Cyber war in Ukraine

The war in eastern Ukraine has long ceased to be confined to the Donetsk and Luhansk regions, or to the form of armed conflict. The conflict between Russia and Ukraine takes place in cyberspace as well.

On December 23, 2015, at around 17:00, the energy company Prykarpattyaoblenergo reported a power outage in the Ivano-Frankivsk region. It was later discovered to have been a massive cyber attack that disconnected 30 substations and cut power to 80 thousand people. Until that day, the cyber war in Ukraine had been very limited and was often described as the war that never was. How did the attack on the power grid change the cyber war in Ukraine? Is cyber war now a real threat?

Before the Ukrainian revolution in 2013, cyberspace in Ukraine was no different from cyberspace in the rest of Eastern Europe. Cybercrime cases included typical problems such as phishing campaigns, ransomware (software that locks the user's device and demands a payment to make it accessible again) and business intelligence gathering, but also hacktivism and cyber vandalism in the form of DDoS attacks and website defacements (uploading one's own content to a targeted site) against public institutions. The cyber environment changed immediately after the revolution. According to Nikolay Koval, head of Ukraine's CERT, the level and sophistication of cyber attacks and of the malware used had already shifted during the revolution. Glib Pakharenko, head of the Kyiv chapter of the international IT security association ISACA, added that the events on the Maidan were followed by two weeks of continuous DDoS attacks. The political context, objectives, timing and high technical sophistication of the attacks suggested that behind them stood a very well-funded team of experienced professionals with clear political goals, focused on targets in the Ukrainian government.

One of the biggest cyber attacks in Ukraine before that took place on May 21, 2014, when a group known as CyberBerkut attacked, during the presidential election, the website of the Central Election Commission (CEC), which carried live election results. The website was inaccessible for about 20 hours and later showed Dmytro Yarosh, leader of the radical Right Sector, as the winner of the election. It was a sophisticated and long-planned attack. CyberBerkut reportedly used a zero-day vulnerability in the attack on the CEC, which is usually the prerogative of states or at least state-funded groups, because zero-day vulnerabilities are expensive and much harder for non-state actors to obtain. Zero-day vulnerabilities are software bugs that arise during development, and knowledge of them immediately becomes one of the biggest weapons of hackers. This incident precisely captured the nature of cyber attacks in Ukraine: it was purely political and informational, and it goes hand in hand with Russia's general approach to cyberspace. Russia speaks only of information security, not cyber security, and of the concept of using information as a weapon. In the context of Russian propaganda and manipulation of information, this approach is not surprising. But attacks on news websites and media groups are certainly not one-sided, and both pro-Western and pro-Russian intelligence agencies were targeted by several attacks in Ukraine.

Among the actors behind the cyber campaigns in Ukraine are the Ouroboros group and the Sandworm group, known as APT29, which was behind the attack on Prykarpattyaoblenergo. The most peculiar, however, is the APT28 group, which is also active outside Ukraine: in Turkey, Poland, Hungary, the Baltic states, the Caucasus and Norway, and against organizations such as NATO and the OSCE. It is one of the most important and most capable Russian cyber groups. APT28 exploited zero-day vulnerabilities in Adobe and Windows software obtained from the infamous company Hacking Team, which supplies spyware and other cyber tools to countries across the world. APT29 has several times used so-called backdoors, which give it unrestricted access to the targeted computer. The group installed them in an innovative way via Twitter and GitHub, uploading the required data to Internet storage to which the hackers had access. APT29 also managed to hide its activity within the volume of normal Internet traffic during the victims' working hours. Both groups use social engineering and phishing campaigns to gain access to their victims' systems. As in the case of APT28, their activities are attributed to Russia for several reasons. Their objectives are completely consistent with the geopolitical interests of the Russian Federation, and the high technical level of their attacks points to considerable financial and human resources. These organizations operate exclusively during working hours in the Moscow time zone, and their activity stops on Russian national holidays and weekends.
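The working-hours heuristic mentioned above (activity clustering in the Moscow time zone and stopping on Russian holidays and weekends) can be checked mechanically rather than by eye. The following Python is an added example, not code from the original article or from any CERT or vendor: it takes a list of event timestamps in UTC, tests every candidate UTC offset for how many events fall inside a weekday 09:00-18:00 window, and lists the events that contradict the hypothesis. The event timestamps, the holiday date and the working-hours window are all constructed assumptions for the example.

```python
from collections import Counter
from datetime import date, datetime, timedelta, timezone

# Constructed sample events (UTC) standing in for observed intrusion activity
# such as C2 beacons or sample compile times. Not real telemetry.
SAMPLE_EVENTS_UTC = [
    "2015-11-02T06:15:00Z",
    "2015-11-02T14:45:00Z",
    "2015-11-03T08:00:00Z",
    "2015-11-05T10:30:00Z",
    "2015-11-06T07:05:00Z",
    "2015-11-09T12:20:00Z",
    "2015-11-10T13:50:00Z",
    "2015-11-12T09:10:00Z",
]

# Constructed holiday list for the hypothesis under test; a real analysis
# would use the official calendar of the suspected operator's country.
EXAMPLE_HOLIDAYS = {date(2015, 11, 4)}

WORK_START, WORK_END = 9, 18  # assumed local working hours, [start, end)


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def to_local(event: datetime, offset_hours: int) -> datetime:
    """Shift a UTC datetime into a fixed UTC offset (no DST handling)."""
    return event.astimezone(timezone(timedelta(hours=offset_hours)))


def working_hours_fit(events, offset_hours, holidays=frozenset()) -> float:
    """Fraction of events that land on a weekday, outside holidays, within
    working hours when interpreted in the given UTC offset."""
    if not events:
        return 0.0
    hits = 0
    for ev in events:
        local = to_local(ev, offset_hours)
        if (local.weekday() < 5 and local.date() not in holidays
                and WORK_START <= local.hour < WORK_END):
            hits += 1
    return hits / len(events)


def best_offset(events, holidays=frozenset(), candidates=range(-12, 15)):
    """Return (offset, fit) for the offset whose working-hours window explains
    the most events. Ties resolve towards UTC so that a flat, round-the-clock
    profile is not mistaken for a signal."""
    scored = [(working_hours_fit(events, off, holidays), -abs(off), off)
              for off in candidates]
    fit, _, off = max(scored)
    return off, fit


def local_hour_histogram(events, offset_hours) -> Counter:
    """Count events per local hour; a bell around midday supports the hypothesis."""
    return Counter(to_local(ev, offset_hours).hour for ev in events)


def off_calendar_events(events, offset_hours, holidays=frozenset()):
    """Events that fall on weekends or holidays in the given offset: these are
    the observations that contradict a working-hours hypothesis."""
    return [to_local(ev, offset_hours).isoformat() for ev in events
            if to_local(ev, offset_hours).weekday() >= 5
            or to_local(ev, offset_hours).date() in holidays]


if __name__ == "__main__":
    events = [parse_utc(s) for s in SAMPLE_EVENTS_UTC]
    off, fit = best_offset(events, EXAMPLE_HOLIDAYS)
    print(f"best-fitting offset: UTC{off:+d} ({fit:.0%} of events in working hours)")
    print("local-hour histogram:", sorted(local_hour_histogram(events, off).items()))
    print("events on weekends/holidays:", off_calendar_events(events, off, EXAMPLE_HOLIDAYS))
```

The fit score alone is weak evidence: many time zones share working hours with Moscow, and an operator can schedule activity deliberately, so this only narrows a hypothesis that other indicators (targets, tooling, infrastructure) have to support.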

In the attack on the Ukrainian power plant, the hackers got into the company's IT system using stolen credentials. They obtained these through a simple phishing campaign using BlackEnergy 3 malware hidden in Word and Excel documents. Gaining access to the industrial control system, which enabled them to cut off electricity to 80,000 people, was trickier. The attack was preceded by six months of gathering information, monitoring security and the network architecture and, above all, gaining access to the company's VPN servers, through which the attackers could reach the physical control of the power lines. The hackers then installed specially modified KillDisk malware on the converters between the ordinary network and the serial connections to the physical switches at the substations, which disconnected them and erased all their data. It was therefore a very sophisticated attack, and in particular the first mass attack on critical infrastructure of this kind. According to members of US-CERT, who worked with the Ukrainians on the investigation of the incident, such an attack can happen to anyone.

Does such an attack threaten all electrical networks? Heads of the Slovak CSIRT, like most experts, consider such an attack entirely ordinary. Considering that the attackers were inside the system for six months and were remotely accessing the physical controls of the power lines, the whole issue could have been handled by any program providing IT security monitoring, even a freeware one downloadable from the Internet, which could have detected all of these activities. The BlackEnergy attack, as it is called, points to the weakness of cyber defense in Ukraine. This was further emphasized by the fact that during the attack the hackers launched a DDoS attack on the energy company's call center, making communication between customers and the company impossible, which above all pointed to the incompetence of Ukrainian companies in the area of security.
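The claim above is that ordinary IT security monitoring could have caught months of remote VPN access to the control network. As an added example (not code from the article, the company or any CERT), the Python below runs a few simple detection rules over a handful of constructed VPN gateway log lines: successful logins outside local working hours, logins from source addresses outside a known baseline, VPN sessions that reach hosts on the control-network segment, and a failed login followed quickly by a success from the same user and address. The log format, hostnames, IP ranges, site time zone and rule thresholds are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed VPN gateway log lines in a hypothetical key=value format;
# not output from any real product. Addresses come from documentation ranges.
SAMPLE_LOG = """\
2015-12-17T10:02:11Z vpn-gw user=alice src=198.51.100.20 result=success target=corp-fs01
2015-12-17T11:30:05Z vpn-gw user=bob src=198.51.100.21 result=success target=corp-mail
2015-12-17T20:41:55Z vpn-gw user=alice src=203.0.113.77 result=success target=ics-hmi-02
2015-12-18T01:10:09Z vpn-gw user=svc-backup src=203.0.113.77 result=failure target=ics-hmi-02
2015-12-18T01:10:31Z vpn-gw user=svc-backup src=203.0.113.77 result=success target=ics-hmi-02
2015-12-18T07:15:40Z vpn-gw user=bob src=198.51.100.21 result=success target=corp-mail
"""

# Assumptions for the example: baseline source networks staff normally use,
# the site's clock offset (UTC+2, winter time), normal remote-access hours,
# and a hostname prefix marking hosts on the control-network segment.
KNOWN_SOURCES = [ip_network("198.51.100.0/24")]
SITE_UTC_OFFSET = 2
WORK_START, WORK_END = 7, 19
ICS_PREFIX = "ics-"
FAIL_SUCCESS_WINDOW = timedelta(minutes=5)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-gw user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+) target=(?P<target>\S+)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for unrecognised input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def analyze(log_text: str):
    """Apply the detection rules to every successful login and return alerts
    in log order; each alert lists every rule it triggered."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    alerts = []
    last_failure = {}  # (user, src) -> timestamp of the most recent failed login
    for rec in records:
        key = (rec["user"], rec["src"])
        if rec["result"] != "success":
            last_failure[key] = rec["ts"]
            continue
        reasons = []
        local = rec["ts"].astimezone(timezone(timedelta(hours=SITE_UTC_OFFSET)))
        if not (WORK_START <= local.hour < WORK_END):
            reasons.append("off-hours")
        if not any(ip_address(rec["src"]) in net for net in KNOWN_SOURCES):
            reasons.append("unknown-source")
        if rec["target"].startswith(ICS_PREFIX):
            reasons.append("ics-reach")  # remote access should never bridge to the control network
        if key in last_failure and rec["ts"] - last_failure[key] <= FAIL_SUCCESS_WINDOW:
            reasons.append("failure-then-success")
        if reasons:
            alerts.append({"ts": rec["ts"].isoformat(), "user": rec["user"],
                           "src": rec["src"], "target": rec["target"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert["ts"], alert["user"], alert["src"], "->", alert["target"], alert["reasons"])
```

Each rule on its own produces noise (a night-shift engineer, a new home ISP), so the useful signal is the combination: a login that is off-hours, from an unknown address and terminating on a control-network host is worth an analyst's time regardless of which account it used. The "ics-reach" rule is the one that matters most here; if the VPN cannot reach the control segment at all, the other three become far less consequential.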

We can therefore consider this attack an exception and a complete failure on the Ukrainian side. Attacks on Ukraine are purely informational in nature, and the BlackEnergy attack was the first with a real physical impact. Instead of destructive cyber attacks on Ukraine's military capacities as part of the war in the east of the country, hacking campaigns are aimed solely at obtaining information or stealing secret government, military or intelligence documents. The ability of Russian hackers to redirect GPS signals through their own networks has not been used for kinetic attacks but only to gain information. One of the biggest cyber campaigns was Operation Armageddon, a massive spying campaign, ongoing since 2013, directed at Ukrainian government offices, the military and the intelligence services. During the operation the attackers used fake software updates for Internet Explorer, Adobe Flash Player or Google Chrome to conceal the theft of information and other activities in the victims' systems.

The activities of groups like APT28 and APT29 concentrate mainly on gathering information, not on large kinetic attacks, which points to Russia's approach to cyberspace being based on the concepts of information war and information security. The events in Ukraine show that the concept of cyber war should be understood more as information war. Cyber war may have a strategic, but not purely military, effect. The attacks only play a supporting role in the traditional kinetic conflict. Even so, they pose a great danger, because such a use of cyberspace has a clear psychological effect in influencing public opinion, undermining the legitimacy of state authorities and creating confusion or fear. From a military point of view, it is the manipulation of data and software and the acquisition of important information. An attack with a large kinetic impact, which requires considerable financial or technological support, would not fit the current official discourse of Russia, which, as it maintains, is not involved in the war in Ukraine in any way. In the case of open war, everything could of course be different. In Ukraine, however, a simple physical attack has always proved much easier and more efficient. During the occupation of Crimea, one of the first buildings occupied by unidentified Russian "little green men" was the building of the Internet Exchange Point, through which the Russians immediately gained control over the Crimean Internet without the need for a cyber attack. Similarly, Ukrainian right-wing extremists simply cut the power line connecting Crimea to the Ukrainian power grid. Cutting a wire is easier and faster.

Before the power grid incident in the Ivano-Frankivsk region, no cyber attack in Ukraine had crossed the line into physical attack. Russia has thus confirmed that cyberspace offers a great tool for hybrid war, especially through the use of the gray zone of international law and the technical impossibility of attributing a cyber attack to any actor with legal certainty. Considering that the attack on the Ukrainian electricity network was an ordinary and easily stopped attack, cyber war itself is not a direct threat. The threat is information war, together with the fact that the ministries of defense of some European NATO member states pay no special attention to the concepts of cyber and information security. In the shadow of the events in Ukraine, this is definitely disturbing.

About author: Petr Boháček
