Ensuring your security while using these tools is difficult to achieve, and by participating in these actions, you risk your privacy.
The Russian invasion of Ukraine has sparked a tremendous amount of empathy from people across the globe. Some have contributed by providing aid and shelter to refugees, while others have donated funds to charities supporting those in Ukraine.
There are also those who have taken a different approach: hacking Russian computers. These hacktivist communities have gathered in various places — a Telegram channel called IT ARMY of Ukraine, a dedicated subreddit, and the notorious Anonops network — and have begun to develop tools to help their cause.
One category of these tools is websites that take part in DDoS attacks on Russian servers. Many people may already be familiar with the original one, hxxps://stop-russian-desinformation.near[.]page.
This site has inspired at least half a dozen clones or variations, ranging from simple design changes to rather ingenious ideas, like a version of the popular 2048 game that also takes part in the DDoS in the background.
How do these websites work?
A screenshot of code with targeted websites
The targets hard-coded in the page's code include, for example:
hxxps://1tv.ru: A main Russian TV channel
hxxps://sberbank.ru: Russia's largest bank
hxxps://belta.by: State-owned national news agency of the Republic of Belarus
hxxps://fsb.ru: The Federal Security Service of the Russian Federation
While the lists often differ (according to the personal preferences of their creators, or with tips taken from Telegram, for example), the underlying code is mostly the same. This raises the question of whether these efforts are worth the risk at all.
Play For Ukraine, a DDoSing variant of the 2048 game
Furthermore, many servers in Russia, even ones not associated with the government (we have seen a repository mirror for various Linux distributions), have already implemented geo-blocking: they outright reject or restrict requests from non-Russian IP addresses. Rostelecom, Russia's largest digital services provider, has stopped announcing the public prefixes of its e-government infrastructure (AS196747) in the Border Gateway Protocol (BGP) outside Russia, so these government institutions now effectively accept traffic only from Russian IP addresses. Requests sent from abroad to a prefix that is no longer announced there have no route to follow and never reach the target.
Visitors of DDoSing websites
Moreover, the user is assigned a fixed list of targets curated according to the preferences of the page creators. This leads to situations in which hacktivists unexpectedly attack targets like a Ukrainian mining company (hxxps://ugmk.ua), or over 7,000 targets from the page hxxps://kuzelovi[.]cz/FuckPutin.html, including a Fedora repository mirror hosted by a Russian media group and pages of the Russian branch of the European UniCredit Bank. Attacking targets selected by someone else also means that individual targets can be silently replaced without much notice. This has led our team to classify these websites as malware rather than dismiss them as hacktools.
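To make the "silently replaced" problem concrete, here is an added example (not code from any of the pages discussed, nor from the authors of this article) that pulls the hard-coded target hosts out of a page's JavaScript and diffs two revisions of it. The two snippets are constructed for the example; the hostnames in them are the ones named in this article, written defanged (hxxps) the same way the article writes them, and the expected top-level domains (.ru, .by) are an assumption used only to flag obviously out-of-scope hosts. A TLD check would not catch a Russian-hosted Fedora mirror or the Russian branch of a foreign bank, which is the point: the only real check is knowing what each host is before sending it anything.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the hard-coded target array such a page ships, in two
# revisions. Hosts are the ones named in this article; the surrounding
# JavaScript is made up for the example, and the URLs are defanged (hxxps)
# the same way the article writes them.
PAGE_V1 = """
const TARGETS = [
  "hxxps://1tv.ru",
  "hxxps://sberbank.ru",
  "hxxps://belta.by",
  "hxxps://fsb.ru",
];
"""

# A later revision of the "same" page: one entry has been swapped for a
# Ukrainian company, with no visible change for the visitor.
PAGE_V2 = """
const TARGETS = [
  "hxxps://1tv.ru",
  "hxxps://sberbank.ru",
  "hxxps://ugmk.ua",
  "hxxps://fsb.ru",
];
"""

# Accept both the real scheme and the defanged spelling.
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s\"'<>\]]+")


def extract_targets(js_source):
    """Return the set of hostnames named by URL literals in a page's script."""
    hosts = set()
    for url in URL_RE.findall(js_source):
        host = urlsplit(url).hostname  # urlsplit accepts the hxxps scheme too
        if host:
            hosts.add(host.lower())
    return hosts


def audit_targets(current, baseline, expected_tlds=("ru", "by")):
    """Diff the current target set against a recorded baseline and flag hosts
    whose TLD is outside the ones the page claims to attack (an assumption)."""
    out_of_scope = {h for h in current if h.rsplit(".", 1)[-1] not in expected_tlds}
    return {
        "added": sorted(current - baseline),
        "removed": sorted(baseline - current),
        "out_of_scope": sorted(out_of_scope),
    }


def run_audit():
    """Audit the second revision of the page against the first."""
    return audit_targets(extract_targets(PAGE_V2), extract_targets(PAGE_V1))


if __name__ == "__main__":
    for key, hosts in run_audit().items():
        print(f"{key}: {hosts}")
```

Run against the two revisions, the audit reports belta.by removed, ugmk.ua added, and ugmk.ua as the only host outside the assumed TLDs; a hidden swap between two .ru hosts would show up only in the added/removed lists, which is why the baseline matters more than the TLD filter.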
The same can be said of the various Python or command-line scripts that aim to achieve similar results. For convenience, many of them provide Docker images; nevertheless, their insides are basically the same: they are either simplistic scripts that repeatedly hit the targeted servers, or variants of open-source stress-testing tools. We have seen several GitHub projects wrapping older tools into Docker for convenience, some of them already with nearly a hundred forks.
While there are some differences from the ready-made DDoS web pages (you have to run the script and supply the targets yourself), everything else we have described still applies. Their README files make the intention clear, rather than walking the usual thin line of presenting themselves as stress-testing tools. These tools may also become vehicles for counter-operations: anyone can take their code and bundle it with malicious code, which is easy to miss, as some of the tools are already obfuscated.
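Before running any such script, a practitioner would at least want to know whether it contains a stage that decodes and executes something at runtime. The following is an added example, not code from any of the projects mentioned or from the authors of this article: it parses a Python "stress tool" with the ast module and reports calls such as exec, eval or base64.b64decode, plus long base64-looking string constants, decoding the latter for inspection without ever executing them. The sample script it scans is constructed for the example (it attacks nothing, and the appended blob decodes to a harmless print), and the indicator list is a starting heuristic rather than a complete detector: a wrapper that is already obfuscated or written for Python 2 will not parse at all, which the function reports as a finding in its own right.

```python
import ast
import base64
import binascii
import re

# Constructed sample: a minimal "stress tool" with an "update" stage appended
# to it. It floods nothing; the encoded blob is built here from a harmless
# print() so the example is honest about what it contains.
_APPENDED_BLOB = base64.b64encode(b'print("hello from the appended stage")').decode()
SAMPLE_TOOL = f'''\
import argparse, base64, sys

def main():
    p = argparse.ArgumentParser(description="stress tool")
    p.add_argument("target")
    args = p.parse_args()
    print("would flood", args.target)

# "update" stage appended to the original tool
exec(base64.b64decode("{_APPENDED_BLOB}"))

if __name__ == "__main__":
    main()
'''

# Names whose presence warrants a closer look before running the script.
SUSPICIOUS_CALLS = {"exec", "eval", "compile", "__import__"}
SUSPICIOUS_ATTRS = {"base64.b64decode", "marshal.loads", "zlib.decompress", "codecs.decode"}
B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def _callee(call):
    """Name of the called function as 'name' or 'module.attr', else None."""
    f = call.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return None


def triage_script(source):
    """Return sorted (line, indicator, detail) findings. Never executes source."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [(exc.lineno or 0, "unparseable", "not valid Python 3; inspect by hand")]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _callee(node)
            if name in SUSPICIOUS_CALLS or name in SUSPICIOUS_ATTRS:
                findings.append((node.lineno, "dynamic-code", name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if B64_RE.match(node.value):
                try:  # decode for the analyst's eyes only; nothing is executed
                    detail = repr(base64.b64decode(node.value, validate=True)[:60])
                except binascii.Error:
                    detail = "looks base64-encoded but does not decode"
                findings.append((node.lineno, "encoded-blob", detail))
    return sorted(findings)


if __name__ == "__main__":
    for line, indicator, detail in triage_script(SAMPLE_TOOL):
        print(f"line {line}: {indicator}: {detail}")
```

On the sample, all three findings point at the single appended line, which is the pattern to look for in a fork of a popular tool: the original code is untouched and one extra line does the work. Anything the scanner flags should be read, not run, and a script that refuses to parse deserves the same suspicion as one that decodes blobs.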
Unfortunately, it is not only the users of these sites and tools who can potentially be exposed to danger. Many of the pages and tools have been published on GitHub by developers or collaborators using their private or work accounts. As a result, most of this malicious activity could easily be traced back to them in the future by employers, police, or even hackers seeking retribution.
To conclude, we’d like to recap the most important takeaways from our team’s research and offer some advice to stay safe:
We discourage everyone from engaging with these initiatives.
Performing DDoS attacks is illegal.
Ensuring your security while using such tools is difficult to achieve, and by participating in these actions, you risk your privacy.
By using these tools, you could cause counterproductive collateral damage, especially if you don't understand what they actually do.
Historically, similar tools have been abused by various actors who piggybacked on their popularity and started distributing their own variants including malware.