Ukraine’s IT Army keeps up attacks on Russia despite waning media hype
Ukraine's IT Army, a group of self-described hacktivists who drew significant media attention for targeting Russian entities in the war’s early days, remains active despite the fading public buzz.
According to a new report by Russian cybersecurity firm F6, the number of cyberattacks launched by the IT Army against Russia has risen sharply over the past year. The group became active in February 2022 and “has maintained its momentum” ever since, expanding the range of its targets.
Russian researchers noted the group’s growing focus on regional telecom operators, particularly in border regions such as Kursk and Belgorod. These areas have been among the hardest hit by the IT Army’s distributed denial-of-service (DDoS) attacks, which aim to overwhelm networks and disrupt services.
Regional companies are relatively easy targets, as many lack proper cybersecurity measures, said F6 researcher Elena Shamshina. Such attacks also generate publicity.
“Incidents where a lot of residents lose internet access get more attention, and attackers brag about how powerful their attacks were,” Shamshina added.
Earlier in March, the IT Army claimed responsibility for taking offline nearly 50 media websites in Kursk, a city in western Russia. Back in August, Ukraine launched a cross-border incursion into the Kursk region, seizing parts of Russian territory.
The group also claims to have targeted major Russian cities. On Tuesday, it said it had disrupted a transport payment app in St. Petersburg, temporarily knocking the service offline. The company confirmed the attack to local media but didn’t attribute it to a specific group.
The IT Army’s alleged attack on the operator of Krasnodar’s transport communication network in January temporarily made gated paid parking lots free.
“Our actions are starting to look more and more like a Hollywood hacker movie, just without the popcorn,” the group said in a statement at the time.
The IT Army of Ukraine was crowdsourced by Ukraine’s Ministry of Digital Transformation at the start of Russia’s invasion to fight in cyberspace using attacks such as defacing websites and knocking them offline.
Although the group now publicly claims fewer attacks than at the beginning of the war, it says it continuously improves its tools and updates the DDoS participant leaderboard.
“Each day brings new goals, new victories,” the group said. “We will carry our flag to the end.”
Ukraine-linked attacks
Civilian hackers have played an important role in the cyber war between Ukraine and Russia. Earlier in March, Ukraine's military intelligence service (HUR) honored a group of civilian cyber activists for their role “in strengthening national security,” marking the agency’s first official recognition of cybersecurity specialists outside the military ranks.
Ukrainian state officials have previously acknowledged cooperating with hacktivists in cyber operations and have praised their efforts. However, they have rejected claims that they control these groups or issue them assignments.
Ukraine’s military intelligence has also become more vocal recently about its cyberattacks against Russia. Over the past few months, HUR has claimed responsibility for attacks against one of Russia’s largest privately owned banks, the website of the ruling party and a Russian scientific research center.
Earlier this month, Russia’s security agency accused HUR of hacking two Kremlin-backed youth military-patriotic organizations to gather student data for potential recruitment in espionage or terrorist activities.
Russian cybersecurity firms also track other threat actors they suspect of having links to Ukraine’s government. Among them is Sticky Werewolf, which primarily targets government agencies, research institutes and industrial enterprises in Russia, Poland and Belarus.
Other allegedly state-backed hacker groups attacking Russia include XDSpy, GamaCopy, and Sapphire Werewolf, but none have been publicly attributed to a specific country.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.