Cybercrime , Cybercrime as-a-service , Cyberwarfare / Nation-State Attacks
Ukraine's 'IT Army' Call-Up: Don't Try This at HomeDespite Russian Aggression, Distributed Denial-of-Service Attacks Remain Illegal
After Ukraine called on the world to help it hack Russia, what could possibly go wrong?
See Also: How to Use Risk Scoring to Propel Your Risk-Based Vulnerability Management Program Forward
Russia has targeted Ukrainian government and financial services sites with distributed denial-of-service attacks before and since its Feb. 24 invasion. Some wiper malware attacks, likely authorized by Moscow, have also hit some Ukrainian targets and appear to be tied to intrusions that began last summer.
"We are creating an IT army. We need digital talents."
As the BBC has reported, Ukrainian cybersecurity official Viktor Zhora says his country is now fighting the first-ever "hybrid war" that bridges both the physical and online realms. Crucially, however, this "cyber war can only be ended with the end of conventional war" (see: Ukraine Fighting First-Ever 'Hybrid War' - Cyber Official).
Nevertheless, Ukraine has issued a call not only to citizens but to anyone in Russia or the rest of the world who supports its cause to act online.
"We are creating an IT army. We need digital talents," said Mykhailo Fedorov, Ukraine's digital minister, on Feb. 26, just two days after Russia invaded. Fedorov directed anyone who wanted to help to a Telegram channel where tasks could be assigned.
We are creating an IT army. We need digital talents. All operational tasks will be given here: https://t.co/Ie4ESfxoSn. There will be tasks for everyone. We continue to fight on the cyber front. The first task is on the channel for cyber specialists.— Mykhailo Fedorov (@FedorovMykhailo) February 26, 2022
British cybersecurity expert Kevin Beaumont on Thursday reported that the number of Ukraine IT Army participants had reached 307,000. About half of institutions and services being targeted in Russia and ally Belarus - banks, GPS service providers, law enforcement telephone bridges and more - appear to be getting disrupted as a result, he says.
IT ARMY of Ukraine are now targeting Russian GPS, railway, telecoms providers, and ATMs. pic.twitter.com/GzoLBZlH5w— Kevin Beaumont (@GossiTheDog) March 3, 2022
Top targets have included Russian TV station Channel One; the country's biggest bank, Sberbank; Russia's Federal Security Service, known as the FSB; and Belarusian state-owned news agency Belta, cybersecurity firm Avast reports.
Not all citizen DDoS attacks are targeting Russia. Attacks from inside Russia that appear to trace to patriot hackers have also been occurring. Some cybercrime syndicates, such as the Conti ransomware operation, have vowed to prioritize critical infrastructure targets in any country that works to undermine Russia's invasion.
Hacktivism: Still Not Legal
Despite horrific images of Russia targeting hospitals in Ukraine and warnings from the White House that Moscow appears to be building a fake pretext for using chemical weapons, laws across Europe and the U.S. remain clear: Launching distributed denial-of-service attacks, even in the name of freedom or under the banner of the Anonymous collective, remains illegal.
"In a distributed denial-of-service attack, the attacker enlists the help of (many) thousands of internet users to each generate a small number of requests which, added together, overload the target," according to Britain's National Cyber Security Center, which is the public-facing arm of intelligence agency GCHQ. "These participants may either be willing accomplices - such as attacks initiated by loosely organized illegal 'hacktivist' groups - or by unwitting victims whose machines have been infected with malware."
The Ukraine government obviously won't be prosecuting anyone inside the country who targets Russia online. For everyone else, however, might they end up doing more harm than good?
Anonymous remains a concept that anyone can join and use to express rage over perceived injustices. But have Anonymous' DDoS attacks ever done anything more than inconvenience targets?
Such online flexing often comes with a cost. Most DDoS practitioners - and even those offering the service at scale as part of the cybercrime-as-a-service ecosystem - don't have the operational security skills required to remain anonymous. Many individuals, including the so-called "PayPal 14" - tied to 2010 DDoS attacks conducted under the banner of Anonymous - have learned that lesson the hard way, when their attacks were traced back to their own IP addresses and they found themselves with a court appearance and prison sentence.
Expert: Civilian Attacks Carry Consequences
That's not the only way in which non-Ukrainians' urge to target Russia with DDoS attacks - to do something - might be easy to understand but still misguided.
"Asking civilians to wage your war will have consequences," tweets cybersecurity expert Vesselin Bontchev, who works at the National Laboratory of Computer Virology at the Bulgarian Academy of Sciences. Bontchev has criticized Ukraine's move to call on civilians in any country to launch online attacks.
Because if a civilian attacks a government or military target in support of another government, are they really a civilian any longer, or rather some type of enemy combatant?
"If I were Ukrainian, there's nothing you could say to keep me from targeting Russian organizations," tweets Jake Williams, a former member of the U.S. National Security Agency's hacking unit who's now CTO of incident response firm BreachQuest. "My country is being invaded and I'm fighting for its survival any way I can."
But he said for everyone else, joining this fight sets "a terrible precedent and we should expect to see blowback from it."
If I were Ukrainian, there's nothing you could say to keep me from targeting Russian organizations. My country is being invaded and I'm fighting for its survival any way I can.
That said, Vess is right - this is a terrible precedent and we should expect to see blowback from it. https://t.co/iu3bg42nKg— Jake Williams (@MalwareJake) March 10, 2022
Of course, Russia doesn't need a pretext to launch destructive cyberattacks on the West. At least so far, however, it doesn't appear to have done so, including against Ukraine (see: Why Hasn't Russia Launched a Major Cyberattack on Ukraine?).
But the U.S. and its NATO allies continue to carefully delineate what they are doing to support Ukraine. At least publicly, they have not called for or said that they have been launching such online attacks or disruptions against Russia. If they were to do so, or if Russia so targeted anyone in NATO, it might easily cause the conflict to escalate and potentially spill over to other countries - and not just online. Since Putin has reminded the world that he possesses nuclear weapons, Western leaders remain keen to keep Russia's invasion of Ukraine from becoming a third world war.