How Russia’s YouTube was Nuked by the IT Army of Ukraine

Russia has its own version of YouTube called RuTube. It does much the same as YouTube does except that, among the usual videos on cooking and cats, you’ll find it used as a propaganda platform for government controlled TV channels such as RT or Channel 1. RuTube is very popular and boasts over 25 million monthly users. It is one of the main sources for information on the war in Ukraine.

The prevailing belief among Russians is that Ukraine is controlled by neo-Nazis who want to commit genocide against Russian speakers in the country, and that the U.S. and NATO are orchestrating this. The Ukrainians, they believe, are bombing their own cities and blaming the Russians in order to encourage the West to send them more weapons. Here is a typical Channel 1 story which, of course, is not really true.

When people in Ukraine contact their relatives in Russia to tell them about the war, it is the Ukrainians who are accused of being victims of misinformation. If nothing else, this shows how important freedom of the press is. It also shows that citizens need the freedom to express alternative opinions and, just as importantly, that they have an obligation to seek them out.

It is difficult to get good statistics on the opinions of Russian citizens because, when approached by pollsters, they may hesitate to give opinions that do not match the current narrative of the Russian government. In any event, the following chart from the Russia-based Levada-Center gives some basic information.

Keep in mind that, because of the reluctance just described, all of these responses probably overstate support and should be read as shifted toward the left of the chart. That said, we can make some general observations. The older you are, the more likely you are to support the war. More importantly, the Russian propaganda network seems to be working. To show that it is accomplishing its task, the same polling firm asked the following question.

It was to combat such disinformation that the IT Army of Ukraine was born. The goal of this collaboration of IT professionals, hackers, and ordinary people wanting to contribute to the Ukrainian cause is to stop the spread of Russian disinformation and propaganda by taking their websites offline, generally through DDoS attacks. Their targets change daily but often include media sites, and they have been highly successful. The limitation of a DDoS attack, however, is that its effect doesn't usually last very long: the site comes back as soon as the traffic stops or is filtered. The attack on RuTube on May 9th, which coincided with Russia's celebration of its victory over Nazi Germany, was different. It lasted for more than three days, so early on people suspected it was something more complex than a DDoS attack. Then, on May 14th, a purported member of the IT Army of Ukraine posted a video in which he explained some of the details of the attack. I will try to break down this attack and add some details which seem to be missing.

The attack apparently began on the evening of May 8th but was not discovered until 4am the next morning. When the administrator of the site, Renat Abdryazakov, tried to sign in to regain control of the network, he found that his credentials were rejected. The attackers had changed his password, or possibly all of the main administrator passwords.

As Abdryazakov watched in horror, he saw file after file being deleted or exfiltrated. But it got worse. When he tried to use his passcard to leave the server room, he found that it didn't work. He was locked in. In fact, no passcards worked; no one could get in or out of the server room. After two hours of attempting to get in with the passcards, the staff gave up and physically broke through the door. If that account is accurate, the badge system was controllable from the same compromised network, which is exactly why physical access control should be segmented from the corporate and production networks. But, as the hacker states in the video, "by this time we have already destroyed the entire infrastructure of the video platform, both internal and external." They had also "deleted dozens of petabytes of information." In addition they had "demolished all systems – virtualization, databases, content converter, content search systems, advertising module, load distribution systems and management of the entire infrastructure." The hacker then claimed they would be releasing some of the stolen documents on the mega.nz site.

This attack was probably planned well in advance. Everyone knew that Russia was going to hold a big celebration on May 9th and, in doing so, make itself a target for Ukrainian hackers. Everyone on the IT Army of Ukraine site knew that something was going to happen to undermine these celebrations; we just didn't know the details. Although some have linked the attack to the Anonymous hacking group, it appears to have been carried out by only two or three skilled hackers aligned with the IT Army. The IT Army of Ukraine's logo at the beginning of the video, which you can see at the end of this post, supports that attribution.

In any event, it appears the hackers gained access to the site well before May 9th. They probably did this through a spearphishing email that got an employee to install malware on their device. They used this foothold to move laterally through the network until they reached an administrator's account. Eventually they controlled the access credentials and, in effect, the network itself. Then they waited.

The destructive phase was probably timed for the night of May 8th-9th. It likely began with the changing of all the administrators' passwords to prevent them from interfering. The attackers had already identified which files they wanted to take and which processes they wanted to stop, so it all happened very quickly. They brought the site down completely and probably took sensitive information. They may have taken backup files, but enough remained for RuTube to get back online within a few days, which suggests at least some backups were stored out of reach of the compromised administrator credentials. That is the one thing that kept a three-day outage from becoming a permanent one.
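The reconstruction above describes three things a defender could have alerted on before the site went dark: a burst of administrator password changes from a single actor, a legitimate administrator failing to log in right after someone else reset his password, and a spike of deletions in the storage layer. The detector below is an added example written for this post, not RuTube's tooling or anything from the attackers' video. The log format (an ISO timestamp followed by key=value pairs) and every sample line in it are constructed; host and account names are assumptions.

```python
"""Burst and lock-out detectors for the three signals in the RuTube account.
The log format and all sample lines are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: ISO timestamp, then key=value pairs).
SAMPLE_LOG = """\
2022-05-08T22:10:11Z host=auth01 event=login actor=svc_backup result=success
2022-05-08T23:40:02Z host=auth01 event=password_change actor=svc_backup target=admin_renat result=success
2022-05-08T23:40:09Z host=auth01 event=password_change actor=svc_backup target=admin_ops result=success
2022-05-08T23:40:15Z host=auth01 event=password_change actor=svc_backup target=admin_db result=success
2022-05-08T23:40:21Z host=auth01 event=password_change actor=svc_backup target=admin_net result=success
2022-05-08T23:55:00Z host=store03 event=delete actor=svc_backup path=/video/0001.mp4 result=success
2022-05-08T23:55:01Z host=store03 event=delete actor=svc_backup path=/video/0002.mp4 result=success
2022-05-08T23:55:01Z host=store03 event=delete actor=svc_backup path=/video/0003.mp4 result=success
2022-05-08T23:55:02Z host=store03 event=delete actor=svc_backup path=/video/0004.mp4 result=success
2022-05-08T23:55:02Z host=store03 event=delete actor=svc_backup path=/video/0005.mp4 result=success
2022-05-09T04:02:40Z host=auth01 event=login actor=admin_renat result=failure
2022-05-09T04:02:55Z host=auth01 event=login actor=admin_renat result=failure
"""


def parse_line(line):
    """Turn one 'TIMESTAMP k=v k=v ...' line into a dict with a datetime 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def burst_alerts(events, event_type, window, threshold):
    """For each actor, slide a time window over its events of `event_type`;
    raise one alert per actor if any window holds at least `threshold` events."""
    by_actor = defaultdict(list)
    for e in events:
        if e.get("event") == event_type:
            by_actor[e["actor"]].append(e["ts"])
    alerts = []
    for actor, times in by_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((actor, event_type, times[start], times[end]))
                break
    return alerts


def lockout_alerts(events):
    """Accounts whose password was changed by a different actor and which
    then fail to log in: the 'administrator locked out' signal."""
    changed = {e["target"]: e["actor"] for e in events
               if e.get("event") == "password_change" and e["actor"] != e["target"]}
    locked = []
    for e in events:
        if (e.get("event") == "login" and e.get("result") == "failure"
                and e["actor"] in changed and e["actor"] not in locked):
            locked.append(e["actor"])
    return locked


def scan(text, window_seconds=300, reset_threshold=3, delete_threshold=5):
    """Run all three detectors and return (burst_alerts, locked_out_accounts)."""
    events = parse_log(text)
    w = timedelta(seconds=window_seconds)
    bursts = burst_alerts(events, "password_change", w, reset_threshold)
    bursts += burst_alerts(events, "delete", w, delete_threshold)
    return bursts, lockout_alerts(events)


if __name__ == "__main__":
    bursts, locked = scan(SAMPLE_LOG)
    for actor, kind, first, last in bursts:
        print(f"{actor}: {kind} burst from {first} to {last}")
    for account in locked:
        print(f"{account}: failed login after password reset by another actor")
```

The thresholds are deliberately low because privileged password changes and bulk deletes by a service account are rare on a healthy platform; in practice you would tune them against a baseline and feed the alerts to a pager rather than print them. Note that none of this helps once the attacker also controls the logging host, which is one more reason to ship logs to a system the compromised administrator credentials cannot reach.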

Now, it would be easy for many to brush this aside as a temporary inconvenience, but that would be a mistake. Could the attackers have used RuTube to move into other sites connected to it, such as the major media sites? Could they use subscribers' credentials to launch further spearphishing attacks? Could they, in fact, still have access to the RuTube network and use it to post anti-Russian, pro-Ukrainian content? All of this is certainly possible. That's why I don't think we've seen the end of the fallout from this particular attack. Here's the video made by the hackers. Watch it and reach your own conclusions.
