For those of you who know me, Henry was my basset hound, and the fictitious name used during (ahem) special research. I'm a former intelligence officer, a professional analyst, and a blogger since 2004 writing about my experiences on the journey -- information security, cyber intelligence, education, thoughts. Some love my writings, others hate them. If you like it, follow me!
Tuesday, November 25, 2014
13 strategies Ukrainian hacktivists use in their cyber war. Legal or tolerated.
Several Ukrainian hacktivist groups were (and are) active on the Ukrainian side this year in the ongoing conflict with Russia. As Eugene Dokukin and his "Ukrainian Cyber Forces" are pretty open about what they are doing, let's look at their 13 strategies, as there appear to be striking similarities to what CyberBerkut is doing on the Russian side. Also interesting to consider is how these groups manage to keep doing things that are more than likely illegal in their countries, and how the military can use them when needed.
Background: “Ukrainian cyber forces and individual pro-Ukrainian hackers have maintained online attacks on all Internet resources linked to insurgents in the eastern part of the country, whom the Kyiv (Kiev) government deems as terrorists. As of early November, the cyber forces claimed to have downed 46 sites belonging to the breakaway pro-Russian states of the Lugansk People’s Republic (LNR) and the Donetsk People’s Republic (DNR) via multiple denial-of-service (DDoS) attacks. The cyber warfare operation, titled “Retribution,” has been ongoing since mid-2014. Last month, pro-Ukrainian hackers leaked secret documents from the DNR, representatives of Russian nationalist organizations in Crimea, and representatives of government agencies from the Russian Federation.” http://uadn.net/2014/11/17/pro-ukrainian-cyber-forces-take-down-46-separatist-sites-and-target-online-money-accounts/
Pro-Ukraine hackers target e-currency accounts. The anti-insurgency cyber campaign has also moved beyond site attacks, with hackers targeting the financial networks of the DNR and LNR. A hacker at the forefront of pro-Ukraine cyber warfare efforts, Yevgeny Dokukin, has announced on his Facebook page that he managed to convince Russian online payment service Yandex Money to block the e-wallet of a notable group of DNR and LNR supporters last month. “Via my actions, I managed to stop the financing of terrorism through the Yandex Money system,” noted Dokukin via social media. However, fellow Russian electronic currency service WebMoney refused to cooperate with his blocking request. http://uadn.net/2014/11/17/pro-ukrainian-cyber-forces-take-down-46-separatist-sites-and-target-online-money-accounts/
- screenshot with Ukrainian Cyber Forces logo from their Youtube channel.
In the article on uapress[.]info/ru/news/show/48475, Ukrainian Cyber Forces leader Eugene Dokukin posted the 13 strategies his group has been using in this cyber war during the last 6 months:
1. Hacking separatists' and terrorists' sites.
2. Operation Retribution - blocking terrorists' sites with DDoS attacks.
3. Locking the accounts of terrorists in electronic payment systems.
4. Operation CyberStorm - locking phones with a flood of short messages.
5. Operation CyberHurricane - locking phones with a flood of calls.
6. Operation “Restore the Truth” - editing Wikipedia to counter Russian propaganda.
7. Operation “Blocked Freaks” - blocking blogs (particularly on livejournal) and sites of terrorists through support requests to livejournal and hosters.
8. Operation Bender - calling terrorists with threats and misinformation.
9. Operation “CyberStorm 2” - sending short messages with threats, disinformation and propaganda.
10. Operation “Bond, James Bond” - espionage operation, which involves listening to and recording audio and video information from the various headquarters of terrorists and webcams in Donbass and Crimea.
11. Operation “Turn off the Propaganda” - opposition to videos from terrorists on YouTube and other video hosting sites.
12. Operation “Crimea is Ukraine” - the return of control over all the Crimean government sites (preferably all Crimean sites in the domain zone ua), and spreading propaganda in Crimea through these sites.
13. Operation “Hunting for Trolls” - blocking accounts, pages and groups of terrorists and trolls in social networks.
As we can see, some of these methods are copied from what (pro-)Russian cyber forces were using earlier this year against Ukrainians. For example, CyberStorm, CyberStorm 2 and CyberHurricane are similar in effect to the Telephony Denial of Service (TDoS) attacks that we reported earlier... Only this time it's the Ukrainian side that is using them.
Eugene Dokukin is now open about his identity and gives interviews. When asked how they do things which are illegal according to Ukrainian law, he smiles: “Most of our work is legal. Closing accounts, websites and other resources of terrorists through complaints to electronic payment systems, domain and hosting providers, etc. - it's all legal. The only question may arise about hacking: hacking sites, email and social network accounts, as well as DDoS attacks on terrorists' websites. But officially, I don't know who of all of the fighters does it.” (http://uapress.info/ru/news/show/48475 - in Russian)
In general, Eugene Dokukin says that there are three levels in his forces: volunteers who do legal things like editing Wikipedia and writing complaints to providers; those who do illegal but simple things like DDoS attacks and other flooding; and, at the highest level in his group, people who do real hacking.
Speaking about his enemies, Eugene Dokukin cites information from SBU head Valentin Nalivaychenko that in the Russian FSB 18th Special Center there are 1500 personnel working full-time and using automatic systems for social networks to send messages and texts spreading panic. (http://uapress.info/ru/news/show/48475 - in Russian)
Eugene Dokukin (Yevgeny Dokukin, Rus. Евгений Докукин) aka MastLive
He has a “white hacker” background (http://www.interpretermag.com/hackers-join-in-the-struggle-for-crimea/). Before creating Ukrainian Cyber Forces, Eugene Dokukin was active in March fighting the Russian invasion. He hacked the Crimean Parliament site and posted "The referendum is canceled. Crimea continues to be a part of Ukraine. Everyone can go home, and Russian troops can return to their country." A few days later Dokukin also “dismissed” pro-Russian Crimean leaders Aksenov (prime minister) and Konstantinov (speaker). In its recent efforts to block pro-Russian financing, Ukrainian Cyber Forces claims to have closed 128 terrorists' accounts holding over $1 million. (http://uapress.info/ru/news/show/48475 - in Russian)
Ukrainian law enforcers know Eugene Dokukin and his group. They don't give him any visible trouble over those of his activities that are not in accordance with the law. Nor do they confirm that he is working for the government. But speaking anonymously, one of the law enforcers said to Focus.UA: “Intelligence agencies often use the services of hackers in exchange for a guarantee of immunity. This does not mean that it's how things are in Dokukin's case. But one can easily frame him: the bank will order a security audit - "network vulnerability pentesting" - and the contract is made. But one security officer in the bank is told about it, others - no. The latter, seeing the external interference, scanning and active attempts to crack, report to authorities about unauthorized access to the system. And then the hacker will be "proving long and tedious that he is white and innocent."” (http://focus.ua/country/319358/ - in Russian)