Ukrainian Cyber Alliance

The Ukrainian Cyber Alliance (UCA, ukr. Український кіберальянс, УКА) is a community of Ukrainian cyber activists from various cities across Ukraine and around the world. The alliance was formed in the spring of 2016 through the merger of two cyber activist groups, FalconsFlame [uk] and Trinity, later joined by the group RUH8 and individual activists from the CyberHunta group.^[1] These hacktivists united to counter Russian aggression in Ukraine.

Ukrainian Cyber Alliance

Type of site	Hacktivism
URL	fb.com/UkrainianCyberAlliance

Participation in the Russian-Ukrainian cyber war

Main article: Russo-Ukrainian cyberwarfare

The hacktivists began to apply their knowledge to protect Ukraine in cyberspace in the spring of 2014.^[2] Over time, the hacktivists began to conduct joint operations. Gradually, some hacker groups united in the Ukrainian Cyber Alliance (UCA), in accordance with Art. 17 of the Constitution of Ukraine to defend the independence of their country and its territorial integrity, as is the duty of every citizen.^[3][4][5] The Ukrainian Cyber Alliance exclusively transmits extracted data for analysis, reconnaissance and publication to the international intelligence community Inform Napalm, as well as to the law enforcement agencies of Ukraine.^[6]

Notable operations

Operation #opDonbasLeaks

In the spring of 2016, the UCA conducted about one hundred successful hacks of websites and mailboxes of militants, propagandists, their curators, and terrorist organizations operating in the occupied territories. Among the targets was the mailbox of the Russian organization named "Union of Volunteers of Donbas". From this they obtained passport data and photo documents of citizens of Italy, Spain, India and Finland, fighting in the Prizrak Brigade, for which Russia grants, and, if necessary, extends visas.^[7] It was found that Russians who were wounded during the fighting in eastern Ukraine were being treated in military hospitals of the Ministry of Defence.^[8][9]

Hacking of the ANNA News site

On April 29, 2016, the Inform Napalm website, with a call to the UCA, reported on the hacking and interface of the Abkhazian Network News Agency (ANNA News) news agency.^[10] As a result of the hacking, the site did not work for more than 5 days. The hacktivists posted their first video message on the site's pages,^[11] in which they used the Lviv Metro meme. The message stated (translation):

Hi everyone. You are at the Lviv metro station. And this is a video appeal of Ukrainian hackers to our enemies and allies. If you are watching this video, then we have cleared the information space of another Russian terrorists site. Now we turn to the enemies. Today we have removed all confidential information from your resource. Your data of administrators and users were transferred to Inform Napalm volunteer intelligence, and also sent to the Ukrainian special services. Backups of your site were destroyed, they remain only with us. We give you one last chance to start from scratch and no longer use the information space for lies and terror. We turn to the allies. Friends! Georgia, Ukraine and Syria have faced vile terrorist aggression by the Russian Federation. Many of us have lost our homes, families and loved ones. But the key to victory over the aggressor is in the consolidation of society. We are ordinary programmers, engineers and volunteers. Our weapons are reason, faith and free will. Each of you can inflict losses on the enemy. Do not buy Russian goods, do not trust the Russian media. Support the Ukrainian military and patriots. Help those who need help and protection. Support each other. Together we are the force that will win the war against a vile and lying enemy. Glory to Ukraine!

— Ukrainian Cyber Alliance (UCA)

^{[excessive quote]}

Operation #OpMay9

On May 9, 2016, the UCA conducted operation #OpMay9.^[12][13] Nine sites of Donetsk People's Republic (DNR) terrorists, propagandists, and Russian private military companies (RPMCs) were hacked. The broken sites were left with the hashtags #OpMay9 and #oп9Травня and three short videos about World War II and Ukrainian contributions to the victory over Nazism – what UCA called the "serum of truth".^[14] The hacktivists also posted their new video message on the terrorist sites.^[15] The video stated:

God forbid. And we are in the Lviv metro again. After our previous video on April 29, some viewers decided we were joking. But we are not joking, we are speaking quite seriously. After our last attack, the popular site of aggressive Russian propaganda Anna News was unavailable for about 5 days. It is an information resource aimed at spreading lies against Georgia, Ukraine and Syria. Our first video call hung on this site for more than 5 hours, and the administrators took more than 100 hours to at least partially restore the resource. At the same time, they lost much of their data forever. It was our small gift to society for the Great Feast of the Resurrection of Christ. We have shown how light easily destroys darkness. We have enough strength and will to successfully defeat the aggressor, we just need to believe and work hard for everyone to win together. And now about the victory. Kievan Rus, and then its successor Ukraine, the Cossacks of the Zaporozhian Sich and the Kholodny Yar, soldiers of the Ukrainian Insurgent Army and Ukrainians in the ranks of the Allied armies. These are our ancestors who fought with unbreakable strength of will and shed blood for their land and freedom. 70 years ago, the Ukrainian people lost about 7 million of their sons and daughters in the fight against the aggressor and the occupier. Now a new brown plague has come to our borders, disguised by the colors of striped ribbons and Russian tricolors. But no matter how strong the enemy may seem, his destiny is to be defeated and covered with shame. The Ukrainian people, their soldiers, patriots, volunteers have already proved that the indomitable will is embedded in their genetic code. Today, on the Day of Remembrance and Victory, we are giving a new gift to Ukrainian society. On this day, the entire network of information resources of the aggressor and the sites of Russian terrorists in Donbass will be paralyzed. This video message and other materials exposing the occupiers' lies will appear on many enemy websites. We won then, we will win now. To the glory of ancestors, to the glory of the heroes of the past and the future. Glory to Ukraine!

— Ukrainian Cyber Alliance (UCA)

^{[excessive quote]}

Operation #opMay18

On May 18, 2016, on the day of remembrance of the deportation of the Crimean Tatars in 1944, the UCA conducted Operation #opMay18.^[16][17] It targeted the website of the so-called chairman of council of ministers of the Republic of Crimea, Sergey Aksyonov, putting in his voice the fraudulent message:^[18]

Dear citizens of Crimea, today I propose to honor the memory of those difficult days of 1944 and make every effort to prevent such tragic events again. Currently, the international situation is such that in 2017, Russians can be deported from the Crimea. In conclusion, I want to say that I am very glad that the Crimean Tatar singer Jamala won the Eurovision-2016 contest, and I look forward to the successful holding of Eurovision-2017 in Ukraine, namely in the Crimea.

— Ukrainian Cyber Alliance (UCA)

Channel One hacking

The UCA hacked the website of Pervy Kanal (Channel One Russia), according to hacktivists, as part of a project to force Russia to deoccupy Donbass and fulfill its obligations under the Minsk agreements.^[19] Details of Pervy Kanal propagandist Serhiy Zenin's cooperation with Russian state-owned propaganda network Russia Today were also revealed, along with documentation of Zenin's salary and lavish lifestyle.^[20] 25 videos of DNR members shooting in the settlement of Nikishine were found in Zenin's cloud storage.^[21]

Operation #opDay28

In 2016, on the eve of Constitution Day, the UCA conducted operation #opDay28.^[22] 17 resources of Russian terrorists were hacked, and the hacked sites played another Lviv Metro video^[23] which purported to be from the leader of DNR, O. Zakharchenko:^[24]

On June 28, Ukraine celebrates another anniversary of the adoption of the Constitution. But now this holiday is overshadowed by the conflict in Donbas which we, inferior fools, have resolved and caused numerous violations of the constitutional rights of normal citizens. I have to admit that, despite the work done by my stupid press service and loyal sly dogs of the MDB DNR, the whole world sees that we started playing not in our sandbox, because of which the civilian population of Donbass suffers and dies. The truth is that Rashka has once again framed us and is trying to squeeze the Donbass after the Crimea with our own hands. I personally apologize to all the people of Ukraine for their idiocy and I hope that this anniversary of the Constitution of Ukraine will be a turning point in the relations of Donbass with its Motherland - Ukraine! Contrary to racist propaganda, we are cured of schizophrenia, and the Ukrainian constitutional order will prevail in the Donbass!

Hacking of the Russian Ministry of Defence

In July 2016, the UCA hacked the document management server of the Department of the Ministry of Defence of the Russian Federation, and made public defence contracts executed during 2015.^[25] The success of the operation was largely determined by the negligence of Russian Rear Admiral Vernigora Andrei Petrovich.^[26] At the end of November 2016, the UCA broke into the Ministry server a second time and obtained confidential data on the provision of the state defence order of 2015–2016. According to analysts of Inform Napalm, the documents show that Russia is developing a doctrine of air superiority in the event of full-scale hostilities with Ukraine, citing the amount allocated for maintenance, modernization and creation of new aircraft.^[27]

Operation #op256thDay

Before Programmer's Day, UCA conducted operation #op256thDay, in which more than 30 sites of Russian foreign aggression were destroyed. On many propaganda resources, the hacktivists embedded an Inform Napalm video demonstrating evidence of Russia's military aggression against Ukraine.^[28][29]

Operation #OpKomendant

The activists gained access to the postal addresses of 13 regional branches of the "military commandant's office" of the DNR in operation #OpKomendant. For six months,^[30] the data from the boxes was passed for analysis by Inform Napalm volunteers, employees of the Peacemaker Center, the Security Service of Ukraine and the Special Operations Forces of Ukraine.^[31]

Hacking of Aleksey Mozgovoy

In October 2016, UCA obtained 240 pages of e-mail correspondence of the leader of Prizrak Brigade, Aleksey Mozgovoy. Judging by the correspondence, Mozgovoy was completely under the control of an unknown agent with the codename "Diva".^[32]

Hacking of Arsen Pavlov

The UCA obtained data from the gadgets of Arsen "Motorola" Pavlov, leader of the Sparta Battalion, and his wife Olena Pavlova (Kolienkina). In the weeks leading up to his death, Pavlov was alarmed by the conflict with Russian curators.^[33]

SurkovLeaks operation

Main article: Surkov leaks

In October 2016, the UCA accessed the mailboxes of Vladislav Surkov, Vladimir Putin's political adviser on relations with Ukraine. Acquired emails were published by Inform Napalm in late October and early November (SurkovLeaks).^[34][35] The emails revealed plans to destabilize and federalize Ukraine, and with other materials demonstrated high-level Russian involvement from the start of the war in eastern Ukraine. A US official told NBC News that the emails corroborated information that the US had previously provided.^[36] The authenticity of the emails was confirmed by Atlantic Council^[37][38] and Bellingcat,^[39] and published by numerous Western news sources.^{[40][41][42][43][44][45][46][47][48][49][50][51][52]} In the aftermath of the leaks, Surkov's chief of staff resigned.^[53] Additional emails belonging to people from Surkov's environs were published in early November, detailing Russia's financing of the "soft federalization" of Ukraine,^[54] recruiting in the Odesa region, and evidence of funding election campaigns in the Kharkiv region.^[55] The emails stated that Yuriy Rabotin, the head of the Odesa branch of the Union of Journalists of Ukraine, received payment from the Kremlin for his anti-Ukrainian activities.^[56] On April 19, 2018, the British newspaper The Times published an article stating that the SurkovLeaks documents exposed Russia's use of misinformation about the downing of Malaysia Airlines Flight 17 in order to accuse Ukraine.^[57]

Hacking of the DNR Ministry of Coal and Energy

In November 2016, the UCA obtained emails from the DNR's "Ministry of Coal and Energy", including a certificate prepared by the Ministry of Energy of the Russian Federation in January 2016, which detail the plans of the occupiers for the Donbass coal industry.^[58]

FrolovLeaks

Operation FrolovLeaks was conducted in December 2016,^[59] and produced correspondence of Kyrylo Frolov, the Deputy Director of the CIS Institute (Commonwealth of Independent States) and Press Secretary of the Union of Orthodox Citizens, for the period 1997–2016. The correspondence contains evidence of Russia's preparation for aggression against Ukraine (long before 2014).^[60] It also revealed Frolov's close ties with Sergey Glazyev, the Russian president's adviser on regional economic integration, Moscow Patriarch Vladimir Gundyaev, and Konstantin Zatulin, a member of the Foreign and Defense Policy Council, an illegitimate^[61] member of the Russian State Duma and director of the CIS Institute. The letters mention hundreds of others connected with the subversive activities of Russia's fifth column organizations in Ukraine.

Hacking of Luhansk intelligence chief

For some time, UCA activists monitored the computer of the Chief of Intelligence 2 AK (Luhansk, Ukraine) of the Russian Armed Forces. This officer sent reports with intelligence obtained with the help of regular Russian unmanned aerial vehicles (UAVs) – Orlan,^[62] Forpost^[63] and Takhion^[64] – which were also used to adjust fire artillery. Documents have also been published proving the existence of the Russian ground reconnaissance station PSNR-8 "Credo-M1" (1L120) in the occupied territory.^[65] In July 2017, on the basis of the obtained data, additional reconnaissance was conducted on social networks and the service of the Russian UAV Takhion (servicemen of the 138th OMSBR of the RF Armed Forces Private Laptev Denis Alexandrovich and Corporal Angalev Artem Ivanovich).^[66] The surveillance provided evidence of troop movements to the Ukraine border in August 2014.^[67] A list of these soldiers, their personal numbers, ranks, exact job titles, and information on awards for military service in peacetime were published.^[68] The operation also determined the timeline of the invasion of the Russian artillery unit of the 136th OMSBR in the summer of 2014, from the moment of loading equipment to fortifying in the occupied territory of Ukraine in Novosvitlivka, Samsonivka, and Sorokine (formerly Krasnodon).^[69]

Hacking of Oleksandr Usovskyi

In February and March 2017, the UCA exposed the correspondence of Belarus citizen Alexander Usovsky, a publicist whose articles were often published on the website of Ukrainian Choice, an anti-Ukrainian NGO backed by oligarch Viktor Medvedchuk.^[70][71] Inform Napalm analysts conducted a study of the emails and published two articles^[72][73] on how the Kremlin financed anti-Ukrainian actions in Poland and other Eastern European countries. The published materials caused outrage in Poland,^{[74][75][76][77][78][79][80][81][82]} the Czech Republic^[83][84] and Ukraine.^{[85][86][87][88]} In an interview with Fronda.pl, Polish General Roman Polko, the founder of the Polish Special Operations Forces,^[89] stated his conviction that the anti-Ukrainian actions in Poland and the desecration of Polish monuments in Ukraine were inspired by the Kremlin. Polko said that the information war posed a threat to the whole of Europe, and that the Polish radicals were useful idiots manipulated by Russia.^[90]

Hacking of CIS Institute

An analysis of hacked emails from CIS Institute (Commonwealth of Independent States) revealed that the NGO is financed by the Russian state company Gazprom. Gazprom allocated $2 million annually to finance the anti-Ukrainian activities of the CIS Institute.^[91] The head of the institute, State Duma deputy Konstantin Zatulin, helped terrorists and former Berkut members who fled to Russia to obtain Russian passports.^[92]

Hacking of Russian Foundation for Public Diplomacy

Access to the mail of O. M. Gorchakovan, an employee of the Russian Foundation for Public Diplomacy, provided insight to the forms of Russia's foreign policy strategy. On the eve of the war, funding for a six-month propaganda plan in Ukraine reached a quarter of a million dollars.^[93] Under the guise of humanitarian projects, subversive activities were carried out in Ukraine, Serbia, Bosnia and Herzegovina, Bulgaria, Moldova,^[94] and the Baltic States.^[95]

Hacking of Oleksandr Aksinenko

UCA activists gained access to the mailbox of telephone miner Oleksandr Aksineko, a citizen of Russia and Israel. The correspondence indicates that Aksinenko's terrorist activities are supported by the Russian Federal Security Service (FSB), which advised him to "work in the same spirit". Aksinenko also sent anonymous letters to the Security Service of Ukraine (SBU) and other structures in Ukraine.^[96]

#FuckResponsibleDisclosure flashmob

At the end of 2017, the UCA and other IT specialists held a two-month action to assess the level of protection of Ukrainian public resources, to check whether officials were responsible with information security.^[97] Many vulnerabilities were uncovered in the information systems of government agencies. The activists identified reported these vulnerabilities openly to those who could influence the situation. The activists noted the effectiveness in publicly shaming government agencies.^[98] For example, it was found that the computer of the Main Directorate of the National Police in Kyiv region could be accessed without a password and found on a network drive 150 GB of information, including passwords, plans, protocols, and personal data of police officers.^[99] It was also found that the Bila Tserkva police website had been hacked for a long time, and only after the volunteers noticed did the situation improve. SCFM^{[expand acronym]} had not updated servers for 10 years.^[100] Activists also found that the website of the Judiciary of Ukraine kept reports of the courts in the public domain. The Kherson Regional Council has opened access to the joint disk.^[101] The CERT-UA website (Ukraine's computer emergency response team) posted a password from one of their email accounts.^[102] One of the capital's taxi services was found to keep open information about clients, including dates, phone numbers, and departure and destination addresses.^[103] Vulnerabilities were also revealed in Kropyvnytskyi's Vodokanal, Energoatom, Kyivenerhoremont, NAPC, Kropyvnytskyi Employment Center, Nikopol Pension Fund, and the Ministry of Internal Affairs (declarations of employees, including special units, were made public).^[104]

The police opened a criminal case against "Dmitry Orlov", the pseudonym of the activist who publicized the vulnerabilities in a flash mob. They also allegedly tried to hack the Orlov website, leaving a message which threatened physical violence if he continued his activities. The activist deleted the website as it had fulfilled its function.^[105]

List-1097

UCA activists obtained records of orders to provide food for servicemen of 18 separate motorized rifle brigades of the Russian Armed Forces, who were sent on combat missions during the Russian occupation of Crimea.^[106] Inform Napalm volunteers searched open sources of information for the social network profiles of servicemen named in the orders, and discovered photo evidence of their participation in the occupation of Crimea. Records also revealed how troops had been transferred to the Crimea, at Voinka.^[107]

On January 31, 2017, the central German state TV channel ARD aired a story about the cyber war between Ukraine and Russia.^[108] The story documented the repeated cyber attacks by Russian hackers on the civilian infrastructure of Ukraine and efforts to counter Russian aggression in cyberspace, in particular the Surkov leaks. Representatives of the UCA were portrayed as the heroes of the story.

Former State Duma deputy Denis Voronenkov (who received Ukrainian citizenship) made statements that Surkov was categorically against the annexation of Crimea. In response, the UCA released photos and audio recordings of the congress of the Union of Donbas Volunteers, from May 2016 in annexed Crimea and November 2016 in Moscow, at which Surkov was the guest of honor.^[109]

Volunteers of the Inform Napalm community created a film about UCA's activities called Cyberwar: a review of successful operations of the Ukrainian Cyber Alliance in 2016.^[110][111]

Hacking of the Trigona Ransomware Gang

On October 12th, 2023, UCA hacktivist herm1t posted screenshots of a Russian Confluence page claiming it to be a ransomware group.^[112] This ended up belonging to the Trigona ransomware gang, and the UCA exfiltrated data from the threat actor's website. This included the administrator and victim panels, their blog, their leak site, cryptocurrency hot wallets, and data from the development environment including source code and database records.^[113] UCA also managed to map out the group's entire network infrastructure. By the time Trigona noticed and attempted to change their passwords and take their public facing infrastructure offline, the data had already been exfiltrated. Following exfiltration, UCA deleted all information and defaced Trigona's public facing websites on October 17th.^[114][115]

Three backups of data presumed to be stolen from victims of the Trigona gang was recovered, and UCA pledged to release any decryption keys should they be discovered.

References

1. "Український кіберальянс (Ukrainian Cyber Alliance)". InformNapalm.org (Українська) (in Ukrainian). 2016-12-06. Retrieved 2020-03-08.
2. "RUH8 про український хактивізм, кібервійну та операцію SurkovLeaks (ексклюзивне інтерв'ю)". InformNapalm.org (Українська) (in Ukrainian). 2016-10-30. Retrieved 2020-03-08.
3. Euromaidan Press (2016-11-02), "We have no need for CIA help" - Ukrainian hackers of #SurkovLeaks | Exclusive interview, retrieved 2017-07-23
4. Стек, Левко; Ребрій, Роман; Головін, Євген (17 April 2017). "Кібервійна: партизани України проти військ Росії". Радіо Свобода (in Ukrainian). Retrieved 2020-03-08.
5. "Привиди львівського метро". tyzhden.ua. 20 January 2017. Retrieved 2020-03-08.
6. "Кібервоїн Jeff: Це перша у світі кібервійна, і ми в ній воююча сторона – відео". 5 канал (in Ukrainian). Retrieved 2017-07-23.
7. "Росія відкриває візи для терору в Україні — витік паспортних даних найманців". InformNapalm.org (Українська) (in Ukrainian). 2016-04-03. Retrieved 2020-03-08.
8. "Медичні послуги для VIP-найманців Росії. Листування, документи, ідентифікація бойовиків". InformNapalm.org (Українська) (in Ukrainian). 2016-04-07. Retrieved 2020-03-08.
9. "Хакери та OSINT-аналітики розкрили подробиці гібридної історії військового ЗС Росії". InformNapalm.org (Українська) (in Ukrainian). 2016-04-08. Retrieved 2020-03-08.
10. "Хакери знищили сайт російських пропагандистів "Anna News" і розмістили відеозвернення". InformNapalm.org (Українська) (in Ukrainian). 2016-04-29. Retrieved 2020-03-08.
11. Archived at Ghostarchive and the Wayback Machine: "Обращение хакерского альянса Falcons Flame и Trinity". YouTube. 29 April 2016.
12. "9 зломів 9 травня: українські хакери успішно провели операцію #OpMay9 (ВІДЕО)". InformNapalm.org (Українська) (in Ukrainian). 2016-05-09. Retrieved 2020-03-08.
13. "Українські хакери зламали дев'ять сайтів ДНР на День перемоги". РБК-Украина (in Russian). Retrieved 2020-03-08.
14. "Українські хакери до Дня Перемоги зламали сепаратистські та російські сайти". ТСН.ua (in Ukrainian). 2016-05-10. Retrieved 2020-03-08.
15. Archived at Ghostarchive and the Wayback Machine: "[EN, RU subs] 9 взломов 9 мая: украинские хакеры успешно провели операцию #OpMay9". YouTube. 9 May 2016.
16. "Архівована копія". Archived from the original on 8 October 2017. Retrieved 23 July 2017.
17. "Hackers' #opMay18 operation: Aksyonov "deplores" Crimea deportation, "thanks" Jamala". www.unian.info. Retrieved 2020-03-08.
18. "Українські хакери провели в Криму операцію #opMay18". InformNapalm.org (Українська) (in Ukrainian). 2016-05-18. Retrieved 2020-03-08.
19. "Українські хакери зламали російський Перший канал, - Inform-napalm. ФОТО".
20. "Українські хакери зламали дані та листування пропагандиста Путіна". Апостроф (in Ukrainian). Retrieved 2020-03-08.
21. "Злом пропагандистів РФ. Частина 3: обстріл Нікішиного". InformNapalm.org (Українська) (in Ukrainian). 2016-06-16. Retrieved 2020-03-08.
22. "Хакери зломали 17 російських сайтів: Захарченко і Плотницький вибачаються перед українцями". www.ukrinform.ua (in Ukrainian). 28 June 2016. Retrieved 2020-03-08.
23. Archived at Ghostarchive and the Wayback Machine: "#opDay28". YouTube. 28 June 2016.
24. "Українські хакери провели операцію #opDay28". InformNapalm.org (Українська) (in Ukrainian). 2016-06-28. Retrieved 2020-03-08.
25. "Українські хакери зламали сервер департаменту Міноборони РФ". 5 канал (in Ukrainian). Retrieved 2020-03-08.
26. Подробнее mil.ru (in Russian)
27. Штекель, Михайло (3 December 2016). "Росія розробляє військову доктрину переваги в повітрі – українські хакери". Радіо Свобода (in Ukrainian). Retrieved 2020-03-08.
28. "Привиди львівського метро". tyzhden.ua. Retrieved 2020-03-08.
29. "Хактивісти відсвяткували День програміста ударною операцією #op256thDay". InformNapalm.org (Українська) (in Ukrainian). 2016-09-13. Retrieved 2020-03-08.
30. ^{[dead link]}https://twitter.com/16FF255/status/803524672801406976
31. Цензор.НЕТ. "Операція "Комендант": українські хакери зламали пошту "військових комендатур" російських окупантів у Донецькій області. ДОКУМЕНТИ+ВІДЕО". Цензор.НЕТ (in Ukrainian). Retrieved 2020-03-08.
32. "Як "Діва" привела бойовика Мозгового до ліквідації: листування". ФАКТИ ICTV. 2016-10-19. Retrieved 2020-03-08.
33. "Напередодні вбивства "Мотороли" з будинка, де він жив, знімали охорону". Українська правда (in Ukrainian). Retrieved 2020-03-08.
34. "Злом Суркова: хактивісти кіберальянсу передали докази злому помічника президента РФ (1 Гб даних)". InformNapalm.org (Українська) (in Ukrainian). 2016-10-25. Retrieved 2020-03-08.
35. "SurkovLeaks (part 2): хактивісти опублікували новий дамп пошти приймальні Суркова". InformNapalm.org (Українська) (in Ukrainian). 2016-11-03. Retrieved 2020-03-08.
36. "Payback? Russia gets hacked, revealing top Putin aide's secrets". NBC News. 28 October 2016. Retrieved 2020-03-08.
37. @DFRLab (2016-10-26). "Breaking Down the Surkov Leaks". Medium. Retrieved 2020-03-08.
38. @DFRLab (2016-11-03). "Putin's Email Scandal Continues". Medium. Retrieved 2020-03-08.
39. "Разбор слитой переписки Суркова". Беллингкэт (in Russian). 2016-10-26. Retrieved 2020-03-08.
40. Burridge, Tom (2016-11-03). "Ukrainian pair claim Kremlin email hack". BBC News. Retrieved 2020-03-08.
41. "Hacked Kremlin Emails Could Signal a Turn in the U.S.-Russia Cyberwar". Time. Retrieved 2020-03-08.
42. Kramer, Andrew E. (2016-10-27). "Ukrainian Hackers Release Emails Tying Top Russian Official to Uprising". The New York Times. ISSN 0362-4331. Retrieved 2020-03-08.
43. Tucker, Maxim. "Press tycoon tried to win support for Putin". The Times. ISSN 0140-0460. Retrieved 2020-03-08.
44. Tucker, Maxim Tucker. "Hackers leak Putin plan to carve up Ukraine". The Times. ISSN 0140-0460. Retrieved 2020-03-08.
45. Walker, Shaun (2016-10-26). "Kremlin puppet master's leaked emails are price of return to political frontline". The Guardian. ISSN 0261-3077. Retrieved 2020-03-08.
46. Miller, Christopher (2 November 2016). "Inside The Ukrainian 'Hacktivist' Network Cyberbattling The Kremlin". Radio Free Europe/Radio Liberty. Retrieved 2020-03-08.
47. Miller, Christopher (3 November 2016). "Hackers Release More E-Mails They Say Tie Putin Aide To Ukraine Crisis". Radio Free Europe/Radio Liberty. Retrieved 2020-03-08.
48. Miller, Nick (2016-11-03). "SurkovLeaks: new cache of emails alleges Russian plan to destabilise Ukraine". The Sydney Morning Herald. Retrieved 2020-03-08.
49. "Hackers are turning the tables on Vladimir Putin, and the fallout could be huge". The Independent. 2016-11-04. Retrieved 2020-03-08.
50. Brewster, Thomas. "Meet The Ukrainian Hackers Targeting The Kremlin's Master Manipulator". Forbes. Retrieved 2020-03-08.
51. Leonid Bershidsky (26 October 2016). "How the Kremlin Handles Hacks: Deny, Deny, Deny". Bloomberg.com. Bloomberg. Retrieved 2020-03-08.
52. EDT, Damien Sharkov On 10/27/16 at 8:07 AM (2016-10-27). "Kremlin denies Putin aide's email was hacked—'he does not use email'". Newsweek. Retrieved 2020-03-08.{{cite web}}: CS1 maint: numeric names: authors list (link)
53. "Скандальний "злам" пошти Суркова українськими хакерами призвів до відставки в Кремлі - ТСН" (in Ukrainian). 2017-01-20. Retrieved 2018-01-09.
54. "Як сепаратисти у 2014-му планували захопити Запоріжжя (ДОКУМЕНТ) – Depo.ua". www.depo.ua (in Ukrainian). Retrieved 2020-03-08.
55. "SurkovLeaks (part 3): аналіз листування першого заступника Суркова Інала Ардзінби". InformNapalm.org (Українська) (in Ukrainian). 2017-11-02. Retrieved 2020-03-08.
56. Одеська #медіаспільнота: не все то медіа, що блищить. enigma.club. Retrieved 2020-03-08.
57. "Russian leaks reveal spin on MH17 disaster - The Times". The Times. 2018-04-19. Retrieved 2018-04-24.
58. "Оцінка стану вугільної промисловості окупованих територій Донбасу". InformNapalm.org (Українська) (in Ukrainian). 2016-11-10. Retrieved 2020-03-08.
59. "FrolovLeaks Archives". InformNapalm.org (Українська) (in Ukrainian). Retrieved 2020-03-08.
60. "#FrolovLeaks: Про "Донецьку республіку" у Кремлі заговорили ще 1999 року". 5 канал (in Ukrainian). Retrieved 2020-03-08.
61. "Про Заяву Верховної Ради України "Про невизнання Україною легітимності виборів до Державної Думи Федеральних Зборів Російської Федерації сьомого скликання".
62. "Начальник розвідки 2 АК ЗС РФ під контролем UCA. Part 1: БЛА "Орлан-10"". InformNapalm.org (Українська) (in Ukrainian). 2017-01-05. Retrieved 2020-03-08.
63. "Начальник розвідки 2-го АК ЗС РФ під контролем UCA. Part 2: БЛА "Форпост"". InformNapalm.org (Українська) (in Ukrainian). 2017-01-17. Retrieved 2020-03-08.
64. "Начальник розвідки 2-го АК ЗС РФ під контролем UCA. Part 3: Де впав БЛА "Тахіон", координати". InformNapalm.org (Українська) (in Ukrainian). 2017-01-26. Retrieved 2020-03-08.
65. "Начальник розвідки 2 АК ЗС РФ під контролем UCA. Part 5: ПСНР-8". InformNapalm.org (Українська) (in Ukrainian). 2017-03-09. Retrieved 2020-03-08.
66. "Волонтери InformNapalm ідентифікували кадровиків РФ на Донбасі". 5 канал (in Ukrainian). Retrieved 2020-03-08.
67. "Гаага чекає на танкістів: волонтери знайшли докази перекидання військ РФ до України у 2014-2015 роках (фото)". www.unian.ua (in Ukrainian). Retrieved 2020-03-08.
68. "Гаага жде танкістів 136-ї бригади ЗС РФ: списки, документи, накази - OSINT+HUMINT". InformNapalm.org (Українська) (in Ukrainian). 2017-03-31. Retrieved 2020-03-08.
69. "Архівована копія". 28 July 2017. Archived from the original on 31 July 2017. Retrieved 29 July 2017.
70. "Александр Усовский - Авторы | VYBOR.UA". vybor.ua (in Russian). Archived from the original on 2017-07-11. Retrieved 2020-03-08.
71. "Хакери з'ясували, хто намагається посварити Україну та Польщу". 24 Канал. 22 February 2017. Retrieved 2020-03-08.
72. "За антиукраїнськими акціями в Польщі стоїть Кремль — аналіз викритого листування". InformNapalm.org (Українська) (in Ukrainian). 2017-02-23. Retrieved 2020-03-08.
73. "Як Кремль фінансує польських радикалів: завдання, оплата, звіт у Москву". InformNapalm.org (Українська) (in Ukrainian). 2017-03-01. Retrieved 2020-03-08.
74. "Wyborcza.pl". wyborcza.pl. Retrieved 2020-03-08.
75. Redakcja, About The Author (2017-02-24). "Rewelacje "Inform-Napalmu": bardzo dziwna sprawa – Marcin Rey". Portal Międzymorza JAGIELLONIA.ORG (in Polish). Retrieved 2020-03-08. {{cite web}}: |first= has generic name (help)
76. Redakcja, About The Author (2017-03-01). "Jak Kreml finansuje polskich radykałów – zadania, wypłaty, raport do Moskwy". Portal Międzymorza JAGIELLONIA.ORG (in Polish). Retrieved 2020-03-08. {{cite web}}: |first= has generic name (help)
77. "Zdrajcy Polski na pasku Kremla. Tak raportowali do Moskwy. NOWE FAKTY". NIEZALEZNA.PL. 2017-03-02. Retrieved 2020-03-08.
78. "Wyborcza.pl". wyborcza.pl. Retrieved 2020-03-08.
79. "Majątek za szerzenie propagandy Kremla". Gazeta Polska Codziennie. 2 March 2017. Retrieved 2020-03-08.
80. "Архівована копія". Archived from the original on 8 August 2017. Retrieved 26 July 2017.
81. Redakcja (2017-02-23). "Ukraiński portal sugeruje związki polskich polityków z "antyukraińskimi akcjami" w Polsce » Kresy". Kresy (in Polish). Archived from the original on 2017-10-06. Retrieved 2020-03-08.
82. "W "Newsweeku": Wielbiciel Hitlera, który z pieniędzy z Rosji finansował skrajną prawicę w Polsce. Kim jest Aleksander Usowski?". Newsweek.pl (in Polish). 3 April 2017. Retrieved 2020-03-08.
83. Soukup, Ondřej (2017-03-13). "Hackeři odhalili "otce" proruských akcí v Česku. Na organizaci demonstrací ve střední Evropě dostal 100 tisíc eur". Hospodářské noviny (iHNed.cz) (in Czech). Retrieved 2020-03-08.
84. Soukup, Ondřej (2017-03-15). "Rusko Ondřeje Soukupa: Pomozte Kremlu, stát vám potom odpustí". Hospodářské noviny (iHNed.cz) (in Czech). Retrieved 2020-03-08.
85. "Антиукраїнські акції в Польщі влаштовував білорус на замовлення Затуліна - ЗМІ". Українська правда (in Ukrainian). Retrieved 2020-03-08.
86. "Польські націоналісти проводили акції проти України за гроші Росії - Wyborcza". DT.ua. Retrieved 2020-03-08.
87. "Як російський олігарх Малофєєв організовував антиукраїнські акції в Чехії та Угорщині". hromadske.ua (in Ukrainian). 14 March 2017. Retrieved 2020-03-08.
88. "Як за гроші "Газпрому" Росія сварить Україну та Польщу - новини Еспресо TV | Україна". espreso.tv. Retrieved 2020-03-08.
89. "Roman Polko". Wikipedia. 2019-02-18. Retrieved 2020-03-08.
90. "Gen. Roman Polko dla Frondy: To Kreml nakręca polsko-ukraińską niechęć". www.fronda.pl (in Polish). Retrieved 2020-03-08.
91. "Активісти розкрили схему фінансування "Газпромом" дестабілізації в Україні за $ 2 млн на рік". ТСН.ua (in Ukrainian). 2017-04-19. Retrieved 2020-03-08.
92. "Депутат Держдуми РФ Затулін вирішує паспортні питання бойовиків "ДНР" (документи)". InformNapalm.org (Українська) (in Ukrainian). 2017-05-30. Retrieved 2020-03-08.
93. "Агресивна російська "soft power" в Україні на порозі війни". InformNapalm.org (Українська) (in Ukrainian). 2017-06-25. Retrieved 2020-03-08.
94. "SOFT POWER - ul rusesc în Republica Moldova şi nu numai. Partea I". Deschide.MD (in Romanian). Retrieved 2020-03-08.
95. "Агресивна російська "soft power" у Європі". InformNapalm.org (Українська) (in Ukrainian). 2017-07-30. Retrieved 2020-03-08.
96. Цензор.НЕТ. "Громадянин РФ та Ізраїлю Аксіненко "мінує" українські об'єкти під протекцією ФСБ, - InformNapalm. ФОТОрепортаж". Цензор.НЕТ (in Ukrainian). Retrieved 2020-03-08.
97. "#FuckResponsibleDisclosure – флешмоб IT-фахівців з UCA змушує українські держструктури дбати про інформаційну безпеку - InformNapalm.org (Українська)". InformNapalm.org (Українська) (in Ukrainian). 2017-11-19. Retrieved 2017-12-16.
98. "Огляд тижневиків: чи легко "хакнути" українську владу - BBC Україна". 2017-12-01. Retrieved 2017-12-16.
99. "Злом хакерами особистих даних учасників АТО: в мережі розкрили скандальні деталі - Апостроф" (in Ukrainian). 2017-11-18. Retrieved 2017-12-16.
100. "Український кіберальянс: "Держструктурам не варто лишати двері для хакерів прочиненими" - Тиждень" (in Ukrainian). 2017-12-01. Retrieved 2017-12-16.
101. "На зламаному сервері Херсонської облради знайшли заготовлені авіабілети в Ростов - Херсон.city" (in Russian). 2017-11-16. Archived from the original on 2017-12-17. Retrieved 2017-12-16.
102. Українські хакери перевірили, як захищають сайти держустанов. Zik (in Ukrainian). 2017-11-23. Archived from the original on 2017-12-16. Retrieved 2017-12-16.
103. Archived at Ghostarchive and the Wayback Machine: "Як українські служби викладають в Інтернеті стратегічні дані та вашу персональну інформацію". YouTube. 3 December 2017.
104. "Активісти підбили підсумки флешмобу #FuckResponsibleDisclosure з виявлення вразливостей державних IT-систем України - InformNapalm.org (Українська)". InformNapalm.org (Українська) (in Ukrainian). 2017-12-06. Retrieved 2017-12-16.
105. "Полиция завела уголовное дело на участника акции Украинского киберальянса - Internet.ua". Internet.ua. 2018-02-02. Retrieved 2018-02-02.
106. Волонтери розповіли деталі окупації Криму в 2014 році. Тиждень.ua. 2018-04-16. Archived from the original on 2018-04-25. Retrieved 2018-04-24.
107. Список-1097: як 18-та ОМСБр ЗС Росії окупувала Крим. InformNapalm.org. 2018-04-22. Archived from the original on 2018-04-25. Retrieved 2018-04-24.
108. "Ukraine: Cyberkrieg - Weltspiegel - ARD | das Erste".
109. "Хакери показали ціну заявам екс-депутата Держдуми Вороненкова про невинуватість Суркова (фото й аудіозапис)". InformNapalm.org (Українська) (in Ukrainian). 2017-02-18. Retrieved 2020-03-08.
110. Archived at Ghostarchive and the Wayback Machine: "CYBERWAR: огляд успішних операцій Українського кіберальянсу в 2016 році". YouTube. 2 February 2017.
111. "Кібервійна: огляд найуспішніших публічних операцій Українського Кіберальянсу в 2016 році". InformNapalm.org (Українська) (in Ukrainian). 2017-02-02. Retrieved 2020-03-08.
112. "https://twitter.com/vx_herm1t/status/1712417798738108542". X (formerly Twitter). Retrieved 2023-10-21. {{cite web}}: External link in |title= (help)
113. "Ukrainian activists hack Trigona ransomware gang, wipe servers". BleepingComputer. Retrieved 2023-10-21.
114. CONSTANTINESCU, Vlad. "Ukrainian Cyber Alliance Disrupts Trigona Ransomware Operations, Exfiltrates Key Data". Hot for Security. Retrieved 2023-10-21.
115. "https://twitter.com/vx_herm1t/status/1714426955913744684". X (formerly Twitter). Retrieved 2023-10-21. {{cite web}}: External link in |title= (help)