DDoS hacktivism: A highly risky exercise

Ensuring your security while using these tools is difficult to achieve, and by participating in these actions, you risk your privacy.

The Russian invasion of Ukraine has sparked a tremendous amount of empathy from people across the globe. Some have contributed by providing aid and shelter to refugees, while others have donated funds to charities supporting those in Ukraine. 

There are also those who have taken a different approach: hacking Russian computers. These hacktivist communities have gathered in various places — a Telegram channel called IT ARMY of Ukraine, a dedicated subreddit, and the notorious Anonops network — and have begun to develop tools to help their cause. 

One category of these tools are websites that are participating in DDoS attacks on Russian servers. Many people may already be familiar with the original one, hxxps://stop-russian-desinformation.near[.]page. 

This site has inspired at least half a dozen additional clones or variations, starting with simple design changes to rather ingenious ideas, like the popular 2048 game that also participates in the DDoS in the background.

A screenshot of code with targeted websites

How do these websites work? 

Put simply, these websites contain a list of servers, along with counters to monitor the number of requests made, and a JavaScript code that repeatedly makes requests to servers from the list. The lists mostly contain Russian and Belarusian services that range from the government, banks, and media to bands and various Russian companies. Among the most known websites, we’ve observed the following pages:

  • hxxps://1tv.ru: A main Russian TV channel
  • hxxps://sberbank.ru: The biggest Russian bank
  • hxxps://belta.by: State-owned national news agency of the Republic of Belarus
  • hxxps://fsb.ru: The Federal Security Service of the Russian Federation

While the lists often differ (either according to personal preferences of the list creators or including tips incorporated from Telegram, for example), it’s interesting that the underlying code is mostly the same. This raises a question: Are these efforts worth such risk?

Play For Ukraine, a DDoSing variant of the 2048 game

The current method using JavaScript in the browser to generate network traffic is rather inefficient. There are also other considerations that should worry you — in the EU, such usage of a computer is usually illegal, and while there may not be repercussions now, they might come back later on (and Russia may not be the only one to use that against you). 

Furthermore, many servers in Russia — even ones that are not associated with the government (we’ve seen a repository mirror for various Linux distributions) — have already implemented geo-blocking. In other words, these servers are outright rejecting or restricting requests from non-Russian IP addresses. Rostelecom, Russia’s largest digital services provider, stopped publishing public prefixes of e-government infrastructure (AS196747) in Border Gateway Protocol (BGP) outside Russia, effectively limiting their incoming traffic to Russian IP addresses of government institutions.

Visitors of DDoSing websites

It’s important to spell out the fact that by visiting such pages, the user is immediately signed up to participate in an illegal activity (DDoS). This dangerous behavior happens without the explicit consent of the website visitor because the malicious JavaScript starts attacking as soon as it is loaded. 

Moreover, the user is assigned a fixed list of targets that has been curated based on the preferences of the page creators. This leads to situations in which hacktivists unexpectedly attack targets like a Ukrainian mining company (hxxps://ugmk.ua) or over 7,000 targets from the page hxxps://kuzelovi[.]cz/FuckPutin.html, including Fedora repository mirrors, which is hosted by a Russian media group, or pages of the Russian branch of European UniCredit Bank. Attacking targets that have been selected by someone else also means that individual targets can be silently replaced without much notice. This has led our team to the decision not to dismiss these websites as hacktools, but instead, to classify them as malware.

The same things can be said for various Python or command-line scripts that aim to achieve similar results. For convenience, many of them provide Docker images; nevertheless, their insides are basically the same: they’re either simplistic scripts pinging targeted servers or variants of open-sourced stress testing tools. We have seen several GitHub projects wrapping older tools into Docker for convenience, some of them already having nearly a hundred forks.

While there are some differences to the ready-made DDoS webpages — you have to run it and provide targets by yourself — everything else that we’ve described still applies. From README files, the intention is clear, instead of a usual thin-line walking by profiling itself as stress-testing tools. These tools may also become targets of counter-operations by using their code and bundling them with malicious code, which can be easy to miss, as some of these tools are already obfuscated.

Unfortunately, it’s not only the users of these sites and tools that can potentially be exposed to danger. Many of the pages and tools have been publicly on GitHub by developers or collaborators using their private or work accounts. As a result, the majority of these malicious activities could easily be traced back to them in the future by employers, police, or possibly even by hackers seeking retribution.

To conclude, we’d like to recap the most important takeaways from our team’s research and offer some advice to stay safe:

  • We discourage everyone from engaging with these initiatives.
  • Performing DDoS attacks is illegal. 
  • Ensuring your security while using such tools is difficult to achieve, and by participating in these actions, you risk your privacy. 
  • By using these tools, you could cause counterproductive collateral damage, especially if you don’t understand what you’re doing by using them. 
  • Historically, similar tools have been abused by various actors who piggybacked on their popularity and started distributing their own variants including malware.

Further reading: In times of war, hacktivism is not the answer

--> -->