Shades of the Lviv underground:

How Ukrainian hackers hold the front in the cyber war

The Ukrainian Week - Yuriy Lapayev

How Ukrainian hackers fight the cyber war

Prior to the war with Russia, these people were ordinary engineers and IT specialists. Once they lost their homes or their loved ones they turned their knowledge into a powerful yet unnoticeable weapon. As the war in eastern Ukraine grew in scale, more effort was needed. So the cyber volunteers responded to Russia’s aggression with investigative projects like Myrotvorets and InformNapalm, which got their information from, among others, many hacker groups.


In contrast to most of the volunteer military brigades or Ukrainian politicians, the hackers were able to agree to work together effectively. By spring 2016, the Ukrainian Cyber Alliance (UCA) was formed by RUH8, Falcons Flame, CyberHunta and Trinity. This event raised Ukraine’s hacker community to the world level. Its target was the Russian Federation and its collaborators in the unrecognized “republics” on post-Soviet territory and anywhere else in the world.

2016 was a year of many victories for the community. Although most of its operations remain secret, the most interesting ones can already be talked about. Ukrainian hackers began last year with a massive break into the text messaging systems of hundreds of thousands of Russians. They continued their hunt for weak spots in the cellular network and were able to get personal photos from a coworker at Russia’s Federation Penitentiary Service. Using Exif data on these photos and videos, they were able to establish incontrovertible evidence of the involvement of a special forces man in the conflict in eastern Ukraine. Thanks to Russian soldiers’ habit of taking selfies, the hackers proved that the proxy forces were using R-300Z Zhytel during the battle for Debaltseve, electronic warfare relay stations that are manufactured exclusively in Russia and have never been sold abroad.

In the spring, they broke into the site of the “ministry of foreign affairs of DNR.” In addition, as part of their #OpDonbasLeaks operation, the Falcons Flame and Trinity successfully broke into some 100 pages and mailboxes of the militants, their propagandists and their handlers. For instance, the e-mail archives of an organization called the Union of Donbas Volunteers, which was run by the former “PM of DNR” Aleksandr Borodai, contained application forms and copies of documents related to mercenaries and Russian servicemen.

One notable event was their break-in and defacement—meaning changing the look of the page—of the pro-Russian propaganda channel known as ANNA News. The Ukrainians not only broke the information service but put together a creative response to the Kremlin mouthpieces: a video message that was posted to the home page of the ANNA site and called on viewers to join forces in the battle against the Russian Federation. This “Greeting from the Lviv Underground”* from the Falcons Flame and Trinity proved remarkably popular: the clip was translated into six languages and enjoyed more than 270,000 views on YouTube.


Thanks to the hackers’ activities, a slew of very interesting documents about Ukraine’s northern neighbor became publicly accessible: RF defense procurements, drafts of state regional policies, and orders to use the RF’s regular military drones to engage in reconnaissance and correct artillery fire against Ukraine.

Of course, Ukraine’s hackers also focused on high-profile individuals in the hybrid war, getting into the correspondence of Alexei Mozgovoi, the odious commander of the Prizrak or Ghost terrorist battalion. It turned out that, the day before Mozgovoi was eliminated, he was completely dependent on the orders of an agent by the name of Dyeva or Maiden. The video and text messages from the phone of another “star” terrorist, Arsen Pavlov, aka Motorolla, also caused quite a stir online. These items have already attracted more than half a million views.

The interception of correspondence involving an LNR militant by the name of Grom helped stop preparations for a provocation by the terrorists that was supposed to have taken place in Lviv on Independence Day. In response, the hackers offered the occupiers a bit of good hacker humor: on August 24, 2016, 25 pro-Russian sites and “official” portals belonging to LNR-DNR terrorist groups were defaced and a greeting on the anniversary of Ukraine’s independence posted on them. Under an operation called #op256thDay dedicated to Programmers’ Day, more than 30 sites belonging to the proxies were either brought down completely or defaced in a single night. Hacktivists embedded an InformNapalm video demonstrating evidence of Russia’s military aggression against Ukraine on many propagandist media resources.

But the real sensation was the operation #SurkovLeaks. Data mined by the hacktivists from the mailbox of the reception of the office of Vladislav Surkov, a top aide to Russian President Vladimir Putin, sent an international shockwave. Articles about the hack of Surkov’s office appeared in much of the top international press, including the BBC, Time, the Daily Mail, The London Times, RFE/RL, The Guardian, and others. The quality of the work even caused some Western experts to mistakenly attribute #SurkovLeaks to US intelligence agencies. On the other hand, the Ukrainian media community virtually ignored the investigation, as it exposed far too many awkward details about how Ukraine’s own politicians and journalists were collaborating with the Russian aggressor.

Towards the end of the year, the cyber brigade provided the world with yet another sensational hack. This time, the deputy director of the Institute of CIS Countries and press secretary of the Union of Orthodox Citizens, Kirill Frolov, found himself in the sights of the cyber alliance. Operation #FrolovLeaks revealed that Russia had been preparing for aggression against Ukraine long before 2014. Based on these materials, the intervention was taking place at the highest level through the Moscow Patriarchate with the support of a slew of recruited high-ranking Ukrainian politicians and activists, who were coordinated by handlers in Russia.

In addition to its “classical” activities, the UCA takes on other non-standard assignments in the information arena. They organized a “provocation” among the DNR terrorists, which led to a real panic among the occupying forces. It was almost funny—except it was not: the leaders of the Russian proxy divisions began a real witch-hunt, looking for traitors and writing accusatory missives to the FSB about their own fighters. The hacktivists were able to delete more than 100,000 individuals from the pro-Kremlin community in social networks. The Ukrainian specialists organized real hacker duels with their northern opponents.

As a result of these confrontations, the impact of hostile interference in Ukraine’s information sphere was minimized. Townsend admits that the level of security in Ukrainian state resources is absolutely inadequate to the situation that has developed around the country. But he adds quickly that even the only superpower in the world, the United States, which has more than enough resources and experience, has turned out to be vulnerable to the attacks of Russian hackers.


In mining a mass of data, the UCA works actively with other volunteer groups. According to Roman Burko, one of the founders of the InformNapalm international investigative community, thanks to his cyber colleagues, a huge archive of correspondence belonging to Russian journalists was hacked. This made it possible to establish that the appetites of RF propagandists are not limited to Ukraine or the shooting down of MH17. Among others, interesting details were disclosed about how Sergei Zyenin, a journalist and propagandist on Perviy Kanal, Russia’s main state channel, works to discredit the National Security Agency of the United States. InformNapalm’s resources made it possible for UCA’s achievements to reach the highest international level.

The alliance shares data with state organizations. Military secrets are sent to the intelligence division of the Ministry of Defense, data about traitors and enemy agents goes to the SBU. And although the US and individual EU countries do engage in using hackers to test their national security systems, the UCA is not taking part in developing the domestic model of cyber security as it is focused entirely on attacking the enemy. Working together towards a common goal, Ukraine’s hacktivists prefer to remain independent and anonymous. Still, even such a successful group as UCA faces problems. The main one is the lack of resources. The number of operations keeps growing, and with it the volume of information gathered. But there aren’t always enough people or time to process it promptly. Although they remain outside the system, the hackers expect the country’s leadership to pay more attention to cyber security. They also complain about the lack of a consolidated position on issues of data and cyber security among top officials. They also point out that the war has been going on for three years now yet Ukraine does not have a unified doctrine for offensive action in the cyber environment.

Understanding these difficulties, the warriors on the invisible front are not about to give up. On the contrary, as they gain experience they plan to move into all-out war mode against the invaders.

The doors are closing. In this video address by the UCA, the activists said that they broke into the databases of LNR/DNR and asked the international community for solidarity with the victims of the Russian aggression.
