Press "Enter" to skip to content

Ukraine’s IT army is doing well, hitting Russia with ‘cost and chaos’

By Kyle Alspach — — Whatever you might think about the risks involved with Ukraine’s IT army — and there are some big ones — available data shows that the initiative is, in fact, making an impact against Russia. The Ukraine IT army is also starting to expand beyond basic attacks, known as distributed denial-of-service (DDoS), and into cyberattacks that may prove more difficult for targeted Russian sites to defend against. My source on this is security professional Chris Partridge, who has been tracking the status of Russian internet properties targeted by Ukraine’s IT army. On GitHub, Partridge has been posting data every day since Sunday — the day after the initiative was announced — about what percentage of targeted Russian sites were still online. The bottom line for the findings: More than half of the Ukraine IT army’s targeted sites have faced partial or total outages in Russia, based on the samples collected.

In other words, Ukraine’s IT army is so far a success — at least as far as what it’s aiming to do. “IT Army’s stated goal is simply that people should use whatever force they can to disrupt these sites,” Partridge said in a message to VentureBeat. “In that sense, they’ve galvanized a massive number of people to action, and I believe the data shows the galvanized mob can clearly impose cost and chaos on many targets.” Outside of Russia, the percentage of targeted sites that have gone offline is “much higher,” he noted. While the potential impact of doing that is smaller, it’s still no doubt disruptive.

Building an army

Ukraine is setting out to repel an unprovoked and deadly assault from an attacker with far-superior resources, both when it comes to traditional military means and cyber capabilities. As part of that effort, Mykhailo Fedorov, Ukraine’s vice prime minister, announced the Ukraine IT army initiative last Saturday on Twitter. “There will be tasks for everyone,” Fedorov tweeted. “We continue to fight on the cyber front.” At last count, Ukraine’s IT army had amassed 288,696 subscribers to its public Telegram channel — presumably including a considerable number of people who are not from Ukraine.

Adding targets

The IT army adds new targets on a daily basis, and sometimes multiple times a day. As the target list has grown, the percentage of targeted sites going offline has decreased, but not by much, according to Partridge’s data. As of his last sample on Thursday, about 44% of targeted sites were offline — compared to 56% of sites that were offline during his first sample on Sunday, when far fewer sites were being targeted. Partridge disclosed one caveat, as any good researcher would, that the project isn’t necessarily telling the full story, since he hasn’t made a point of checking targets right after the IT army announced them. “It’s possible that more sites have been KO’d, but recovered quickly due to good anti-DDoS practices,” he said. But even if that’s the case, that only reinforces the idea that the Ukraine IT army is doing well, rather than contradicting it.

Partridge acknowledged that he does question some elements of the initiative — such as whether some target choices were really that tactical (several weren’t, he says). There’s also the question about whether some attacks could be made more powerful. “The tools some people have written to make contributing to this DDoS ‘easy’ are not maximizing the potential of the systems they’re running on,” Partridge said. However, those complaints “are completely dwarfed by how little effort Ukraine itself has to put into this for the results it’s attained,” he said. “To have an audience of 250,000 overnight — and allegedly DDoSing in the terabit-per-second range with no up-front cost to Ukraine in building out these offensive cyber capabilities — the efficiency on this is staggering.”

New tactics

And Ukraine’s IT army is starting to up its game, too, according to Partridge. The group has traditionally been targeting the “front door” – public web applications for companies and government agencies, he said. However, the efficacy of DDoS against sites generally decreases over time on a per-site basis — as the operators of targeted sites deploy anti-DDoS protection or enhance their current protections, Partridge noted. Crucially, on Thursday, the Ukraine IT army singled out SIP servers, which are used for internet-based voice calls, he said. “Defenders may have a harder time protecting [those servers] and will need to keep them online for business functionality,” Partridge said. Partridge, who works for Amazon, but is doing this project in his spare time, said on his GitHub page for the project that he’s taken this on because it’s an important issue for the security community to be following. And having some independent data is critical to being able to accurately assess what Ukraine’s IT army is doing. “All cybersecurity professionals should be paying attention to this,” he wrote on the GitHub page.

‘This is the blueprint’

In his messages to VentureBeat, Partridge elaborated, saying that “this is the first time we’re seeing two countries which heavily rely on technology duking out a direct conflict.” “This is the blueprint for future cyberwar, and hacktivism has led to so much international engagement alone that it seems inevitable that future conflicts would try to replicate the passion from this,” he said. “A lot of people went into this — myself included — expecting that Russia would be fiercely competitive in cyberspace. They’re still a force to be cautious of, but I think there’s some reeling from how quickly Ukraine struck back without having comparably mature and well-resourced operations.” It’s worth recognizing, though, that “this is also setting a somewhat dangerous precedent — where I think a lot of people are going to do hacktivism, feel empowered from doing hacktivism, and then continue doing hacktivism in the future without really internalizing that CFAA (or other regional laws) hit hard and have been used against hacktivists before,” Partridge said. “This is potentially something that security professionals will need to shore up even without preparing for a conflict,” he said.