Cybersecurity News & Analysis
github: defconxt • © 2026 • blacktemple.net
IT Army of Ukraine

Also known as: IT Army · Ukrainian IT Army

Type: hacktivist
Nation: Ukraine
Active Since: 2022
Targets: Russian Government · Russian Military · Russian Financial · Russian Infrastructure · Russian Media
Known Tools: MHDDoS · DB1000N · distresser · Telegram Coordination · Custom DDoS Tools
MITRE ATT&CK: T1498 · T1499 · T1491.002 · T1530 · T1567 · T1190 · T1213
References: Ukrainian Government IT Army Announcement · IT Army Telegram Channel · CISA Russian Cyber Threats Advisory · Microsoft Digital Defense Report

Background

The IT Army of Ukraine is a state-sanctioned hacktivist collective formed on February 26, 2022 — two days after Russia's full-scale invasion of Ukraine. Ukrainian Minister of Digital Transformation Mykhailo Fedorov publicly called for the formation of the IT Army via Twitter (now X) and the Ukrainian government's official channels, making it one of the few hacktivist operations in history to be explicitly established by a government.

Unlike most hacktivist groups, the IT Army operates with de facto government backing: targets are assigned through an official Telegram channel with over 300,000 subscribers, which publishes attack targets, provides DDoS tools, and coordinates operations. The Ukrainian government has maintained plausible deniability about direct control while clearly benefiting from and encouraging the collective's activities.

The IT Army represents a new model of hybrid warfare where civilian volunteers supplement state cyber capabilities. Participants include Ukrainian IT professionals, foreign volunteers supporting Ukraine, and diaspora communities. The collective has conducted thousands of DDoS attacks against Russian government agencies, state media, financial institutions, and critical infrastructure, achieving sustained disruption effects that would require significant dedicated resources from a state actor alone.

Notable Campaigns

Russian Banking Disruption (2022-present): The IT Army has conducted sustained DDoS campaigns against major Russian banks including Sberbank, Gazprombank, and VTB Bank, causing periodic outages and disruptions to online banking services. These attacks created friction in the Russian domestic financial system at scale during the conflict.

Russian Government Portal Attacks: The collective has repeatedly targeted the websites of Russian federal agencies including the Kremlin, the Russian Ministry of Defense, the Federal Security Service (FSB), and regional government portals. While individual attacks typically cause temporary outages, the sustained campaign has imposed ongoing administrative burden on Russian government IT teams.

State Media Disruptions: RT (Russia Today) and other Russian state propaganda outlets have been frequent IT Army targets, with multiple successful DDoS attacks disrupting access to Russian state media during key moments in the conflict, including immediately following major Russian military announcements.

Russian Railway System (RZhD) Attacks (2022): The IT Army targeted the Russian Railways ticketing system and booking infrastructure, disrupting travel logistics at a time when rail transport was critical to Russian military mobilization efforts.

Coordination with Anonymous (2022): The IT Army coordinated operations with the Anonymous collective and other hacktivist groups following Russia's invasion, creating a loose coalition of hacktivist forces targeting Russian interests. This coordination amplified the scale and consistency of attacks during peak operational periods.

Tactics, Techniques & Procedures

The IT Army's primary technique is coordinated volumetric DDoS attacks (T1498, T1499) orchestrated via Telegram. The collective's Telegram channel posts prioritized target lists with IP addresses, domain names, and recommended tools. Participants execute attacks using provided tools or their own methods, creating distributed traffic that is difficult to attribute to any single source.

The group provides participants with specialized DDoS tools developed or adapted for the conflict, including MHDDoS (a multi-protocol DDoS tool) and DB1000N, which routes attack traffic through volunteer Tor-like relays to amplify attack volume and obfuscate participant locations.

Beyond DDoS, more technically sophisticated IT Army volunteers have conducted web application attacks, data exfiltration from Russian government and corporate systems, and defacement operations. The group publishes leaked Russian databases on Telegram and public leak sites, including personnel records from Russian government agencies.

Tools & Malware

  • MHDDoS: Open-source multi-protocol DDoS tool supporting HTTP/HTTPS floods, UDP floods, and multiple attack methods. Widely distributed through IT Army channels.
  • DB1000N: Ukrainian-developed DDoS tool that routes traffic through a distributed network of volunteer relays, amplifying attack traffic volume and anonymizing participants.
  • distresser: Another DDoS tool distributed by IT Army coordination channels to lower the technical barrier for participant involvement.
  • Telegram Coordination Infrastructure: The IT Army's primary operational channel with over 300,000 subscribers for target assignment and tool distribution.

Indicators & Detection

Organizations not involved in the Russia-Ukraine conflict are unlikely to be targeted by the IT Army. However, companies with significant Russian business interests, subsidiaries operating in Russia, or those perceived as supporting Russia may be targeted. Monitor IT Army Telegram channels for your organization's mention in target lists.

For targeted Russian organizations, DDoS mitigation infrastructure is the primary defense. The IT Army's attack volumes can reach hundreds of Gbps during peak coordinated operations, requiring CDN-based scrubbing services with sufficient capacity. Implement rate limiting, traffic filtering, and challenge-response mechanisms on web properties.
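Per-IP rate limiting alone is a weak answer to the crowd-sourced traffic described above, because each participant contributes only a small share. The following added example (written for this page, not code from the IT Army's tooling or from any product) scores a constructed batch of access-log lines on two axes: requests per source, and distinct sources per path inside a fixed window. It assumes Combined Log Format input, and the window and thresholds are illustrative values, not recommendations.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format prefix: source IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, path, datetime) for one access-log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), m.group("path"), ts

def make_sample_log():
    """Constructed sample traffic (not real logs): one noisy client, one distributed flood, benign background."""
    fmt = '{ip} - - [10/Mar/2022:12:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'
    lines = [fmt.format(ip="203.0.113.7", sec=i % 10, path="/login") for i in range(30)]
    lines += [fmt.format(ip=f"198.51.100.{i + 1}", sec=i % 10, path="/api/pay") for i in range(40)]
    lines += [fmt.format(ip=f"192.0.2.{i + 1}", sec=i * 2, path="/index.html") for i in range(5)]
    return lines

def detect_floods(lines, window_sec=10, per_ip_limit=20, distinct_src_limit=25):
    """Flag per-source floods and distributed floods per path within fixed time windows.

    Returns a list of (window_start_epoch, kind, key, count) tuples.
    """
    per_ip = defaultdict(int)          # (window, ip)   -> request count
    per_path_srcs = defaultdict(set)   # (window, path) -> distinct source IPs
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, ts = parsed
        win = int(ts.timestamp()) // window_sec * window_sec
        per_ip[(win, ip)] += 1
        per_path_srcs[(win, path)].add(ip)
    findings = []
    # A single client over the limit: the case a per-IP rate limiter already catches.
    for (win, ip), n in sorted(per_ip.items()):
        if n > per_ip_limit:
            findings.append((win, "single-source-flood", ip, n))
    # Many distinct sources on one path, each under the per-IP limit:
    # only the aggregate view reveals the coordinated flood.
    for (win, path), srcs in sorted(per_path_srcs.items()):
        if len(srcs) > distinct_src_limit:
            findings.append((win, "distributed-flood", path, len(srcs)))
    return findings

if __name__ == "__main__":
    for win, kind, key, count in detect_floods(make_sample_log()):
        print(f"{win} {kind:22} {key:16} {count}")
```

The distributed case is the one to wire into challenge-response or scrubbing decisions, since no individual source in it would trip a per-IP rule.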

The IT Army's activity is generally distinguishable from criminal ransomware operations — they do not seek financial gain and typically do not attempt persistent access to target networks. Incident response prioritization should focus on DDoS mitigation rather than assuming a follow-on ransomware threat, unless there are specific indicators of a more sophisticated actor.
