Join today’s leading executives online at the Data Summit on March 9th. Register here.
While you have to sympathize with Ukraine’s desire to do whatever it can to impede Russia, the Ukraine IT army initiative raises some major questions and could have serious unintended consequences, cyber experts told VentureBeat.
“I believe it’s important to recognize that Ukraine is in a dire situation, which may call for unprecedented measures,” said David Kuder, senior cyber threat intelligence analyst at Critical Start.
At the same time, Kuder said, “it’s difficult to ignore the potential risks and outright dangers of this effort.”
Ukraine’s IT army was announced last Saturday by vice prime minister Mykhailo Fedorov, two days after Russia’s unprovoked invasion of the country. The initiative has mainly focused on forcing Russian websites offline using distributed denial-of-service (DDoS) attacks. DDoS falls on the simpler end of the cyberattack spectrum, but can still be disruptive.
And the Ukraine IT army — which has more than 290,000 subscribers to its Telegram channel — has been pretty successful in its work: More than half of the sites they’ve targeted have faced partial or total outages in Russia, according to data provided by security professional Chris Partridge.
“I believe the data shows the galvanized mob can clearly impose cost and chaos on many targets,” said Partridge, who’s been tracking the IT army’s activities on GitHub, in a message to VentureBeat.
At last check, numerous government, financial and media websites targeted by the Ukraine IT army were seeing 0% or 10% uptime within Russia, Partridge’s data shows.
Meanwhile, on Thursday, the group expanded its tactics by targeting SIP servers, he said. The servers are used for internet-based voice calls, and are considered to be more difficult to defend against cyberattacks.
‘This is the blueprint’
Everyone in security should be paying attention to what’s happening with Ukraine’s IT army, because it’s a sign of things to come, Partridge said.
“This is the blueprint for future cyberwar,” he said. “It seems inevitable that future conflicts would try to replicate the passion from this.”
Still, Partridge said he recognizes there are potential risks that can’t be ignored — and many others agree.
“There’s no question that vigilante hacking wars can have unintended consequences,” said Chris Grove, cybersecurity strategist at Nozomi Networks.
Cyber weaponry can go off-target, for instance, and end up hitting services that normal citizens depend on. “Our supply chain ecosystem is so intertwined that attacking one link can have unplanned consequences elsewhere,” Grove said.
Casey Ellis, founder and CTO at Bugcrowd, said that while he can understand Ukraine’s motivation in doing this, “it’s certainly adding to the fog of war which exists in the cyber domain around this conflict.”
Participating in this type of effort is also extremely risky for an individual, Ellis said.
“Aside from direct Russian retribution, a well-intentioned hacktivist in the state of Missouri, for example, is probably violating both state laws and federal laws by ‘helping out’ – even though the target is the socially accepted ‘bad guy’ in this equation,” he said.
In other words, a social call-to-arms doesn’t change local laws, Ellis said.
“I’ve been talking a number of enthusiastic rookies out of doing anything stupid over the past week — as well as trying to work with folks to minimize the potential harm of getting involved for participants,” he said.
Attribution risk
Misattribution for the attacks carried out by the IT army is another massive danger, mentioned by Ellis and a number of other experts to VentureBeat.
“It’s difficult, if not impossible to quickly determine where an attack came from, or who was behind the attack,” said John Dickson, vice president at Coalfire. “Things can get messy quickly. And the risk of ‘hack back’ cyberattacks from the Russians directed toward the U.S. and west becomes more likely.”
Looking ahead, Dickson said, “I’m afraid that what Ukrainian volunteers are doing is more likely to widen a cyber war outside Eastern Europe than have a tangible effect on the Russians.”
There’s also the likelihood of their efforts interfering with intelligence collection by western nations, several experts said.
“With a public call to anyone willing to help Ukraine defend themselves from cyberattacks during a physical conflict, we have entered unprecedented territory,” said Drew Schmitt, principal threat intelligence analyst at GuidePoint Security.
And yet: The assault on Ukraine is a horribly tragic situation that is getting worse by the minute. And if Ukraine feels the IT army is helpful, then isn’t that really up to them to decide?
“Everything is a matter of perspective,” said Kevin Gonzalez, director of security at Anvilogic.
Fighting back
Ukraine is using any resources it can muster to fight back against Russia — whether for combat on the streets or in the cyber realm — and “who can blame them?” Gonzalez said.
While unintended consequences are certainly possible, he noted that the U.S. and many other countries already have their own offensive cyber operations. Those are just much more under-the-radar than Ukraine’s IT army is currently.
“Ukraine deems this group necessary for their survival, just as the U.S. has deemed the CIA and NSA essential for our survival against evolving threats,” Gonzalez said.
At a certain point, though, launching cyberattacks that aren’t actually coordinated with broader military objectives can amount to little more than vandalism, said John Bambenek, principal threat hunter at Netenrich.
That being said, “the conflict is a fight of attrition,” Bambenek said. “Does Kiev fall first, or does the pressure on Putin get enough to get him to back off? In that sense, it’s all additive — and [the IT army] may help. Time will tell, really.”
“Ukraine deems this group necessary for their survival.”
Kevin Gonzalez, director of security, Anvilogic
Future implications
Over the longer term, much will depend on how the international community responds to these events after the fact, Schmitt said.
For instance, it will be crucial to watch whether hactivism supporting Ukrainian cyber operations ends up being considered a criminal offense, as it normally would be, he said.
But with the outcome of that very unclear at this point, it makes joining the IT army effort “dangerous territory for an adventurous soul with an internet connection to tread down,” said Tim Wade, deputy CTO at Vectra. “It’s not one to be tread lightly.”
Also yet-to-be-determined is where this style of warfare — involving hactivists and cyber criminals alike — goes from here. SightGain CEO Christian Sorensen, who was formerly operational planning team lead for the U.S. Cyber Command, noted that the Ukraine IT army is far from alone in what it’s doing right now. The hactivist group Anonymous appears to have been especially “impactful” in its cyber efforts to aid Ukraine so far, he said.
Ultimately, “regardless of whether these groups should be doing these types of activities,” Sorensen said, “it seems like a new way of war.”
