The IT Army of Ukraine

The IT Army of Ukraine has mobilized thousands of volunteers to launch high profile cyberattacks against Russian targets in response to Russia’s 2022 invasion of Ukraine. It has quietly transformed from an ad-hoc force of volunteers into a tightly organized operation, with ongoing support from Ukrainian government officials, tens of thousands of international participants, and industry-leading tools. Its evolution presents vital lessons for the landscape of cyber conflict.

The idea for the IT Army resulted from a February 2022 meeting between Yegor Aushev, a Ukrainian IT entrepreneur, and Ukrainian Minister of Digital Transformation Mykhailo Fedorov regarding the creation of a volunteer IT Corp to defend Ukraine’s digital infrastructure from Russian cyberattacks. Aushev organized this defensive force alongside the Ukrainian Ministry of Defence, assembling 1,000–1,500 Ukrainian IT specialists to protect critical infrastructure companies. Fedorov, meanwhile, began creating an offensive IT volunteer group, officially launched as the IT Army of Ukraine on February 26. The Army organized around a Telegram channel, which, supported with calls by other Ukrainian government organizations, ballooned to 300,000 members by March 2022, including committed IT professionals, amateur volunteers, and interested observers.

The primary tool of the IT Army is the Distributed Denial-of-Service (DDoS) attack, in which attackers attempt to overwhelm a site with traffic to prevent its normal use. A network of DDoS tools was developed for the Army’s purposes by former Ukrainian cybersecurity experts, including Aushev. Volunteers run these tools via cloud services, with the tools themselves hosted in repositories on GitHub, a popular American code-hosting service. These tools violate GitHub’s terms of service. According to researchers, Microsoft, the owner of GitHub, has selectively banned such tools: pro-Russian groups have had their tools banned, while most of the IT Army’s tools remain available.

By June of 2022, analysts believe the IT Army had evolved into two sections: a public call to action, mobilizing anyone willing to participate in coordinated DDoS attacks against Russian infrastructure targets, and an in-house team supposedly consisting of Ukrainian defense and intelligence personnel.

The public-facing side of the IT Army has slowly evolved from a single Telegram channel into a network of individual groups, DDoS tool developers, and data-hosting platforms. After its initial rise, the IT Army’s Telegram channel has slowly declined in membership to 170,000 in August 2023 due to departures by observers, according to IT Army researchers. Skilled labor, like IT professionals and veteran hackers, is now spread across many Telegram channels. In addition to these active members, many international volunteers offer passive support, lending computing power to organized attacks. Their efforts are coordinated by a robust network of automated tools, allowing for continued involvement with minimal effort. These so-called “Sofa hackers” were estimated to number 65,000 in May 2022. The current number is difficult for researchers to estimate, since involvement has varied significantly over time.

The private side of the IT Army likely experienced a managerial takeover by the Ukrainian intelligence service and the Ministry of Defence, according to some researchers. In September of 2022, a Dutch hacker involved in the IT Army suggested that the present structure is built around 25–30 “Generals” from the Ukrainian Secret Service and other ministries, who organize operations through “Colonels,” high-level hackers who organize and carry out attacks. Researchers believe that this structure likely serves as a means of coordination between government officials and hackers with no government affiliation.

While the exact number of attacks conducted to date is unknown, it was estimated to be 2,000 in June 2022 and has likely increased, with researchers working to determine which attacks can be attributed to the IT Army and which are from other Ukrainian hacktivists. This includes several high-profile takedowns: in February 2022, the IT Army shut down the websites for the Moscow Stock Exchange and Sberbank, the largest bank in Russia. In October 2022, they reportedly gained access to Loesk, an electrical utility which supplies power to the Leningrad oblast, creating outages throughout the region. In November, the IT Army attacked Gazprombank, the bank for Russia’s state-owned energy company, with one Gazprom official claiming that the attackers knew the entire pool of the bank’s IP addresses, even those not involved in the banking services. Since 2022, documentation of IT Army attacks has decreased as other Ukrainian hacktivist groups have formed independently of the Army.

The IT Army of Ukraine raises several lingering questions about the legality and risks of its operations. First, the legality of cyberattacks during war is a grey area, especially when it comes to foreign volunteers. Second, the large-scale dissemination of DDoS tools to IT Army volunteers could give thousands of hackers the capacity to carry out cyberattacks, with the potential to use those skills for more nefarious purposes once the conflict ends, a problem that governments have struggled with previously.

The hybrid structure of the IT Army combines the operational efficiency of a structured government agency with the versatility of a volunteer force. By integrating a state-led command structure, it has retained focus and purpose, and by allowing for independent operations, it has attracted many thousands of international volunteers. The IT Army has grown into a model for coordination between state and non-state cyber strategies during the war in Ukraine, and could represent the first of many such wartime partnerships.

Aiden Render-Katolik was an intern with the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, D.C.