Confronting the Cybersecurity Threat in Ukraine

Justin Hendrix / Jan 26, 2022

Ukraine has long been known as a "live fire" environment in cybersecurity circles, and it has already suffered a historic set of attacks in recent years, including on its power grid. After a string of incidents in the last week that targeted Ukrainian government and private-sector websites, and with Russian aggression intensifying, there are concerns that cyberattacks may signal the beginning of a broader conflict.

The United States Department of Homeland Security has also warned that Russia may target "US networks—from low-level denials-of-service to destructive attacks targeting critical infrastructure," in retaliation for perceived threats against it, though the threshold for such action is believed to be high.

To learn more about the cyber threat against Ukraine and how the country is preparing for it, I spoke with Viktor Zhora, Deputy Head of the State Service for Special Communication and Information Protection of Ukraine, who is responsible for digital transformation and cybersecurity. What follows is a lightly edited transcript.

Justin Hendrix:

The news we're reading in the United States out of Ukraine suggests a precarious situation; concerns are rising about how a conflict with Russia would play out in cyberspace in particular. What is your assessment of the threat landscape at present?

Viktor Zhora:

We have felt constant aggression since 2014, and we believe that cyber aggression is a part of this hybrid warfare against Ukraine. And we can link all those attacks that happened earlier, since the election hack in May 2014, with the later attacks like the attack on the power grid, the use of BlackEnergy malware, then attacks on some government institutions, and finally NotPetya, the most destructive attack in history.

Now we consider the recent cyber attack as part of a series of attacks against Ukrainian infrastructure. And of course, we got a lot of signals on potential cyber operations from the end of last year, and we were aware of bad things that could happen in our networks, in our infrastructure. And now our goal is to restore the damaged infrastructure, which is basically done, and get ready for potential new attacks happening in the near future, together with other things that are happening in the information sphere, at the borders, et cetera.

Justin Hendrix:

So let's talk a little bit about these most recent attacks. I understand on January 14th, the websites of Ukrainian government agencies were hacked and defaced. And then the following day, I understand you had a data-wiping malware attack targeting systems across various agencies, but also nonprofits and IT companies in the public sector. What can you tell us about those attacks and what they presage?

Viktor Zhora:

We are confident that this was a complex cyber attack, and the defacement of websites was part of this attack. It was combined with manual destruction of external IT resources, and the use of specially designed wiper malware in some internal network segments. There is also the question of whether any data was leaked during this attack; there has been a lot of speculation on that, and we believe this could be part of an information operation. In our view, there was a group of hackers which operated for several hours during the night from 13 to 14 January. They used the infrastructure of companies that had developed websites on a single content management system called October CMS. They used this infrastructure to get into the infrastructures of ministries and government organizations, and then carry out further actions, mostly disruptive actions.

We suggest there were three vectors of this attack. First, which I mentioned, the supply chain attack, and then the later use of different vulnerabilities: one of them in October CMS, and the other Log4j. But now we continue the investigation, and our goal is to find out what happened in each particular ministry or government agency. We see a lot of manual work and we see coordination, but we believe that each hacker or hacking group was responsible for a particular object of attack. And because of our timely actions and the manual shutdown of several terms of resources, the attack was stopped. And this allowed us to minimize the damage that they caused to infrastructures.

Justin Hendrix:

So we've seen reports that your government has assigned blame to a hacker group with ties to intelligence in Belarus. Is that accurate?

Viktor Zhora:

I would add to a previous answer regarding the information from Microsoft's blog on IT companies and nonprofit organizations. We have information only from government agencies, and we now have two agencies confirmed where this wiper malware was registered. So this was a simultaneous action; it was done during the defacement phase of the attack, and now we are interested in whether anything else could remain in network segments of government agencies or anywhere else, like you mentioned, nonprofit organizations and other businesses.

With regards to information on some APT groups and potential attribution to Belarus, I don't think we are ready to come out with a final attribution. So I would be very precise here: there are some versions, from some effects, from some intel information, from signs in tactics and techniques. We see that this attack is similar to techniques that Russian Federation APT groups often use to attack infrastructures. So we have several versions, and each of them should be treated very carefully to provide a final attribution, which should convince everybody that it was done professionally and that there is no doubt that particular persons and countries are responsible for organizing and carrying out the attack.

Justin Hendrix:

You mentioned that there's an information component to these attacks that have taken place in the last week or so. What is the goal that you see behind that information component, and how does it cross over into concerns about disinformation from the cybersecurity lens?

Viktor Zhora:

The first hit was disinformation. The picture which was put on the main pages of the defaced sites should lead us to the conclusion that Poland could potentially stand behind this attack, but we immediately understood that it was a false flag, since there is information that Poland was attacked the same day, and we have close ties with our Polish colleagues. So in my opinion this part of the hackers' plan wasn't successful at all. The second goal was to bring as much damage as they could. And that, in my opinion, explains the use of wiper malware and the manual erasure of some servers and workstations, especially in the virtual environments. The idea was to show the strength and the potential of the attackers. And this is a sign for us to get ready for more destructive actions from their side.

The other reason was to speculate around data leakage and to try to prove that the government has no resources to protect the personal data of Ukrainians. In our opinion, they then mixed in some old data and are trying to sell it on hacker forums, just to show that it could be a commercial story, not state-sponsored. And this is also an attempt to plant a false flag.

And a final point that I would like to discuss is the whole disinformation campaign directed at sowing chaos and instability in Ukrainian society. It's combined with other unfriendly actions in the information sphere. So we believe this cyber attack was planned, and its timing was chosen to be combined with other actions. And this is more complex than we thought on the first day. We continue the investigation and hopefully will come out with some new facts and technical details of this attack, which potentially could be of interest to our international colleagues, since Ukraine is one of the main targets in cyber war, but Ukraine isn't the only country which is under attack, and our partners should also be aware of what can happen in their infrastructures.

Justin Hendrix:

So I understand that Ukrainian people are fairly stoic in the face of this threat, having lived with it now for some years. But is there any effort that you have to take to prepare the population for the types of threats you're dealing with? Are you taking extra steps to do so?

Viktor Zhora:

The NotPetya attack, in my opinion, did a lot to raise people's awareness that cybersecurity is important. And now that a new huge attack has happened, society is more interested in what's happening, and in how the state has taken measures to counteract and to resist those attacks. That's important. At the same time, the government puts a lot of attention on protection of our IT assets and critical infrastructure. For the last eight years, and for the last year, a lot of work has been done to raise the resistance of Ukraine in cyberspace. I'm far from thinking that it is sufficient. And now we offer sets of measures, especially in the legal sphere, to protect Ukraine's infrastructure: to hire people responsible for cybersecurity at each agency, at each critical infrastructure object; to raise the level of responsibility of these people; to find new funding for cyber protection; and a lot of other initiatives that will allow us to quickly strengthen our infrastructures and cybersecurity system.

At the same time, we constantly monitor our IT systems for suspicious activities. So we analyze the behavior and we understand all the risks of potential attacks that can happen soon. And this of course is a result of the measures, attention and appropriate policy that have been provided by the state in the last year or two.

Justin Hendrix:

What support do you need from your allies, particularly the US? And you've mentioned Microsoft; what role do companies play in this conflict in supporting your cybersecurity effort?

Viktor Zhora:

Our service signed an agreement with Microsoft, which is the gold Government Security Program. So we are responsible from the Ukrainian side for acting within the framework of this agreement. And Microsoft helped us with information on the wiper malware, which was registered and which was described in their blog. Other companies are also helping us on the basis of the same memorandums that we signed with them. And we of course appreciate the help, which was immediately offered, by the US embassy and other US officials and European colleagues, from the United Kingdom; a lot of our partners offered their help, and we really appreciate this. With regards to how this help would be useful and beneficial for us, I would say that our efforts were focused first on quickly restoring infrastructure and putting websites and other resources back into a normal mode of operation.

And the second phase was to collect evidence: to collect all logs, all dumps, all files that could be of use and could act as digital evidence to provide a comprehensive attribution. And at this point it's very important to allow foreign experts to join the investigation team, first of all to share this experience and to bring a broader vision of what can happen, and probably to come out with a joint statement of two or more states on a particular incident. I believe that we need to find out the particular people and potentially the state who stand behind this attack. It's important for us for further measures, for understanding what's happening, and for future actions that should be taken at the internal and external policy level.

Justin Hendrix:

So another headline that we've had here in the States is around the efforts of a group called Cyber Partisans and their infiltration of the Belarusian rail network to disrupt the movement of Russian troops into the country. Is that type of activity helpful or hurtful to your situation? How do you regard that kind of external activity in the information sphere?

Viktor Zhora:

Of course we follow all this news closely. But in our opinion, any illegal activity and any breaches that happen on the internet are not a sign of responsible behavior in cyberspace. Ukraine wants to be a part of this community, and we have a long history of being a target, of resistance, of counteracting, and I'm sure that Ukraine has a lot of experience and practice which we can share with our partners, and can be an active participant in this community. So unfortunately I cannot comment on what happened there in Belarus, but it's important to build this broad information picture of what's happening right now, in order to align our decisions across the whole geopolitical situation and cyber operations in other countries as well.

Justin Hendrix:

Is there anything I didn't ask you that you'd like to get across?

Viktor Zhora:

We have probably covered everything that we have up to the moment, but we are trying to provide a transparent communication policy here at our service and at the country level. So I would ask everybody to stay tuned and to use official information resources from our service and from other government agencies. And I'm sure we'll have some more interesting facts in the near future.

Justin Hendrix:

Well, we will follow very closely, and we wish you the absolute best in these coming weeks.

Viktor Zhora:

Thank you so much, Justin.

Authors

Justin Hendrix
Justin Hendrix is CEO and Editor of Tech Policy Press, a new nonprofit media venture concerned with the intersection of technology and democracy. Previously, he was Executive Director of NYC Media Lab. He spent over a decade at The Economist in roles including Vice President, Business Development & ...