Ukrainian Cyber Volunteers

Every day, tens of thousands of volunteers turn on their devices, log in, and grind, attempting to move Ukraine closer to victory, one digit at a time.

“You are a hero,” she said. A Russian soldier deployed in Ukraine had been messaging with Tania, a local girl from his hometown in Russia, for a few weeks now, since they met online on the Russian social network Vkontakte. At this point he was comfortable sharing his feelings and some details of his deployment in Ukraine. He was glad to find some support–his other friends and some of his relatives were not so understanding. “They all say I’m a fool for even being here,” he replied about his deployment in Ukraine.

But Tania wasn’t from his hometown. She was a part of a cyber-group called The Elves, and one of the tens of thousands of Ukrainian digital volunteers logging in every day to stir trouble on the other side, get information and sow disinformation. Her unit’s primary mission was to get acquainted with Russian soldiers they know are involved in the war with Ukraine and get as much information as possible.

The information that Tania is after is not just the location of his unit or movements of Russian troops, but also things like personal motivations, patriotism, what makes him happy or sad, and what drives him to continue fighting in the war against her country.

What Tania was learning from her mark was that he feels abandoned, that it seemed like people back home have no interest in what is happening in Ukraine and have no understanding of his own level of desperation, as well as the general disorganized state of the Russian Army. So he was glad to find a sympathetic ear. And Tania was happy to listen.

Information like this is passed on to other groups or official channels tasked with weaponizing it.

The Elves originated in Lithuania in 2014. The founders saw Russia’s invasion of Crimea, the war in the Donbass region of Ukraine, and other Russian acts of aggression and disinformation as a looming threat to their own country and decided to do something about it. It started as a group of cyber-volunteers, and they chose the name for the mythical creatures that fight trolls. Now the Elves organization has become something much larger, with an active network spread across about a dozen countries in Europe, Ukraine being one of them. A common goal remains–to resist Russia in its efforts to create a parallel universe based on the Kremlin’s false narratives.

Maria, a volunteer in a digital activist network called The Elves in her rental apartment in the West of Ukraine

“Since 2014 I knew that Russia was an enemy,” says Maria, a cyber volunteer for the Ukrainian Elves. A Donetsk native, she saw the war coming to her home 8 years ago. After the Maidan Revolution in Ukraine she got involved in civil activism. Traveling around Europe, she was surprised that people outside of Ukraine weren’t aware that the armed conflict in Ukraine was still happening. “People didn’t understand there is war, they didn’t understand there is an occupation [of Ukrainian land]. And myself, I couldn’t understand why the Russian disinformation isn’t getting enough attention.”

Russia has a powerful propaganda machine in place that constantly offers its version of recent history, distorting current and historical events and successfully presenting it to Russians and the rest of the world. But the last few months have tipped the scale and given Ukraine the voice it never had. Russia’s amassing troops while denying it, starting a war immediately after promising not to start one, and lastly, conducting this war in such a barbaric and brutal manner while denying any wrongdoing has, in most of the world, eroded any credibility that Putin’s propaganda machine was able to assemble prior to the full scale invasion. However, on the Russian domestic information market it continues to produce results, as Russia still has a tight grip on its powerful disinformation machine. According to Levada-Center, an independent pollster, about 76% of Russians are in favor of Russia’s actions in Ukraine.

And that’s where organizations like Elves come in. They operate as information partisans trying to get lost among the milieu of anonymous users on social media, message boards and comment sections. Maria spends hours monitoring dozens of Telegram channels, as well as Russian segments of Facebook and Russian social networks like Vkontakte and Odnoklassniki. “Our goal is lifting the information blockade of Russia,” Maria says. But it’s not a simple task. Most people living in Russia believe Putin’s version of events and often express joy over news of Ukrainian casualties, even civilian ones.

What Maria has found is that most comments she saw online, in local group chats across Russia and in social media comments under articles regarding the war in Ukraine, show little sensitivity towards civilian casualties. She also realized that direct confrontation or presenting facts doesn’t help to engage the Russians they target in meaningful conversations. So her group has changed its strategy to find topics that bother Russians. “Our goal is not to make them angry, or to transfer our pain onto them. We want to make them think, make them feel that this isn’t right, convince them that they don’t benefit from this war.”

Ukrainian Resistance poster at the steel barricade in the center of Kyiv, Ukraine

And what hurts across Russia is Russian casualties. What Maria noticed at some point, monitoring comments in chats in rural communities, is people questioning why there are many more casualties in the Krasnoyarsk region, for example, than in St. Petersburg or Moscow. Comments like that are analyzed, and if there are enough of them to form a population cluster that is unhappy with the situation, the Elves form a task force that targets this specific group to try to influence their opinion by reaching out directly.

These online missions can take days or weeks, and there is no guaranteed result or sense of accomplishment. It's slow and systematic work. And in some cases Maria feels hopeless. “Some people are so deeply affected by propaganda that it seems there is nothing that will ever change their opinion.”

The fight between Russia and Ukraine on the cyber front started long before the full scale invasion this February, both sides throwing punches throughout the past decade, mostly under the radar of the general public. But as Russian tanks entered Ukrainian soil, cruise missiles landed in residential neighborhoods and shopping malls, so off came the cyber gloves. Ukraine has made an unprecedented effort to mobilize its state structures with massive support from volunteers to wage a new type of war–an attack on everything in the cyber and information spaces that support Russia’s bloody invasion of their country.

One of the most visible structures in the foreground of this battle is the IT Army. It’s an open cyber-volunteer organization that was put together by Ukraine’s Ministry of Digital Transformation. Before February, the Ministry was responsible for implementing digitization into various spheres of governance and civil life, and had very little to do with the military.

Mykhailo Fedorov, Vice Prime Minister and the Minister of Digital Transformation of Ukraine, photographed in Kyiv, Ukraine

“We are a new ministry and it was created with the idea of building the most convenient country in the world from the point of view of public services,” says Mykhailo Fedorov, who has headed the ministry since 2019. With the full scale invasion, tasks have shifted toward servicing the war effort: reestablishing Internet service to affected areas, supporting the Ukrainian IT industry, advocating for Ukraine on international digital forums–which often involved reaching out to companies to stop doing business with Russia–as well as raising money to help the war effort in the digital and high-tech fields. Their latest initiative is a donation campaign for the “Army of Drones” which has already collected over $20M.

Diia, an e-governance app that helps Ukrainians do everything from paying for a parking ticket to filing taxes, created a wartime add-on called eVoroh (eEnemy), a chatbot where Ukrainians could report on the movements of the Russian Armed Forces, describe suspected war crimes, or inform on collaborators in occupied territories. By mid-October the Ministry says it has been used over 408,000 times, although it has not released the number of reports.

On February 25th, when a Russian missile hit a location in Kyiv where servers for the Diia app were located, cloud backups had already been made on servers located outside of Ukraine. And the following day Minister Fedorov made a post on his Facebook page that announced the creation of the IT Army of Ukraine. From the post it wasn’t clear what kind of structure and organization the IT Army would have, or who would be directing its operations, or even exactly what its mission was; just a brief description saying that anyone who can help on the cyber front is welcome. A link to a newly created Telegram channel followed. The first missions appeared on the same day. The government of Ukraine was asking volunteers to wage DDoS attacks on large Russian conglomerates–Gazprom, Lukoil, Yandex, Sberbank–as well as a number of governmental structures and Kremlin-aligned media outlets.

People strolling past the damaged Russian military equipment exhibited in the center of Kyiv, Ukraine

This was an unprecedented move. Never before had governmental officials asked their citizens to wage cyber warfare. A DDoS, or Distributed Denial-of-Service, attack simply floods a host server with traffic to the point where it is no longer accessible, so that a customer who wants to visit a service online finds it unavailable. The attacks can last hours and can create some inconvenience and even bring on a level of chaos depending on the service, time and location. In the hacker community DDoS attacks are considered not much more than foolery, but for the people volunteering in the IT Army, taking down Russian sites and services brought a sense of being needed in the moment and inflicting at least some damage on the enemy.

The IT Army has more than 250,000 active volunteers, and there are dozens more groups made up of amateurs and enthusiasts operating independently as well as being part of various hacktivist and info resistance groups.

Publicly, the IT Army often gives out reactionary assignments, depending on current events or Russian holidays. Before May 9th, for example, the Kremlin-aligned video hosting service RuTube, owned by Gazprom Media, went down for three days. A scheduled online broadcast of the May 9th Victory Parade was canceled.

Another notable hit was carried out by the IT Army on June 17th at the St. Petersburg Economy Forum, where another DDoS attack derailed the entry protocols to the event, delaying a speech given by Putin by an hour. After the mobilization was announced in Russia, Ukrainian hackers, including the IT Army, went after the stores and businesses supplying clothing and gear to the Russian Army. After the missile strikes on the Ukrainian power grid, the IT Army tried to attack LOESK, the main power distributor in the Saint Petersburg region.

But according to Minister Fedorov, about 90% of the targets the IT Army attacks are not made public, and the most damaging work is being done under the radar with the network of IT professionals the government trusts.

One of the people trusted by the government is Yegor Aushev, co-founder of Cyber Unit Technologies, a cyber-security company. He was among the first of those called to arms as a member of the hacker community of Ukraine and the World.

Mr. Aushev, a physics major, never considered himself a hacker but felt he was in a position to rally the cyber security and hacker community around himself. His company specialized in blockchain and “white” hacking, providing cyber security for major businesses in Ukraine as well as for the Ukrainian government and its infrastructure, and even training Ukrainian cyber police.

Yegor Aushev, a cyber security and blockchain specialist, founder of Cyber Unit Technologies photographed at the Unit.City hub in Kyiv

His offices are located in the now vacant UNIT.CITY, a former industrial complex that was converted into a Ukrainian version of Silicon Valley. The complex is now empty–just several security guards and an unplugged robot that used to greet tenants remain. Mr. Aushev was planning to start a “hackerspace” on the top floor of one of the buildings within the campus but fell a few days short when the war interrupted his plans. “This was supposed to be a gathering place for ‘white’ hackers,” he says; he wanted to give about 600 square meters and let the community of hackers use it as they wanted. “Now we don’t know when we’ll open. I’m sure if it was open now, they [the Russians] would spare a rocket for us.” The closest missile landed just a couple hundred meters away from his former office.

On the first day of the war Mr. Aushev posted a link on his Facebook. It was a fillable form on Google Drive asking the hacker community to join the fight. He received more than 100 applications on the first day. More than 50 percent of applicants were rejected. Among those rejected were hackers from Russia opposing the war. “They knew they would not qualify but some provided access to several [Russian] databases,” including ones containing military personnel’s personal information. That was just within the first 24 hours. “Now the Ukrainian Security Forces probably have the entire database [of Russian military personnel] including their wives and lovers,” Mr. Aushev adds.

Having connections in the Ukrainian Security Services, Mr. Aushev immediately offered his assistance, and with the help of his resources and the newly created flying squad of volunteer hackers he entered the battlefield in the cyber domain, gathering information and passing it to the Ukrainian military. The structure of this group is fairly flat and split into many subgroups, all based on qualifications and trust. “Some folks thought we will just provide access to truthful information for the Russian public,” says Mr. Aushev. In the first days of the war there were multiple deface hacks on major Russian media outlets, where hackers replaced the Kremlin narrative with information about what was actually happening in Ukraine. “We thought they [Russian citizens] just don’t know what is going on.”

It soon became clear that things like that didn’t yield any results. “They knew everything,” Yegor summarized. Within the first couple of weeks deface operations almost ceased, although some still continue to this day. His group focused their attention on reconnaissance, communication interception, databases–finding out the troop movements, supply chains and routes, anything that would be useful for the Ukrainian military.

When the Russian Army entered Ukraine on February 24th, many of the soldiers carried their cell phones with them. It wasn’t difficult to analyze the Russian cell phone users and create a parceling map pointing out, for example, clusters of Russian Telegram accounts. “The iPhone gives out about 200,000 signals per hour and they didn’t realize we could track them like that,” Mr. Aushev says.

IT campus in Kyiv Unit.City hub remains vacant due to ongoing war and security concerns

It quickly became evident that Russian intelligence made a mistake in calculating the amount of resistance they would receive in Ukraine. To compensate, Russians started activating the sleeper cells, or diversion reconnaissance groups (DRGs) within Ukraine. Such groups required quick cash infusions. Every time a large sum of money would be transferred from the Russian Federation to a banking customer in Ukraine and used at an ATM, or a Russian banking card was used, authorities would be notified with an automated ATM photo of a customer making a withdrawal along with their personal information.

The images of suspected DRG members withdrawing money from an ATM, along with their information, would be exchanged in chats such as WhatsApp, to which members of local police or territorial defense would be added and, in minutes, dispatched to find the suspects. “Within the first week we had 7 DRGs found in Dnipro,” Mr. Aushev says laughing, “It was both Russians or Ukrainians they were recruiting.”

In Mr. Aushev’s case, being known and trusted by the Ukrainian security forces, his banking and infrastructure clients, and the hacker community, it was a matter of calling a few numbers and creating a WhatsApp chat room for those involved. People in the chat might not have known each other but were trusted by one or more of the participants. And in minutes the wheels were set in motion across the country.

Now Mr. Aushev is consulting the government on creating a cyber unit for the Ministry of Defense. “Few hundred of some of the best specialists are united. It’s a unique situation.” Some of them are the CEOs of Ukrainian IT companies, or chief cyber security officers working for Western companies. None of them want to publicize their names. But Yegor wants to seize the moment and offer the government the opportunity to create a separate Cyber Army. “I want us to be considered combatants of this war.”

Real combat is already happening on the cyber front and has been since long before the full scale invasion. An attack on the Ukrainian power grid in 2015 was reportedly carried out by a group called Sandworm, associated with the cyber-military wing of the GRU, the organization in charge of military intelligence in Russia. NotPetya, a malware attack, affected Ukrainian infrastructure, banking and energy sectors in the summer of 2017. The Chernobyl nuclear plant had to go offline and disconnect its radiation monitoring equipment as a result of the attack. NotPetya was most likely targeting Ukraine specifically, but the effects of the attack spilled far outside its borders and it is to this day considered the largest malware attack in history. Maersk, the largest global shipping company, a network of British hospitals, and pharmaceutical giant Merck, headquartered in New Jersey, were all impacted. The damage was estimated at 10 billion dollars and Sandworm was eventually accused of the attack. And as Ukrainian officials pointed to Russia’s involvement, no actions were taken globally. In 2020, the DOJ charged six Russian nationals, all GRU officers, for their part in NotPetya, as well as an attack on Ukraine’s power grid, and a hack of the 2018 Olympics, in which the Russian team was not allowed to fly its flag after being caught in a state-sponsored doping scheme in Sochi.

“In 2014 Ukraine did not have any program or any cyber capabilities in state structures, even in special services such as S.B.U. It can be said that we were the first to actively build Ukrainian cyber defense,” says Tim Karpinsky, one of the founders of Ukrainian Cyber Alliance and now an active duty officer in one of the cyber security units in the Ukrainian military. Like many other Ukrainians he was inspired by the Maidan revolution, and hoping to build a better future for himself and his country, he got involved. Seeing an obvious gap in Ukraine’s cyber defenses, he, along with several other individuals and hacktivist groups such as RUH8, CyberHunta, Trinity and Falcon Flame, formed the organization Ukrainian Cyber Alliance, which was later registered as an NGO. The identities of most members have been kept secret, except for the three people whose names appeared in the government registry when Cyber Alliance became an official entity: Andrii Baranovych, Oleksandr Galushchenko and Mr. Karpinsky himself.

Tim Karpinsky, one of the founders of Ukrainian Cyber Alliance, a hacktivist group in Kyiv, Ukraine

The organization was formed in 2016. Before that, for two years, Tim and his colleagues were building up a network of connections. He speaks of this period with the brevity of a secret agent. “We had a certain list of personal contacts in state structures, special services, and the defense sector. We used these contacts to transmit certain information for the benefit of the state.”

One of the largest successes of that period for the Ukrainian Cyber Alliance was a hack of emails belonging to Vladislav Surkov, a person nicknamed “Russia’s Gray Cardinal” and a figure once extremely close to Putin, as well as someone credited with building Putin’s propaganda machine until he fell out of favor with the Russian president. In those leaks Surkov discusses preparation for the annexation of Crimea and outlines ways to bankroll and support the Russian-backed pseudo-republics DNR and LNR.

The Ukrainian Cyber Alliance occupies a unique position: it is a registered civil organization that openly does international hacking on behalf of its country. Tim claims that they don’t receive any monetary rewards from the government and their actions are purely based on civic duty in order to defend Ukrainian sovereignty. “The initiative comes from us–we set ourselves the task, define our own targets, work on these targets ourselves. We collect this information ourselves, decide to whom to transfer it and in what volume. We do this from a civic standpoint.”

The civil activism that united Ukrainians against common enemies has not been uncommon since the beginning of Russian aggression. Over the past 8 years a network of volunteers, various official and unofficial initiatives and action groups, as well as NGOs that closely work with the government have formed strong bonds and connections. With the full scale invasion this cooperation went nuclear and now involves practically each cell of Ukrainian society, with the help of unprecedented international support.

Volunteerism has exploded since the invasion began, often filling in holes that were left blank by the government.

IT-Troops is a group that started, as so many other volunteer efforts in Ukraine did, with a group chat created on February 24th where a question was asked: “What can we do?” Dmytro Nalbat was among the 200-something trusted IT professionals in that chat. He knew what his strong suits were. He got his experience on how to bypass the Facebook advertising guidelines when he worked in online gambling–a segment that was very lucrative in Ukraine before the war.

Dmytro Nalbat, a volunteer in the IT Troops, in his office in Kyiv, Ukraine

“Clearly, you can’t run ads with torn off heads and dead bodies on Facebook,” he says. But when the time came for him to do just that he didn’t hesitate to use his knowledge. The shock value was important. He and a few of his colleagues tasked themselves with running ads showing the results of the Russian invasion of his country on social media.

Early on, it started with simply pleading with the Russian segment of Facebook to come out to the streets in protest. Then with Russian mothers to demand the return of their children home. Some ads showed imprisoned or dead Russian soldiers; a lot of the work was buying up space in local Facebook groups in Russia to place, between posts, an article from an established publication showing the atrocities perpetrated by Russia in Ukraine.

But to Dmytro’s surprise, he didn’t see the reaction he expected from the Russians he was targeting with the ads and articles. The most common reply was: “Why is this in my feed?” according to his own observations monitoring the comment sections under the articles he was placing. People in Russia were dismissing this content as fake news or fabrications. “Propaganda machine really works there,” Dmytro says.

And while their digital work in Russia seemed futile, the European Facebook segment was much easier to reach. Outraged about the war, Europeans willing to fill their market squares didn’t need much convincing. The IT-Troops, sometimes working with local NGOs, created events in distant European capitals, started organizing protests, marches and events supporting Ukraine, and brought people to the streets in Lisbon and Vienna with their marketed ads. The dead Russian soldiers were replaced with white doves, the grieving Russian mothers with suffering Ukrainian children.

Over the past couple of months the “information operations,” as Dmytro calls them, have ceased. IT Troops have switched their attention to supplying humanitarian and military aid to the frontlines and to fundraising. Mr. Nalbat doesn't think that the information war is over, and he points to Russian efforts to exert influence over European and American politicians to stop their countries' support of Ukraine.

“No one believes they are doing an evil thing,” says Dmytro about their failed attempt to influence Russians via the Internet. “It’s all going towards catastrophe there, just like with the Germans after World War II.” He firmly believes that the propaganda machine in Russia has turned most Russians into blind followers of Putin and nothing but the fall of the regime will change their views. One thing is different now compared to 1945: now you can do most of the analysis by reading Facebook comments.