A YouTube influencer with hundreds of thousands of subscribers is encouraging followers to conduct cyber warfare against Russia.
In a plea made this week on his channel, the YouTuber demonstrated how viewers could download a free pen-testing (DDoS) tool called Liberator and “stop that Russian propaganda machine.”
Albeit the cause might seem worthwhile and appealing, how legal is DDoS, and can users get in trouble?
YouTuber: ‘I NEED YOUR HELP!’
In a YouTube video streamed Thursday, April 28th, a vlogger, Boxmining—who has over 268,000 subscribers, sought everyone’s help in stopping Russian propaganda, amid the Kremlin’s ongoing invasion of Ukraine.
The YouTube video in question has thus far generated over 86,000 views and counting at the time of writing.
“I need your help to support Ukraine! For the past few weeks, there have been numerous disinformation campaigns and fake news from the Russian government,” says the YouTuber.
“These fake news flooded the media and had different effects around the globe.”
“Very rarely do I ask people for help, but this is a situation where you can join the cyber warfare against Russia to stop that Russian propaganda machine,” continued Boxmining.
Without wasting time, Boxmining quickly demonstrates how can you download an offensive security tool called ‘Liberator’ and partake in conducting cyber warfare against Russia using nothing other than your own computers and a VPN connection.
Created by the hacktivist group, ‘disBalancer,’ the Liberator app works by using your computer to attack Russian websites that spread misinformation related to current events.
Liberator DDoS app by Disbalancer
Liberator conducts what is referred to as a Distributed Denial of Service (DDoS) attack.
A DDoS attack works by several machines (bots) repeatedly flooding servers of a website with excessive requests in a short span of time, such that the servers run out of their allotted bandwidth, and become unresponsive.
A test run of Liberator is shown below on a macOS device. As soon as the tool runs, it starts “searching for the Kremlin’s target to defeat….”
The list of the websites that the tool starts to attack is curated by the disBalancer team.
Liberator DDoS tool in action on macOS (disBalancer)
Of all cyberattacks, DDoS can be fairly easy to conduct as it involves no “hacking” or breaching the target—merely flooding the servers with repeated web requests (packets) can cause them to “freeze” for some time and cease serving webpages.
This is probably why, both hacktivist groups and threat actors including ransomware and extortion gangs, have leveraged DDoS attacks against their targets at some point.
More recently, Russian hacktivist group “Killnet” has launched DDoS attacks on Romanian government sites.
YouTube’s policies generally prohibit content that demonstrates how to use computers and IT equipment to conduct hacking, but the policy appears to more specifically apply to instructions on stealing credentials, compromising personal data, and causing “serious harm to others,” by hacking their social media accounts.
And, that makes DDoS videos a gray area—at least on YouTube.
The legality of it all: are you at risk?
Russia’s ongoing invasion of Ukraine has now lasted well over two months and the war is having devastating consequences on the Ukrainian people and their families.
A report published as recently as today shows injured civilians some with “wounds rotting with gangrene.” These civilians have sought refuge in the Azovstal steel plant located in the Ukranian city of Mariupol.
While 25 of these civilians have been evacuated, unfortunately, up to 1,000 are purported to still be living underneath the plant.
The very sight of such distressing facts and footages may genuinely prompt netizens, even those based outside the Russo-Ukrainian region, to take action.
However, when conducting cyber warfare, how much are you legally in the clear, and could it backfire?
The YouTuber behind the video says he’s spoken to one of disBalancer’s advisors, Dyma Budorin, and explains:
“This is nothing related to anything malicious that’s being done on the app but rather because of the actions of what the bot is gonna do it will start attacking Russian websites so yeah it gets flagged,” Boxmining articulates his understanding of Liberator, but we are not quite sure of this claim.
Conducting DDoS attacks is a criminal offense in most jurisdictions.
Under the U.S. Computer Fraud and Abuse Act (CFAA), those found guilty of engaging in DDoS can face up to 10 years in prison. UK’s Computer Misuse Act of 1990 outlaws DDoS attacks as well. And, Dutch law includes similar legislation.
Even the use of “booter services and stressers” violates these acts.
These words are not taken lightly, as the US Department of Justice has sentenced numerous people for conducting DDoS attacks in the past, including attacks against gamers, using IoT devices to conduct attacks, and for running DDoS services.
No encryption: your identity may be at risk
While the video has been praised by many, who appreciated the effort, some have raised concerns that this could be a “dangerous use” of the YouTuber’s audience reach and put viewers in jeopardy.
A user points out the risks of the approach (YouTube)
And it seems, the YouTube user Junk, may actually be right.
Last month, cyber security researchers at Avast Threat Labs warned against joining DDoS attacks against Russia as compelling as the cause may seem, and specifically looked at disBalancer’s app:
“The first thing this program does is register the user, including personal information like location (derived from the IP address) and username. When the user starts the attack, this registration runs in the background without their knowledge,” explains Michal Salát, Avast’s threat intel director and malware analyst.
“This information runs over the unencrypted HTTP protocol to the C&C server, which means it can be easily intercepted. Additionally, there’s no way to know what site you’re attacking, so you have to trust the author about the sites they claim to target.”
A worst-case scenario surmised by Avast Threat Labs is, should the C&C server be compromised, everyone taking part in the DDoS attack could be identified by their username and location.
“That not only would put them in danger, but they could also be tricked into attacking a different target,” further explain Avast’s researchers.
Radware’s director of threat intelligence, Pascal Geenens also weighed in on the matter.
“Hacktivists have been anonymously promoting and educating members on how to use DDoS attack tools in the darker corners of YouTube, but an influencer with over 250k subscribers posting a professionally edited video is bringing hacktivism into a new era,” Geenens told BleepingComputer in an email.
“People around the globe are volunteering their systems to be turned it into a mass DDoS weapon of destruction leveraged in a cyber conflict between nations.”
“I’m sympathizing with the people who oppose war propaganda, but I’m concerned how this will evolve beyond the current conflict.”
“Rules are being rewritten. Is DDoS a crime? A word of caution. Depending on the perspective, DDoS will be considered and prosecuted as a crime.”
Therefore, prior to engaging in risky activities online, including hacktivism, users are advised to conduct their own research to ensure they are not violating any laws and not exposing themselves to other risks.