ETH Zürich CSS report: “The IT Army of Ukraine: Structure, Tasking, and Ecosystem”

This Zurich-based Center for Security Studies Cyberdefense Report by Stefan Soesanto provides the first-ever comprehensive analysis of the IT Army’s structure, tasking, and ecosystem.

The IT Army of Ukraine was stood up in an ad-​hoc manner without a clearly structured and proven plan. Born out of necessity, the IT Army subsequently evolved into a hybrid construct that is neither civilian nor military, neither public nor private, neither local nor international, and neither lawful nor unlawful. 

Overall, both Kyiv and the Ukrainian IT community at large have shown the world what digital diplomacy on steroids looks like.

Highlights 

  • For several years prior to the Russian invasion on 24 February 2022, the principal idea of creating a cyber volunteer army had been bouncing around in Ukrainian government circles. In part, those discussions were informed by the success of the Estonian Defence League’s Cyber Unit and other efforts around the globe to organize, incorporate, and surge civilian IT volunteers into existing military structures in times of need.
  • In contrast to these well-established and purely defensive cyber volunteering efforts, the IT Army of Ukraine was stood up in an ad-hoc manner without a clearly structured and proven plan. Similarly, the absence of a Ukrainian military cyber command likely also pushed Kyiv to think creatively about how to combine its nascent military and intelligence cyber capabilities with a massive, willing, and global civilian IT community in the defense of the nation. Born out of necessity, the IT Army subsequently evolved into a hybrid construct that is neither civilian nor military, neither public nor private, neither local nor international, and neither lawful nor unlawful.
  • The IT Army consists of two parts: (1) a continuous global call to action that mobilizes anyone willing to participate in coordinated DDoS attacks against designated – primarily civilian – Russian infrastructure targets; and (2) an in-house team likely consisting of Ukrainian defense and intelligence personnel that have been experimenting with and conducting ever-more complex cyber operations against specific Russian targets. Both parts of the IT Army are purely offensive in nature and serve to bring willing amateurs (civilians) and dedicated professionals (civilian, military, intel) into one – most likely – hierarchically organized structure.
  • In addition, the IT Army has also given rise to an ecosystem that includes Ukrainian-owned IT companies and individuals located outside of Ukraine, as well as Ukrainians living in Ukraine working for Western companies. This ecosystem has been continuously creating new tools, generating know-how, identifying new targets, and fulfilling other intelligence support functions to underpin Ukraine’s offensive efforts in cyberspace.
  • The creation of the IT Army of Ukraine begins with Yegor Aushev, a well-known Ukrainian IT entrepreneur and the co-founder of three companies that have become increasingly relevant amidst the eight-year-long war with Russia – CyberUnit.Tech, Cyber School, and Hacken.io. Sometime between 24 February (the day of the Russian invasion) and 26 February, Aushev pitched the idea of a cyber volunteer army to Mykhailo Federov, Ukraine’s 31-year-young Minister of Digital Transformation.
  • Around the same time, Aushev also embarked on assembling a 1,000-strong Ukrainian cybersecurity volunteer group at the request of a senior Ukrainian Defense Ministry official. Aushev facilitated the latter on Twitter and in various hacking fora by posting a Google Docs application form to gauge an applicant’s skill level and area of expertise. According to Aushev, this group of around 1,000 Ukrainian cybersecurity volunteers would be divided into an offensive and a defensive group. Talking to Reuters on 24 February, Aushev elaborated that the defensive group will be “employed to defend infrastructure such as power plants and water systems,” and the offensive group would help “Ukraine’s military conduct digital espionage operations against invading Russian forces”. As Aushev put it, “we have an army inside our country. […] We need to know what they are doing”. As of this writing, the ratio between these two groups is still unknown.
  • Inspired by Aushev’s idea of an army of cyber-volunteers, Federov took to Facebook on 26 February at 9.00 a.m. CET and posted the following message in Ukrainian: “We have a lot of talented Ukrainians in the digital sphere: developers, cyberspecialists, designers, copywriters, marketers, targetologists, etc. We are creating an IT army. All operational tasks will be presented in the telegram channel: t.me/itarmyofurraine. There will be tasks for everyone”. Federov posted the same message in Ukrainian on his verified 170,000-subscriber-strong Telegram channel. And at 7.38 p.m. CET his verified Twitter account tweeted in English that: “We are creating an IT army. We need digital talents. All operational tasks will be given here: t.me/itarmyofurraine”.
  • On 10 June, the IT Army subscriber count stood at 259,225. So, how many members does the IT Army really have? Nobody actually knows, not even the IT Army itself. What the IT Army does know – or more precisely put – what the IT Army’s coordination team and Telegram channel administrators know, is the exact number of people that have directly approached them to offer their skills and time via the IT Army’s Gmail account and Google Docs contact forms. As of this writing, that number has not been publicly disclosed.
  • In an interview with Ukrainian outlet Media Sapiens in late March, Mstislav Banik, the Head of Electronic Services Development at the Ministry of Digital Transformation, explained that “all tasks are formed by channel curators, who distribute them in the channel for volunteers. Anyone can subscribe to the project’s telegram channel and receive assignments”.
  • Four examples illustrate how the visible part of the targeting flow works in practice. The first example is on “simple tasking”. The second example is on what is best described as “target enrichment.” The third example is “external clustering”, which is when the targeting information fails to circulate widely and only survives in a small cluster of channels and chats. The fourth example is on what might be adequately termed “ad hoc prioritization” – bits and pieces of targeting information pop up now and then in various channels and chats but are only consolidated at a much later point in time, when the target is designated high priority by the IT Army.
  • According to the Russian Foreign Ministry, “as of May 2022, over 65,000 ‘sofa hackers’ from the USA, Turkey, Georgia, and EU countries regularly took part in coordinated DDoS attacks on [Russia’s] critical information infrastructure”.
  • Overall, the IT Army has been primarily utilizing the coordination document as an introductory guide for newcomers, which is why it included two DDoS attack level categories: “attack: simple level” and “attack: advanced level”.
  • So how tightly is disBalancer interwoven with Hacken and the Ministry of Digital Transformation? Well, the disBalancer team leaders are prominently displayed on their website. They include Serhii Dovhopolyi, who works as tech lead and is also on Hacken’s Kyiv-based R&D team. Oleksandr Horlan is operations lead, and he also works for Hacken in Kyiv as a penetration tester and security analyst. Dyma Budorin serves as advisor and is also the co-founder and CEO of Hacken. Finally, Denis Ivanov is an advisor and also the Head of the Expert Group at the Ministry of Digital Transformation. The disBalancer website’s privacy notice similarly explains that “we are Hacken OÜ, located at Kai tn 1-5M, Tallinn city, Harju county, 10111, Estonia”. This is the physical address of Hacken’s headquarters in Estonia, a NATO and EU member state.
  • While the program [HackenProof] does not pay any bounties, it is important to understand that for a long time, ethical hackers “could face fines of up to $42,000 USD or even three years in prison for trying to detect bugs in the computer systems of the Ukrainian parliament, ministries, or state companies”. Only on 21 April, roughly seven weeks after HackenProof initiated its defensive bug bounty program, did the Ukrainian Parliament adopt the law on “Amendments to the Criminal Code of Ukraine to Increase the Effectiveness of the Fight against Cybercrime in the Conditions of Martial Law”, which tweaked the criminal code to enable bug bounty programs for the public sector. As of this writing, it is still unclear whether HackenProof’s bug bounty program ever ran afoul of Ukrainian law or whether Hacken’s physical location in Estonia shielded it from prosecution. It is also unknown whether the program was supported by members of the Ukrainian government, or how exactly HackenProof streamlined its information flow to contact the multitude of Ukrainian authorities and companies affected.
  • Apart from HackenProof’s two bug bounty programs, Yegor Aushev also started his own bug bounty program called “Hack/Fuck Russia”, which ran its first phase from 1 March to 10 March. It was financially supported by Aushev’s Kyiv-based Cyber Unit Tech company with a donation of 100,000 USD. Curiously, the bug bounty announcement also included a Tether wallet address for donations. To date, that wallet has received a combined 70 Tether, which is a mere 70 USD (Tether is pegged 1:1 to USD). Yet, in an interview with The Record, a Cyber Unit Tech representative explained that “our company has contributed the initial $100,000, but we see participation and contribution from all over the world. The amounts are very, very significant and might be one of the biggest bounties ever, maybe the biggest ‘unofficial’ bounty”.
  • As of 21 April, neither Aushev nor CyberUnit.Tech has announced the start of phase two of their bug bounty program. It is unknown whether the program actually paid out any bounties or to whom any of the reported vulnerabilities were forwarded. Given Aushev’s closeness to the Ukrainian government and CyberUnit.Tech’s strategic partners – which include the National Security and Defense Council of Ukraine – we can infer with some level of confidence that the vulnerabilities might have ended up in the hands of the Ukrainian Ministry of Defense, the intelligence services, or the IT Army.
  • As of this writing, it is still unknown how large the IT Army’s in-house team is, or who exactly is tasking and feeding them information. The in-house team likely consists of members located in Ukraine and Ukrainians living abroad. As of this writing, the IT Army has open vacancies for pentesters, desktop developers, hackers, system administrators, graphic designers, and, most importantly, connoisseurs of English.
  • Open-source intelligence researcher CyberKnow has assembled the most comprehensive overview of all the different hacking groups/individuals that have popped up since the Russian invasion. On 1 May, CyberKnow identified 74 active groups/individuals: 46 pro-Ukraine, 26 pro-Russia, and two whose allegiance is unknown.
  • Apart from the IT Army’s DDoS cooperation with a variety of groups on Telegram, very little is known about how the IT Army views groups such as the Belarusian Cyber Partisans and the numerous sub-groups that are operating under the banner of Anonymous.
  • The Partisans were formed back in September 2020 in reaction to the protests and subsequent violent crackdown following the contested presidential election in Belarus.
  • By contrast, Anonymous is an umbrella term for a decentralized collection of activities that feed into the global Anonymous movement and its diffuse ideology. Following the Russian invasion of Ukraine, several prominent Anonymous information hubs on social media accounts announced the beginning of Operation Russia or #OpRussia. Generally speaking, each Anonymous group/personality conducts their own operations.
  • The first item to note is that both the Belarusian Cyber Partisans and almost all groups operating under the banner of Anonymous are primarily active on Twitter. The IT Army, by contrast, exclusively operates on Telegram. That being said, the closest to an official IT Army representative on Twitter is an account called sudo rm -RF (@sudormRF6), who says that he represents the “Ukrainian Cyber Front”.
  • So how does Anonymous’ outrage fit into the bigger picture? Looking at the dynamics and possible motives, it is highly likely that someone identifying with the Anonymous movement rebranded their account to pretend to be the IT Army on Twitter. The ITarmyUA account was then subsequently hyped by numerous Anonymous accounts to gain a massive Twitter following out of nowhere. The account was then utilized to provide legitimacy to the claims that Anonymous was actively cooperating with the IT Army, and by extension created the illusion that the Ukrainian government endorsed Anonymous’ actions.

Conclusions

  • The IT Army of Ukraine is a unique and smart construct whose organizational setup and operational impact will likely inform the art of cyber and information warfare in future conflicts. On the public side, the IT Army serves as a vessel that allows the Ukrainian government to utilize volunteers from around the world in its persistent DDoS activities against Russian government and company websites. As of 7 June 2022, this includes 662 targets. On the non-public side, the IT Army’s in-house team likely maintains deep links to – or largely consists of – the Ukrainian defense and intelligence services.
  • Overall, both Kyiv and the Ukrainian IT community at large have shown the world what digital diplomacy on steroids looks like.
  • Currently, it is unclear what kind of cyber operations the in-house team side is going to focus on in the future. But, if the evolutionary trajectory over the past 4 months is any metric to go by, Russian defenders will highly likely face a variety of experimental cyber ops that will try to produce more and more severe impacts and longer-lasting effects.
  • Overall, the hybrid setup the IT Army has mastered requires a healthy sense of paranoia and the need to take operational security extremely seriously – to guard against Russian infiltrators and information breaches. Particularly in times of war, discerning between who is a friend, a foe, and everything else in between is an inherently complicated task.
  • EU and NATO member states have equally failed to adapt to – or even grasp – what the IT Army really is. Western observers and governments still believe that it is just a collection of random volunteers conducting meaningless DDoS attacks against Russian websites. They have so far failed to see the underlying organizational structure, operational conduct, and wider ecosystem that underpins the IT Army and Ukraine’s fight in the cyber and information domain. For better or worse, continuing to ignore the essence of the IT Army will wreak havoc on the future stability of cyberspace and with it the national security landscape in Europe and beyond.

There are many questions this report leaves unanswered or can only answer with varying degrees of certainty. Time will tell how the IT Army evolves from here on out and whether history will judge this report as being both balanced and objective.

Read the full report