| Type of site | Hacktivism |
|---|---|
| URL | fb |
The Ukrainian Cyber Alliance (UCA; Ukrainian: Український кіберальянс, УКА, romanized: Ukrainskyi kiberalians, UKA) is a community of cyberactivists from Ukraine and around the world. The UCA was formed in the spring of 2016 by the merger of two cyberactivist groups, FalconsFlame and Trinity. It was later joined by the RUH8 group and individual activists from the CyberHunta group,[1] hacktivists who joined together to counter Russian aggression in Ukraine.[citation needed]
The hacktivists began engaging in cyber activities aimed at protecting Ukraine's cyberspace in the spring of 2014.[2] Over time, the hacktivists began to conduct joint operations with Ukraine's government. Gradually, some hacker groups united in the Ukrainian Cyber Alliance, in accordance with Article 17 of the Constitution of Ukraine, with an aim of defending the independence of their country and its territorial integrity.[3][4][5] The Ukrainian Cyber Alliance exclusively transmits extracted data for analysis, reconnaissance, and publication to the international intelligence community, Inform Napalm, as well as to the law enforcement agencies of Ukraine.[6]
In the spring of 2016, the Ukrainian Cyber Alliance conducted Operation #opDonbasLeaks. The UCA conducted approximately one hundred successful hacks of websites and mailboxes belonging to militants, propagandists, and their curators, operating in the occupied territories. Among the targets was the mailbox of the Russian organization, "Union of Volunteers of Donbas."[citation needed]
From this, they obtained passport data and photo documents of Spanish, Italian, Indian, and Finnish citizens, who were fighting in the Prizrak Brigade, for which Russia grants and, if necessary, extends visas.[7] It was reported that Russians injured during the fighting in eastern Ukraine were treated in military hospitals operated by the Ministry of Defense.[8][9]
On 29 April 2016, the Inform Napalm website, in a call to the UCA, reported on the hacking and interface of the Abkhazian Network News Agency (ANNA News).[10] As a result of the hacking, the site was non-functional for approximately 5 days. The hacktivists posted their first video message on the site's pages,[11] stating that the website had been a Russian terrorist site and that they had removed all its confidential information and backups, transferring it to Inform Napalm and the Ukrainian special services. The message also called for solidarity for those from Georgia, Ukraine, and Syria, asking that they support each other in the face of aggression from the Russian Federation.[citation needed]
On May 9, 2016, the UCA conducted Operation #OpMay9.[12][13] Nine sites of the Donetsk People's Republic (DNR) and Russian private military companies (RPMCs) were hacked. The broken sites were left with the hashtags #OpMay9 and #oп9Травня, along with three short videos about World War II and Ukrainian contributions to the victory over Nazism – something the UCA described as the "serum of truth".[14] The hacktivists also posted their new video message on the pro-Russian sites they dubbed 'terrorist sites'.[15] The message gave more details on the ANNA News attack, stating that ANNA spread lies against Georgia, Ukraine, and Syria. It also carried a patriotic message for Victory Day, comparing Russian aggression to past enemies, and promised that the information network of "Russian terrorists in Donbass will be paralyzed".[citation needed]
On May 18, 2016, the day of remembrance of the deportation of the Crimean Tatars in 1944, the UCA conducted Operation #opMay18.[16][17] It targeted the website of the head of the Republic of Crimea, Sergey Aksyonov, posting a fraudulent message pretending to be him:[18]
Dear citizens of Crimea, today I propose that we honor the memory of those difficult days in 1944 and make every effort to prevent such tragic events from happening again. Currently, the international situation is such that in 2017, Russians can be deported from the Crimea. In conclusion, I am delighted that the Crimean Tatar singer Jamala won the Eurovision 2016 contest, and I look forward to the successful hosting of Eurovision 2017 in Ukraine, specifically in the Crimea.
— Ukrainian Cyber Alliance (UCA)
The UCA hacked the website of Pervy Kanal (Channel One Russia) as part of a project to force Russia to stop occupying the Donbass region and fulfill its obligations under the Minsk agreements.[19] Details of Pervy Kanal propagandist Serhiy Zenin's cooperation with Russia Today, a Russian state-owned propaganda network, were also revealed, along with documentation of Zenin's salary and lavish lifestyle.[20] Twenty-five videos of DNR members shooting in the settlement of Nikishine were found in Zenin's cloud storage.[21]
In 2016, on the eve of Constitution Day, the UCA conducted Operation #opDay28.[22] 17 websites belonging to Russian terrorists were hacked to play another Lviv Metro video,[23] which purported to be from the leader of the DNR, O. Zakharchenko:[24]
On June 28, Ukraine celebrates another anniversary of the adoption of the Constitution. But now, this holiday is overshadowed by the conflict in Donbas, which we, inferior fools, have resolved and caused numerous violations of the constitutional rights of normal citizens. I have to admit that, despite the work done by my stupid press service and loyal, sly dogs of the MDB DNR, the whole world sees that we started playing not in our sandbox, because of which the civilian population of Donbass suffers and dies. The truth is that Rashka has once again framed us and is trying to squeeze the Donbass after the Crimea with our own hands. I personally apologize to all the people of Ukraine for their idiocy, and I hope that this anniversary of the Constitution of Ukraine will be a turning point in the relations of Donbass with its Motherland - Ukraine! Contrary to racist propaganda, we are cured of schizophrenia, and the Ukrainian constitutional order will prevail in the Donbass!
In July 2016, the UCA hacked the document management server of the Department of the Ministry of Defense of the Russian Federation, and made defense contracts, which were executed during 2015, public.[25] The negligence of Russian Rear Admiral Vernigora Andrei Petrovich largely determined the operation's success.[26] At the end of November 2016, the UCA broke into the Ministry server a second time and obtained confidential data on the provision of the state defence order of 2015–2016. According to analysts at Inform Napalm, the documents indicate that Russia is developing a doctrine of air superiority in the event of full-scale hostilities with Ukraine, citing the amount allocated for maintenance, modernization, and the creation of new aircraft.[27]
Before Programmer's Day, UCA conducted Operation #op256thDay, in which more than 30 sites of Russian foreign aggression were destroyed. On many propaganda resources, the hacktivists embedded an Inform Napalm video demonstrating evidence of Russia's military aggression against Ukraine.[28][29]
The activists gained access to the postal addresses of 13 regional branches of the "military commandant's office" of the DNR in Operation #OpKomendant. For six months,[30] the data from the boxes was passed for analysis by Inform Napalm volunteers, employees of the Peacemaker Center, the Security Service of Ukraine, and the Special Operations Forces of Ukraine.[31]
In October 2016, the UCA obtained 240 pages of e-mail correspondence of the leader of the Prizrak Brigade, Aleksey Mozgovoy. Judging by the correspondence, Mozgovoy was entirely under the control of an unknown agent with the codename "Diva".[32]
The UCA obtained data from the devices of Arsen "Motorola" Pavlov, leader of the Sparta Battalion, and his wife, Olena Pavlova (Kolienkina). In the weeks leading up to his death, Pavlov was alarmed by the conflict with Russian curators.[33]
In October 2016, the UCA accessed the mailboxes of Vladislav Surkov, the political advisor of Vladimir Putin, regarding relations with Ukraine. Inform Napalm published the leaked emails in late October to early November.[34][35] The emails revealed plans to destabilize and federalize Ukraine, and demonstrated high-level Russian involvement from the start of the war in eastern Ukraine. A US official told NBC News that the emails corroborated information the US had previously provided.[36] The authenticity of the emails was confirmed by the Atlantic Council[37][38] and Bellingcat,[39] and was published by numerous Western news sources.[40][41][42][43][44][45][46][47][48][49][50][51][52] In the aftermath of the leaks, Surkov's chief of staff resigned.[53] Additional emails belonging to people in Surkov's circle were published in early November, detailing Russia's financing of the "soft federalization" of Ukraine,[54] recruiting in the Odesa region, and evidence of funding election campaigns in the Kharkiv region.[55] The emails stated that Yuriy Rabotin, the head of the Odesa branch of the Union of Journalists of Ukraine, received payment from the Kremlin for his anti-Ukrainian activities.[56] On April 19, 2018, the British newspaper The Times published an article stating that the SurkovLeaks documents exposed Russia's use of misinformation about the downing of Malaysia Airlines Flight 17 in order to accuse Ukraine.[57]
In November 2016, the UCA obtained emails from the DNR's "Ministry of Coal and Energy", including a certificate prepared by the Ministry of Energy of the Russian Federation in January 2016, which detailed the plans of the occupiers for the Donbas coal industry.[58]
Operation FrolovLeaks was conducted in December 2016[59] and revealed correspondence from Kyrylo Frolov, the Deputy Director of the CIS Institute (Commonwealth of Independent States) and Press Secretary of the Union of Orthodox Citizens, spanning the period from 1997 to 2016. The correspondence contains evidence of Russia's preparation for aggression against Ukraine (long before 2014).[60] It also revealed Frolov's close ties with Sergey Glazyev, the Russian president's advisor on regional economic integration, Moscow Patriarch Vladimir Gundyaev, and Konstantin Zatulin, a member of the Foreign and Defense Policy Council, an illegitimate[61] member of the Russian State Duma, and director of the CIS Institute. The letters mention hundreds of others connected with the subversive activities of Russia's fifth column organizations in Ukraine.[citation needed]
For some time, UCA activists monitored the computer of the Chief of Intelligence 2 AK (Luhansk, Ukraine) of the Russian Armed Forces. This officer sent reports with intelligence obtained from regular Russian unmanned aerial vehicles (UAVs) – Orlan,[62] Forpost,[63] and Takhion[64] – which were also used to adjust artillery fire. Documents have also been published proving the existence of the Russian ground reconnaissance station PSNR-8 "Credo-M1" (1L120) in the occupied territory.[65] In July 2017, based on the obtained data, additional reconnaissance was conducted on social networks and the Russian UAV Takhion (servicemen of the 138th OMSBR of the RF Armed Forces, Private Denis Alexandrovich Laptev and Corporal Artem Ivanovich Angalev).[66] The surveillance provided evidence of troop movements to the Ukraine border in August 2014.[67] A list of these soldiers, their personal numbers, ranks, exact job titles, and information on awards for military service in peacetime was published.[68] The operation also determined the timeline of the Russian artillery unit of the 136th OMSBR's invasion in the summer of 2014, from the moment of loading equipment to fortifying in the occupied territory of Ukraine in Novosvitlivka, Samsonivka, and Sorokine (formerly Krasnodon).[69]
In February and March 2017, the UCA exposed correspondence between Belarus citizen Alexander Usovsky, a publicist whose articles were often published on the website of Ukrainian Choice, and an anti-Ukrainian NGO backed by oligarch Viktor Medvedchuk.[70][71] Inform Napalm analysts conducted a study of the emails and published two articles[72][73] on how the Kremlin financed anti-Ukrainian actions in Poland and other Eastern European countries. The published materials caused outrage in Poland,[74][75][76][77][78][79][80][81][82] the Czech Republic,[83][84] and Ukraine.[85][86][87][88] In an interview with Fronda.pl, Polish General Roman Polko, the founder of the Polish Special Operations Forces,[89] stated his conviction that the anti-Ukrainian actions in Poland and the desecration of Polish monuments in Ukraine were inspired by the Kremlin. Polko said that the information war posed a threat to the whole of Europe and that Russia manipulated the Polish radicals.[90]
An analysis of hacked emails from CIS Institute (Commonwealth of Independent States) revealed that the NGO is financed by the Russian state company Gazprom. Gazprom allocated $2 million annually to fund the anti-Ukrainian activities of the CIS Institute.[91] The head of the institute, State Duma deputy Konstantin Zatulin, helped terrorists and former Berkut members who fled to Russia to obtain Russian passports.[92]
Access to O. M. Gorchakovan's mailbox, an employee of the Russian Foundation for Public Diplomacy, provided insight into the forms of Russia's foreign policy strategy. On the eve of the war, funding for a six-month propaganda plan in Ukraine reached a quarter of a million dollars.[93] Under the guise of humanitarian projects, subversive activities were carried out in Ukraine, Serbia, Bosnia and Herzegovina, Bulgaria, Moldova,[94] and the Baltic States.[95]
UCA activists gained access to the mailbox of Oleksandr Aksinenko, a Russian-Israeli citizen and telephone miner. The correspondence indicates that Aksinenko's terrorist activities are supported by the Russian Federal Security Service (FSB), which advised him to "work in the same spirit". Aksinenko also sent anonymous letters to the Security Service of Ukraine (SBU) and other Ukrainian institutions.[96]
At the end of 2017, the UCA and other IT specialists conducted a two-month action to assess the level of protection of Ukrainian public resources and to verify whether officials were responsible for information security.[97] Many vulnerabilities were uncovered in the information systems of government agencies. The activists identified and reported these vulnerabilities openly to those who could influence the situation. The activists noted the effectiveness of publicly shaming government agencies.[98] For example, it was discovered that the computer of the Main Directorate of the National Police in the Kyiv region could be accessed without a password, and that 150 GB of information was found on a network drive, including passwords, plans, protocols, and personal data of police officers.[99] It was also discovered that the Bila Tserkva police website had been compromised for an extended period, and only after the volunteers became aware of the issue did the situation improve. The State Service for Financial Monitoring had not updated their servers for 10 years.[100] Activists also found that the website of the Judiciary of Ukraine kept reports of the courts in the public domain. The Kherson Regional Council has opened access to the joint disk.[101] The CERT-UA website (Ukraine's computer emergency response team) posted a password from one of their email accounts.[102] One of the capital's taxi services was found to keep open information about clients, including dates, phone numbers, and departure and destination addresses.[103] Vulnerabilities were also revealed in Kropyvnytskyi's Vodokanal, Energoatom, Kyivenerhoremont, NAPC, Kropyvnytskyi Employment Center, Nikopol Pension Fund, and the Ministry of Internal Affairs (declarations of employees, including special units, were made public).[104]
The police opened a criminal case against "Dmitry Orlov", the pseudonym of the activist who publicized the vulnerabilities in a flash mob. They also allegedly tried to hack the Orlov website, leaving a message which threatened physical violence if he continued his activities. The activist deleted the website as it had fulfilled its function.[105]
UCA activists obtained records of orders to provide food for servicemen of 18 separate motorized rifle brigades of the Russian Armed Forces, who were sent on combat missions during the Russian occupation of Crimea.[106] Inform Napalm volunteers searched open sources of information for the social network profiles of servicemen named in the orders, and discovered photo evidence of their participation in the occupation of Crimea. Records also revealed how troops had been transferred to Crimea, at Voinka.[107]
On January 31, 2017, the central German state TV channel ARD aired a story about the cyber war between Ukraine and Russia.[108] The story documented the repeated cyber attacks by Russian hackers on the civilian infrastructure of Ukraine, and efforts to counter Russian aggression in cyberspace, in particular the Surkov leaks. Representatives of the UCA were portrayed as the heroes of the story.[citation needed]
Former State Duma deputy Denis Voronenkov (who received Ukrainian citizenship) made statements that Surkov was categorically against the annexation of Crimea. In response, the UCA released photos and audio recordings of the congress of the Union of Donbas Volunteers, from May 2016 in annexed Crimea and November 2016 in Moscow, at which Surkov was the guest of honor.[109]
Volunteers of the Inform Napalm community created a film about UCA's activities called Cyberwar: a review of successful operations of the Ukrainian Cyber Alliance in 2016.[110][111]
On October 12, 2023, UCA hacktivist herm1t posted screenshots of a Russian Confluence page, claiming it to be a ransomware group.[112] The page ended up belonging to the Trigona ransomware gang, and the UCA exfiltrated data from the threat actor's website. This included the administrator and victim panels, their blog, their leak site, cryptocurrency hot wallets, and data from the development environment, including source code and database records.[113] UCA also managed to map out the group's entire network infrastructure. By the time Trigona noticed and attempted to change their passwords and take their public facing infrastructure offline, the data had already been exfiltrated. Following exfiltration, UCA deleted all information and defaced Trigona's public facing websites on October 17.[114][115]
Three backups of data presumed to be stolen from victims of the Trigona gang were recovered, and UCA pledged to release any decryption keys should they be discovered.[citation needed]