Shades of the Lviv underground:
How Ukrainian hackers hold the front in the cyber war
How Ukrainian hackers fight the cyber war
Prior to the war with Russia, these people were ordinary engineers and IT specialists. Once they lost their homes or their loved ones, they turned their knowledge into a powerful yet inconspicuous weapon. As the war in eastern Ukraine grew in scale, more effort was needed, and the cyber volunteers responded to Russia’s aggression with investigative projects like Myrotvorets and InformNapalm, which got their information from, among others, many hacker groups.
HACKING THE ENEMY
In contrast to most of the volunteer military brigades or Ukrainian politicians, the hackers were able to agree to work together effectively. By spring 2016, the Ukrainian Cyber Alliance (UCA) had been formed by RUH8, Falcons Flame, CyberHunta and Trinity. This brought Ukraine’s hacker community onto the world stage. Its targets were the Russian Federation and its collaborators, in the unrecognized “republics” on post-Soviet territory and anywhere else in the world.
2016 was a year of many victories for the community. Although most of its operations remain secret, the most interesting ones can already be talked about. Ukrainian hackers began last year with a massive break-in to the text messaging systems of hundreds of thousands of Russians. Continuing their hunt for weak spots in the cellular network, they were able to obtain personal photos from an employee of Russia’s Federal Penitentiary Service. Using the Exif metadata embedded in these photos and videos (the capture time, device details and GPS coordinates a phone camera records in each file), they were able to establish incontrovertible evidence of the involvement of a special forces man in the conflict in eastern Ukraine. Thanks to Russian soldiers’ habit of taking selfies, the hackers proved that the proxy forces were using the R-330Zh Zhitel during the battle for Debaltseve, an electronic warfare jamming station that is manufactured exclusively in Russia and has never been sold abroad.
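The Exif step described above, as an added example in Python that is not part of the article and not any tooling of the groups it describes: it walks a photo’s EXIF directory structure (the TIFF-style IFDs that sit inside a JPEG’s APP1 segment after the “Exif\0\0” prefix), pulls the camera make, capture timestamp and GPS tags, converts degrees/minutes/seconds to decimal, and refuses metadata whose pointers run outside the buffer, since EXIF taken from a stranger’s device is untrusted input. The tag numbers and byte layout are the EXIF specification’s; the sample metadata, its coordinates and its timestamp are constructed here and come from no real photo.

```python
import struct

# Added example for this article (constructed data, not the groups' own tooling):
# a minimal EXIF (TIFF-structured) reader for the tags that date and geolocate a photo.
TAG_MAKE, TAG_DATETIME, TAG_GPS_IFD = 0x010F, 0x0132, 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # bytes per element

def parse_ifd(buf, off, endian):
    """Walk one image file directory into {tag: value}. Offsets are bounds-checked:
    EXIF pulled from someone else's device is untrusted input."""
    if off + 2 > len(buf):
        raise ValueError("IFD offset outside buffer")
    (n,) = struct.unpack(endian + "H", buf[off:off + 2])
    if off + 2 + 12 * n + 4 > len(buf):
        raise ValueError("IFD entries outside buffer")
    tags = {}
    for i in range(n):
        e = off + 2 + 12 * i
        tag, typ, count = struct.unpack(endian + "HHI", buf[e:e + 8])
        if typ not in TYPE_SIZE:
            continue  # unknown type: skip rather than guess a size
        size = TYPE_SIZE[typ] * count
        if size <= 4:  # small values are stored inline in the 4-byte value field
            raw = buf[e + 8:e + 8 + size]
        else:          # larger values live elsewhere; the field holds a pointer
            (ptr,) = struct.unpack(endian + "I", buf[e + 8:e + 12])
            if ptr + size > len(buf):
                raise ValueError("tag 0x%04X points outside buffer" % tag)
            raw = buf[ptr:ptr + size]
        tags[tag] = decode_value(raw, typ, count, endian)
    return tags

def decode_value(raw, typ, count, endian):
    if typ == TYPE_ASCII:
        return raw.split(b"\x00", 1)[0].decode("ascii", "replace")
    if typ == TYPE_LONG:
        return struct.unpack(endian + "I" * count, raw)
    if typ == TYPE_RATIONAL:
        flat = struct.unpack(endian + "II" * count, raw)
        return [(flat[2 * i], flat[2 * i + 1]) for i in range(count)]
    return raw  # other types are returned undecoded

def read_exif(tiff):
    """Parse the TIFF header, IFD0 and, if present, the GPS sub-IFD."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        raise ValueError("not a TIFF header")
    magic, ifd0_off = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    ifd0 = parse_ifd(tiff, ifd0_off, endian)
    gps = parse_ifd(tiff, ifd0[TAG_GPS_IFD][0], endian) if TAG_GPS_IFD in ifd0 else {}
    return ifd0, gps

def dms_to_decimal(rationals, ref):
    # GPS tags store degrees, minutes and seconds as three unsigned rationals
    d, m, s = (num / den for num, den in rationals)
    value = d + m / 60 + s / 3600
    return -value if ref in ("S", "W") else value

def geolocate(tiff):
    """Camera make, capture time and decimal position: the fields an investigator wants."""
    ifd0, gps = read_exif(tiff)
    if GPS_LAT not in gps or GPS_LON not in gps:
        raise ValueError("no GPS position recorded")
    return {"make": ifd0.get(TAG_MAKE), "datetime": ifd0.get(TAG_DATETIME),
            "lat": round(dms_to_decimal(gps[GPS_LAT], gps[GPS_LAT_REF]), 6),
            "lon": round(dms_to_decimal(gps[GPS_LON], gps[GPS_LON_REF]), 6)}

# --- constructed sample: a little-endian TIFF with IFD0 and a GPS sub-IFD ---
def encode_ifd(entries, base):
    # entries: [(tag, type, count, payload)]; base: absolute offset of this IFD
    entries = sorted(entries)
    data_off = base + 2 + 12 * len(entries) + 4
    out, data = struct.pack("<H", len(entries)), b""
    for tag, typ, count, payload in entries:
        if len(payload) <= 4:
            field = payload.ljust(4, b"\x00")
        else:
            field = struct.pack("<I", data_off + len(data))
            data += payload
        out += struct.pack("<HHI", tag, typ, count) + field
    return out + struct.pack("<I", 0) + data  # 0 = no next IFD

def rational(*pairs):
    return struct.pack("<" + "II" * len(pairs), *[x for p in pairs for x in p])

def build_sample():
    """Invented position and time; nothing here comes from a real photo."""
    gps = [(GPS_LAT_REF, TYPE_ASCII, 2, b"N\x00"),
           (GPS_LAT, TYPE_RATIONAL, 3, rational((48, 1), (20, 1), (270, 10))),
           (GPS_LON_REF, TYPE_ASCII, 2, b"E\x00"),
           (GPS_LON, TYPE_RATIONAL, 3, rational((38, 1), (24, 1), (156, 10)))]
    ifd0 = [(TAG_MAKE, TYPE_ASCII, 8, b"Example\x00"),
            (TAG_DATETIME, TYPE_ASCII, 20, b"2016:06:01 12:00:00\x00"),
            (TAG_GPS_IFD, TYPE_LONG, 1, struct.pack("<I", 0))]
    gps_off = 8 + len(encode_ifd(ifd0, 8))  # IFD0 starts right after the 8-byte header
    ifd0[2] = (TAG_GPS_IFD, TYPE_LONG, 1, struct.pack("<I", gps_off))
    return b"II" + struct.pack("<HI", 42, 8) + encode_ifd(ifd0, 8) + encode_ifd(gps, gps_off)
```

Two caveats a practitioner would add: most social networks strip EXIF on upload, so this only works on originals obtained at source, and EXIF is trivially editable, so a timestamp and position from it corroborate other evidence rather than prove anything on their own.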
In the spring, they broke into the site of the “ministry of foreign affairs of the DNR.” In addition, as part of the #OpDonbasLeaks operation, Falcons Flame and Trinity successfully broke into some 100 web pages and mailboxes belonging to the militants, their propagandists and their handlers. For instance, the e-mail archives of an organization called the Union of Donbas Volunteers, run by the former “PM of the DNR” Aleksandr Borodai, contained application forms and copies of documents belonging to mercenaries and Russian servicemen.
One notable event was their break-in and defacement (replacing the content of the page) of the pro-Russian propaganda channel known as ANNA News. The Ukrainians not only broke into the news service but put together a creative response to the Kremlin mouthpieces: a video message, posted to the home page of the ANNA site, that called on viewers to join forces in the battle against the Russian Federation. This “Greeting from the Lviv Underground”* from Falcons Flame and Trinity proved remarkably popular: the clip was translated into six languages and has been viewed more than 270,000 times on YouTube.
THE SURKOV SENSATION AND MORE
Thanks to the hackers’ activities, a slew of very interesting documents about Ukraine’s northern neighbor became publicly available: RF defense procurements, drafts of state regional policies, and orders to use the RF’s regular military drones for reconnaissance and for correcting artillery fire against Ukraine.
Of course, Ukraine’s hackers also focused on high-profile individuals in the hybrid war, getting into the correspondence of Alexei Mozgovoi, the odious commander of the Prizrak, or Ghost, terrorist battalion. It turned out that, up to the day before Mozgovoi was eliminated, he was completely dependent on the orders of an agent by the name of Dyeva, or Maiden. The video and text messages from the phone of another “star” terrorist, Arsen Pavlov, aka Motorola, also caused quite a stir online and have already attracted more than half a million views.
The interception of the correspondence of an LNR militant by the name of Grom helped stop preparations for a provocation by the terrorists that was supposed to have taken place in Lviv on Independence Day. In response, the hackers offered the occupiers a bit of hacker humor: on August 24, 2016, 25 pro-Russian sites and “official” portals belonging to the LNR and DNR terrorist groups were defaced and a greeting on the anniversary of Ukraine’s independence posted on them. Under an operation called #op256thDay, dedicated to Programmers’ Day, more than 30 sites belonging to the proxies were either taken down completely or defaced in a single night. The hacktivists also embedded an InformNapalm video presenting evidence of Russia’s military aggression against Ukraine on many propagandist media resources.
But the real sensation was the operation #SurkovLeaks. Data mined by the hacktivists from the mailbox of the reception office of Vladislav Surkov, a top aide to Russian President Vladimir Putin, sent an international shockwave. Articles about the hack of Surkov’s office appeared in much of the top international press, including the BBC, Time, the Daily Mail, The Times of London, RFE/RL, The Guardian and others. The quality of the work even led some western experts to mistakenly attribute #SurkovLeaks to US intelligence agencies. On the other hand, the Ukrainian media community virtually ignored the investigation, as it exposed far too many awkward details about how Ukraine’s own politicians and journalists were collaborating with the Russian aggressor.
Towards the end of the year, the cyber brigade provided the world with yet another sensational hack. This time, Kirill Frolov, deputy director of the Institute of CIS Countries and press secretary of the Union of Orthodox Citizens, found himself in the sights of the cyber alliance. Operation #FrolovLeaks revealed that Russia had been preparing for aggression against Ukraine long before 2014. Based on these materials, the interference was being conducted at the highest level through the Moscow Patriarchate, with the support of a slew of recruited high-ranking Ukrainian politicians and activists who were coordinated by handlers in Russia.
In addition to its “classical” activities, the UCA takes on other non-standard assignments in the information arena. It organized a “provocation” among the DNR terrorists that led to a real panic among the occupying forces. It was almost funny, except that it was not: the leaders of the Russian proxy units began a real witch-hunt, looking for traitors and writing accusatory missives to the FSB about their own fighters. The hacktivists were also able to get more than 100,000 accounts removed from pro-Kremlin communities on social networks. And the Ukrainian specialists have held real hacker duels with their northern opponents.
As a result of these confrontations, the impact of hostile interference in Ukraine’s information sphere was minimized. Townsend admits that the level of security of Ukrainian state resources is entirely inadequate to the situation that has developed around the country. But he quickly adds that even the world’s only superpower, the United States, which has more than enough resources and experience, has turned out to be vulnerable to the attacks of Russian hackers.
AN EXPANDING NET OF DATA
In mining this mass of data, the UCA works actively with other volunteer groups. According to Roman Burko, one of the founders of the InformNapalm international investigative community, thanks to his cyber colleagues a huge archive of correspondence belonging to Russian journalists was obtained by hacking. This made it possible to establish that the appetites of RF propagandists are not limited to Ukraine or the shooting down of MH17. Among other things, interesting details were disclosed about how Sergei Zyenin, a journalist and propagandist on Perviy Kanal, Russia’s main state channel, works to discredit the National Security Agency of the United States. InformNapalm’s resources made it possible for the UCA’s achievements to reach the highest international level.
The alliance shares data with state organizations: military secrets are sent to the intelligence directorate of the Ministry of Defense, while data about traitors and enemy agents goes to the SBU. And although the US and individual EU countries do use hackers to test their national security systems, the UCA is not taking part in developing the domestic model of cyber security, as it is focused entirely on attacking the enemy. Working together towards a common goal, Ukraine’s hacktivists prefer to remain independent and anonymous. Still, even a group as successful as the UCA faces problems. The main one is the lack of resources. The number of operations keeps growing, and with it the volume of information gathered, but there are not always enough people or time to process it promptly. Although they remain outside the system, the hackers expect the country’s leadership to pay more attention to cyber security. They also complain about the lack of a consolidated position on data and cyber security among top officials, and point out that although the war has been going on for three years now, Ukraine still does not have a unified doctrine for offensive action in the cyber domain.
Understanding these difficulties, the warriors on the invisible front are not about to give up. On the contrary, as they gain experience they plan to move into all-out war mode against the invaders.
The doors are closing. In this video address by the UCA, the activists said that they had broken into the databases of the LNR/DNR and asked the international community for solidarity with the victims of Russian aggression.