Ukraine bolsters cyber defence in readiness for Russian attack

Kyiv expects rise in hostile cyber activity to destabilise it before or during any invasion

Staff at the cybersecurity centre in Kyiv: In 2015, a cyberattack caused blackouts lasting several hours in western Ukraine and part of Kyiv. Photograph: Hennadii Minchenko/ Ukrinform/Barcroft Media
Staff at the cybersecurity centre in Kyiv: In 2015, a cyberattack caused blackouts lasting several hours in western Ukraine and part of Kyiv. Photograph: Hennadii Minchenko/ Ukrinform/Barcroft Media

Viktor Zhora proudly showed off the new facilities at one of Ukraine's cybersecurity agencies, where opposing teams stage mock battles to prepare for the real thing.

The training is paying off, said Zhora, deputy chair of the State Service of Special Communications and Information Protection, the country's security and intelligence service. An attack last month that targeted government websites was quickly contained by his staff with the help of IT companies including Microsoft, he said.

“We need to align our activities with risk and threats that have been increasing in past years . . . We should always be ready for the worst,” Zhora said.

Ukraine said "all evidence" pointed to Russian responsibility, with officials and analysts saying this was just the tip of the iceberg.

READ MORE

The country has been under constant attack from Russian and Kremlin-backed hackers since Moscow’s 2014 annexation of Crimea. Cyber espionage, damage to databases and servers, disruption to power and communications, and disinformation are all part of the playbook.

With Russia massing more than 100,000 troops on the Ukraine border and western powers accusing Moscow of planning a full-blown invasion, the Kyiv government and independent experts expect hostile cyber activity to increase in an effort to destabilise the country before or during any attack.

“We register more and more attacks on our system and we see some are successful, unfortunately,” said Zhora, a former private sector cybersecurity executive. “Something more serious can be expected for us, but we don’t know when.”

Vote-counting system

Andrei Soldatov, a Russian security expert and senior fellow at the Washington-based Centre for European Policy Analysis, said Russian hackers were "getting ever more skilful".

“They’ve had eight years of experience since 2014, and Ukraine is often where they try out things first,” he said.

Russian cyberattackers accessed Ukraine’s vote-counting system on the eve of general elections in 2014, destroying electronic records and leaving ballots to be counted by hand. The following year, a cyberattack caused blackouts lasting several hours in western Ukraine and part of Kyiv. The disruption, attributed to a group linked with Russian military intelligence, was the first known power outage caused by a cyberattack.

The NotPetya malware attack by the same group in 2017 infected 10 per cent of all Ukrainian computer systems before spreading across the globe. It was one of the most destructive cyberattacks in history, costing companies worldwide $10 billion, according to a US estimate.

Last week, Microsoft said a group it called Actinium, which the Ukrainian government had linked to Russia’s security services, had targeted Ukrainian government and military offices with the “purpose of intelligence collection” since October 2021.

“There are bound to have been many, many, more attacks over the years that we don’t know about and that have left malware embedded in systems ready to be activated,” said VS Subrahmanian, professor of computer science at Northwestern University in the US. “It’s a bit like a bomb being planted in your house – it’s benign until someone sets it off.”

Kremlin proxies

Russia has fewer financial resources to invest in cyber capabilities than the US or China. But evidence suggests it boosts its capacity by using proxy groups such as Cozy Bear and Fancy Bear that it can deny knowledge of, said Subrahmanian. They carry out attacks without big consequences for the Russian state but are believed by western officials and cyber experts to act for Moscow, Subrahmanian said.

Ukraine, meanwhile, suffers from a deficit of public-sector cybersecurity expertise, weak regulation, limited response capability and a lack of co-ordination between various agencies, all of which Kyiv is trying to fix, say officials.

A particular vulnerability is the prevalence of older, unlicensed software that gives hackers a lot of holes to access. Zhora acknowledged the situation was “rather dangerous” but said the problem was no longer as bad as in the mid-2000s.

A priority for his agency was raising awareness among operators of critical infrastructure and connecting them to cyber information centres, so that attacks could be quickly analysed and countered, he said.

Subrahmanian said there were “always vulnerabilities in every system and attackers always have the advantage”, adding that the Ukrainian efforts to patch the holes “doesn’t mean they’ve managed to find them all”.

Israeli operation

The US has sent experts and funds to shore up Ukrainian cyber defences, but the administration sees it as a long-term effort. "Significant achievements don't happen in weeks so we're realistic," Anne Neuberger, deputy US national security adviser for cyber, said on a recent visit to Europe.

It is unclear how far Russia would go in using cyberattacks against Ukraine's military. Greg Austin, senior fellow at the International Institute for Strategic Studies, pointed out that Russia had never deployed a military-level cyberattack to disable an enemy's command and control systems – as Israel did in 2007.

In Operation Orchard, the Israelis disabled Syria’s air defence systems and fed it false radar information, allowing its fighter jets to bomb their Syrian targets and return to base undetected.

“An attack on a military system is very different from an attack on civilian infrastructure,” said Austin. He continued: “Past evidence supports the idea that Russia will not launch a wide-ranging cyber sabotage attack on Ukraine as part of any invasion . . . Fear of retaliation is likely one reason.”

US president Joe Biden last month warned of consequences for Russia over its ongoing cyberattacks, saying that "if they continue to use cyber efforts, well, we can respond the same way". – Copyright The Financial Times Limited 2022