Ukrainian Cyber Alliance

The Ukrainian Cyber Alliance (UCA, ukr. Український кіберальянс, УКА) is a community of Ukrainian cyber activists from various cities in Ukraine and around the world. The alliance emerged in the spring of 2016 from the merger of two cyber activists, FalconsFlame and Trinity, and was later joined by the group RUH8 and individual cyber activists from the CyberHunta group. The hacktivists united to counter Russian aggression in Ukraine.

Participation in the Russian-Ukrainian cyber war
The hacktivists began to apply their knowledge to protect Ukraine in cyberspace in the spring of 2014. Over time, the hacktivists began to conduct joint operations. Gradually, some hacker groups united in the Ukrainian Cyber Alliance (UCA), in accordance with Art. 17 of the Constitution of Ukraine to defend the independence of their country and its territorial integrity, as is the duty of every citizen. The Ukrainian Cyber Alliance exclusively transmits extracted data for analysis, reconnaissance and publication to the international intelligence community Inform Napalm, as well as to the law enforcement agencies of Ukraine.

Operation #opDonbasLeaks
In the spring of 2016, the UCA conducted about one hundred successful hacks of websites and mailboxes of militants, propagandists, their curators, and terrorist organizations operating in the occupied territories. Among the targets was the mailbox of the Russian organization named "Union of Volunteers of Donbass". From this they obtained passport data and photo documents of citizens of Italy, Spain, India and Finland, fighting in the Prizrak Brigade, for which Russia grants, and, if necessary, extends visas. It was found that Russians who were wounded during the fighting in eastern Ukraine were being treated in military hospitals of the Ministry of Defense.

Hacking of the ANNA News site
On April 29, 2016, the Inform Napalm website, with a call to the UCA, reported on the hacking and interface of the Abkhazian Network News Agency (ANNA News) news agency. As a result of the hacking, the site did not work for more than 5 days. The hacktivists posted their first video message on the site's pages, in which they used the Lviv Metro meme. The message stated (translation): Hi everyone. You are at the Lviv metro station. And this is a video appeal of Ukrainian hackers to our enemies and allies. If you are watching this video, then we have cleared the information space of another Russian terrorists site. Now we turn to the enemies. Today we have removed all confidential information from your resource. Your data of administrators and users were transferred to Inform Napalm volunteer intelligence, and also sent to the Ukrainian special services. Backups of your site were destroyed, they remained only with us. We give you one last chance to start from scratch and no longer use the information space for lies and terror. We turn to the allies. Friends! Georgia, Ukraine and Syria have faced vile terrorist aggression by the Russian Federation. Many of us have lost our homes, families and loved ones. But the key to victory over the aggressor is in the consolidation of society. We are ordinary programmers, engineers and volunteers. Our weapons are reason, faith and free will. Each of you can inflict losses on the enemy. Do not buy Russian goods, do not trust the Russian media. Support the Ukrainian military and patriots. Help those who need help and protection. Support each other. Together we are the force that will win the war against a vile and lying enemy. Glory to Ukraine!

Operation #OpMay9
On May 9, 2016, the UCA conducted operation #OpMay9. Nine sites of Donetsk People's Republic (DNR) terrorists, propagandists, and Russian private military companies (RPMCs) were hacked. The broken sites were left with the hashtags #OpMay9 and #oп9Травня and three short videos about World War II and Ukrainian contributions to the victory over Nazism – what UCA called the "serum of truth". The hacktivists also posted their new video message on the terrorist sites. The video stated: God forbid. And we are in the Lviv metro again. After our previous video on April 29, some viewers decided we were joking. But we are not joking, we are speaking quite seriously. After our last attack, the popular site of aggressive Russian propaganda Anna News was unavailable for about 5 days. It is an information resource aimed at spreading lies against Georgia, Ukraine and Syria. Our first video call hung on this site for more than 5 hours, and the administrators took more than 100 hours to at least partially restore the resource. At the same time, they lost much of their data forever. It was our small gift to society for the Great Feast of the Resurrection of Christ. We have shown how light easily destroys darkness. We have enough strength and will to successfully defeat the aggressor, we just need to believe and work hard for everyone to win together. And now about the victory. Kievan Rus, and then its successor Ukraine, the Cossacks of the Zaporozhian Sich and the Kholodny Yar, soldiers of the Ukrainian Insurgent Army and Ukrainians in the ranks of the Allied armies. These are our ancestors who fought with unbreakable strength of will and shed blood for their land and freedom. 70 years ago, the Ukrainian people lost about 7 million of their sons and daughters in the fight against the aggressor and the occupier. Now a new brown plague has come to our borders, disguised by the colors of striped ribbons and Russian tricolors. But no matter how strong the enemy may seem, his destiny is to be defeated and covered with shame. The Ukrainian people, their soldiers, patriots, volunteers have already proved that the indomitable will is embedded in their genetic code. Today, on the Day of Remembrance and Victory, we are giving a new gift to Ukrainian society. On this day, the entire network of information resources of the aggressor and the sites of Russian terrorists in Donbass will be paralyzed. This video message and other materials exposing the occupiers' lies will appear on many enemy websites. We won then, we will win now. To the glory of ancestors, to the glory of the heroes of the past and the future. Glory to Ukraine!

Operation #opMay18
On May 18, 2016, on the day of remembrance of the deportation of the Crimean Tatars in 1944, the UCA conducted Operation #opMay18. It targeted the website of the so-called chairman of council of ministers of the Republic of Crimea, Sergey Aksyonov, putting in his voice the fraudulent message: Dear citizens of Crimea, today I propose to honor the memory of those difficult days of 1944 and make every effort to prevent such tragic events again. Currently, the international situation is such that in 2017, Russians can be deported from the Crimea. In conclusion, I want to say that I am very glad that the Crimean Tatar singer Jamala won the Eurovision-2016 contest, and I look forward to the successful holding of Eurovision-2017 in Ukraine, namely in the Crimea.

Channel One hacking
The UCA hacked the website of Pervy Kanal (Channel One Russia), according to hacktivists, as part of a project to force Russia to deoccupy Donbass and fulfill its obligations under the Minsk agreements. Details of Pervy Kanal propagandist Serhiy Zenin's cooperation with Russian state-owned propaganda network Russia Today were also revealed, along with documentation of Zenin's salary and lavish lifestyle. In Zenin's cloud storage were found 25 videos of DNR members shooting in the settlement of Nikishine.

Operation #opDay28
In 2016, on the eve of Constitution Day, the UCA conducted operation #opDay28. 17 resources of Russian terrorists were hacked, and the hacked sites played another Lviv Metro video which purported to be from the leader of DNR, O. Zakharchenko: On June 28, Ukraine celebrates another anniversary of the adoption of the Constitution. But now this holiday is overshadowed by the conflict in Donbass, which we, inferior fools, have resolved, and caused numerous violations of the constitutional rights of normal citizens. I have to admit that despite the work done by my stupid press service and loyal sly dogs of the MDB DNR, the whole world sees that we started playing not in our sandbox, because of which the civilian population of Donbass suffers and dies. The truth is that Rashka has once again framed us and is trying to squeeze the Donbass after the Crimea with our own hands. I personally apologize to all the people of Ukraine for their idiocy and I hope that this anniversary of the Constitution of Ukraine will be a turning point in the relations of Donbass with its Motherland - Ukraine! Contrary to racist propaganda, we are cured of schizophrenia, and the Ukrainian constitutional order will prevail in the Donbass!

Hacking of the Russian Ministry of Defense
In July 2016, the UCA hacked the document management server of the Department of the Ministry of Defense of the Russian Federation, and made public defense contracts executed during 2015. The success of the operation was largely determined by the negligence of Russian Rear Admiral Vernigora Andrei Petrovich. At the end of November 2016, the UCA broke into the Ministry server a second time and obtained confidential data on the provision of the state defense order of 2015–2016. According to analysts of Inform Napalm, the documents show that Russia is developing a doctrine of air superiority in the event of full-scale hostilities with Ukraine, citing the amount allocated for maintenance, modernization and creation of new aircraft.

Operation #op256thDay
Before Programmer's Day, UCA conducted operation #op256thDay, in which more than 30 sites of Russian foreign aggression were destroyed. On many propaganda resources, the hacktivists embedded an Inform Napalm video demonstrating evidence of Russia's military aggression against Ukraine.

Operation #OpKomendant
The activists gained access to the postal addresses of 13 regional branches of the "military commandant's office" of the DNR in operation #OpKomendant. For six months, the data from the boxes was passed for analysis by Inform Napalm volunteers, employees of the Peacemaker Center, the Security Service of Ukraine and the Special Operations Forces of Ukraine.

Hacking of Aleksey Mozgovoy
In October 2016, UCA obtained 240 pages of e-mail correspondence of the leader of Prizrak Brigade, Aleksey Mozgovoy. Judging by the correspondence, Mozghovyi was completely under the control of an unknown agent with the codename "Diva".

Hacking of Arsen Pavlov
The UCA obtained data from the gadgets of Arsen "Motorola" Pavlov, leader of the Sparta Battalion, and his wife Olena Pavlova (Kolienkina). In the weeks leading up to his death, Pavlov was alarmed by the conflict with Russian curators.

SurkovLeaks operation
In October 2016, the UCA accessed the mailboxes of Vladislav Surkov, Vladimir Putin's political adviser on relations with Ukraine. Acquired emails were published by Inform Napalm in late October and early November (SurkovLeaks). The emails revealed plans to destabilize and federalize Ukraine, and with other materials demonstrated high-level Russian involvement from the start of the war in eastern Ukraine. A US official told NBC News that the emails corroborated information that the US had previously provided. The authenticity of the emails was confirmed by Atlantic Council and Bellingcat, and published by numerous Western news sources. In the aftermath of the leaks, Surkov's chief of staff resigned. Additional emails belonging to people from Surkov's environs were published in early November, detailing Russia's financing of the "soft federalization" of Ukraine, recruiting in the Odesa region, and evidence of funding election campaigns in the Kharkiv region. The emails stated that Yuriy Rabotin, the head of the Odesa branch of the Union of Journalists of Ukraine, received payment from the Kremlin for his anti-Ukrainian activities. On April 19, 2018, the British newspaper The Times published an article stating that the SurkovLeaks documents exposed Russia's use of misinformation about the downing of Malaysia Airlines Flight 17 in order to accuse Ukraine.

Hacking of the DNR Ministry of Coal and Energy
In November 2016, the UCA obtained emails from the DNR's "Ministry of Coal and Energy", including a certificate prepared by the Ministry of Energy of the Russian Federation in January 2016, which detail the plans of the occupiers for the Donbass coal industry.

FrolovLeaks
Operation FrolovLeaks was conducted in December 2016, and produced correspondence of Kyrylo Frolov, the Deputy Director of the CIS Institute (Commonwealth of Independent States) and Press Secretary of the Union of Orthodox Citizens, for the period 1997–2016. The correspondence contains evidence of Russia's preparation for aggression against Ukraine (long before 2014). It also revealed Frolov's close ties with Sergey Glazyev, the Russian president's adviser on regional economic integration, Moscow Patriarch Vladimir Gundyaev, and Konstantin Zatulin, a member of the Foreign and Defense Policy Council, an illegitimate member of the Russian State Duma and director of the CIS Institute. The letters mention hundreds of others connected with the subversive activities of Russia's fifth column organizations in Ukraine.

Hacking of Luhansk intelligence chief
For some time, UCA activists monitored the computer of the Chief of Intelligence 2 AK (Luhansk, Ukraine) of the Russian Armed Forces. This officer sent reports with intelligence obtained with the help of regular Russian unmanned aerial vehicles (UAVs) – Orlan, Forpost and Takhion – which were also used to adjust fire artillery. Documents have also been published proving the existence of the Russian ground reconnaissance station PSNR-8 "Credo-M1" (1L120) in the occupied territory. In July 2017, on the basis of the obtained data, additional reconnaissance was conducted on social networks and the service of the Russian UAV Takhion (servicemen of the 138th OMSBR of the RF Armed Forces Private Laptev Denis Alexandrovich and Corporal Angalev Artem Ivanovich). The surveillance provided evidence of troop movements to the Ukraine border in August 2014. A list of these soldiers, their personal numbers, ranks, exact job titles, and information on awards for military service in peacetime were published. The operation also determined the timeline of the invasion of the Russian artillery unit of the 136th OMSBR in the summer of 2014, from the moment of loading equipment to fortifying in the occupied territory of Ukraine in Novosvitlivka, Samsonivka, and Sorokine (formerly Krasnodon).

Hacking of Oleksandr Usovskyi
In February and March 2017, the UCA exposed the correspondence of Belarus citizen Alexander Usovsky, a publicist whose articles were often published on the website of Ukrainian Choice, an anti-Ukrainian NGO backed by oligarch Viktor Medvedchuk. Inform Napalm analysts conducted a study of the emails and published two articles on how the Kremlin financed anti-Ukrainian actions in Poland and other Eastern European countries. The published materials caused outrage in Poland,        the Czech Republic  and Ukraine. In an interview with Fronda.pl, Polish General Roman Polko, the founder of the Polish Special Operations Forces, stated his conviction that the anti-Ukrainian actions in Poland and the desecration of Polish monuments in Ukraine were inspired by the Kremlin. Polko said that the information war posed a threat to the whole of Europe, and that the Polish radicals were useful idiots manipulated by Russia.

Hacking of CIS Institute
An analysis of hacked emails from CIS Institute (Commonwealth of Independent States) revealed that the NGO is financed by the Russian state company Gazprom. Gazprom allocated $2 million annually to finance the anti-Ukrainian activities of the CIS Institute. The head of the institute, State Duma deputy Konstantin Zatulin, helped terrorists and former Berkut members who fled to Russia to obtain Russian passports.

Hacking of Russian Foundation for Public Diplomacy
Access to the mail of O. M. Gorchakovan, an employee of the Russian Foundation for Public Diplomacy, provided insight to the forms of Russia's foreign policy strategy. On the eve of the war, funding for a six-month propaganda plan in Ukraine reached a quarter of a million dollars. Under the guise of humanitarian projects, subversive activities were carried out in Ukraine, Serbia, Bosnia and Herzegovina, Bulgaria, Moldova, and the Baltic States.

Hacking of Oleksandr Aksinenko
UCA activists gained access to the mailbox of telephone miner Oleksandr Aksineko, a citizen of Russia and Israel. The correspondence indicates that Aksinenko's terrorist activities are supported by the Russian Federal Security Service (FSB), which advised him to "work in the same spirit". Aksinenko also sent anonymous letters to the Security Service of Ukraine (SBU) and other structures in Ukraine.

#FuckResponsibleDisclosure flashmob
At the end of 2017, the UCA and other IT specialists held a two-month action to assess the level of protection of Ukrainian public resources, to check whether officials were responsible with information security. Many vulnerabilities were uncovered in the information systems of government agencies. The activists identified reported these vulnerabilities openly to those who could influence the situation. The activists noted the effectiveness in publicly shaming government agencies. For example, it was found that the computer of the Main Directorate of the National Police in Kyiv region could be accessed without a password and found on a network drive 150 GB of information, including passwords, plans, protocols, and personal data of police officers. It was also found that the Bila Tserkva police website had been hacked for a long time, and only after the volunteers noticed did the situation improve. SCFM had not updated servers for 10 years. Activists also found that the website of the Judiciary of Ukraine kept reports of the courts in the public domain. The Kherson Regional Council has opened access to the joint disk. The CERT-UA website (Ukraine's computer emergency response team) posted a password from one of their email accounts. One of the capital's taxi services was found to keep open information about clients, including dates, phone numbers, and departure and destination addresses. Vulnerabilities were also revealed in Kropyvnytskyi's Vodokanal, Energoatom, Kyivenerhoremont, NAPC, Kropyvnytskyi Employment Center, Nikopol Pension Fund, and the Ministry of Internal Affairs (declarations of employees, including special units, were made public).

The police opened a criminal case against "Dmitry Orlov", the pseudonym of the activist who publicized the vulnerabilities in a flash mob. They also allegedly tried to hack the Orlov website, leaving a message which threatened physical violence if he continued his activities. The activist deleted the website as it had fulfilled its function.

List-1097
UCA activists obtained records of orders to provide food for servicemen of 18 separate motorized rifle brigades of the Russian Armed Forces, who were sent on combat missions during the Russian occupation of Crimea. Inform Napalm volunteers searched open sources of information for the social network profiles of servicemen named in the orders, and discovered photo evidence of their participation in the occupation of Crimea. Records also revealed how troops had been transferred to the Crimea, at Voinka.

On January 31, 2017, the central German state TV channel ARD aired a story about the cyber war between Ukraine and Russia. The story documented the repeated cyber attacks by Russian hackers on the civilian infrastructure of Ukraine and efforts to counter Russian aggression in cyberspace, in particular the Surkov leaks. Representatives of the UCA were portrayed as the heroes of the story.

Former State Duma deputy Denis Voronenkov (who received Ukrainian citizenship) made statements that Surkov was categorically against the annexation of Crimea. In response, the UCA released photos and audio recordings of the congress of the Union of Donbas Volunteers, from May 2016 in annexed Crimea and November 2016 in Moscow, at which Surkov was the guest of honor.

Volunteers of the Inform Napalm community created a film about UCA's activities called Cyberwar: a review of successful operations of the Ukrainian Cyber Alliance in 2016.

Hacking of the Trigona Ransomware Gang
On October 12th, 2023, UCA hacktivist herm1t posted screenshots of a Russian Confluence page claiming it to be a ransomware group. This ended up belonging to the Trigona ransomware gang, and the UCA exfiltrated data from the threat actor's website. This included the administrator and victim panels, their blog, their leak site, cryptocurrency hot wallets, and data from the development environment including source code and database records. UCA also managed to map out the group's entire network infrastructure. By the time Trigona noticed and attempted to change their passwords and take their public facing infrastructure offline, the data had already been exfiltrated. Following exfiltration, UCA deleted all information and defaced Trigona's public facing websites on October 17th.

Three backups of data presumed to be stolen from victims of the Trigona gang was recovered, and UCA pledged to release any decryption keys should they be discovered.