Hacktivists in Russo-Ukrainian war: an army of monkeys or NATO-trained combatants?


Offensive cyber operations in the Russo-Ukrainian war might sometimes seem sloppy or amateur. Yet, experts believe some of them might be a defining moment of the war.

Cyberweapons have been key components in the ongoing conflict in Ukraine despite abundant discussions about the lack of cyber operations at the beginning of the war.

Has Ukraine learned its lessons?


"There've been nearly 300 distinct cyberattacks over the whole war period, but if you distill that down to how many of them are tied to actual kinetic activities, I think it's less than 10," Marc Rogers, VP of Cybersecurity Strategy at Okta, said during the Institute for Security and Technology webinar.

Recently, Microsoft said that the Kremlin's use of cyber weapons is strongly correlated and sometimes directly timed with its kinetic military operations.

For example, with the Mariupol siege underway, Ukrainians were flooded with emails allegedly from a Mariupol resident, falsely accusing Ukraine's government of "abandoning" its citizens.

Stairwell's security researcher Silas Cutler believes that Russian kinetic actions and cyber operations haven't been cohesive.

"Even though there were like 300 cyber attacks, it doesn't differentiate which ones were larger strategic attacks that failed and which were just short-term opportunistic attacks [like DDoS]," he said.

Several factors might explain the absence of destructive Russian cyberattacks targeting Ukraine. First of all, the international community has been providing support in the cyber domain to Ukraine even before the invasion and ramped up its efforts to help the country after the war started.

In 2015, Russia hacked the Ukrainian power grid and caused the first-ever blackout triggered by hackers. Approximately 230,000 people were left without electricity. The incident likely prompted Ukraine to articulate its cyber strategy and improve the resilience of critical infrastructure.

"The unanswered question is, how much of the lack of decisiveness of cyber in this conflict is due to things that are inherent limitations of cyberspace in wartime, is it due to effective defensive cyber resilience by Ukraine in correlation with government and private sector partners, due to Russian incompetence not just in cyber but in kinetic domains?" Erica D. Borghard from Columbia University wondered.


Russian opportunists

Rogers noted Ukrainians are familiar with Russian cyber tactics and vice versa.

"We sometimes forget just how close Ukraine is to Russia, so many of the activities have crossover. Much cybercriminal activity has been joint Russian and Ukrainian or whole region participation," he said.

Cybercriminal gangs indeed are or at least used to be a blend of Russian and Ukrainian crooks. Due to the ongoing conflict, those threat actors are experiencing tectonic changes. For example, after Conti announced its allegiance with Vladimir Putin, a pro-Ukrainian researcher with the means to access Conti's data exposed the ransomware gang by leaking thousands of documents.

Ukrainian officials affirm Rogers' claims. "Russian technological capacity seems to have reached the ceiling. No one says 'surprises' are impossible, but so far, the attack technique remains unchanged, and we know them all," the State Service of Special Communication and Information Protection (SSSCIP) said.

Rogers does not anticipate significant sophisticated surprises from Russia in the near future.

"The Russians are way more opportunistic than people think. Everyone thinks of them as a laser-focused, zero-day wielding giant who takes whatever they are after. They are much more 'we'll grab what we can over a period of time' and then build a cohesive operation around it. This means that a lot of their campaigns have to be planned way farther out. You will not see a lot of new clever stuff unless they are keeping it under their sleeves, which, honestly, given the way the war is going, I don't think they probably are," he said.

A lot at stake for cyber volunteers


Rogers believes that the summoning of the Ukrainian IT army was a genius move. It allowed Ukraine to perpetuate the narrative, get many people engaged in the war, and bolster support in many other areas.

However, the success of its operations is open for debate.

"Basically, it's an army of monkeys. Doesn't mean to say it's not good to have an army of monkeys on your side, but it's never going to be a massively decisive thing," Rogers said.

On the other hand, Belarusian Cyber-Partisans proved to be 'phenomenally effective.' So many hacktivist groups worldwide are now on a quest to hurt Russia one way or another, and the Kremlin promised to seek liability for hackers attacking the country's infrastructure.

"It is going to be fascinating to see what happens later. Rules have changed. Strictly speaking, it is acceptable to use kinetic responses to people engaging in cyber activities in regions of conflict. I don't think we are likely to see people being blown up in the US, but on the other hand, some folks participating in this stuff in bordering countries might want to be a little bit more careful about some of the stuff that they do," Rogers said.

Cutler noted that Russia classified the volunteers joining the Ukrainian IT army as mercenaries.

"I am very curious to know what that means in terms of foreign policy because they are not given the same protection as lawful combatants. It changed the dynamic," Cutler said.

The Kremlin believes that the people behind the Ukrainian IT army are trained by the US and NATO experts.

"In fact, this cyberwar is being waged by an army of cyber mercenaries who have been given concrete combat tasks that often border on terrorism," the Russian foreign ministry said in a statement.

Russia is shooting itself in the foot


Ukraine is actively making use of the fact that Russian troops keep taking selfies and calling home. The metadata that is pulled from these images provides Ukrainians with considerable intelligence.

"Russia even passed a law recently to say that troops aren't allowed to do this. But they still do. It will be seen as a major factor in this war that's targeting and intelligence gathering capability of poorly secured devices. When you combine that with a green force of low morale people calling home, it only worsens," Rogers said.
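The metadata leak Rogers describes is the Exif block that phone cameras embed in JPEG files, which routinely carries a GPS IFD with the latitude and longitude of the shot. The following added example (not code from the article or from anyone quoted in it) is a dependency-free Python check a defender can run before a photo leaves a device or a mail gateway: it walks the JPEG marker segments, decodes the GPS coordinates from the Exif TIFF structure, and produces a copy with the Exif segment removed. The sample image is constructed in the code itself (a bare Exif segment, a comment and the end-of-image marker, not a real photograph), and the coordinates in it are made-up values.

```python
import struct

# Constructed sample coordinates (not a real location): ref letter, then
# degrees, minutes, seconds as (numerator, denominator) RATIONAL pairs.
SAMPLE_LAT = ("N", (12, 1), (34, 1), (12, 1))   # 12 deg 34' 12" N
SAMPLE_LON = ("E", (98, 1), (45, 1), (36, 1))   # 98 deg 45' 36" E


def _ifd_entry(tag, typ, count, value_bytes):
    """One 12-byte big-endian IFD entry; value_bytes is the 4-byte value/offset field."""
    return struct.pack(">HHI", tag, typ, count) + value_bytes


def build_sample_jpeg(lat=SAMPLE_LAT, lon=SAMPLE_LON):
    """Assemble SOI + APP1 (Exif with a GPS IFD) + COM + EOI. This is a constructed
    stand-in for a phone photo; offsets inside the TIFF block are relative to 'MM'."""
    tiff_header = b"MM\x00\x2a" + struct.pack(">I", 8)           # IFD0 at offset 8
    gps_ifd_off = 8 + 2 + 12 + 4                                   # IFD0 is 18 bytes -> 26
    # IFD0: a single entry, the GPS IFD pointer (tag 0x8825, type LONG=4), next-IFD = 0
    ifd0 = (struct.pack(">H", 1)
            + _ifd_entry(0x8825, 4, 1, struct.pack(">I", gps_ifd_off))
            + b"\x00\x00\x00\x00")
    # GPS IFD: LatRef, Latitude, LonRef, Longitude. The two RATIONAL[3] values
    # (24 bytes each) do not fit in 4 bytes, so they live after the IFD by offset.
    lat_data_off = gps_ifd_off + 2 + 4 * 12 + 4                    # GPS IFD is 54 bytes -> 80
    lon_data_off = lat_data_off + 24                               # -> 104

    def rationals(triple):
        return b"".join(struct.pack(">II", n, d) for n, d in triple)

    gps_ifd = struct.pack(">H", 4)
    gps_ifd += _ifd_entry(0x0001, 2, 2, lat[0].encode() + b"\x00\x00\x00")  # ASCII inline
    gps_ifd += _ifd_entry(0x0002, 5, 3, struct.pack(">I", lat_data_off))
    gps_ifd += _ifd_entry(0x0003, 2, 2, lon[0].encode() + b"\x00\x00\x00")
    gps_ifd += _ifd_entry(0x0004, 5, 3, struct.pack(">I", lon_data_off))
    gps_ifd += b"\x00\x00\x00\x00"
    tiff = tiff_header + ifd0 + gps_ifd + rationals(lat[1:]) + rationals(lon[1:])
    app1_payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_payload) + 2) + app1_payload
    com_payload = b"constructed sample, not a real photo"
    com = b"\xff\xfe" + struct.pack(">H", len(com_payload) + 2) + com_payload
    return b"\xff\xd8" + app1 + com + b"\xff\xd9"


def _segments(jpeg):
    """Yield (marker, start, end) for each length-prefixed segment before SOS/EOI;
    start..end spans marker, length field and payload."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):           # EOI or SOS: metadata segments are over
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        end = pos + 2 + length
        yield marker, pos, end
        pos = end


def _read_ifd(tiff, off, e):
    """Return {tag: (type, count, raw 4-byte value field)} for the IFD at off."""
    n = struct.unpack(e + "H", tiff[off:off + 2])[0]
    entries = {}
    for i in range(n):
        base = off + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[base:base + 8])
        entries[tag] = (typ, count, tiff[base + 8:base + 12])
    return entries


def _dms(tiff, entry, e):
    """Decode a GPS RATIONAL[3] (degrees, minutes, seconds) into decimal degrees."""
    typ, count, raw = entry
    if typ != 5 or count != 3:
        raise ValueError("unexpected GPS coordinate encoding")
    off = struct.unpack(e + "I", raw)[0]
    nums = struct.unpack(e + "6I", tiff[off:off + 24])
    d, m, s = (nums[i] / nums[i + 1] for i in (0, 2, 4))
    return d + m / 60 + s / 3600


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the Exif GPS IFD, or None if absent."""
    for marker, start, end in _segments(jpeg):
        payload = jpeg[start + 4:end]
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        e = {b"MM": ">", b"II": "<"}.get(tiff[:2])
        if e is None:
            raise ValueError("bad TIFF byte-order mark in Exif")
        ifd0 = _read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
        if 0x8825 not in ifd0:
            return None
        gps = _read_ifd(tiff, struct.unpack(e + "I", ifd0[0x8825][2])[0], e)
        if not all(t in gps for t in (1, 2, 3, 4)):
            return None
        lat, lon = _dms(tiff, gps[2], e), _dms(tiff, gps[4], e)
        if gps[1][2][:1] == b"S":
            lat = -lat
        if gps[3][2][:1] == b"W":
            lon = -lon
        return lat, lon
    return None


def strip_exif(jpeg):
    """Return a copy with every Exif APP1 segment dropped; everything from the
    first non-metadata marker onward (scan data, EOI) is copied untouched."""
    out = bytearray(b"\xff\xd8")
    pos = 2
    for marker, start, end in _segments(jpeg):
        payload = jpeg[start + 4:end]
        if not (marker == 0xE1 and payload.startswith(b"Exif\x00\x00")):
            out += jpeg[start:end]
        pos = end
    out += jpeg[pos:]
    return bytes(out)


if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("GPS in sample:", extract_gps(photo))
    print("GPS after strip:", extract_gps(strip_exif(photo)))
```

Only the Exif APP1 segment is removed; other vendor APP segments, XMP (also APP1, but with a different signature) and embedded thumbnails can carry location data too, so a production filter should drop every APP segment it does not positively need rather than allow-list by signature the way this example does.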

He also believes that initiatives like 200rf.com might become a defining element of this war. 200rf.com is a website set up by Kyiv to help Russian families track down killed or captured soldiers. It contains pictures of the bodies and documents of Russian soldiers.

"It's a really direct way of reaching out and touching people. 200rf comes from the Russian cargo plane code for the cargo planes used to carry corpses out of Afghanistan. It's a very on the nose kind of approach. This direct interaction will be a really interesting and defining element of this war," Rogers said.