LVIV, Ukraine — M, a Ukrainian engineer in his early 20s, is not healthy enough to enlist in the military. So every day, he sits down at his computer to do what he can as part of Ukraine’s IT army, an informal group of volunteer hackers whose job it is to wreak as much havoc on Russian websites as possible.
“I try to do whatever I can, whatever I can reach to end the war, to stop it, to stop killing Ukrainian people,” said M, who asked to use only an initial from his first name out of fear for his safety and that of his family.
M’s tool is a simple one: flooding Russian websites with fake web traffic, an old and basic cyberattack more commonly known as a distributed denial of service, or DDoS. He can execute it from the computer in his bedroom in Lviv, Ukraine.
Though unsophisticated, the DDoS attack has had a renaissance during the opening weeks of Russia’s invasion of Ukraine. And though the attacks do not tend to do much damage — many websites can either mitigate the attacks or come back online quickly — they’re a way for almost any hacktivist to participate.
“They’re quite an easy task that most people can do on their phones and their laptops,” M said.
The DDoS attacks are the most conspicuous part of a hacktivist-driven cyberbattle around Ukraine, with little evidence of more advanced, state-based cyberattacks — at least so far. President Joe Biden warned Monday of “evolving intelligence that the Russian government is exploring options for potential cyberattacks.”
Shane Huntley, the head of Google’s Threat Analysis Group, which tracks hacking trends, said that DDoS attacks are appealing to novice hackers because widely available programs make them easy to deploy.
“DDoS is the easiest thing to do. It’s one click now. If you’re a teenager anywhere in the world, you can participate,” he said. “It has the lowest barrier to entry.”
They also can make a visible, immediate impact, he said.
“DDoS is the most obvious of all attacks, so it’s really easy to see this activity, versus espionage or subtler destruction attacks,” Huntley said. “It’s very clear when a site goes offline.”
Metrics on the size of DDoS attacks and their impact on Russian companies and agencies can be difficult to come by, but Russia has given some indications that they’ve become a serious hindrance. A number of Russian sites have recently made themselves available only to computers with a Russian IP address, meaning someone has to be in Russia or use a virtual private network to route their internet connection through the country to access it.
Russian state news outlets have also said that Ukraine’s IT army is responsible for some of the largest and most sustained DDoS attacks Russia has seen in years. Russia’s Ministry of Digital Development and Communications reportedly declared last week that the volume of DDoS attacks in the country had become “unprecedented,” and the agency noted on its Telegram channel that it had offered assistance to banks that were under attack.
Some hackers have taken extra steps to gain a foothold in Russia, like hacking Russians’ browsers or routers, so that they can direct those devices to repeatedly visit sites there without needing a VPN, but most simply try to visit sites directly, according to Russian state media.
Outside of Ukraine’s IT army, hackers from around the world have also lent their efforts. Some hackers who have self-designated as Anonymous — a hacktivist label that now points more toward a statement of purpose than a discrete group — have claimed to have hacked Russian TV networks, forced printers in Russia to spit out anti-war sentiments and recently threatened to target companies that still do business in Russia.
Pro-Ukraine hackers aren’t the only ones deploying DDoS attacks. Cyberattacks that Ukraine and the U.S. have attributed to Russia have included them as part of a more elaborate campaign, like in an information operation to tell Ukrainians their government had surrendered, or to distract while skilled hackers deployed programs to delete all material on Ukrainian computers.
Some American companies, including Microsoft and Google, have offered free cybersecurity services for Ukrainian websites. Google’s Project Shield, a free DDoS protection service for nonprofit groups and journalists, also covers some government websites in Ukraine, a spokesperson said, and protects more than 150 websites in the country.
While DDoS attacks appear to be by far the most visible way that hacktivists are trying to support Ukraine, some hacktivists have also defaced Russian websites or leaked alleged Russian government or corporate files.
Emma Best, the co-founder of Distributed Denial of Secrets, a group that curates leaked material, said the group has so far released 15 different sets of Russian information provided by people who identified as hacktivists, and had received even more. NBC News has not verified the authenticity of those leaked documents.
A number of hacktivists have also defaced Russian websites, often with pro-Ukraine or anti-Vladimir Putin messages, though such defacements are often quickly fixed and there’s little indication that many people see them.
And hacktivists have employed some other tools, some of which have been contentious. In at least one instance, a developer who writes open-source software — programming code that’s free for anyone to view and use — modified it so that it would wipe the computer of anyone who downloaded it from a location in Russia or Belarus.
Huntley, of Google’s Threat Analysis Group, said that while DDoS attacks are the most visible, they’re a fraction of the cyber conflict happening between Russia and Ukraine and their supporters.
“There’s more happening than any individual observer will be able to pick up,” he said. “Denial of service is the one that people are going to immediately notice.”
Kevin Collier reported from New York. Shanshan Dong and Ali Arouzi reported from Lviv, Ukraine.