‘This isn’t your war’: As frustration breeds hacktivism for Ukraine, experts weigh sitting out

A protester in New York holds a sign and flags as he joins others who gathered for a rally in support of Ukraine (Photo by Michael M. Santiago/Getty Images)

Ukraine has roped in volunteer hackers to run cyberwar operations. So what happens if Americans join?

Certainly, the notion of delivering support to Ukraine has gained traction. Cybersecurity companies have in fact found ways to deliver free product and services to support Ukraine in its efforts to counter cyberattacks.

But experts warn: that is a far cry from partaking in retaliation.

A call to the "IT Army"

Ukrainian Vice Prime Minister Mykhailo Fedorov announced the government-sanctioned volunteer "IT Army" on Twitter on Feb. 26 to run offensive operations against the Russian government and infrastructure. The project, coordinated via Telegram, translates all of its targeting directives into English so that an international audience can participate.

"While you still taking down Russian Railways (sic), here you go with mailbox of high Russian officials like parliament, government, media. Including Russian Ministry of Digital Transformation, which is special," the Telegram account posted this morning alongside a file of potential target email accounts to hack.

The IT Army addresses a clear need. Kyiv has faced continuous cyber aggression from Russia for nearly a decade with very little recourse, including election tampering in 2014, blackouts in 2015 and 2016, the NotPetya wiper in 2018, and smaller cyberattacks leading up to the invasion. Ukraine, in general, appeared to be at a substantial disadvantage at the beginning of the conflict. On paper, Russia was supposed to make quick work of Ukraine. It came with a larger, more modern military and a penchant for hybrid warfare, including its previous dominance over Ukraine in cyber conflict.

The speedy end didn't happen. There is no shortage of reasons Russia has struggled: Ukraine's stronger-than-expected resistance, Russia's fumbling of battlefield logistics, and the big stick of globalist economic measures. But Kyiv has had a remarkable eye for bringing non-state actors into its cause — both above and below board. On the more legitimate end, Ukraine has masterfully controlled the media narrative, despite information warfare being a supposed Moscow strength. On the less legitimate end is the use of volunteer legions to fight cyberwars on its behalf.

Russia faced ongoing attacks from hacktivist groups, including Anonymous and AgainstTheWest, in addition to the IT Army. At a time when people with infosec experience in the United States see a humanitarian disaster and feel powerless to help, one of these groups might seem like a good venue.

Stop and think, say experts

First, a reminder: hacking is first and foremost illegal, regardless of righteous indignation. That may not be too big a hurdle for someone particularly motivated. What could be more of an issue are the ethical and strategic implications of third-party involvement.

"It is very easy in this world to push a button and to have some kind of impact somewhere," said Matt Olney, director of Cisco's Talos Threat Intelligence. "What is hard to do is unpush the button. As we saw in Colonial there can be unforeseen knock-on effects of what you did."

As unrestrained third-party hackers get involved, with many groups selecting their own targets, there is a legitimate risk that a well-meaning volunteer disrupts the strategic mission of either Ukraine or NATO nations. Amid the crossfire, global intelligence agencies still use cyber means to gather intelligence and militaries use it as a means of attack. Volunteer groups risk removing the gears better-prepared governments might need for more strategically effective actions.

"Successful approach requires martial coordination," said Jonathan Reiber, former chief strategy officer for cyber policy at the Department of Defense, and current senior director for strategy and policy at AttackIQ. "So as long as there's a command and control system for people to follow orders, it could be quite productive to assemble a legion."

The pure hacktivist groups, the Anonymouses and AgainstTheWests for example, lack the intelligence and strategic coordination that would prevent collisions between their actions and those of nations.

That could be less of an issue for the IT Army.

Maria Pylyp, a volunteer with Ukraine's digital response efforts, said via email, "We have great communication from our ministers and leaders, they make sure and warn people not to interfere."

But legality and the effectiveness within the Ukrainian conflict might not be the only considerations in play. With a volatile actor there is a risk that, in either the fog of war or the need of propaganda, the actions of an individual may be attributed to a country.

"Russia, as we have seen, has its own standard for what an appropriate level of responses to something that it perceives as risk or aggression against itself," said Jen Ellis, Vice President for community and public affairs at Rapid7. "We have seen that with a lot of the rhetoric that we're hearing right now. In fact, we have seen it with the invasion of Ukraine."

"There is the potential for them to view attackers not as individuals, but as representative of a Western whole," she continued.

US citizens' involvement in the attack risks escalating tensions between the nation as a whole and the government. In turn, it runs the risk of reprisal.

Several times since the beginning of the year, CISA has warned that Russia may respond to the threat of sanctions or other NATO involvement by launching cyberattacks at the West. That came even before volunteers launched actions outside of government control.

Beyond the geopolitical reasons that it may be good to fall back on volunteer actions, there could be a humanitarian one as well.

"There's enough people running around feeling righteously angry about the state of the world, and this is their way of making a statement that somebody is going to get lucky and hit something that isn't ready for what's happening," said Olney.

The targets listed by IT Army include oil and gas companies, banking, freelancer marketplaces, and transport. While the target may be associated with the Russian government, the victims may be Russian citizens or global customers.

Pylyp said Ukraine is ready and eager for any help it can get to put pressure on Russia to cease its invasion. The "not-all-Russians" argument falls flat in the face of an assault on all Ukrainians.

But for some experts, the risks do not outweigh the rewards, no matter how frustrating inaction may feel.

"Unless you're going to go to the front lines and make Molotov cocktails in Ukraine, you may have to accept that, right now, this isn't your war," said Ellis.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
