Ukrainian hackers: an ex-ghost, a Starlink and “owner” of Russia

Hours after Russia invaded Ukraine, Nikita Knysh rushed to join the resistance.

He went to the Kharkiv office of his former employer, the Security Services of Ukraine (SBU), and asked for an assignment.

But the town, just 30 km from the Russian border, was in chaos. Leaving empty-handed, the 30-year-old IT professional, an ex-hacker, realized he would have to create his own mission.

He moved employees of his cybersecurity company, HackControl, and a bunch of IT equipment into the basement of a wallet factory. As the Russian army pounded Kharkiv, Knysh’s team began to hack into Russia.

Moscow’s invasion of Ukraine has sparked an unprecedented cyber war, with legions of hackers on both sides. Dozens of government-sponsored groups took advantage of the uproar to target their adversaries, as did criminal gangs, hiding behind the noise to carry out ransomware heists.

Ukraine’s pre-war IT industry, with 300,000 professionals working in cybersecurity or outsourced back offices, proved to be a crucial pool of talent in the first full-scale cyber war.

Six months into the conflict, stories of the hacks they inflicted on Russian companies and the Russian government have been bouncing around the internet. But with Anonymous groups claiming overlapping credit for “pwning” – online slang for “owning” – Russia, separating truth from bragging is often impossible.

Not all of Knysh’s claims can be verified, but the Financial Times spoke to government officials and other hackers who vouched for him and reviewed photographs, videos and log files that backed up some of them. of his assertions.

Nikita Knysh: “For me, it was like a fight”

Its story is the story of talented programmers forced to adapt to the turmoil of war. It involves the recruitment of low-level criminals into mobs of coders, bomb hoaxes, the large-scale infiltration of internet-connected security cameras to monitor Russian-occupied territory, and the honey trapping of Russian soldiers. so that they reveal their bases.

But the group, nicknamed Hackyourmom, first needed a base of its own. The wallet factory worked the first week, when Knysh dusted off an old trick from his SBU days – spoofing his way as an administrator in massively popular Telegram channels in places like busy Donetsk to blast pro- Ukrainians.

“But Kharkiv was still under attack – we had to move,” he said. They evacuated west to a cheap inn in the Vinnytsia region, away from the Russian advance. Knysh had rented it months earlier, fearing war was coming, and carrying out a small project. “It wasn’t plan B, it was plan C.”

Knysh asked a favor from a former mentor, Vsevolod Kozhemyako, general manager of the grain company Agrotrade and one of Ukraine’s richest men.

He wasn’t looking for money, but one of Elon Musk’s Starlinks, satellites the world’s richest man had sent in their thousands to give Ukrainian authorities free internet access. “He asked, so I took one from him,” said Kozhemyako, who had picked up weapons himself and formed a battalion of volunteers to guard Kharkiv. “I didn’t ask him what he was doing with it, but knowing him, it was probably something good.”

In Vinnytsia, his motley crew of no more than 30 people relied on the Starlink’s carefully protected internet access. “We’ve become like family in a way,” said team member Maxim, who asked to be identified by his first name. “I never thought I would be on the front lines of a cyber war, but that is what it was.”

Knysh soon realized he needed more experienced people than he could fit into the hostel. He remembered a group of high profile Ukrainian hackers who stole some company secrets he had tracked at the SBU.

He recruited dozens to send him databases of stolen credit cards, which he traded to create a low-level hacker Telegram channel with one set of instructions – flood flights to Russia bogus bomb threats.

Dozens of flights were delayed or canceled, including some operated by Air Serbia, on the dates for which he showed FT logs. Serbian President Aleksandar Vučić blamed Ukrainian intelligence services for the hoaxes.

Wanting to provide more targeted aid to the overwhelmed Ukrainian military, Hackyurmom turned to an even more elaborate scheme: they hacked into thousands of security and traffic cameras in Belarus and parts of Ukraine occupied by the Russia.

To filter the information, the team wrote machine learning code that helped them separate military movements from ordinary traffic, and they routed the information to the military through a public portal.

In one example, described to the FT with photographs and locations, they identified a remote Russian base near occupied Melitopol in southern Ukraine. Then, using fake profiles of attractive women on Facebook and Russian social media websites, they tricked soldiers into sending photos which they geotagged and shared with the Ukrainian military. “Russians, they always want to fuck,” Knysh said. “They send [a] a lot of bullshit to the ‘girls’, to prove that they are warriors.

A few days later, they watched on TV as the base was blown up by Ukrainian artillery. “My first thought was – I’m effective, I can help my country,” Maxim said, though Ukrainian authorities declined to discuss the hackers’ role in the attack. “Then I realized I wanted more – I want to find more bases, over and over again.”

Knysh claimed his team had been involved in other hacks, ranging from deceiving Russian TV stations to airing news clips about Ukrainian civilian casualties; linking home routers in occupied territory to large botnets that have taken down Russian websites; and even hacking into and leaking the databases of Russian military contractors.

The hostel group physically disbanded in early summer, when it became clear that the Russian army was held up in eastern and southern Ukraine.

The members began working remotely, including posting complex guides online for targets Knysh declined to discuss.

They are still keeping tabs on the cameras they hacked, sharing with the FT a recent image of a Russian navy vessel at a port in Sevastopol, which has been occupied by Russia since 2014.

“To me, it felt like a fight,” Knysh said. “Without money, without shiny software, and even without shiny hacks, you can use fraudsters, the dark web against your enemy. Right now, Russian laws don’t matter – what we have, c is the experience of having participated in the first cyberwar.

Comments are closed.