“This site can’t be reached.”
That was the message greeting visitors to dozens of Ukrainian websites on Wednesday afternoon.
From 16:00 local time webpages for banks and government ministries started going down.
Naturally, fingers quickly pointed towards Moscow – Russia’s cyber army once again accused of hacking to spread fear and confusion online as troops massed on Ukraine’s borders.
But the BBC has learned that at least some of the cyber-attacks that afternoon and since have come not from the Kremlin but from groups of so called “patriotic” Russian hackers.
They work in small groups without direct orders from the Russian state and are intent on adding to the chaos in cyber-space.
By day, Dmitry (not his real name) works for a respectable Russian cyber-security company.
On Wednesday afternoon he finished work helping protect his customers from malicious hackers and went home for the night.
But while watching the unfolding cyber-attacks against Ukraine, he decided to assemble his hacking team and get stuck in.
“Considering everyone is attacking Ukraine servers. I am thinking we should cause some disruption too?” he posted on social media.
He says his team of six hackers then temporarily brought down a number of Ukrainian government websites, by flooding servers with data in denial of service (DDoS) attacks.
The BBC witnessed the crew temporarily take one Ukrainian military web page offline.
Dmitry says they communicate on encrypted channels and “never speak in person” even though two of them work at the same cyber-security firm.
“If my employer found out I would not have a job,” he says.
This wasn’t the first bit of vigilante hacking the group had done in recent days.
In the past week, Dmitry says they have carried out DDoS attacks, emailed 20 bomb threats to schools, hacked into the live dashboard feeds of an unidentified Ukrainian “rapid response team” and found a way to set up official emails using a Ukrainian government email service.
The BBC was able to confirm that they have control of at least one email address ending @mail.gov.ua. The hackers say they plan to use it to carry out targeted phishing attacks.
More attacks coming
They are also warning of more disruption and distress as they release stolen undisclosed data.
“This is just the beginning,” says Dmitry, over an encrypted call, using a voice distorter. “You’ve got to understand we are being careful and watching what we do at the moment. We could launch ransomware but we haven’t yet.”
Ransomware attacks which scramble the data on computer networks are far more serious than the sorts of things Dmitry’s team have done so far.
Ethical hacker and cyber-security lecturer Katie Paxton-Fear has looked over the material the hackers have shared.
“These hackers appear to be targeting known vulnerabilities. It’s like they’ve got a huge pair of binoculars and are trying to find weak points in any Ukrainian system they can find.
“The hacking they are doing isn’t very sophisticated, but that doesn’t mean their attacks won’t cause a potential distraction to security teams who are already very busy and stressed.”
Ukraine has been repeatedly hit by low level cyber-attacks since the start of the year.
Cyber attacks at a glance:
- On Friday 14 January about 70 government websites were hit with a DDoS attack. Some displayed a message warning Ukrainians to “prepare for the worst”. Access to most of the sites was restored within hours. Kyiv blamed Russia for the attacks.
- On 15 and 16 February more DDoS attacks temporarily took down websites for two banks and the Ukrainian army. The UK and US said that the Russian Main Intelligence Directorate (GRU) was almost certainly involved”.
- On Wednesday 23 February websites for numerous government ministries and financial services organisations were hit with another wave of DDoS attacks. Security researchers also discovered a more serious ‘wiper’ tool being used on a small number of computers to wipe all data from them.
- On Friday 25 February Ukraine’s cyber defence force issued a warning on social media about a widespread attempt to infect citizens with malicious software: “a phishing attack has started against Ukrainians! Citizens’ e-mail addresses receive letters with attached files of uncertain nature.” The authorities blamed Russian-allied Belarusian hackers.
Dmitry would not confirm his exact age or where he lives.
He says members of the crew are not worried about being caught and that in fact they hope that the Russian cyber-military is watching.
“I think there are certain people in our government who will be very pleased with what we’re doing.
“I would like to work with Russian cyber-authorities, but I would need to think about it first. I can tell you that one mistake could cost you your life when you work for them.”
He says he is motivated by the war and wants to “help beat Ukraine from behind my computer whilst they die in the streets”.
Reuters reported on Thursday that requests for volunteers had begun to appear on hacker forums, asking people to help protect critical infrastructure in Ukraine and to conduct “cyber-spying missions”.
One popular Twitter group run by members of the disparate hacker group, Anonymous, also posted on Thursday that it is “officially in cyber-war against the Russian government”.
Already some minor activity against Russia has been seen online.
Internet connectivity watchers NetBlocks tweeted on Thursday evening that “multiple government websites in Russia including the Kremlin and the State Duma have fallen offline”.
According to one source versed in underground hacker forums, a “Ukrainian cyber-army and a handful of Ukrainian hacktivists” caused disruption to Russian military website http://mil.ru/.
It’s not clear if the sites were forced offline globally or switched to only allow Russia-based computers to access them.
Russian government cyber-security authorities issued a rare alert to citizens and businesses saying: “In the current tense geopolitical situation, we expect an increase in the intensity of computer attacks on Russian information resources, including critical information infrastructure facilities.”
The warning echoes those of UK and US security teams who are warning of increased likelihood of so called “overspill” cyber-attacks that start in Ukraine and spread to other countries.
However, Andrew Morris, founder of Grey Noise Intelligence, says his researchers are seeing hacker attention concentrated overwhelmingly on one country.
“We’re seeing lots of computers around the internet that are probably trying to cause as much damage and hack as many computers located in one particular area as possible, and that particular area happens to be the country of Ukraine.”
He says hundreds of computers are constantly scanning Ukrainian networks for weaknesses. He is unable to say with certainty where they are located, but Russia must be among the prime suspects.
“Russia deploys their hackers in way that’s less ‘one big government organisation’ and more a group of people with overlap with criminals,” he says. “They’re good at causing problems for Russia’s strategic enemies. That scares me.”