- InformNapalm.org (English) - https://informnapalm.org/en -

Cyberwar: top operations of Ukrainian Cyber Alliance (UCA) in 2016

This is the battlefield that has no peace treaties, boundaries, or “Minsk agreements”. It encompasses economic, military, informational, and other areas of administration and communication of any world country.

The Russian propaganda aggression against Ukraine that used both traditional and internet media began long before the annexation of the Crimea and the military invasion of the Donbas, but it was the final phase of “hybrid war” and its transition to the conventional confrontation that exposed not only the problem of equipping and supplying the military, but also the vulnerability of Ukraine’s information systems.

(Video with English subtitles)

Since March 2014, in the wake of the rise of the volunteer movement, several activist groups and individuals assumed the state security functions in the media- and cyber-space.

InformNapalm, Myrotvorets, Ukrainian Cyberarmy, and other volunteer communities organized a series of effective campaigns in data collection, data analysis, identification of hostile activities and retaliation against them. The volunteers took on the roles of intelligence and counterintelligence agents. They collected the information on locations and movements of enemy weapons and equipment, blocked servers and websites engaged in Russian terrorist propaganda, and blocked bank accounts of the militants. And they still continue carrying out the important volunteer work in cyberspace.

2016 became the year of escalation of cyber-warfare.


It also became the year when Ukrainian IT-activists joined their forces. The groups of computer engineers FalconsFlame, Trinity, Ruh8, individuals from the CyberHunta group, and other volunteers joined together in a powerful Ukrainian Cyber ​​Alliance (UCA) [2], which brought Ukrainian hacktivism to the world scene.

90% of UCA operations have operational importance. The ability to have a holistic view of multiple separate discoveries of enemy plans elevates its work to the new level and helps expose previously hidden connections between individual enemy agents. This is why only 10 percent of hacktivists’ actions become publicized.

InformNapalm has become the hub of analysis and dissemination of the information obtained by the hacktivists to the broad international audience. The combination of the capabilities of UCA hacktivists and creative media support offers a powerful opposition to the activities of the aggressor.

Let us recap the most prominent UCA hacktivist operations of 2016.

January 2016 – Ruh8 hacked the SMS correspondence of hundreds of thousands of Russians.

March 2016 – FalconsFlame hacked the phone of an operative of Russian Federal Penitentiary Service. Thanks to the photographs that contained full EXIF data, and the video from his phone, they were able to prove his involvement in the fighting in the east of Ukraine.

Additionally, the official site of the so-called “Ministry of Foreign Affairs” of the Russian terrorist organization “Donetsk People’s Republic (DPR)” was hacked and defaced.

April 2016 was very productive.

As part of the operation #OpDonbasLeaks, groups FalconsFlame and Trinity hacked about 100 pages and mailboxes of militants, propagandists, and their curators. A number of mailboxes of Donbas terrorist operations and their Russian curators were hacked, and tens of gigabytes of useful information were acquired by the Ukrainian hacktivists.

The mailboxes of the organization “Union of Donbas volunteers”, curated by the former Prime Minister of “DPR”, political strategist, and FSB Major General Alexander Boroday, were hacked. The acquired forms, copies of personal documents, and numerous letters of mercenaries and Russian troops became weapons that the Ukrainian hacktivists are now using against them. This information was partially released by InformNapalm.

Also in April, a Russian soldier’s phone was hacked, which helped prove that the Russian Army used a P-330Zh EW system in the battle of Debaltseve. Images of the work terminal of the station were made public.

The Ruh8 Group published the draft of the report “On the main directions of the regional government policy in the Russian Federation.” The Head of the Federation Council Valentina Matvienko spoke about the preparation of the report on April 29.

A powerful blow to Russian propaganda was dealt by the hacking and defacement of the website of its news agency “Anna News”. The site not only remained inoperative for over 5 days, but it also irrevocably lost some of its information, which was destroyed the Ukrainian hacktivists. A video using the meme “Lviv subway”, which the Ukrainian hacktivists based on a shot from the German movie “Who am I”, was placed on the pages of the hacked site. In this video, they asked the Ukrainian society to unite in the fight against the aggressor. The video received considerable public attention: on YouTube it received over 270,000 views, and InformNapalm team translated it into 6 foreign languages. The video was widely broadcast by Ukrainian TV channels and more than 100 media outlets. This address became the starting point for the creation of UCA, which became the framework for joint activities of hacktivists from different groups.

In May 2016, UCA held a series of powerful operations on hacking enemy systems and sites.

Operations #OpMay9 and #OpMay18 revealed a whole network of resources of the Crimean occupation government, and the occupied regions of Luhansk and Donetsk regions.

Hacktivists placed new video messages on enemy resources.

At the same time, RUH8 conducted successful sabotage on the aggressor’s own territory. They conducted a series of attacks on government information resources of Orenburg Oblast in Russia, which preceded spontaneous protests in neighboring Kazakhstan. They also conducted attacks on the websites of government structures of Chelyabinsk and Belgorod Oblasts in Russia.

In June 2016, the Cyber ​​Alliance provided InformNapalm volunteers with a huge cache of data procured from hacked mailboxes and cloud storage of Russian journalists and propagandists. They released the Russian propagandists’ correspondence regarding Flight MH17, the shelling of Ukrainian territories, and the Russian propaganda influence attempts against not only Ukraine, but also the USA. In particular, they disclosed interesting details of the work of Sergey Zenin, a journalist and propagandist of the Russian state-owned “Channel 1”, as well as his cooperation with “Russia Today” regarding attempts to discredit the US National Security Agency.

For the 20th anniversary of the Constitution of Ukraine, the Cyber ​​Alliance conducted a new operation, #OpDay28. During the operation, in the span of a few hours they hacked 17 Russian terrorist sites, and placed there a new video address from the Lviv subway.

July 2016 was no less productive.

The activities of the assistant to a Duma representative, who financed the terrorist media, were exposes, giving the public the opportunity to see how Russian propagandists receive their assignments and payments and what they report to their handlers.

Furthermore, for the first time the hacktivists broke into the document server of the Russian Defense Ministry, where they found information on Russian state defense procurement.

August 2016 continued the parade of hacking of Russian military propagandists. The mailbox of Gennady Dubovoy, known for his hysteria after his social media pages got hacked, was hacked once again.

Thanks to the hacking of the personal correspondence of the “Luhansk People’s Republic (LPR)” militant with the call sign “Grom”, preparations for provocations in Lviv on the Independence Day of Ukraine were uncovered.

To celebrate the Independence Day of Ukraine, on August 25 2016, the UCA hacktivists defaced 25 sites of pro-Russian organizations and the so-called official sites of terrorist groups “LPR” and “DPR”; content congratulating Ukraine on its Independence Day was posted on the enemy sites.

Without a pause, in the early September 2016, the Ukrainian hacktivists hacked 11 other enemy resources.

Also in September, the UCA hacktivists conducted a large-scale operation #op256thDay, timed to the Programmers’ Day. In a single night, they destroyed or defaced over 33 enemy websites. On many of the Russian terrorist propaganda sites, hacktivists posted a video by InformNapalm identifying 33 types of Russian weapons and military equipment present in the Donbas. They also posted other videos offering irrefutable evidence of the military aggression of Russia against Ukraine.

Among other things, hacktivists managed to gain access to e-mail addresses of 13 regional offices of the so-called “military commandant of the Donetsk People’s Republic (DPR).” For two months, data from these boxes was being readily offered for analysis to the InformNapalm volunteers, the staff of the Peacemaker Center, and Ukrainian Security Service and Special Forces.

At the same time, a number of enemy sites and social network groups were blocked. They were affiliated with the Office of Special Operations of the Center of Special Purpose of the FSB (headquartered on Vernadsky Avenue in Moscow). Irrefutable evidence of involvement of the FSB in the preparation and placement of anti-Ukrainian propaganda on the Internet was obtained.

In October 2016, the Cyber Alliance published 240 pages of e-mail correspondence of Alexey Mozgovoy, the notorious battalion commander of the “LPR” terrorist group “Prizrak”. The correspondence demonstrated that right before his assassination, Mozgovoy was completely dependent on the orders of an agent with the callsign “Deva”.

Hacktivists also revealed intercepted correspondence and videos from the phone of Arseny “Motorola” Pavlov, a Russian warlord and a media personality assassinated by the FSB. Investigations on this topic led to a significant public resonance: over 500,000 users from the Russian Federation viewed the correspondence and the published video.

The beginning of November 2016 was the defining moment in the context of the #SurkovLeaks operation.

The data extracted by the hacktivists from the mailboxes of the reception office of Vladislav Surkov, an aide to the President of Russia, led to significant international resonance. And while the media community in Ukraine engaged in ridicule because of inconvenient details of the cooperation of a number of Ukrainian politicians and journalists with the Russian aggressor, the details of Surkov’s correspondence were treated by the Western media as a major sensation.

Both of the published mailbox dumps were verified, and their authenticity confirmed by international organizations, such as InformNapalm, Bellingcat, Atlantic Council, and many others.

Publications about the hacking of Surkov’s office appeared on the pages of internationally renowned media, including the BBC, TIME, Daily Mail, The Times, Radio Free Europe / Radio Liberty, The Guardian, and others. It was amusing to read the interviews [3] of some Western experts, who speculated that U.S. intelligence was behind the hack – in their opinion, the video that accompanied the publication of #SurkovLeaks was too professional; they were also confused by the fact of almost instantaneous translation of the reports into several foreign languages. That is, the media support of the UCA hacktivist operation by the volunteers of InformNapalm international community was considered to be on par with the work of U.S. intelligence agencies.

Hacking of the correspondence of the so-called “coal and power ministries” of the occupied regions of Donetsk Oblast revealed the plans of the occupants for the Donbas coal industry: elimination of the majority of coal mines and partial relocation of Ukrainian mining equipment and workers from the mines to Russia.

The end of November was marked by a new hacking of the Russian Ministry of Defense systems. Confidential information was extracted, pertaining to the fulfillment of Russian state defense procurement in 2015-2016.

In December 2016, a large-scale operation #FrolovLeaks took place. It involved publishing five out of seven episodes of correspondence extracted from the mailbox of Kirill Frolov, the deputy director of the Institute of CIS States, the press secretary of the Union of Orthodox Citizens, and a “proper Orthodox expert”. Cyber ​​Alliance hacktivists revealed Frolov’s correspondence for the period from 1997 to 2016. It provided new evidence of the preparations for the Russian aggression against Ukraine long before 2014. The intervention was carried out at the highest levels through the Moscow Patriarchate, the clergy, which was placed near senior Ukrainian politicians, and media and community activists coordinated by Russian handlers.

The correspondence revealed Frolov’s close ties with Sergey Glazyev, Russian presidential advisor on regional economic integration, Patriarch of Moscow Vladimir Gundyaev (aka Kirill), as well as Konstantin Zatulin, a member of the Council for Foreign and Defense Policy, a deputy of the State Duma [4], and director of the Institute of CIS States. The messages also featured hundreds of other names, in one way or another related to the subversive activities of the Russian fifth column in Ukraine.

On Christmas and New Year holidays of 2017, UCA and InformNapalm congratulated Ukrainians by disclosing the details of another major data intercept operation. The data was being exchanged between the “head of intelligence” of the “second army corps” of the occupation forces in the Donbas, 12th Command of the Russian Army Reserve (Novocherkassk, Russia), and recon units which operated in the interests of “the corps”, in particular, Russian UAV, electronic intelligence, and satellite reconnaissance units.

For a long time now, the volunteers and hacktivists have been analyzing the received information practically on the fly, and passing it to the Ukrainian military. Some of the information has lost its operational importance, and has been revealed as new hard evidence of Russian military aggression: the use of standard Russian military drones for reconnaissance and artillery spotting to support Russian occupational forces’ shelling of Ukrainian territory.

All this is just a small part of the achievements of UCA hacktivists and InformNapalm volunteers in 2016 – the part that could be made public.

Any Russian bear, invading the Ukrainian bee yard, can be defeated by a well-coordinated swarm attack. The most important thing is to act, because the truth and the higher powers are on our side! Let us unite, and let the fiery 2017 bring us even more victories!

Glory to Ukraine!


Evidence data was exclusively provided to InformNapalm by the hacktivists of the Ukrainian Cyber Alliance for analysis and processing. InformNapalm Community bears no responsibility for the sources and origin of the data.

Translated by Victor Danilchenko, edited by Max Alginin

(CC BY 4.0) This [5] information has been specially prepared for InformNapalm.org, an active link to the authors and our project is obligatory for any reprint or further public use of the material.
We call on our readers to actively share our publications on social networks. Broad public awareness of these investigations is a major factor in the information and actual warfare.