How Telegram became Ukraine's biggest digital ally in the war


Researchers have observed rapid growth in the number of Ukrainian groups turning to Telegram channels to organise offensive efforts against Russia.

The highly publicised ‘IT Army of Ukraine’ group, set up by Oleksandr Bornyakov, Ukraine’s deputy minister for digital transformation, is among the most populated with more than 277,000 members as of Thursday morning.

The group has experienced steady growth in membership every day since the war began, as have other groups. Check Point Research said “user volume grew a hundred folds daily” generally on the Telegram platform, peaking at 200,000 users per group.

There are concerns that Russia may attempt to shut down the country’s internet if it is able to install an incumbent government, and this has led Ukrainians to rely increasingly on platforms like Telegram, should the country’s own official channels be taken offline.

There is precedent for such a strategy; Russia attacked the country’s internet and telecommunication services in 2014 as it seized control of Crimea. Estonia’s 10-day internet outage in 2007 is also thought to be linked with Russian-backed cyber attacks.

Check Point saw six times the number of Telegram groups related to the conflict on the day of the invasion compared to the day before, broadly grouped into three main categories: those encouraging retaliatory cyber attacks against Russia; fundraising groups for Ukraine, of doubtful authenticity; and news feed groups bypassing mainstream media (MSM).

Anti-Russia hacking groups

The ‘IT Army of Ukraine’ group is the largest of its kind, and researchers said around 23% of all groups are related to the encouragement of anti-Russia cyber attacks. Searching the platform reveals, for example, similar groups set up for different languages.

In recent days, numerous groups such as ‘IT Army of Ukraine’ and ‘Anna’ have been posting various websites with Russian domains as target lists for vigilante attackers to strike.

Image: Screenshot of Telegram group rallying hackers to target various domains (credit: IT Pro)

Attacks are mainly focused on distributed denial of service (DDoS), but also include SMS and call-based attacks, according to the research. In some groups, links for attack tools such as bots and SMS bombers are posted with instructions on how to use them.

Observations of such groups also reveal recruitment drives from group administrators. The ‘IT Army of Ukraine’ recently advertised the need for specialists in React Native, and various DevOps frameworks, in addition to information security specialists in AWS Shield and managed DDoS protection.

On Thursday, the group posted its “top priority” targets, which included GLONASS, Russia’s space-based satellite navigation system; the Belarusian railway, which hacktivists previously targeted prior to the conflict; Russian telecoms providers; the National Bank of Russia, and ATM processors.

Suspicious fundraising groups

Around 4% of all conflict-related Telegram groups are aimed at raising donations for a side of the conflict, “many of which are suspicious,” said Check Point.

“Times of distress and crisis always motivate criminals and fraudsters,” it added. “Spotting their activity since the war started looks to be a growing phenomenon in the form of Telegram groups, requesting to raise funds for Ukraine and its population. Our investigations show that many of such requests and groups are highly suspected to be fraudulent.”

Posts on related channels appear to rally kind benefactors into donating funds, but the purpose of the donations, or information regarding what the money will be used for, is not revealed in most cases.

The posts generally encourage donations in cryptocurrency, either Bitcoin, Ethereum, or Tether, and come with messages of endearment with a sympathetic tone. The researchers say such groups have amassed members exceeding 20,000 and should be treated with caution.

Official donations can be made through a variety of channels and charities through the clear web and using fiat currency. Charities such as Red Cross, Unicef, and Save the Children - among many others - are all collecting for their causes.

News feed groups

By far the most popular type of Telegram group was the kind relaying news and messages directly from the front line of the conflict - 71% of all conflict-related groups are thought to be related to news.

Posts to such groups appear regularly across all 24 hours of the day, sharing news, images, and other footage that MSM will often refrain from broadcasting, Check Point said.

Image: Screenshot of Telegram news group sharing news of the takedown of a Russian aircraft (credit: IT Pro)

The news posted to these groups is naturally unverified, so the authenticity of the information posted must be questioned in each case.

There are some reports suggesting social media posts, such as those capturing Russian soldiers, have been taken from previous conflicts, but these groups will also serve as ways for the Ukrainian people to keep up to date should Russia cut access to the independent press.

There is also potential for phishing attacks to take place in groups like this, so researchers recommend that users do not click through on any links that they cannot verify to be safe or authentic.

Doubts over Telegram security

For how long Ukraine will continue to be allowed to rely on Telegram remains unclear. The platform’s founder, Pavel Durov, said on Sunday that Telegram will consider restricting the operation of some channels should the conflict deepen, Reuters reported.



He said the platform was being used increasingly to spread unverified information and that he did not want such activity to worsen the situation.

There has also been criticism in the past, resurfacing in recent weeks, that the platform falsely claims to be a fully encrypted instant messaging service.

Moxie Marlinspike, founder of rival secure messaging app Signal, said last week that Telegram “is by default a cloud database with a plaintext copy of every message everyone has ever sent or received”.

Fully encrypted usually entails end-to-end encryption – a technology that prevents anyone other than the sender and receiver, including the app itself and its developers, from viewing their correspondence without physical access to the devices they use.

Telegram is just encrypted, meaning the company owns the keys to chats and can open these at any time. It does have an end-to-end encryption feature, but this needs to be turned on manually by the user.

Connor Jones
