Since the beginning of the full-scale Russian invasion of Ukraine, many cybersecurity experts have joined the Ukrainian cyber front. They carry out DDoS attacks on Russian resources, defacing Russian sites, taking their popular services offline, and even more drastic operations. One of the coordinators of such IT armies is Kharkiv cybersecurity specialist Mykyta Knysh. Since the beginning of the ATO (Anti-Terrorist Operation), he has been working in Ukraine’s Security Service’s (SBU) counterintelligence department and now runs a Telegram channel with tasks for 10,000 participants.
AIN.Capital talked to him about what cyber troops do during the war.
How did you put together the cyber army? Do you test the participants, the level of their skills?
I am a sociopath, and I don’t really like interacting with people, so I focus on people like me.
Back when I worked for the intelligence agencies (in the SBU), I caught crooks and hackers, so now I know where to look for them.
Basically, we started looking among Ukrainian and Russian online con artists and other similar people: Russians were offered credit cards by Russian banks in exchange for sharing information. TikTok videos about carding and other dubious schemes played out well: they engaged precisely the right audience. Then, among them, we singled out the proactive ones, who did it not for the sake of remuneration but for altruistic reasons. So, we had a body of people who had already started picking up Docker containers and other tasks.
Later we decided to bring everyone together on Patreon. Why? Because Russians don’t have access to credit card payments for foreign services. We donate the proceeds to the Armed Forces of Ukraine, and I regularly publish reports on my Telegram. For those who donated $1-2, we ask them to email us, set up an anonymous communication channel, PGP, ask them to create a virtual number for Signal, and then these people join together in small chats and groups and perform tasks.
We have volunteers of the 1st, 2nd, and 3rd levels of proficiency. The first level is the starting level — the more tasks the participant performs, the further they progress. Only those people who have reached the third level we invite to join the team. In this way, we develop a community of Ukrainian hackers.
So, we have both professionals who do serious things for us and so-called “students” who perform simple tasks and divert the attention of the Russian security services to their actions.
How effective is the cyber army? What can you tell usabout the Ukrainian cyber front? Can you give examples? Something like the defacement of the Russian Orthodox Church website or “taking down” the Russian Railways system.
Of course, we will not claim responsibility for these cases, but we did conduct similar “special operations,” though we will not tell you about them.
How effective? We have 10,000 people on one of our Telegram channels, and we measured that audience. We asked participants to publish information with certain trackers, and we can state the fact that in that sample, 1.56% of people are active (the same as in life).
With the growth of subscribers, this number has increased, and now 3.45% of people are actively completing all of the tasks that we have listed on the channel. We measure everything with the help of UTM tags. Also, we have connected our traffic direction system. Now we are converting all the work into the format of a closed site, which has been recently launched.
In particular, we collect there all the documents and guidelines for information and other attacks on Russian resources, DDoS. That is, we collect all the possible ways to harm Russia on one site. Plus, cybersecurity data.
During the war, it will be a kind of cyber jihad website where every cyberwarrior can find all the information on how to conduct cyber attacks on Russia. And after the war, it will be a cybersecurity school; I’ve been dreaming of kicking off such a project for a long time.
I can give you one superb example of our work. After the colossal drug forum — Hydra — was closed down, we spread the word that people had run away and left their pot stashes, and the first one to find it would be the first one to get it. And at the same time, we wrote to the Russian investigative agencies that groups of Ukrainian sabotage and reconnaissance groups would be working in those locations. So in this way, drug addicts would look for the drugs, Russians would look for sabotage and reconnaissance groups among them, and the Russian police would divert their attention to it.
Such campaigns are necessary when it is crucial to divert attention from the significant projects of our groups. Creating information noise is one of the important parts of our work on the Ukrainian cyber front.
Do you experience resistance, threats, or bribery attempts?
We encounter resistance on a regular basis. Federal Security Service agents texted me personally, threatened me, and showed me pictures of documents that I could have sent via “VKontakte” before 2013. Once, a spy infiltrated the participants and complained about our Google Doc with the structure of the website.
But in general, all this is ineffective. We use many means to detect such infiltrators. And at the first and most accessible level, the tasks are so public and straightforward that their leakage is not a problem. It is already impossible to get to the second level without completing the tasks of the first level and passing the vetting process.
We also counter them by listening to their hacking and cybersecurity conferences. So, for example, we learned that one of their big problems is insiders. We listened to that presentation, thanked them, and wrote a guide specifically for insiders – how to use an encryption virus to encrypt computers inside your system if you are a Ukraine sympathizer.
And so, we learn, we read, and to our neighbor we pay heed, yet we don’t neglect our own developments. They do the same thing, by the way.
Do you continue recruiting people?
Of course, we need to increase the size of couch troops. Here are our YouTube, Telegram, and TikTok pages. If you’re ready to engage in cyberterrorism of the Russian Federation — join our army. We really need “inglorious basterds.”