The People’s Cyber Army (PCA), also known by other aliases such as Cyber Army of Russia Reborn, has quickly risen as a dangerous cyber actor since its emergence in March 2022. Born out of the geopolitical tension stemming from the Russian-Ukrainian conflict, the group has garnered attention for its highly organized and politically motivated cyberattacks. Initially operating as a pro-Russian collective of activists on Telegram, PCA soon evolved into a cyber threat actor targeting critical infrastructure, government agencies, and more, both within and outside of Russia.
The PCA first emerged in the Russian invasion of Ukraine, establishing its presence on Telegram in March 2022. The group’s activities have been closely tied to the Russian government’s interests, particularly in its support for Russia’s stance on the Ukraine conflict. Initially, PCA presented itself as a grassroots movement of pro-Russian cyber activists, but its rapid rise and organizational complexity suggest a more coordinated approach with ties to Russian state-sponsored cyber operations.
One of the group’s key activities was leveraging its Telegram channel to organize and mobilize large-scale Distributed Denial of Service (DDoS) attacks against Ukrainian infrastructure. The group’s leader, Yuliya Vladimirovna Pankratova, has been identified as one of the primary figures in PCA. In 2024, Pankratova, along with Denis Degtyarenko, was sanctioned by the U.S. government for their involvement in cyberattacks against U.S. infrastructure, which further confirmed her leadership role within the group.
Geographic and Sectoral Focus
Cyble Vision Threat Library (Source: Cyble Vision)
PCA’s targets span several countries and industries, with a particular focus on Ukraine, NATO countries, and entities linked to Russia’s geopolitical adversaries. The group has attacked critical infrastructure, government agencies, media outlets, and sectors such as energy, transportation, and logistics.
While the group’s attacks have been most prevalent in Ukraine, PCA has also targeted entities in the European Union, the United States, and Israel, often in collaboration with other pro-Russian hacktivist groups such as AzzaSec and CyberDragon. These collaborations help PCA broaden its impact and exploit the weaknesses of its target nations more effectively.
PCA’s Leadership and Structure
The leadership of PCA has been shrouded in secrecy, though certain key individuals have been identified. Pankratova, who is known by her online alias “Killmilk,” has been linked to various hacking operations. Another prominent figure, Valeriy Rozanov, handles the group’s public relations and strategic communications.
PCA’s leadership is believed to operate with a high degree of coordination with other pro-Russian entities such as PMC Wagner, a known Russian paramilitary group, and pro-Kremlin media outlets.
Notably, PCA’s operations appear to be closely linked with other cybercriminal and hacktivist organizations, including NoName057(16) and Z-Pentest, the latter of which was confirmed as a splinter faction of PCA in February 2025.
Notable Attacks and Publicity
PCA’s operations have drawn media attention over the last year, especially as it continues to escalate its activities against Ukrainian and Western targets. On January 14, 2025, PCA launched a series of DDoS attacks on Ukrainian government websites, temporarily disabling several online services.
These attacks are believed to have been in retaliation for Ukraine’s continued resistance to Russia’s military incursions. Additionally, PCA has been linked to defacement campaigns targeting media websites, where they have disseminated pro-Russian messaging.
Linked Groups and Alliances
PCA is part of a broader network of cybercriminal groups and hacktivist organizations that share common political goals and often collaborate on cyberattacks. These include:
- AzzaSec: A pro-Palestinian hacktivist group based in Italy, AzzaSec has frequently targeted Israel and its allies, collaborating with PCA on several operations.
- CyberDragon: Initially focused on Lithuania and Poland, CyberDragon has expanded its reach to include the EU, the US, and Ukraine. The group has worked closely with PCA and other pro-Russian hacktivists.
- HackNeT: A smaller, pro-Russian group that emerged in 2024, HackNeT has joined forces with PCA and NoName057(16), forming a loose alliance known as CARRtel.
- NoName057(16): This pro-Russian group, operating since 2022, specializes in DDoS attacks on Ukrainian, EU, NATO, and Israeli targets. It has worked with PCA to expand its operations.
These alliances highlight the strategic cooperation between pro-Russian hacktivist groups and their shared goal of destabilizing political adversaries and advancing Russian propaganda.
Advanced Techniques and Tactics
The Peoples Cyber Army of Russia has proven itself to be a highly versatile threat actor, employing a wide range of cyberattack techniques. These include Distributed Denial of Service (DDoS) attacks, defacement campaigns, and data breaches. The group’s actions are typically aligned with its political motives, such as undermining the credibility of Ukrainian government institutions, disrupting critical services, or spreading pro-Russian propaganda.
One of PCA’s primary methods of gaining access to its targets is by exploiting vulnerabilities in public-facing applications. This can involve identifying weaknesses in internet-accessible systems, such as websites, servers, databases, and network device management protocols. Once a flaw is found, PCA exploits it to breach the network. After gaining initial access, the group often escalates its access to the target’s internal systems or cloud infrastructure, allowing them to move deeper into the compromised environment.
In addition to exploiting system vulnerabilities, PCA has been known to carry out defacement attacks on targeted websites. These attacks are used to deliver political messages and to claim credit for the intrusion. By altering the visual content of websites, the group aims to undermine public trust in the targeted organization or government, while also protecting its political stance. The defaced websites often feature disturbing or offensive images designed to intensify the impact of the attack and further the group’s ideological goals.
Another tactic used by PCA is the execution of DDoS attacks. These attacks are designed to overwhelm the network bandwidth of targeted organizations, rendering crucial services such as websites, email, and online applications unavailable. PCA frequently employs large botnets to generate malicious traffic, flooding the target network and causing disruptions. These politically motivated attacks are aimed at disrupting services and drawing attention to the group’s causes.
In addition to network-wide disruptions, PCA also targets individual systems and endpoints. Through Endpoint Denial of Service (DoS) attacks, the group exhausts system resources, causing critical services to fail. These attacks are particularly effective in disrupting the operations of government institutions or critical infrastructure. By targeting specific services or systems, PCA can create operational chaos, severely disrupting day-to-day activities and hindering the ability of the target to function.
Before launching its attacks, PCA typically conducts extensive reconnaissance on its targets. This phase involves gathering valuable information, such as victim identity details (including credentials or multi-factor authentication settings) and host-specific data (such as system configurations). To collect this information, PCA employs a variety of methods, including phishing, active scanning, and social engineering. This intelligence-gathering phase helps the group prepare for future attacks, ensuring that they are well-equipped to breach their targets and achieve their political objectives.
Conclusion
The Peoples Cyber Army of Russia poses a large cybersecurity threat, driven by Russian geopolitical motives and supported by collaborations with other pro-Russian cyber groups. As global tensions rise, PCA’s influence in cyber warfare is expected to grow, making cybersecurity defenses essential.
Cyble, a leader in AI-powered threat intelligence, offers crucial protection against such threats. With real-time monitoring, advanced vulnerability management, and comprehensive cybercrime tracking, Cyble enables organizations to stay protected from adversaries like PCA.
Leveraging Cyble’s solutions, including Cyble Vision and Cyble Hawk, businesses and governments can strengthen their defenses and better mitigate politically motivated cyberattacks.
Mitigation and Defense Strategies
To counter the growing threat posed by PCA and its associated groups, organizations must prioritize cybersecurity measures. Key strategies include:
- Enhanced DDoS Protection: Organizations should implement advanced DDoS mitigation solutions to defend against volumetric attacks targeting critical services.
- Proactive Reconnaissance Detection: Monitoring for unusual activity associated with reconnaissance efforts can help detect potential breaches before they escalate.
- Zero Trust Architecture: Implementing a Zero Trust security model can minimize the impact of any initial access gained by PCA, restricting lateral movement within networks.
- Regular Patch Management: Ensuring that systems are up to date with the latest security patches reduces vulnerabilities that PCA may exploit to gain initial access.
MITRE Attack Techniques Associated with Peoples Cyber Army of Russia
Peoples Cyber Army of Russia MITRE ATT&CK (Source: Cyble Vision)
- Initial Access (TA0001) Exploit Public-Facing Application (T1190): Target vulnerabilities in internet-facing systems (e.g., web servers, databases) to gain access. Includes cloud/container risks and edge devices.
- Impact (TA0040) Defacement (T1491): Modify visual content to disrupt integrity, deliver messages, or claim credit for an intrusion.
- Network Denial of Service (T1498): Block access to resources (e.g., websites, DNS) by flooding bandwidth. Often uses DDoS with spoofed IPs or botnets.
- Endpoint Denial of Service (T1499): Target system resources to crash services, affecting availability without overloading network bandwidth.
- Reconnaissance (TA0043) Gather Victim Identity Information (T1589): Collect personal data, credentials, or MFA info via phishing or online sources for further targeting.
- Gather Victim Host Information (T1592): Obtain host details (e.g., configuration) through scanning or compromised websites to inform further attacks.
