
The Ukrainian Cyber Alliance (UCA; Ukrainian: Український кіберальянс, УКА) is a community of Ukrainian cyber activists from various cities in Ukraine and around the world. The alliance emerged in the spring of 2016 from the merger of two cyber activists, and Trinity, and was later joined by the group and individual cyber activists from the CyberHunta group. The hacktivists united to counter Russian aggression in Ukraine.


Participation in the Russian-Ukrainian cyber war

The hacktivists began to apply their knowledge to protect Ukraine in cyberspace in the spring of 2014. Over time, the hacktivists began to conduct joint operations. Gradually, some hacker groups united in the Ukrainian Cyber Alliance (UCA), in accordance with Article 17 of the Constitution of Ukraine, to defend the independence of their country and its territorial integrity, as is the duty of every citizen. The Ukrainian Cyber Alliance transmits extracted data for analysis, reconnaissance and publication exclusively to the international intelligence community Inform Napalm, as well as to the law enforcement agencies of Ukraine.


Notable operations


Operation #opDonbasLeaks

In the spring of 2016, the UCA conducted about one hundred successful hacks of websites and mailboxes of militants, propagandists, their curators, and terrorist organizations operating in the occupied territories. Among the targets was the mailbox of the Russian organization named "Union of Volunteers of Donbass". From this they obtained passport data and photo documents of citizens of Italy, Spain, India and Finland fighting in the Prizrak Brigade, for whom Russia grants and, if necessary, extends visas. It was found that Russians who were wounded during the fighting in eastern Ukraine were being treated in military hospitals of the Ministry of Defense. Ukraine attacked many company websites and more in 2023.


Hacking of the ANNA News site

On April 29, 2016, the Inform Napalm website, citing the UCA, reported on the hacking and defacement of the Abkhazian Network News Agency (ANNA News). As a result of the hacking, the site did not work for more than 5 days. The hacktivists posted their first video message on the site's pages, in which they used the Lviv Metro meme. The message stated (translation):


Operation #OpMay9

On May 9, 2016, the UCA conducted operation #OpMay9. Nine sites of Donetsk People's Republic (DNR) terrorists, propagandists, and Russian private military companies (RPMCs) were hacked. The hacked sites were left with the hashtags #OpMay9 and #oп9Травня and three short videos about World War II and Ukrainian contributions to the victory over Nazism – what UCA called the "serum of truth". The hacktivists also posted their new video message on the terrorist sites. The video stated:


Operation #opMay18

On May 18, 2016, on the day of remembrance of the deportation of the Crimean Tatars in 1944, the UCA conducted Operation #opMay18. It targeted the website of the so-called chairman of the council of ministers of the Republic of Crimea, Sergey Aksyonov, placing a fraudulent message in his voice:


Channel One hacking

According to the hacktivists, the UCA hacked the website of Pervy Kanal (Channel One Russia) as part of a project to force Russia to deoccupy Donbass and fulfill its obligations under the Minsk agreements. Details of Pervy Kanal propagandist Serhiy Zenin's cooperation with the Russian state-owned propaganda network Russia Today were also revealed, along with documentation of Zenin's salary and lavish lifestyle. Zenin's cloud storage contained 25 videos of DNR members shooting in the settlement of Nikishine.


Operation #opDay28

In 2016, on the eve of Constitution Day, the UCA conducted operation #opDay28. A total of 17 resources of Russian terrorists were hacked, and the hacked sites played another Lviv Metro video which purported to be from the leader of DNR, O. Zakharchenko:


Hacking of the Russian Ministry of Defense

In July 2016, the UCA hacked the document management server of the Department of the Ministry of Defense of the Russian Federation, and made public defense contracts executed during 2015. The success of the operation was largely determined by the negligence of Russian Rear Admiral Vernigora Andrei Petrovich. At the end of November 2016, the UCA broke into the Ministry server a second time and obtained confidential data on the provision of the state defense order of 2015–2016. According to analysts of Inform Napalm, the documents show that Russia is developing a doctrine of air superiority in the event of full-scale hostilities with Ukraine, citing the amount allocated for maintenance, modernization and creation of new aircraft.


Operation #op256thDay

Before Programmer's Day, the UCA conducted operation #op256thDay, in which more than 30 sites of Russian foreign aggression were destroyed. On many propaganda resources, the hacktivists embedded an Inform Napalm video demonstrating evidence of Russia's military aggression against Ukraine.


Operation #OpKomendant

In operation #OpKomendant, the activists gained access to the mailboxes of 13 regional branches of the "military commandant's office" of the DNR. For six months, the data from the mailboxes was passed for analysis to Inform Napalm volunteers, employees of the Peacemaker Center, the Security Service of Ukraine and the Special Operations Forces of Ukraine.


Hacking of Aleksey Mozgovoy

In October 2016, the UCA obtained 240 pages of e-mail correspondence of the leader of the Prizrak Brigade, Aleksey Mozgovoy. Judging by the correspondence, Mozgovoy was completely under the control of an unknown agent with the codename "Diva".


Hacking of Arsen Pavlov

The UCA obtained data from the gadgets of Arsen "Motorola" Pavlov, leader of the Sparta Battalion, and his wife Olena Pavlova (Kolienkina). In the weeks leading up to his death, Pavlov was alarmed by the conflict with Russian curators.


SurkovLeaks operation

In October 2016, the UCA accessed the mailboxes of Vladislav Surkov, Vladimir Putin's political adviser on relations with Ukraine. The acquired emails were published by Inform Napalm in late October and early November (SurkovLeaks). The emails revealed plans to destabilize and federalize Ukraine, and with other materials demonstrated high-level Russian involvement from the start of the war in eastern Ukraine. A US official told NBC News that the emails corroborated information that the US had previously provided. The authenticity of the emails was confirmed by the Atlantic Council and Bellingcat, and the emails were published by numerous Western news sources. In the aftermath of the leaks, Surkov's chief of staff resigned. Additional emails belonging to people from Surkov's circle were published in early November, detailing Russia's financing of the "soft federalization" of Ukraine, recruiting in the Odesa region, and evidence of funding election campaigns in the Kharkiv region. The emails stated that Yuriy Rabotin, the head of the Odesa branch of the Union of Journalists of Ukraine, received payment from the Kremlin for his anti-Ukrainian activities. On April 19, 2018, the British newspaper The Times published an article stating that the SurkovLeaks documents exposed Russia's use of misinformation about the downing of Malaysia Airlines Flight 17 in order to accuse Ukraine.


Hacking of the DNR Ministry of Coal and Energy

In November 2016, the UCA obtained emails from the DNR's "Ministry of Coal and Energy", including a certificate prepared by the Ministry of Energy of the Russian Federation in January 2016, which details the plans of the occupiers for the Donbass coal industry.


FrolovLeaks

Operation FrolovLeaks was conducted in December 2016, and produced correspondence of Kyrylo Frolov, the Deputy Director of the CIS Institute (Commonwealth of Independent States) and Press Secretary of the Union of Orthodox Citizens, for the period 1997–2016. The correspondence contains evidence of Russia's preparation for aggression against Ukraine (long before 2014). It also revealed Frolov's close ties with Sergey Glazyev, the Russian president's adviser on regional economic integration, Moscow Patriarch Vladimir Gundyaev, and Konstantin Zatulin, a member of the Foreign and Defense Policy Council, an illegitimate member of the Russian State Duma and director of the CIS Institute. The letters mention hundreds of others connected with the subversive activities of Russia's fifth column organizations in Ukraine.


Hacking of Luhansk intelligence chief

For some time, UCA activists monitored the computer of the Chief of Intelligence 2 AK (Luhansk, Ukraine) of the Russian Armed Forces. This officer sent reports with intelligence obtained with the help of regular Russian unmanned aerial vehicles (UAVs) – Orlan, Forpost and Takhion – which were also used to adjust artillery fire. Documents have also been published proving the existence of the Russian ground reconnaissance station PSNR-8 "Credo-M1" (1L120) in the occupied territory. In July 2017, on the basis of the obtained data, additional reconnaissance was conducted on social networks and the service of the Russian UAV Takhion (servicemen of the 138th OMSBR of the RF Armed Forces, Private Laptev Denis Alexandrovich and Corporal Angalev Artem Ivanovich). The surveillance provided evidence of troop movements to the Ukrainian border in August 2014. A list of these soldiers, their personal numbers, ranks, exact job titles, and information on awards for military service in peacetime were published. The operation also determined the timeline of the invasion of the Russian artillery unit of the 136th OMSBR in the summer of 2014, from the moment of loading equipment to fortifying in the occupied territory of Ukraine in Novosvitlivka, Samsonivka, and Sorokine (formerly Krasnodon).


Hacking of Oleksandr Usovskyi

In February and March 2017, the UCA exposed the correspondence of Belarus citizen Alexander Usovsky, a publicist whose articles were often published on the website of Ukrainian Choice, the organization associated with Viktor Medvedchuk. Inform Napalm analysts conducted a study of the emails and published two articles on how the Kremlin financed anti-Ukrainian actions in Poland and other Eastern European countries. The published materials caused outrage in Poland, the Czech Republic and Ukraine. In an interview with Fronda.pl, Polish General Roman Polko, the founder of the Polish Special Operations Forces, stated his conviction that the anti-Ukrainian actions in Poland and the desecration of Polish monuments in Ukraine were inspired by the Kremlin. Polko said that the information war posed a threat to the whole of Europe, and that the Polish radicals were useful idiots manipulated by Russia.


Hacking of CIS Institute

An analysis of hacked emails from the CIS Institute (Commonwealth of Independent States) revealed that the NGO is financed by the Russian state company Gazprom. Gazprom allocated $2 million annually to finance the anti-Ukrainian activities of the CIS Institute. The head of the institute, State Duma deputy Konstantin Zatulin, helped terrorists and former Berkut members who fled to Russia to obtain Russian passports.


Hacking of Russian Foundation for Public Diplomacy

Access to the mail of O. M. Gorchakovan, an employee of the Russian Foundation for Public Diplomacy, provided insight into the forms of Russia's foreign policy strategy. On the eve of the war, funding for a six-month propaganda plan in Ukraine reached a quarter of a million dollars. Under the guise of humanitarian projects, subversive activities were carried out in Ukraine, Serbia, Bosnia and Herzegovina, Bulgaria, Moldova, and the Baltic States.


Hacking of Oleksandr Aksinenko

UCA activists gained access to the mailbox of telephone miner Oleksandr Aksinenko, a citizen of Russia and Israel. The correspondence indicates that Aksinenko's terrorist activities are supported by the Russian Federal Security Service (FSB), which advised him to "work in the same spirit". Aksinenko also sent anonymous letters to the Security Service of Ukraine (SBU) and other structures in Ukraine.


#FuckResponsibleDisclosure flashmob

At the end of 2017, the UCA and other IT specialists held a two-month action to assess the level of protection of Ukrainian public resources and to check whether officials were handling information security responsibly. Many vulnerabilities were uncovered in the information systems of government agencies. The activists reported the identified vulnerabilities openly to those who could influence the situation, and noted the effectiveness of publicly shaming government agencies. For example, it was found that the computer of the Main Directorate of the National Police in Kyiv region could be accessed without a password, and that a network drive held 150 GB of information, including passwords, plans, protocols, and personal data of police officers. It was also found that the Bila Tserkva police website had been hacked for a long time, and only after the volunteers noticed did the situation improve. SCFM had not updated servers for 10 years. Activists also found that the website of the Judiciary of Ukraine kept reports of the courts in the public domain. The Kherson Regional Council had opened access to its shared disk. The CERT-UA website (Ukraine's computer emergency response team) had posted a password for one of its email accounts. One of the capital's taxi services was found to keep open information about clients, including dates, phone numbers, and departure and destination addresses. Vulnerabilities were also revealed in Kropyvnytskyi's Vodokanal, Energoatom, Kyivenerhoremont, NAPC, Kropyvnytskyi Employment Center, Nikopol Pension Fund, and the Ministry of Internal Affairs (declarations of employees, including special units, were made public).

The police opened a criminal case against "Dmitry Orlov", the pseudonym of the activist who publicized the vulnerabilities in a flash mob. They also allegedly tried to hack Orlov's website, leaving a message which threatened physical violence if he continued his activities. The activist deleted the website as it had fulfilled its function.


List-1097

UCA activists obtained records of orders to provide food for servicemen of 18 separate motorized rifle brigades of the Russian Armed Forces, who were sent on combat missions during the Russian occupation of Crimea. Inform Napalm volunteers searched open sources of information for the social network profiles of servicemen named in the orders, and discovered photo evidence of their participation in the occupation of Crimea. Records also revealed how troops had been transferred to Crimea, at Voinka.

On January 31, 2017, the central German state TV channel ARD aired a story about the cyber war between Ukraine and Russia. The story documented the repeated cyber attacks by Russian hackers on the civilian infrastructure of Ukraine and efforts to counter Russian aggression in cyberspace, in particular the Surkov leaks. Representatives of the UCA were portrayed as the heroes of the story.

Former State Duma deputy Denis Voronenkov (who received Ukrainian citizenship) made statements that Surkov was categorically against the annexation of Crimea. In response, the UCA released photos and audio recordings of the congress of the Union of Donbas Volunteers, from May 2016 in annexed Crimea and November 2016 in Moscow, at which Surkov was the guest of honor.

Volunteers of the Inform Napalm community created a film about UCA's activities called "Cyberwar: a review of successful operations of the Ukrainian Cyber Alliance in 2016" ("Кібервійна: огляд найуспішніших публічних операцій Українського Кіберальянсу в 2016 році", InformNapalm.org, 2017-02-02, https://informnapalm.org/ua/cyberwar-2016/, accessed 2020-03-08).

