severe backlash from other Anonymous groups, as was the case when an Anonymous personality known as I_am_Mr_Grey (about 8,000 Twitter followers) announced Operation Falling Star in early April 2022. Grey essentially threatened that Anonymous would hack satellites in orbit and make them fall out of the sky. In a now deleted tweet with a video, Grey declared, “Dear NATO / UN / Putin – a message for you. We give you the rise of operation Falling Star. Should Putin attempt a second invasion and you NATO / UN does nothing, this SHALL be your fate”. Grey was subsequently ridiculed and ostracized to the point that he grovelingly apologized for his behavior.

The first item to note is that both the Belarusian Cyber Partisans and almost all groups operating under the banner of Anonymous are primarily active on Twitter. The IT Army by contrast exclusively operates on Telegram. That being said, the closest to an official IT Army representative on Twitter is an account called sudo rm -RF (@sudormRF6), who says that he represents the “Ukrainian Cyber Front”. The connection between sudo rm -RF and the IT Army consists of at least three data points. First, sudo rm -RF posted the Rossgram beta-sign up database on 29 March 2022, – one week prior to the IT Army releasing its video on Rossgram – using the file sharing service Mega.nz. Second, sudo rm -RF posted several screenshots of RuTube’s internal folders, documents, and source code on 10 May – four days prior to the IT Army posting its video about RuTube. And third, the sudo rm -RF account appears for eight seconds in the IT Army’s RuTube video, during which the narrator discusses “gradually publishing [RuTube internal documents] on the Mega.nz file sharing service”.

Except for sudo rm -RF, all other accounts that claim to represent the IT Army of Ukraine on Twitter are neither affiliated nor officially endorsed by the IT Army. This includes the 45,600 or so follower strong ITarmyUA account which many individuals in the Anonymous movement portrayed as being the official IT Army Twitter account. In fact, almost every time Anonymous claims to have cooperated with the IT Army they tag the ITarmyUA account in their tweets. Thus, when Twitter suspended ITarmyUA on 29 April, thousands of Twitter users viewed this as an act against Ukraine and fundamentally as political censorship.

For anyone that bothered to take a closer look, it was immediately evident that ITArmyUA was a rebranded account created back in August 2018 that changed its user handle and scrubbed all its tweets prior to March 2022. No one in the IT Army’s Telegram channel ever mentioned or cared about the ITArmyUA account being suspended on Twitter. The official IT Army website does not link to the ITarmyUA account, and neither Mykhailo Federov nor the Ministry of Digital Transformation follows the ITarmyUA account on Twitter.

So how does Anonymous’ outrage fit into the bigger picture? Looking at the dynamics and possible motives, it is highly likely that someone identifying with the Anonymous movement rebranded their account to pretend to be the IT Army on Twitter. The ITarmyUA account was then subsequently hyped by numerous Anonymous accounts to gain a massive Twitter following out of nowhere. The account was then utilized to provide legitimacy to the claims that Anonymous was actively cooperating with the IT Army, and by extension created the illusion that the Ukrainian government endorsed Anonymous’ actions.

Anonymous’ desperate hunt for legitimacy and official government recognition has even led some groups to insert the Anonymous logo into copies of the IT Army’s official videos, and others went so far as to proclaim themselves to be the official international chapter of the IT Army of Ukraine. None of these claims has ever been acknowledged by the IT Army. In fact, the IT Army’s Telegram channel has only ever once used the word “anonymous” when they thanked the Telegram group Anonymous-Ukraine on 4 April for their DDoS cooperation.

Overall, the IT Army has shown little interest in officially displaying any closeness to the Anonymous movement. This behaviour is likely due to (a) Anonymous’ decentralized nature and not knowing who is speaking on whose behalf, and (b) Anonymous’ reputation as a loose cannon in general, where every group and individual does what they want for the sake of social media clout and public attention. As of this writing it is unknown whether the IT Army’s in-house team has occasionally cooperated with groups that are close to Anonymous. Repeated email inquiries to the IT Army to verify claims made by a handful of groups (including BeeHiveCybersec) have gone unanswered.

Belarusian Cyber Partisans

Curiously, the Belarusian Cyber Partisans have also faced the same unresponsiveness from the IT Army. On 18 March, the Partisans wrote on Twitter that “we are willing to support [the IT Army] with intelligence, tools and ops. Sent them an email and then twitted about it. We did not get a reply from them as of yet”. When asked again on 29 April, the Partisans explained that we “haven’t managed to get a direct contact unfortunately”.180 As of this writing, the Partisans appear to have been unable to connect with the IT Army.

The IT Army did target Belarusian sites on 27 February, when the channel announced 43 different sites to DDoS, including websites of the Belarusian government, media, banks, and industrial companies. The only other two instances in which the IT Army did so, was on 20 March – against the Belarusian site of Bitrix24, which is a cloud customer relationship management company headquartered in Virgina, US. And on 5 April, the IT Army targeted cdek.by – which is the Belarusian site of the Russian international express delivery company CDEK. Since 5 April, no Belarusian sites have been targeted by the IT Army. It is unclear whether this change is a deliberate restriction based on internal decisions, or simply an evolutionary process by which the IT Army has come to focus solely on Russia.

The IT Army’s reluctance to talk to the Partisans might be following the same logic as it does vis-a-vis Anonymous. The IT Army does not have good answers to (a) who exactly the individuals are that make up the Partisans, (b) whether the IT Army can trust them, (c) what the Partisans underlying political motives are – given that they are part of the Belarusian resistance alliance Suprativ, (d) whether an IT Army-Partisan cooperation in cyberspace could be politically viewed as the Ukrainian government cooperating with the Belarusian opposition in exile, and (e) what the IT Army’s options are if the Partisans go off script with their activities.

Overall, the hybrid setup the IT Army has mastered requires a healthy sense of paranoia and the need to take operational security extremely seriously – to guard against Russian infiltrators and information breaches. Particularly in times of war, discerning between who is a friend, a foe, and everything else in between is an inherently complicated task.

IPStress

One curious external cooperation popped up in early May when the itarmy.com.ua website began to display its one and only partner on the bottom of its site: IPStress.in. According to IPStress itself, they are the best IP booter stresser that “can down any game server such as ovh, nfo, fivem servers etc. Bypassing every protection such as cloudflare with our blazingfast methods. Buy now and enjoy the strong power from our botnets as well”. That self-description got a bit weird, when in early 2022 the IPStress.in website started to use Cloudflare’s DDoS protection service.

On 31 May 2022, the FBI and the US Department of Justice announced the seizure of three internet domains: weleakinfo.to, ovhbooter.com, and ipstress.in. In the DoJ’s press release, US Attorney of the District of Columbia Matthew M. Graves explained that ipstress and ovhbooter “publicly offered to conduct ‘Distributed Denial of Service’ attacks, or ‘DDoS’ attacks for clients – specifically, a format called booter or stressor attacks. … The seizures of these domains were part of a coordinated law enforcement action with the National Police Corps of the Netherlands and the Federal Police of Belgium. The actions executed by our international partners included the arrest of a main subject, searches of several locations, and seizures of the webserver’s infrastructure”.

The simultaneous take down of all three domains and police raids in several locations suggests that this was the culmination of a months – if not year – long criminal investigation. Thus, the take down of IPStress.in did not occur in response to their partnership with the IT Army. Nonetheless it is rather disturbing that the IT Army – a Ukraine government-created entity – was willing to form and openly advertise its partnership with a cybercriminal DDoS enterprise. As of this writing, the IT Army website has changed its official partner to the hosting service ukraine.com.ua.

As of June 7, 2022, IPStress.in is still mentioned on the IT Army website under the official English translation for the section on “Friends and Partners of the IT Army of Ukraine”.

On June 10, the Russian Foreign Ministry declared that “according to experts, in order to carry out massive DDoS attacks involving ‘cyber volunteers’, attackers use malicious software based on the servers of Hetzner (Germany) and DigitalOcean (USA) supplier companies. Foreign specialized platforms (War.Apexi.Tech, Ban-Dera.com) are actively used, the online capacities of IPstress.in and Google servers are regularly used”.

Conclusion

The IT Army of Ukraine is a unique and smart construct whose organizational setup and operational impact will likely inform the art of cyber and information warfare in future conflicts. On the public side, the IT Army serves as a vessel that allows the Ukrainian government to utilize volunteers from around the world in its persistent DDoS activities against Russian government and company websites. As of 7 June 2022, this includes 662 targets. On the non-public side, the IT Army’s in-house team likely maintains deep links to – or largely consists of – the Ukrainian defense and intelligence services.

Overall, both Kyiv and the Ukrainian IT community at large have shown the world what digital diplomacy on steroids looks like. Their conduct has collapsed entire pillars of existing legal frameworks regarding norms and rules for state behaviour in cyberspace and has taken apart the illusion of separating the defense of Ukraine from Ukrainian companies and citizen living abroad. As of this writing, EU and NATO member states have equally failed to adapt to – or even grasp – what the IT Army really is. Western observers and governments still believe that it is just a collection of random volunteers conducting meaningless DDoS attacks against Russian websites. They have so far failed to see the underlying organizational structure, operational conduct, and wider ecosystem that underpins the IT Army and Ukraine’s fight in the cyber and information domain. For better or worse, continuing to ignore the essence of the IT Army will wreak havoc on the future stability of cyberspace and with it the national security landscape in Europe and beyond.

There are many questions this report leaves unanswered or can only answer in varying degrees of certainty. Time will tell how the IT Army evolves from here on out and whether history will judge this report as being both balanced and objective.

Some questions this report has not touched upon might be of interest to future research and policy discussions including:

(1) How is it possible that the official IT Army website (itarmy.com.ua) and Cyber Palyanits (cyberarmy.com.ua) are protected by Cloudflare’s anti-DDoS service? On both sites users can find an assortment of DDoS tools and instructions. It seems rather odd that an anti-DDoS service like Cloudflare is protecting the very sites that are organizing the most impactful DDoS activities amidst the Ukraine war.

(2) How is it possible that the IT Army’s official email account and application forms are hosted by Google, when the itarmy.com.ua site includes detailed instructions on how to misuse Google’s Cloud Servers for DDoS attacks? Does Google have a policy in place to deal with belligerents using its products in the context of an international armed conflict?

(3) Does GitHub – and by extension Microsoft – have a policy in place to take down repositories/tooling specifically designed for users worldwide to participate in an international armed conflict? As of this writing, senior Microsoft executives have been publicly preaching about preventing cyberwar – while actively helping Ukraine defending its networks – yet none of the GitHub repositories mentioned in this report seems to violate GitHub’s terms of service.

(4) What are the economics of the IT Army and the ecosystem around it? Are cryptocurrency donations, influencer support, and holders of Hacken’s various tokens a major source of revenue to improve the IT Army’s DDoS infrastructure both in and outside Ukraine?

(5) And what political prescedents are US software companies such as Clearview, Starlink, and maybe soon Palantir setting by offering their novel technologies and infrastructure to one belligerent in an international armed conflict? In the context of the Ukraine war, it might be easy for company executives to decide which belligerent to support. But what happens when that assessment runs counter to US foreign policy interests? Also, how should other governments – particularly those in Europe – view the conduct of these companies? Should they be seen as extensions of US foreign policy? Or are they independent actors? And if so, what strategic interests, foreign policies, and legal and ethical considerations underpins the conduct of those companies?


Stefan Soesanto is a Senior Researcher in the Cyberdefense Project with the Risk and Resilience Team at the Center for Security Studies (CSS) at ETH Zurich. Stefan works closely with the Swiss Defense Department. Among others, his writings have been published by the Cyber Defense Review, Air University, Lawfare, the Royal Institute Elcano, the Konrad-Adenauer Stiftung, Defense One, and the Council on Foreign Relations.

Made with by Agora