The international reaction to the Russian invasion of Ukraine has manifested in a few distinct ways, as outlined in our previous reporting. This includes humanitarian efforts, wide-ranging sanctions, and businesses halting operations in Russia. Another notable response is the resurgence of hacktivism. A variety of hacktivist attacks have been conducted, with a significant number, unsurprisingly, coming from within Ukraine. This blog will dive into hacktivist activity we’ve observed in the past few weeks, and discuss what hacktivists are doing differently this time around. 

Hacktivism in response to the Russian invasion

Hacktivism is highly influenced by geopolitical and political conditions; it is not often a proactive ideology. This is why we see it mostly ebbing and flowing, with hacktivism often thought to be a downtrending attack vector since 2017. Events that attract global attention, as seen with the Russian invasion of Ukraine, are likely to galvanize hacktivists en masse. Hacktivism has historically taken the forms of denial-of-service attacks, defacement attacks, and data leaks. We’ve definitely seen all of these types of attacks in the last few weeks.

However, what’s notable is that in some cases, it is being organized centrally. On 26 Feb 2022, Ukraine’s Vice Prime Minister and Minister for Digital Transformation, Mykhailo Fedorov, announced that Ukraine had created an “IT Army” to combat Russian cyber-action. The group, openly available on Telegram as the IT Army of Ukraine, reportedly contains over 400,000 members. The group administrators are dictating orders, with the members carrying them out. Fedorov even stated that there will be “tasks for everyone”, indicating a willingness to bring as many volunteers on board as possible.

Mykhailo Fedorov’s call to digital arms 

Notably, the IT Army of Ukraine has had some initial success; on 28 Feb 2022, the administrators proclaimed victory in taking down the Moscow Exchange’s website. The same occurred with the state-owned Sberbank, and several other targets, including the Russian power grid. Before we move on to discuss the targets, it is important again to note that this was promoted by the Ukrainian government, in an unprecedented move of state-sanctioned hacktivism.

The return of Anonymous

Crowdsourcing such operations is, however, not a novel technique. Anonymous has shown that for years, and the hacking collective has made a serious comeback in recent weeks. The advantage of a group such as Anonymous is its flexibility; because it does not have a serious centralized structure and chain of command, anyone can deface a Russian site and claim it in the name of Anonymous. Another novel technique we’ve seen has involved the use of mobile phones. A Polish hacktivist collective named squad303 has developed a website that randomly selects from around 140 million Russian email addresses and 20 million phone numbers, and lets users circumvent Russian propaganda by sending information about the war in Ukraine directly to these phones and addresses. Although the impact of this is yet to be seen, it demonstrates ingenuity in getting around highly restrictive reporting laws in Russia.

squad303’s Twitter page

There are, however, risks that come attached to hacktivist activity. DDoS and site defacement are illegal, and there is a chance of unintended consequences. Hacktivism could potentially play into the hands of Kremlin propaganda: that Western-aligned actors are disrupting Russians’ day-to-day lives, that they’re lying about Ukraine, and so on. Another unintended consequence could be that hacktivism further encourages the Kremlin to enact its “Sovereign Internet” law, a measure designed to cut off the Russian internet from the rest of the world. Amid this risk is also the possibility that someone goes too far and causes a level of disruption that poses a threat to life. Russian authorities would likely associate this with a nation-state, thereby increasing the chances of miscalculation or escalation. Despite these risks, hacktivists will highly likely continue to combat Russia in cyberspace. If you want to read more, our latest edition of What We’re Reading This Month also provides some valuable insights into hacktivism.

In summary, we’ve seen a significant increase in hacktivist operations since Russian forces crossed into Ukraine. Volume of activity has spiked, but we’re also observing novel approaches to organizing and attempting to circumvent obstacles. This will likely continue in the coming weeks and months as the war develops. If you want a deeper dive into hacktivism and ongoing events related to Russia and Ukraine, get a customized demo of Search Light (now ReliaQuest GreyMatter Digital Risk Protection).