How Ukraine’s volunteer hackers have created a ‘coordinated machine’ around low-level attacks

Before Russia invaded Ukraine almost three years ago, a Ukrainian entrepreneur who goes by the alias Ted said he spent his time building tech companies in Ukraine and abroad. When Moscow launched its first missiles on Ukrainian cities, Ted and other local techies joined a group called the IT Army, crowdsourced by Ukraine’s Ministry of Digital Transformation, to fight Russia in cyberspace using scrappy attacks like defacing websites and knocking them offline.

Ted never had much interest in hacking, but he figured some of his skills could be useful for the volunteer "army." He’s since focused on engaging with the press on behalf of the IT Army and curating the group's Telegram channel, which serves as its primary communication platform.

Since its early days, the work of the IT Army has raised many questions in the global cyber community: How is it linked to the government? What is its role in the ongoing cyber war? What could be the consequences of participating in the group? As the war in Ukraine rages on, most of these questions remain unanswered. The IT Army, however, isn’t slowing down — the group is improving its tools and sharpening its tactics, hoping that their attacks will help tip the scales in the war.

Just last month, the IT Army claimed responsibility for attacks on a Russian satellite communications system, several internet providers and a ticket payment system. Many of the group’s claims are difficult to verify, although the hackers often highlight Russian media reporting on the hacks as well as statements from companies affected by distributed denial-of-service (DDoS) attacks.

Similar to most DDoS attacks — which flood targeted services with junk traffic, making them unreachable — those conducted by the IT Army rarely result in long-term disruptions. The group is aware of its limitations, Ted said. Their attacks won’t win the war with Russia, but they could take a mental toll on people, disrupt Russian business operations and force companies to spend money on cyber defense.

“We’d like to be a straw that broke the camel’s back,” Ted said.

Founding and evolution

When Ted joined the IT Army in the early days of the war, he recalled that “nobody really knew why it was created or how it was supposed to operate.” The group didn’t have any structure or strategy, besides attacking as many Russian companies as possible. Initially, the IT Army’s targets included Russian delivery services, cinema websites and e-commerce platforms. Later, it moved to more strategically important targets, such as telecommunication companies, large banks and payment systems.

The group gained a significant following on its Telegram channel, peaking at around 300,000 members. Not all of them are actively engaged in hacking; some are merely curious about the group's activities, while others are Russian users gleaning insights into the hackers’ next moves.

Ukrainian state officials said that the IT Army and other hacktivist groups played a significant role at the outset of the war. "Russia did not anticipate such backlash from the Ukrainian and international community," said Serhii Prokopenko, who oversees operational activities at Ukraine’s National Cyber Security Coordination Center (NCSCC).

"The operations conducted by hacktivists diverted Russia's resources from attacks on Ukraine to fortifying its own defense, and we benefited significantly from this," he told Recorded Future News.

International experts have also praised the group’s activities. “Our analysis underscores the significant role played by the IT Army among pro-Ukrainian threat actors,” said a spokesperson from the Geneva-based nonprofit CyberPeace Institute. 

Its researchers detected at least 92 cyberattacks attributed to the IT Army over the past two years — the group itself claims that its attacks have impacted over 400 Russian companies in the last year alone.

Most of these attacks are low-hanging fruit, including DDoS attacks, defacements and hack-and-leak operations.

“DDoS attacks are simple and accessible for people without special hacking skills. Besides, you can never be completely protected from these types of attacks," Ted said.

For the group to carry out more destructive attacks, they'd need to overhaul their operations, which is challenging given that the community consists of thousands of volunteers spread across Ukraine and abroad, Ted explained. "It is better to improve and expand what we already have rather than switch to something new.”

Much has changed in the group’s operation over the past two years, however. Comparing the IT Army from its early days to what it's like now is akin to comparing a startup to a small yet well-established company, Ted said. 

“In the beginning, we didn’t have any software or an intelligence team, but now our processes are much more efficient, allowing part-time volunteers to carry out complex operations," he added. “Few people believe that volunteers can be turned into such a coordinated machine.”

Now, the IT Army consists of several different units — an intelligence team that chooses targets and plans attacks, software developers and a communication team. Each unit has a person in charge of its operations, but there's no single leader of the group.

The process of launching new products is similar to that used by startups: “Someone comes up with an idea, presents the minimum viable product (MVP), then it's tested and the group decides whether to launch it or not,” Ted said.

Hacktivists or state-controlled

Hacktivism has been a popular form of civilian resistance for years, but the IT Army has distinguished itself as a unique threat actor due to its founding, according to the CyberPeace Institute. 

“While the Ukrainian government has repeatedly stressed it does not control the IT Army, it has originally called upon hackers to join their efforts, provided instructions, and continues to benefit from their activities,” said Pia Huesch, research analyst at the UK’s security and defense think tank Royal United Services Institute (RUSI). “This leaves questions about the Ukrainian government’s involvement and any legal implications that could follow.”

The IT Army was formed in response to a call by Ukraine’s Minister of Digital Transformation, Mykhailo Fedorov. However, both the group and state officials claim that their cooperation hasn’t extended beyond this initial establishment.

“We didn't expect anything from the government, and they haven't provided anything. The business sector doesn't back us either, since we operate in a gray area," Ted said.

Ukraine’s Ministry of Digital Transformation told Recorded Future News that it does not comment on the IT Army, adding that it's a separate volunteer community and any statements from hacktivists represent the position of the IT Army, not the ministry.

Many researchers, however, disagree with the IT Army’s hacktivist status, suggesting that it likely collaborates with Ukraine’s defense and intelligence personnel and brings together civilians and dedicated professionals to conduct offensive operations against Russia.

“For Ukraine’s defense and intelligence services to roll their thumbs and let the IT Army conduct operations freely and independently – particularly during war time – seems to be not only an analytical stretch but would highly likely also lead to strategic confusion and tactical interference with the defense and intelligence services’ own operations in cyberspace,” said Stefan Soesanto, a senior researcher at the Center for Security Studies (CSS) at ETH Zurich in his report about the IT Army.

According to Ted, the group can only collaborate with the state on an unofficial and personal level. Prokopenko from Ukraine’s NCSCC said that government officials do not assign any tasks to the IT Army, but sometimes the group’s members contact representatives of Ukraine’s intelligence services directly and offer their assistance.

Legal consequences

The IT Army isn't recognized as a legal entity in Ukraine, so its activities are punishable even under local laws. When the war began, the legal consequences of hacking Russia weren't a concern for the group. However, now many Ukrainian hacktivists, as well as the international community, are concerned about how international humanitarian law will apply to civilian hackers once the war is over.

The group’s activities can carry legal consequences under international law, Huesch said. “For example, if their actions amount to direct participation in hostilities, members of the IT Army lose their civilian protection from direct attack by the adversary.”

This means that Russia could legally target a member of the IT Army who is directly participating in the war via online means.

Ted said that the group’s members are not afraid of such attacks: "Russia already fires missiles on everyone.” However, he does admit that some kind of regulation is necessary to provide more protection to Ukrainian hacktivists. "We would like Ukraine to set an example for the whole world and legalize such activism. Soldiers kill, partisans kill — and they do it legally, while our attacks are illegal," he added.

Ted suggested that assigning IT Army members the status of combatants could be one possible solution. According to the CyberPeace Institute, combatants enjoy specific legal protections if they are captured, wounded or sick, and they cannot be prosecuted for lawful acts of war. However, civilians participating in the IT Army may not receive the same protections and could be held accountable if they violate the law.

There are even greater risks for international members of the IT Army, researchers said. According to UN cyber norms, states are prohibited from allowing their territory to be used for internationally wrongful acts involving information technology. Individuals engaged in such activities may face prosecution under national, regional or international law.

"Launching a cyber operation from the comfort of your living room in another country may seem distant from the frontline, but it can still carry significant legal consequences," Huesch warned.

Despite numerous discussions over how the work of the IT Army should be viewed legally, neither Ukraine nor the international community has come to a definitive conclusion. 

Prokopenko said that it's unlikely that the group’s status would be changed in Ukraine. Instead, the country is considering the possibility of establishing a distinct cyber reserve, which will include the best members of the hacktivist community.

Cyber reservist groups help to maximize the army’s cyber capabilities, according to Huesch. “Estonia, for example, has an established cyber reserve force. The Ukrainian government previously said it wants to remodel its structures to something similar to those of Estonia,” she added.

As Prokopenko explained, Ukraine’s cyber reserves will consist of professionals who have expertise in cybersecurity and may be called upon to assist the state in cyber operations or cyber defense. Ukraine’s cyber reserve would likely be a part of the country’s Ministry of Defense, Prokopenko said, but the final decision is yet to be made.

Alongside cyber reserve forces, Ukraine is also considering establishing joint response teams with its international partners, where Ukrainian hacktivists could leverage their expertise, Prokopenko said. But while the war continues in Ukraine, “we want these people to remain with us," he added.

Ted said that the question of legal consequences of hacking has become more urgent recently, as there’s less likelihood that Ukrainians will lose their country to Russia. "Now we can think about our own security," he added.

The legal ambiguity, however, doesn't deter the group's members from continuing operations against Russia.

Ted said that the group has persisted for so long because its members feel that they cannot just stand by. “For most people, working in the IT Army is compensation for the guilt of not being on the front lines,” he added.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.