
Formed in a fury to counter Russia’s blitzkrieg attack, Ukraine’s hundreds-strong volunteer “hacker” corps is much more than a paramilitary cyberattack force in Europe’s first major war of the internet age. It is crucial to information combat and to crowdsourcing intelligence.

“We are really a swarm. A self-organizing swarm,” said Roman Zakharov, a 37-year-old IT executive at the center of Ukraine’s bootstrap digital army.

Inventions of the volunteer hackers range from software tools that let smartphone and computer owners anywhere participate in distributed denial-of-service attacks on official Russian websites to bots on the Telegram messaging platform that block disinformation, let people report Russian troop locations and offer instructions on assembling Molotov cocktails and basic first aid.

Zakharov ran research at an automation startup before joining Ukraine’s digital self-defense corps. His group is StandForUkraine. Its ranks include software engineers, marketing managers, graphic designers and online ad buyers, he said.

The movement is global, drawing on IT professionals in the Ukrainian diaspora whose handiwork includes web defacements with antiwar messaging and graphic images of death and destruction in the hopes of mobilizing Russians against the invasion.

“Both our nations are scared of a single man — (Russian President Vladimir) Putin,” said Zakharov. “He’s just out of his mind.” Volunteers reach out person-to-person to Russians with phone calls, emails and text messages, he said, and send videos and pictures of dead soldiers from the invading force from virtual call centers.

Some build websites, such as a “site where Russian mothers can look through (photos of) captured Russian guys to find their sons,” Zakharov said by phone from Kyiv, the Ukrainian capital.

The cyber volunteers’ effectiveness is difficult to gauge. Russian government websites have been repeatedly knocked offline, if briefly, by the DDoS attacks, but generally weather them with countermeasures.

A woman has breakfast inside a cafe in Lviv's downtown, western Ukraine, March 4, 2022.

It’s impossible to say how much of the disruption — including more damaging hacks — is caused by freelancers working independently of but in solidarity with Ukrainian hackers.

A tool called “Liberator” lets anyone in the world with a digital device become part of a DDoS attack network, or botnet. The tool’s programmers code in new targets as priorities change.

But is it legal? Some analysts say it violates international cyber norms. Its Estonian developers say they acted “in coordination with the Ministry of Digital Transformation” of Ukraine.

A top Ukrainian cybersecurity official, Victor Zhora, insisted at his first online news conference of the war Friday that homegrown volunteers were attacking only what they deem military targets, in which he included the financial sector, Kremlin-controlled media and railways. He did not discuss specific targets.

Zakharov did. He said Russia’s banking sector was well fortified against attack but that some telecommunications networks and rail services were not. He said Ukrainian-organized cyberattacks had briefly interrupted rail ticket sales in western Russia around Rostov and Voronezh and knocked out telephone service for a time in the region of eastern Ukraine controlled by Russian-backed separatists since 2014. The claims could not be independently confirmed.

A group of Belarusian hacktivists calling themselves the Cyber Partisans also apparently disrupted rail service in neighboring Belarus this week seeking to frustrate transiting Russian troops. A spokeswoman said Friday that electronic ticket sales were still down after their malware attack froze up railway IT servers.

Over the weekend, Ukraine’s minister of digital transformation, Mykhailo Fedorov, announced the creation of a volunteer cyber army. The IT Army of Ukraine now counts 290,000 followers on Telegram.

Zhora, deputy chair of the state special communications service, said one job of Ukrainian volunteers is to obtain intelligence that can be used to attack Russian military systems.

In this image from video, Victor Zhora, a top Ukrainian cybersecurity official, holds a news conference for international media March 4, 2022, from a bunker in Kyiv, Ukraine.

Some cybersecurity experts have expressed concern that soliciting help from freelancers who violate cyber norms could have dangerous escalatory consequences. One shadowy group claimed to have hacked Russian satellites; Dmitry Rogozin, the director general of Russia’s space agency Roscosmos, called the claim false but was also quoted by the Interfax news agency as saying such a cyberattack would be considered an act of war.

Asked if he endorsed the kind of hostile hacking being done under the umbrella of the Anonymous hacktivist brand — which anyone can claim — Zhora said, “We do not welcome any illegal activity in cyberspace.”

“But the world order changed on the 24th of February,” he added, when Russia invaded.

The overall effort was spurred by the creation of a group called the Ukrainian Cyber Volunteers by a civilian cybersecurity executive, Yegor Aushev, in coordination with Ukraine’s Defense Ministry. Aushev said it numbers more than 1,000 volunteers.

On Friday, most of Ukraine’s telecommunications and internet were fully operational despite outages in areas captured by invading Russian forces, said Zhora. He reported about 10 hostile hijackings of local government websites in Ukraine to spread false propaganda saying Ukraine’s government had capitulated.

Zhora said presumed Russian hackers continued trying to spread destructive malware in targeted email attacks on Ukrainian officials and — in what he considers a new tactic — to infect the devices of individual citizens. Three instances of such malware were discovered in the runup to the invasion.

U.S. Cyber Command has been assisting Ukraine since well before the invasion. Ukraine does not have a dedicated military cyber unit. It was standing one up when Russia attacked.

Zhora anticipates an escalation in Russia’s cyber aggression — many experts believe far worse is yet to come.

Meantime, donations from the global IT community continue to pour in. A few examples: NameCheap has donated internet domains while Amazon has been generous with cloud services, said Zakharov.

Media giant News Corp is investigating a cyberattack that has accessed the email and documents of some of its employees and journalists.

On Friday, New York-based News Corp, whose entities include The Wall Street Journal and the New York Post, sent an internal email to staff, stating that it had been the target of “persistent nation-state attack activity.”

“On January 20th, News Corp discovered attack activity on a system used by several of our business units,” David Kline, News Corp chief technology officer, wrote in the email.

News Corp said that as soon as it discovered the attack, it notified law enforcement and launched an investigation with the help of Mandiant, a cybersecurity firm.

The cyberattack affected a “limited number of business email accounts and documents” from News Corp headquarters as well as its News Technology Services, Dow Jones, News UK and New York Post businesses.

FILE – Bundles of the New York Post are stacked for distribution in front of Penn Station, Nov. 27, 2013, in New York.

“Our preliminary analysis indicates that foreign government involvement may be associated with this activity, and that some data was taken,” Kline wrote. “We will not tolerate attacks on our journalism, nor will we be deterred from our reporting.”

“Mandiant assesses that those behind this activity have a China nexus, and we believe they are likely involved in espionage activities to collect intelligence to benefit China’s interests,” Dave Wong, Mandiant vice president and incident responder, said in an email to VOA.

Wong’s suspicion echoed that of human rights groups, which have also faced an increase in cyberattacks thought to originate from a “foreign government” they also believe is China.

Liu Pengyu, spokesperson for the Chinese Embassy in the U.S., told VOA in an email Friday that rather than making allegations based on speculations, he hoped there could be “a professional, responsible and evidence-based approach” to identifying cyberattacks.

“China is a staunch defender of cybersecurity and has long been a main victim of cyberthefts and attacks,” Liu said. “China firmly opposes and combats cyberattacks and cybertheft in all forms.”

Rights groups targeted

Cyberattacks might be used to intimidate those who are critical of the Chinese government, according to Peter Irwin, senior program officer for advocacy and communications at Uyghur Human Rights Project (UHRP) in Washington.

“They might want journalists to think twice before they continue to do critical work uncovering issues in the country,” Irwin told VOA, adding that his organization had also seen a major spike in cyberattacks believed to be from China in recent weeks, targeting its website and staff email.

Uyghur rights groups such as UHRP have been calling for a boycott of the Beijing Winter Olympics on social media, using the hashtag #GenocideGames and citing allegations of human rights abuses of Uyghurs and other Turkic ethnic groups in Xinjiang, where China has been accused of arbitrarily detaining more than 1 million people in internment camps.

On Tuesday, The Wall Street Journal reported that pro-China accounts had flooded Twitter messages with the #GenocideGames hashtag. Hashtag flooding is the act of hijacking a hashtag on social media platforms to dilute or change its meaning.

FILE - People from China's Uyghur Muslim ethnic group protest outside the city's Turkish Olympic Committee building, calling for a boycott of the Winter Olympics in Beijing over China's treatment of the minority, in Istanbul, Turkey, Jan. 23, 2022.

In early December, the U.S. announced a diplomatic boycott of the Beijing Winter Olympics, citing China’s “ongoing genocide and crimes against humanity in Xinjiang and other human rights abuses.”

Beijing denies accusations of mass detention and says that all ethnic groups in Xinjiang “live together in harmony” and experience “healthy and balanced development.”

Tahir Imin, a Uyghur activist and founder of the Washington-based Uyghur Times, says his news organization has long been the target of cyberattacks he believes are coming from China.

Volexity, a Washington-based cybersecurity firm, stated in a September 2019 blog post that “cyberspace has become a battleground for the Uyghur people. The level of surveillance occurring in China against Uyghurs extends well beyond their borders and has fully entered the digital realm.”

“Recently, especially starting from January 10, 2022, we have seen more cyberattacks by unknown hackers aimed at the main index of English and Chinese websites of Uyghur Times,” Imin told VOA, adding that his organization’s email server had also been the target of similar attacks.

FILE - FBI Director Christopher Wray testifies before a Senate Homeland Security and Governmental Affairs Committee hearing, Sept. 21, 2021, on Capitol Hill in Washington.

FBI assessment

In a speech at the Ronald Reagan Presidential Library and Museum in California, FBI Director Christopher Wray said that in the U.S., Beijing had unleashed “a massive, sophisticated hacking program that is bigger than those of every other major nation combined.”

“They’re not just hacking on a huge scale but causing indiscriminate damage to get to what they want,” Wray said. “Like in the recent Microsoft Exchange hack, which compromised the networks of more than 10,000 American companies in a single campaign alone.”

According to Salih Hudayar, president and founder of the East Turkistan National Awakening Movement, a Washington-based Uyghur independence advocacy group, his group’s website has seen a “severe increase” in cyberattacks in recent weeks, especially since the beginning of the Beijing Winter Games.

“It seems, on average, in the past 24 hours (per hour), we had over 15 million attacks against our website,” Hudayar told VOA, adding that most of the attacks were originating from Singapore.

He said he believed Singapore was being used “to mask the true location” of the origin of the attacks. “We definitely think China is behind this attack,” Hudayar said.
