What do hackers risk by joining the ‘IT Army of Ukraine’?

Illustration: Si Weon Kim

A government-backed push in Ukraine to get grassroots support for hacking Russia is raising legal and ethical questions.

People around the world are finding ways to support Ukraine during its conflict with Russia. Some are sending money; others are taking in refugees. Still others have joined the so-called IT Army of Ukraine to, as Vice Prime Minister Mykhailo Fedorov put it, “continue to fight on the cyber front.”

Close to 300,000 people have subscribed to the IT Army of Ukraine channel on Telegram. The number of hackers participating in the “operational tasks” shared on the channel is likely much lower, but independent hacktivists also claim to be targeting Russia with attacks of their own.

Many in the infosec community have pointed out that conducting operations for the IT Army of Ukraine — whether it’s a DDoS attack on Russian government websites, attempts to disrupt critical APIs, or something else — is illegal in the vast majority of participants’ home jurisdictions. Could hackers looking to support Ukraine face legal repercussions as a result?

“So far, I don’t see any indication that there is a political appetite in Western countries to prosecute anyone for conducting operations against Russia’s digital infrastructure,” Stefan Soesanto, senior cyber defense researcher at ETH Zurich’s Center for Security Studies, told README.

Soesanto noted that many Western countries have allowed retired members of the military to travel to Ukraine to participate in more traditional warfare. It’s unlikely, he said, for those same countries to prosecute hackers for lending their aid to the IT Army of Ukraine from the comfort of their homes.

“That being said, it’s unclear to me whether this legal double standard also applies to people that conduct operations from abroad against Ukraine’s digital infrastructure in Ukraine and in third-countries,” Soesanto said. “My advice: If you do it, don’t get caught. If you get caught, get the best lawyer you can afford, and hope that you are sitting in a country that does not extradite to Russia or Ukraine.”

The U.S. Department of Justice did not respond to a request for comment about the consequences American hackers could face for assisting the IT Army of Ukraine or hacking Russian targets.

But the fallout from participating in such activities wouldn’t be limited to the courtroom. Several cybersecurity experts, such as Dragos director of incident response for North America Lesley Carhart and ex-NSA hacker Jake Williams, have said that amateur hackers might interfere with official cyber operations.

“Even low-capability actors have a possibility of getting lucky,” Cisco Talos said in a blog post about this issue, “and if they get lucky in the wrong place, real-world consequences could come into play. These groups may be mistaken for state-sponsored organizations, without understanding what kind of reactions they might trigger. This is our greatest concern, that the response to a misattributed attack will lead to an escalation in the conflict.”

This isn’t speculation. A hacking group called NB65 claimed this month to have interfered with the Russian Space Agency’s satellites:

Russia denied the claims, but the head of the country’s space agency also said that if such an operation were successful, it would be considered an act of war, the Interfax news agency reported. Moscow is facing crippling sanctions, raised its nuclear readiness level, and is finding it more difficult to subdue Ukraine than anticipated.

Jon Callas, director of technology products at the Electronic Frontier Foundation, told README that the chance of escalation is part of the problem with joining a hacktivist army. “At what point are you just getting in the way or making a bad situation worse?”

Hackers leading cyberattacks on Ukraine’s behalf aren’t just risking criminal charges; they also risk interfering with intelligence agencies’ work or further aggravating the conflict.

“This is the reason why I would recommend being extraordinarily careful before involving oneself into these sorts of things,” Callas said. “There are lots of ways to help Ukraine, including stuff as simple as donating to the Red Cross or [other organizations]. That’s a way you can do good.”