Robin* remembers the start of Russia’s invasion of Ukraine very clearly. “It was like watching Hitler’s invasion of Poland live on television,” they said.
The head of cybersecurity at a major company in Stockholm, Robin had a deeply-rooted suspicion of Russia and a particular set of skills they wanted to put to use to help Ukraine.
In the months since the invasion, the Swede joined the ranks of a large guerrilla network of global hackers who are taking on Russia from their keyboards. Due to the illegal nature of their actions, they spoke to Euronews Next on the condition of anonymity.
Robin’s involvement began on Signal, an encrypted messaging app. They were added to several Signal groups that gathered highly-skilled cybersecurity professionals in Europe to discuss the cyber developments in the unfolding war.
But when the invasion took place, Robin wanted to do more than talk.
“For me, that was important; knowing that through all this until now, I have done something,” they told Euronews Next, looking back on their actions earlier this year.
“Whatever happens, even if we go into nuclear winter, I know I tried something to help”.
As a penetration tester, someone who is hired to test system vulnerabilities by hacking into them directly, Robin said they wanted to take direct action against Russia in the wake of the invasion.
“I noticed someone in one of these groups wrote something oddly specific, so it seemed clear they had connections to Ukraine,” Robin said.
“I decided to just go for it and posted that I’m willing to do something offensive, and asked if anyone is doing anything offensive in here”.
Shortly after, they were contacted by a person known only as “PR,”* who wanted to get a sense of what kind of skills Robin could bring to the table.
Paranoia, vetting, and first targets
“My immediate concern was that this might be a Russian spy,” Robin said. “So, I reached out to a few Swedish cybersecurity specialists I knew and they both said they knew this person and that this was legit”.
They found out PR was a prominent Ukrainian security researcher specialised in Industrial Control Systems, the digital devices that control critical infrastructure, manufacturing, and industry.
The vetting went both ways. PR asked Robin questions about their background (ex-military, offensive cyber operations), what skills they had (hacking, security) and what sectors they were familiar with (telecoms).
Once they were both satisfied, PR sent Robin a message: “Can you sabotage systems?”
Hackers can get into computer systems relatively easily through a weakness in a file sharing programme run on Windows operating systems, Robin says.
So, the first thing they did was start targeting Russian IP addresses through this vulnerability and deleting everything they could find.
“It was broad spectrum, like a trawling net,” Robin said.
“I had several scripts running that would delete everything and leave just one text file, saying something like ‘you might not support this war but this will keep happening until you stop your dictator'”.
Many times, Robin says, the Russian systems had already been wiped by another hacker who had gotten there first, breadcrumbs indicating the flurry of cyber activity sparked by Russia’s invasion.
A cyberstorm brewing
The spike in cyberattacks against Russia was condemned in a rare statement in April by the Russian Foreign Ministry, which said it observed hundreds of thousands of weekly attacks coming mainly from North America, EU member states, and Ukraine.
It accused the West of supporting the attackers and warned them against “flirting with the hacker community”.
“Whoever sows the cyberwind will reap the cyberstorm,” the statement read.
Around the same time, Microsoft’s Digital Security Unit released a report detailing multiple cyber operations Russian government hackers carried out against Ukraine up to a year before the ground invasion began.
From February 27 to April 8, Microsoft’s researchers found evidence of “nearly 40 discrete destructive attacks that permanently destroyed files in hundreds of systems across dozens of organizations in Ukraine”.
It’s not unusual for Russia to use destructive cyberattacks against its enemies. While tracing individual cyberattacks to a state actor is nearly impossible, a 2007 cyberattack by Russian hackers against Estonia is widely recognised as the first instance of a cyber weapon being used by one state actor against another.
In recent years, Russian hackers were also widely suspected of being behind efforts to disrupt elections in Western countries including the United States, Germany, and France.
‘Delay and create chaos’ in Russia
Robin’s second task was more specific and strategic. PR said there was an operation to stop Russia from using its state-owned railway to transport equipment to the frontlines.
“We need to interrupt their business processes and prevent them from using railways,” PR wrote in a message on February 28, seen by Euronews Next. “The goal would be intrusion and wiping out internal IT infrastructure”.
PR sent Robin a comprehensive file on Russian Railways, with information exposing owners, IP addresses, locations of data centres, and more. Every time Robin got access to an admin system, they would drop the database, and subsequently, delete any files on the system.
“This was just to delay and create chaos,” Robin says. “It would never stop the invasion, but it would delay and make it harder”.
Robin says they never got any feedback on the result of these tasks from PR or their Ukrainian contacts. But around this time, videos began emerging on social media showing Russia’s military struggling to restock their ammunition and fuel, which Robin hoped could have been partly due to their actions.
“I don’t know how many it helped, if it helped,” Robin said. “Maybe delaying that railway another month gave civilians another window to get out. That’s enough for me”.
As Robin continued receiving tasks from PR, from gathering information on Russia logistical companies to cracking surveillance cameras to give Ukrainian forces more eyes in occupied territories, they said they were surprised to find how easy it was to get into Russian systems.
“I don’t think Russia as a whole was prepared for the idea that they would become a cyber training range for every hacker in the world once they started this invasion,” Robin said.
“Everything was so undefended, so open. And that was strange because cyber warfare has been going on for so long”.
Since the start of the invasion, pundits and commentators have repeatedly overestimated Russian capabilities on and off the battlefield.
“It’s one of the big lessons of the war in Ukraine,” said James Lewis, Senior Vice President and Director of the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS). “The Russians aren’t as competent as we thought”.
But in overestimating Russia, the West also underestimated Ukraine, and all the lessons Kyiv has learned over years of dealing with its hostile neighbour.
A Volunteer IT Army
One of the remarkable things about Ukraine’s response to the Russian invasion is the speed at which it was able to rally support from outside its borders.
Two days after the Russian invasion began, Ukraine’s Minister of Digital Transformation, Mykhailo Fedorov tweeted a request for cyber specialists to join Ukraine’s “IT army”.
The tweet said tasks would be assigned through a dedicated Telegram channel run by the government, which quickly racked up more than 300,000 members.
It’s the first time a government has called for help from volunteer hackers in an actual war, Lewis said.
“The Ukrainians have done a good job of integrating these volunteer efforts from the hacker community and from their own citizens,” Lewis told Euronews Next.
“You can’t just do that on the fly, so I think they must have been thinking of this (before Russia’s invasion)”.
In Lewis’ words, Ukraine “got a little help from Estonia,” which developed a volunteer Cyber Defence League after its digital systems were paralysed by a Russian cyberattack in 2007.
The Baltic nation and NATO member is a global heavyweight in cybersecurity, ranking third on the UN’s Global Cybersecurity Index. It’s also been one of Ukraine’s staunchest supporters since long before Russia’s latest invasion.
Learning from Tallinn
Estonia’s defence minister Hanno Pevkur told Euronews Next that Tallinn has been sharing knowledge and information with Kyiv for years on issues including cyber cooperation.
“Ukrainians have learned from our past experiences,” Pevkur said.
“One of those has been that for different kinds of cyber threats, we also use the private sector and private experts. They probably saw that this is also one of the best options for them because they’re not relying on one institution, the state. You have to be flexible”.
Estonia’s volunteer Cyber Defence League taps into the digital talent found across the private sector, giving the government access to specialists it couldn’t normally afford. The key to its success, according to Pevkur, is cutting through the red tape.
“When we see that (cyber) threats are getting high, we have the possibility to contact the volunteers and they can come help us,” Pevkur said.
“We try to keep things simple, not to overregulate or put any burdens on different cooperations”.
Since Ukraine was accepted as a “contributing participant” this year to NATO’s Cooperative Cyber Centre of Excellence in Tallinn, the issue of volunteer cyber defence capabilities could become a more prominent discussion topic.
Lewis is convinced the war in Ukraine won’t be the last time we see the line between civilian and military cyber operations become blurred.
“It’s going to be crucial (to integrate civilian volunteers) because there’s a difference between a mob and an army,” he said.
“A mob runs around and does things and they may not be beneficial. An army does things that are directive to contribute to the outcome of the conflict. So finding a way to organize and integrate and guide these non-military, non-governmental hackers is a big part”.
As for Robin, the time has nearly come for them to hang their hat, after months of sleepless nights chasing Russian targets in cyberspace.
“Over the summer I took a few weeks off because I was getting really tired,” they said.
“It’s hard to describe, but I just had to stop caring for a while. My partner was getting pissed off too. And lately, I’ve been taking steps back and I’m trying to phase myself out completely”.
Robin says it’s a surreal feeling disconnecting from a mission that used to take up every free moment of their day, but that they’re not worried about future cyber operations in Ukraine.
“Life on this side of the war is like it was before, just going to work,” Robin said.
“Very few people talk about it nowadays at all. It’s become like wallpaper news. But as I understand, there are still a lot of assets working, so I don’t think me leaving or going is anything that turns the tide”.
*Names have been changed in this piece at the request of the interviewee to respect their wish to remain anonymous.