When the Russian military invaded Ukraine in a blitzkrieg of heavy weaponry, pro-Ukraine hacktivists looking to take down www.mil.ru met with something unexpected: an HTTP 418 error, in which a server declares it cannot complete your request because it is a teapot.
The teapot error is a decades-old April Fools’ joke occasionally repurposed to tell would-be hackers that their efforts have been foreseen and blocked. “It’s almost like giving a middle finger,” Amit Serper, the director of security research at Akamai, told BuzzFeed News. Akamai, like its competitor Cloudflare, runs much of the plumbing that supports the internet.
A few days later, the teapot error vanished, and mil.ru and websites of prominent Russian banks such as Gazprombank went dark for most internet users outside Russia. The government had geofenced key websites — meaning those outside the country couldn’t access these sites, and so couldn’t hack them.
“I assume the Russians realized that pretty much whatever they are trying to do to everyone else, the same thing can be done to them,” Serper said. “By geofencing you are making it impossible for someone outside Russia to reach all those targets.”
In other words, Russia had expected retaliation for its invasion of Ukraine and had already preempted the cyberattacks it suspected were coming — and come they did.
A day after the invasion began, Reuters reported that a prominent Ukrainian entrepreneur was working closely with his government to assemble a phalanx of volunteers for cyber offense and cyber defense. While the offense would conduct espionage operations, the defense would secure critical infrastructure such as Ukraine’s power plants and water treatment facilities that have been targeted by Russia in the past. Then Ukrainian Vice Prime Minister Mykhailo Fedorov called for volunteers to join a Telegram channel for the IT Army of Ukraine. “There will be tasks for everyone. We continue to fight on the cyber front,” Fedorov said.
Since then, social media accounts associated with hacker collectives and pro-Ukraine Telegram groups have claimed that groups such as Anonymous have taken some Russian websites and servers offline. Yet the Russian geofence and Russia’s own long history of spreading disinformation have made it difficult to confirm the extent to which these websites were hacked and, if so, how long it took before they were restored.
Yet even if the claims of hackers are true, security experts are circumspect about the consequences of crowdsourced attacks.
“A lot of people are fantasizing that these hacktivists can just go do the same type of attack that the Russian threat actors did in 2015 and 2016, and go shut off power to these areas,” said Jake Williams, a cybersecurity expert who has worked with the US government and has analyzed Russia’s 2015 malware attack on Ukraine’s power grid. “The thing that they're missing is that that was a state operation that required just millions and millions of dollars in research and months of time that this ragtag group of civilians doesn't have.”
Crowdsourcing a cyber defense for critical infrastructure is even more complicated, as asking volunteers to defend a vital asset would involve first giving them access to it.
“Nobody's ever crowdfunded or crowdsourced cyber defense before. So we're in uncharted territory,” Williams said. “You have the obvious potential problem of ‘Do you trust these people in your infrastructure?’”
Thus far, most of the exploits against Russia this week by hacker collectives such as Anonymous have been restricted to what security experts call distributed denial-of-service (DDoS) attacks — in which hackers crash a server by inundating it with fake traffic — or defacement attacks, in which hackers vandalize websites. Prolonged DDoS attacks against vital targets such as banks can be damaging, but most businesses and governments are now pretty good at bringing these services back online within a few hours.
Williams likened these actions to a cyberprotest rather than an attack. Yet, global protest and international solidarity have served as a weapon of choice for civilians as long as there has been war, and the case of Ukraine is no different.
Dmytro Zolotukhin, Ukraine’s former deputy minister for information policy, is not involved in coordinating hackers targeting Russian websites. Instead, he said he was working with international volunteers on the painstaking but important task of fighting disinformation and using open source investigations to document evidence of war crimes for future prosecutions. Highlighting the tragic consequences of Russian shelling of civilian areas can also put pressure on Western governments.
On Monday, the prosecutor of the International Criminal Court in The Hague said he would investigate the possibility that Russia had committed war crimes in Ukraine, a day after Lithuania called on the ICC to do so. In Ukraine, Zolotukhin called upon volunteers from around the world to crowdsource images and videos and use open source investigative techniques to rigorously document possible atrocities by Russian forces — in preparation for a future when the war in his country would abate, and the aggressors would be brought to account.
For now, Zolotukhin said, every act of resistance was important.
“Maybe someone will just go to the streets and shout, ‘Stop war now.’ Maybe he will hack a Russian website and put a poster on the website saying, ‘Stop war,’” Zolotukhin said.
“I don’t care about the scale. The idea is that a person has left his space of comfort to contribute to the kind of world he wants to live in.”
Yet as missiles and heavy artillery pound civilian centers and Russia continues to pour fresh forces into Ukraine, the limits of cyber volunteering are painful to some. “It's too early to write about IT Army,” a cybersecurity professional in Ukraine said in a LinkedIn direct message. “We must win [against] Russians first.”