Ukraine’s Other Front: The Battle in the Cyber Domain

A SBU Cyber Crime Department detective amidst the multiple pieces of hardware including GSM and VoIP gates that were used by the Kharkiv-based Russian bot farm

On February 24, without officially declaring war, Russia launched a full-scale invasion of Ukraine (Dpsu.gov.ua, February 24). The aggressor attacked Ukraine by land, air and sea. But alongside those military operations, Russia continued to wage its warfare in the cyber and information domains.

The Kremlin’s hackers have been targeting Ukraine for years (see EDM March 3, 2020 ). However, the Russian re-invasion of Ukraine this year included a dramatic intensification of both “soft” (e.g., propaganda, disinformation) and “hard” (e.g., cyberattacks against critical infrastructure) cyber/informational threats toward Ukraine. Even in the hours prior to the launch of President Vladimir Putin’s so-called “special military operation,” Russia conducted unprecedented cyberattacks against Ukrainian government websites, affiliated organizations, media and critical financial infrastructure (Epravda.com.ua, February 24).

In late March, the Security Service of Ukraine (SSU) announced that its cyber units managed to shut down an inter-regional network of five enemy bot farms with the capacity to direct over 100,000 fake social media accounts. These bot farms—operated in Kharkiv, Cherkasy, Ternopil and Zakarpattia oblasts—had been spreading anti-Ukrainian and pro-Kremlin propaganda and disinformation about the invasion. Some examples include false reports about failures of Ukrainian resistance and successes of the Russian army, attempts at instilling panic among the citizens of the war-torn country, efforts to promote distrust in Ukrainian political elites (e.g., statements that Ukrainian President Volodymyr Zelenskyy fled Kyiv, abandoning his people) or the national Armed Forces, and attempts to discredit Ukraine in both the international arena and in Russia (e.g., spreading lies that Ukraine was fabricating civilian casualties) (Ssu.gov.ua, March 28).

The SSU’s investigation showed that the network, “supervised by the Russian special services, used various social networks, including those banned in Ukraine, to carry out large-scale information sabotage activities to destabilize the socio-political situation in various regions of Ukraine.” The “army of bots” spread disinformation about the Russian war in Ukraine, which justified Russian aggression and parroted the Kremlin’s ideological rhetoric. During searches at the physical locations hosting the bot farms, law enforcement officers seized numerous pieces of special equipment, including around 100 GMS gateways, 10,000 mobile phone SIM cards of various mobile operators used to disguise the activities of the bot farms, and an unspecified number of computers and laptops used to run cyber operations (Slovoidilo.ua, March 28).

Another bot farm, which exclusively targeted Ukrainian military and law enforcement personnel, was neutralized on March 31. According to SSU spokesperson Artem Dekhtyarenko, the Russian special services tried to conduct a, “special information operation, which aimed at shaking the moral and psychological state of the Ukrainian security forces.” During a relatively short period of time, the bot farm managed to send 5,000 cellphone text messages to Ukrainian military and law enforcement personnel encouraging them to defect and surrender to the Russians. The message read, “The outcome of events is predetermined! Be prudent and refuse to support nationalism and discredited leaders of the country who have already fled the capital!!!” (Ukrinform.ua, March 31).

The bot farm was quickly discovered by SSU cyber specialists. It turned out that the operation was being conducted remotely by the Russians, with equipment located in the Dnipropetrovsk region. The owner of the house where the equipment was installed said he did not know about his role in Russia’s “special information operation.” For connecting the equipment to the Internet and downloading SIM cards from mobile operators, he received $ 2,000 a month (Facebook.com, March 31).

A bot farm that created tens of thousands of fake accounts monthly was also dismantled in the Zhytomyr region. This particular network carried out attacks on systems of critical infrastructure facilities, sent malware phishing emails and executed distributed denial of service (DDoS) attacks on government information resources, all using Russian domains forbidden in Ukraine (Ssu.gov.ua, April 8).

Some bot farms tasked with carrying out wartime disinformation campaigns on Telegram, WhatsApp and Viber are physically situated in Russia. Cyber specialists of the SSU have identified more than 7,000 Russia-based mobile phone numbers used for this purpose (Interfax, February 26).

According to Farid Safarov, Ukraine’s deputy minister of energy for digital development, digital transformation and digitization, the number of cyberattacks against Ukraine’s energy sector during the first 40 days of the ongoing war exceeded 200,000. During the week of April 4 alone, there were approximately 20,000 cybersecurity incidents. Since the beginning of the large-scale hostilities, Ukraine recorded 50 attempted DDoS attacks against the country’s electric supply. In contrast, Ukraine experienced only two such incidents in 2021. Safarov said that the purpose of these attacks is to “stand in Ukraine’s way of linking up with the Pan European electrical grid” (Epravda.com.ua, April 12). The latest attempted attack sought to damage high-voltage electrical substations, computers and networking equipment. It was conducted by the notorious hacking group Sandworm (UAC-0082), linked to Russia’s military intelligence agency (Unit 74455) (Biz.liga.net, April 12). However, Ukraine’s Computer Emergency Response Team (CERT-UA) was able to block this cyber assault (Derzhspetszvyazok, April 12).

To help counter Russia’s attacks and coordinate efforts in the information war, the Ukrainian Ministry of Digital Transformation and the Ministry of Culture and Information Policy launched the “Internet Army of Ukraine” volunteer movement, which includes an International IT Legion. This grouping brings together more than 310,000 Ukrainian and international IT professionals, cyber specialists, creative workers and ordinary people, who are fighting against Russia in the cyber domain (Ain.ua, March 17). To join the IT Army, one needs to subscribe to either the Telegram or Discord channels of the project, in which current tasks are published (Ivukr, accessed April 12). Apart from these messengers, the IT Army also uses Viber, Facebook, Twitter, Instagram and Reddit. The IT Army’s tasks include defending Ukrainian cyberspace, blocking Russian digital propaganda and disinformation outlets, spreading truthful information about the war in Ukraine among the Russian population, and putting pressure on companies that do not want to withdraw their business from Russia (Ain.ua, March 17).

Although the majority of Russia’s cyber/information operations are now mostly concentrated in Ukrainian cyberspace, the international community needs to remember that due to the interconnectedness of the global web, even local cyberattacks can quickly become transnational in nature. To prevent spillover effects from these cyberattacks, the international community will need to continue to pay special attention to the developments on the Ukrainian cyber front.