What you should know before joining the IT Army
The IT Army
Ukraine had no military cyber command prior to the Russian invasion, but a mere two days after its start, the government found a way to mobilize international support and retaliate in cyberspace. On February 26, Mykhailo Fedorov, Minister of Digital Transition and Vice Prime Minister, declared the creation of the IT Army, the first offensive cyber group of its kind.
The IT Army is organized around a Telegram channel where Ukrainian officials post lists of Russian targets for volunteers to attack. The channel is public, thus anyone can join and every supporter of Ukraine is welcome, no matter their origin or capabilities. Most volunteers are civilians. The instructions are simple: participants are told to “use any vectors of cyber and DDoS (Distributed Denial of Service, ed) attacks on these resources”. The targets include banks, corporations, and public institutions such as the sites of the Ministry of Defense and of Public Services.
A hybrid structure with hybrid issues
The IT Army is a structure of a new kind, made of two parts: the first is the continuous call to action and its volunteers from all horizons, and the second is a team of Ukrainian defense and intelligence personnel who choose the targets from behind the scenes. Stefan Soesanto of the Center for Security Studies describes this organization as “neither civilian nor military, neither public nor private, neither local nor international and neither lawful nor unlawful”. This hybrid structure raises a number of questions regarding the application of international law in cyberspace, the targeting of civilian infrastructure and the legal status of civilians taking part in a conflict in which their state is not a belligerent.
The participants face a variety of risks
In addition to these legal and ethical questions, participants in the IT Army incur both geopolitical and individual risks. A successful attack against Russian infrastructure could give Russia a reason to retaliate in an unpredictable manner. In cyberspace, the threshold of violence for state retaliation is not yet codified, so it is difficult to predict how much damage caused by a cyber-attack will give rise to a military response. Moreover, cyberattacks tend to have unintended consequences, as we saw with the Viasat hack.
On an individual level, amateur hackers taking part in the IT Army risk exposing themselves and their personal information to groups of Russian hackers. Russian supporters have already launched a doxxing campaign, Project Nemesis, in response to the IT Army. This initiative is another Telegram channel and a website where the photographs and personal details of individuals fighting on behalf of Ukraine are posted. The thousands of followers in this channel are encouraged to mock and harass the people exposed. Members of the Ukrainian military and secret service are the main targets, but the hundreds of individuals exposed also include volunteers assisting in the fight against Russia.
Hence, aspiring members of the IT Army must be aware that they risk exposing themselves and their families to crowdsourced harassment from enraged supporters of Russia. It is essential that they be mindful of their digital footprint. In her article about Project Nemesis, Elise Thomas highlights that this mass doxxing is used as a form of psychological and information weapon. Hence it is no surprise that several western officials strongly discourage their population from joining the IT Army.
The first trap of the IT Army
The first risk of joining the IT Army lies in the search for the channel on Telegram. If you enter the terms “IT Army” in the search function of the Telegram application, the actual group does not appear in the list of results (Figure 2). Moreover, if you look for the exact handle of the group (@itarmyofukraine2022), the official group still does not appear.
Instead, the first result is an almost-perfect replica of the IT Army channel. The handle is almost the same: @itarmyukraine2022, only missing the word “of”. The visuals are almost identical: both channels have the title “IT ARMY of Ukraine” and the same profile picture, and both descriptions were the same on March 10th (the original channel has changed its description since, and the replica is no longer active). Even more misleading, from the creation of the channels to March 10th, both published exactly the same messages within a few hours of each other.
It is clear that the @itarmyofukraine2022 channel is the official group: it has 251 130 subscribers whereas its replica counts only 15 238 (as of 29/06, Figure 3), and no messages have been posted in the replica since March 10th. Interestingly, unlike all the other messages of the channel, the last message in @itarmyukraine2022 does not match any of the messages posted on the official IT Army channel (Figure 4). It also contains a file called “Disbalancer”, which is the name of the software developed by the Ukrainian team to organize their attacks. When put through VirusTotal, the compressed file did not show any sign of malware. However, as this message comes from the replica and not from the original channel, it would be ill-advised to open it.
Word of advice
The first conclusion to draw from this article is that Telegram users must be mindful of all the details of the channels they join. Slight changes make all the difference between an official source and a good replica. There can be an added or missing article, numbers instead of letters and vice versa, or just a single character difference. So check twice that you have the correct username.
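The username check described above, as an added example that is not part of the original article: it compares a handle against the one you trust and labels exact matches, digit/letter or underscore disguises, and near-duplicates such as a missing word. The swap table, the edit threshold and every sample handle other than the two named in the article are assumptions constructed for illustration.

```python
TRUSTED = "@itarmyofukraine2022"  # official handle as given in the article

# Digit-for-letter swaps often seen in lookalike names (assumed table, not exhaustive).
SWAPS = str.maketrans("013457", "oleast")

def canon(handle: str) -> str:
    """Telegram usernames are case-insensitive; drop the leading @."""
    return handle.strip().lstrip("@").lower()

def fold(handle: str) -> str:
    """Collapse underscores and digit/letter swaps so disguised twins compare equal."""
    return canon(handle).replace("_", "").translate(SWAPS)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute) with two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def classify(candidate: str, trusted: str = TRUSTED, max_edits: int = 3) -> str:
    """Return 'match', 'substitution', 'near' or 'unrelated' for a candidate handle."""
    c, t = canon(candidate), canon(trusted)
    if c == t:
        return "match"
    if fold(candidate) == fold(trusted):
        return "substitution"   # same name once swaps and underscores are undone
    return "near" if edit_distance(c, t) <= max_edits else "unrelated"

if __name__ == "__main__":
    samples = [
        "@itarmyofukraine2022",     # official handle (from the article)
        "@itarmyukraine2022",       # replica handle (from the article)
        "@itarmy0fukraine2022",     # constructed: zero in place of "o"
        "@it_army_of_ukraine2022",  # constructed: added underscores
        "@weatherupdates",          # constructed: unrelated handle
    ]
    for handle in samples:
        print(f"{handle:28} {classify(handle)}")
```

Anything other than "match" means the handle is not the one you trust, and "substitution" or "near" means it closely resembles it and deserves the checks on subscribers, language and posting times.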
It is also helpful to check for unusual signs such as the number of subscribers, the language used, the time when messages are posted. If any of these does not match what you expected, check again that you are on the right channel.
Finally, additional tools like custom search engines (CSE) can be used for searches on specific sites. For Telegram, Telegago will show you all the pages on Telegram that have been indexed by Google. This tool does not replace the search function of the app but it is a good complement. In our case, Telegago does show the official IT Army channel in the first result for the search “IT Army”.
Overall, keep an eye out for fake channels and if you decide to join the IT Army, make sure you have taken all the risks into account.