Russia’s second dangerous weapon against Ukraine: Cyberattacks


Just before noon, the attack started.

First the websites of Ukraine’s Defense Ministry and army went dark. Then customers of the country’s two largest state-owned banks couldn’t access their accounts — or, worse, saw their balances suddenly drained to zero. Fake SMS messages from Estonian, Austrian and Polish numbers were sent to their mobile phones, warning them about an ATM failure.

“Then the snowball started to roll,” said intelligence officer Yuri Shchigol, as the massive Feb. 15 online assault engulfed Ukraine’s central bank, the president’s office, the Foreign Ministry, the security service and a raft of other state portals, disabling their websites for hours.

The disruption was largely over by the next morning, and it caused no lasting damage: even customers whose accounts had shown a zero balance found their funds untouched. But for Shchigol and others in Ukraine’s cybersecurity corps, it was one more onslaught in an eight-year war that, unlike its shooting-war counterpart, has never quieted down.

Several banks were hit by another attack on Wednesday. In the early hours of Thursday, Russian President Vladimir Putin announced a military operation against Ukraine, and Ukrainians woke to the sound of explosions in what Putin called the “demilitarization” of the country, demanding that the Ukrainian military stand down.

As for the cyberattacks, Ukraine has no doubt who’s behind the mischief: Russia, known worldwide for its legions of hackers and online subterfuge, including a disinformation campaign aimed at disrupting the 2016 U.S. presidential election. And regardless of what Putin does with as many as 190,000 troops assembled around Ukraine’s borders in coming days — whether he launches an all-out invasion of Ukraine or a more limited ground assault — as far as Shchigol is concerned, the two countries were already locked in combat.

“For most people, the start of this war is the crossing of Ukraine’s borders,” said Shchigol, who heads the State Service of Special Communications and Information Protection, known as the SSSCIP, Ukraine’s technical security and cyberdefense agency. “But the war in cyberspace is ongoing, and we’ve been monitoring and defending against attacks from Russia for years now.”

Still, even though the incident was relatively harmless, it came as hostilities between Kyiv and Moscow approached a crescendo, and the fear is that such attacks are part of a so-called hybrid war: conventional force mixed with disinformation and cyberassaults to destabilize the Ukrainian government and sow chaos across a society that feels increasingly vulnerable. The U.S., Britain and the European Union have all offered assistance or dispatched teams to help.

But the more ominous scenario is that the online attacks are a practice run. Ukraine declared a nationwide state of emergency Wednesday. Tim Conway, an instructor at the SANS Institute, a cybersecurity training organization, said cyberwarfare would be a strong component of any military offensive. Conway was in Kyiv for so-called grid war exercises to help electric utilities prepare.

“We’re talking about critical infrastructure attacks, impacting normal daily human lives as part of a conflict where that wasn’t in the playbooks before,” he said.

Meanwhile, the attacks are growing more severe. The centerpiece of last week’s incident was what security officials describe as the largest attack of its kind in Ukraine’s history: a distributed denial-of-service, or DDoS, attack, designed to deluge servers with so much traffic that the websites they host become unreachable.

Although DDoS attacks are pretty routine — “we face them every day,” Shchigol said — what made the Feb. 15 assault unique was the sheer scale, not to mention the number of services it targeted.

A standard denial-of-service attack, a type first seen as far back as the 1990s, floods a victim’s system with traffic from a single source: connection attempts, pings, requests or other packets. The point is to exhaust the target’s bandwidth, its connection tables or its processing capacity so that it can no longer handle genuine traffic.

A distributed denial-of-service attack does the same thing, but the traffic comes from many computers or networks acting together, typically a botnet of compromised machines, which makes the flood both larger and harder to filter by source. Such attacks are measured in gigabits of data per second, and most defensive platforms can absorb DDoS traffic of up to roughly 450 gigabits per second.

The one last week “was massive,” said Yevhen Bryskin, a 29-year-old member of the SSSCIP’s emergency response team. It peaked at 1.7 terabits per second, nearly four times what the defensive systems were built to absorb.
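To make the distinction above concrete, here is an added example (it is not code from the article or from the SSSCIP) that triages flow records the way a network defender would: it aggregates traffic per target per second, counts distinct sources, and labels each window as baseline, single-origin DoS or distributed DDoS, flagging floods that exceed the mitigation capacity. The 450 Gbps capacity is taken from the article’s figure; the 100-source cutoff for “distributed” and the 1 Gbps alert floor are assumptions chosen for illustration, and the flow records are constructed, not real captures.

```python
"""Volumetric denial-of-service triage over flow records.

Added example, not code from the article or from Ukraine's SSSCIP.
Flow records are constructed for illustration; byte counts are scaled so
that one window exceeds the 450 Gbps mitigation capacity the article cites
and a single-source window does not.
"""
from collections import defaultdict
from dataclasses import dataclass

MITIGATION_CAPACITY_BPS = 450 * 10**9  # 450 Gbps, per the article (assumed fixed rating)
DISTRIBUTED_MIN_SOURCES = 100          # assumption: fewer sources counts as single-origin
ALERT_FLOOR_BPS = 10**9                # assumption: below 1 Gbps is treated as baseline


@dataclass(frozen=True)
class Flow:
    second: int   # integer timestamp bucket (seconds)
    src: str
    dst: str
    nbytes: int


@dataclass(frozen=True)
class WindowVerdict:
    dst: str
    second: int
    bps: float              # bits per second in this one-second window
    sources: int            # distinct source addresses
    top_source_share: float  # fraction of bits sent by the single largest source
    verdict: str


def synthesize_flows() -> list[Flow]:
    """Constructed sample: one quiet second, one single-source flood, one botnet flood."""
    flows = []
    # t=0: background traffic, 20 clients, 10 Mbit in total
    for i in range(20):
        flows.append(Flow(0, f"203.0.113.{i}", "198.51.100.10", 62_500))
    # t=1: single-source flood, 50 Gbps from one host
    flows.append(Flow(1, "192.0.2.7", "198.51.100.10", 50 * 10**9 // 8))
    # t=2: distributed flood, 5000 sources sharing 1.7 Tbps
    per_src = (1_700 * 10**9 // 8) // 5000
    for i in range(5000):
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        flows.append(Flow(2, src, "198.51.100.10", per_src))
    return flows


def triage(flows, capacity_bps=MITIGATION_CAPACITY_BPS,
           min_sources=DISTRIBUTED_MIN_SOURCES, alert_bps=ALERT_FLOOR_BPS):
    """Aggregate bytes per (destination, second) and classify each window.

    Returns WindowVerdicts sorted by destination then second. The verdict
    combines origin (single-origin vs distributed) with whether the flood
    exceeds the mitigation capacity.
    """
    buckets = defaultdict(lambda: defaultdict(int))  # (dst, sec) -> src -> bytes
    for f in flows:
        buckets[(f.dst, f.second)][f.src] += f.nbytes

    verdicts = []
    for (dst, sec), per_src in sorted(buckets.items()):
        total_bits = 8 * sum(per_src.values())
        bps = float(total_bits)  # one-second buckets, so bits == bits per second
        top_share = (8 * max(per_src.values())) / total_bits
        if bps < alert_bps:
            verdict = "baseline"
        else:
            origin = "distributed" if len(per_src) >= min_sources else "single-origin"
            severity = "exceeds-capacity" if bps > capacity_bps else "within-capacity"
            verdict = f"{origin}/{severity}"
        verdicts.append(WindowVerdict(dst, sec, bps, len(per_src), top_share, verdict))
    return verdicts


def overload_ratio(window: WindowVerdict, capacity_bps=MITIGATION_CAPACITY_BPS) -> float:
    """How many times over the mitigation capacity this window is (1.0 == at capacity)."""
    return window.bps / capacity_bps


if __name__ == "__main__":
    for w in triage(synthesize_flows()):
        print(f"t={w.second} {w.dst}: {w.bps / 10**9:8.1f} Gbps, "
              f"{w.sources:5d} sources, top source {w.top_source_share:.2%}, "
              f"{w.verdict} (x{overload_ratio(w):.2f} capacity)")
```

The single-source window at 50 Gbps can be filtered by blocking one address; the distributed window is the hard case, because its largest source carries only 0.02% of the traffic, so no per-source rule helps, and at roughly 3.8 times the assumed capacity the defender’s only options are upstream scrubbing or absorbing the outage.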

Bryskin’s black hoodie, pale skin and slight frame made him look more like an Army recruit than a hacker.

Bryskin’s youth is typical at the UA30 Cybercenter, which houses the emergency response unit as well as other threat-assessment teams. Cybersecurity has only recently become a popular skill in Ukraine, Shchigol said, and everyone on the team is under 30. Shchigol himself, at 38, is clean-shaven, with piercing blue eyes and an unlined face.

The workload is heavy. “Every quarter witnesses a 10 to 12% growth in attacks,” Shchigol said.

He stood in front of rows of desks, each with two computer monitors, and pointed at a large screen on the wall to his right. It displayed threat statistics for the past three months, broken down by type of incident, target and severity.

In the three months to date there had been 654 incidents. More than half targeted Ukrainian websites, and nearly a quarter were aimed at local companies.

“Usually, cyberattackers’ intention is to earn money,” Shchigol said. “But in our case, the attacks on state services certainly have another purpose…. You can’t earn money by attacking government systems.”

Instead, the aim is clearly to destabilize Ukraine’s government, Shchigol said, and the attacks are “certainly coming from one particular state.”

None of this is new for Ukraine. Since 2014, when the government began battling Kremlin-backed separatists in the country’s Donbas region, it has endured some of the world’s most spectacular cyberattacks. In December 2015, an attack by the Russian military hacking group known as Sandworm cut power to roughly 230,000 people.

A similar attack in 2016 knocked out a fifth of Kyiv’s electricity. In 2017, NotPetya, malware disguised as ransomware, wiped the data of Ukrainian banks, electricity companies, ministries and other organizations, then spread to other countries, including Russia, causing billions of dollars in damage worldwide.

Most countries are not investing enough to stop cyberattacks, Conway said, and even those that do invest enough are set up to handle criminal ransomware and other financially motivated crime, not state-backed adversaries.

“Could they stop a state-funded attack? I don’t know which country could,” he said, adding that the focus is not on prevention but on limiting damage and reducing downtime.

The problem is compounded when an adversary uses a cyberattack as part of a larger strategy, especially because it can anticipate the response and counter any attempt to restore networks or grids. Besides, Conway added, “even if you’ve arranged cyberdefense in a good way, managed the risk and it can’t be better, when you add a physical component, it shifts the game again.”

Fears that hackers could launch more serious attacks are not new. Last month Microsoft disclosed destructive malware that had targeted Ukrainian government ministries, and the FBI and the Department of Homeland Security followed up with warnings.

In February, the Cybersecurity and Infrastructure Security Agency issued a “Shields Up” alert for American organizations, warning they should adopt a “heightened posture” ahead of any escalation by Moscow.
