Menu
Browse

Cyber Threat Actor: IT Army of Ukraine

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Activist
Ukraine
34 incidents
Profile

The IT Army of Ukraine, also known simply as IT Army, is a hacktivist group that operates from Ukraine and emerged after the Russian invasion in February 2022. It was formed following public calls from Ukrainian officials, including Vice Prime Minister Mykhailo Fedorov, for volunteers to support cyber operations against Russian targets. The group describes itself as a volunteer‑driven collective that coordinates attacks through Telegram channels and has received the official blessing of the Ukrainian government. Its members are civilians who contribute distributed denial‑of‑service effort and other hacking activities without formal military structure.

The group’s publicly stated objectives include damaging Russian IT infrastructure and disrupting the work of important industries, as noted by Rostec in reference to repeated attacks on the Leonardo flight‑booking system. IT Army has also declared that its actions aim to make it difficult for Russian banks to process payments, delay financial obligations, and sow doubt among recipients of those payments. These statements show a focus on disruption and economic pressure rather than financial gain or espionage. The group’s targeting reflects these goals, repeatedly hitting Russian banking institutions, state media outlets, energy companies, transportation systems, and government‑linked organizations.

Observed tactics, techniques, and procedures center on distributed denial‑of‑service attacks, website defacement, and data exfiltration. The actors use readily available DDoS‑for‑hire services, custom tools such as the Liberator app and the Death by 1,000 needles script, and they have leveraged tutorials, online games mimicking 2048, and other low‑barrier methods to generate traffic. In addition to overwhelming servers, they have compromised file‑hosting services and physical servers to steal documents, as seen in the Skolkovo Foundation breach, and they have hijacked broadcast systems to transmit false emergency warnings. Claims of responsibility and operational updates are consistently posted on the group’s Telegram channel.

Representative operations illustrate the breadth of their activity. In December 2022 they claimed a massive DDoS attack that took Russia’s second‑largest bank VTB offline, disrupting online services while core functions remained intact. In January 2023 they announced access to a 1.5 GB archive from Gazprom containing drilling and financial reports. In May 2023 they breached the Skolkovo Foundation’s file hosting service and exfiltrated project documents. Throughout early 2023 they repeatedly hacked Russian state television and radio stations to broadcast fabricated radiation and missile alerts, and in February 2023 they disrupted websites carrying President Putin’s address with a DDoS effort. Earlier, in July 2022 they targeted Russian cinema chains to block online ticket sales, and in November 2022 they claimed to have leaked documents from the Central Bank of Russia. These examples demonstrate the group’s reliance on DDoS, defacement, and information theft to pursue its stated disruption objectives.

Incidents
Attributed incidents available to members
34 incidents
Sources
Sources available to members
7 sources