19 September 2022

Ukraine’s Cyberwar Chief Sounds Like He’s Winning


The head of the Derzhspetszviazok, Ukraine’s version of the US Cybersecurity and Infrastructure Security Agency, can be forgiven for working speedily. His country is under attack—and with it, the world order. “This is the first time ever in history that we’ve had such a full-fledged cyberwar happening right now in Ukraine,” says Shchyhol, who’s tasked with keeping Ukraine’s cyber territory safe in the same way president Volodymyr Zelensky oversees the country’s physical armed forces.

Skirmishes on the internet against Russian hackers weren’t new to Shchyhol, nor to the people he oversees as part of of the Derzhspetszviazok, also known as the State Service of Special Communications and Information Protection. Before invading Ukraine on February 24, Russia had been testing the defenses of Ukraine’s cybersecurity. Mostly it was persistent, low-level attacks, but one larger attack was launched on January 14, when Russia targeted more than 20 Ukrainian government institutions. The attack, designed to disrupt government-linked websites, leeched out into the wider Ukrainian internet. “We also identified that around 90 websites were not accessible as a result of that attack,” says Shchyhol. “The goal of the Russian hackers was to sow panic among the Ukrainian population, and to demonstrate to the outside world that Ukraine is a weak state that couldn’t handle the attacks,” he says. This is why the Derzhspetszviazok rushed to relaunch the sites affected. “The longest it took us for one site was close to one week,” he says. “No data was lost, and the outcome of this attack was more psychological warfare.”

When Russian soldiers began intruding into Ukraine’s physical territory, the attacks in cyberspace stepped up. For a full month, Russia targeted communications nodes, media, logistics, and railways, says Shchyhol. “At that time, there were lots of civilians—noncombatant Ukrainians fleeing to safer places,” he adds. “That’s why the goal of those attacks was to disrupt the work of communications lines, and railways in particular.”

We’re now in the third stage of Russia’s cyberwar against Ukraine, says Shchyhol—one that’s ongoing and perpetrated “mostly against civilian infrastructure: utilities and companies that render services to civilians, since they failed to destroy in the second phase our communication lines and our ability to keep people abreast of what’s going on.” Russia’s digital war playbook is similar to its physical warfare strategy, says the cybersecurity chief. “Our attitude remains the same,” he says. “We treat them as criminals trying to destroy our country, invading it on the land but also trying to disrupt and destroy our lifestyle in cyberspace. And our job is to help defend our country.”

Ukraine’s defense of its cyber assets has surprised some, who feared Russia’s much-hyped hacker army could quickly wipe out the country digitally—just as many in the international community worried Russia’s ground invasion was a foregone conclusion. But Vladimir Putin has already played his hand when it comes to cyberattacks, says Shchyhol, and Ukraine learned lessons. A 2017 attack launched by Russia using the NotPetya virus decimated the country—and broke out into the wider world, causing chaos wherever it spread. “Afterward, there was a couple of years when they were quiet,” says Shchyhol. “We recognized that’s because they were getting themselves prepared for more active attacks against our country, so we used that pause time to get ourselves prepared for the potential attacks.” Ukraine’s success in repelling the worst of Russia’s cyberattacks in 2022 demonstrates well how much the country analyzed and learned from previous skirmishes, says the cyber chief.

One thing that helped Ukraine learn Russia’s cyber MO was creating a database of attributed Russian attacks that were specified to particular hacker groups. Shchyhol says the Derzhspetszviazok learned that most groups were sponsored by either Russia’s intelligence service—the FSB, Russia’s post-Soviet successor to the KGB—or the Russian army. Shchyhol refutes the term “hacktivist” when used in relation to Russia. “A hacktivist is a person who does it from the generosity of his heart, free of charge,” he says. “These guys are sponsored by the state and receive a mandate to perpetrate crimes.” Knowing who was behind the attacks helped, Shchyhol says. “By virtue of realizing who is attacking us, it allowed us to be better and more successfully get prepared to repel those attacks,” he says.

The database Shchyhol and his institution developed helped Ukraine repel an attack against a Ukrainian energy-generating company Russia launched earlier this year. “They used the same virus for that that they used back in 2017,” he says. Back then, Russia used the Industroyer virus; the country deployed an updated version, called Industroyer 2, earlier this year. “Since we were ready for this type of attack, we were successful in repelling it, and thus prevented damage being caused to this company,” Shchyhol says. This prevented power blackouts for 2 million people, he adds.

Ukraine’s cybersecurity lead admits that at least one Ukrainian database has been wiped as a result of Russia’s reported widespread use of wiper malware: the government’s motor insurance policy bureau, responsible for issuing coverage for Ukrainian drivers. “For two weeks, this bureau wasn’t able to issue the insurance policies to their clients,” says Shchyhol. But the bureau—like many in Ukraine—was warned about the risks and had a backup that enabled it to return to normal operations relatively quickly.

“The efficiency of any cyber combat efforts should be judged not by the fact that we make it impossible for the attackers to attack us,” says Shchyhol. “The real test of how well we perform is the [speed] with which services can be relaunched, and the fact no important data is stolen by perpetrators.”

Ukraine’s defenses have also been bolstered by covering fire in the cyberwarfare field by pro-Ukraine hacktivists—here, he’s more willing to use the term. “I’m talking not only about the Ukrainian IT Army,” a Telegram group set up at the start of the invasion that had at its peak more than 300,000 subscribers, “but other hacktivists worldwide that joined the effort at the beginning of the invasion.” Shchyhol says that those hacktivists have provided much-needed help—even if there’s little proof that the hacktivist army made any meaningful impact. Indeed, one recent academic analysis compared their work to breaking into a disused shopping center in a small city and spray-painting “Putin sux” on the walls.

“Being a military person, I believe anything that weakens our enemy is good for us,” he says. But Shchyhol is keen to make it clear that’s his personal opinion—wanting to avoid any suggestion of collusion or organization by the Ukrainian state. “They are a self-organized community, operating by setting their own goals,” he says. “There is no coordination of their activities coming from the government of Ukraine, and no sponsoring of their activities. We, as the government of Ukraine, are not giving them any direct order to target, for instance, infrastructure.” Even if they were to do so, Shchyhol says, Russia and its infrastructure would be lawful targets because of “all the crimes they perpetrated here.”

But rather than targeting key infrastructure for offensive attacks from hacktivists, Shchyhol suggests that targeted moves by IT businesses can cause as much damage. In July, he called for international companies servicing Russia to withdraw from the country. “Our enemy currently employs tactics like hordes did back in the Middle Ages,” he says. “Trying to attack territory and modify countries to how they want them to look using blunt force. In order for them to continue using this blunt force, they rely on continuous access to modern technologies.”

Without that access, Shchyhol says, “they will be thrown back to the Middle Ages. Any technology that comes into Russian hands, they’ll immediately try to use it for military purposes.” He estimates that 95 percent of tech companies his agency, Ukraine’s vice-president, and other government officials have approached have already withdrawn from the Russian market. Those that have include Cisco, HP, IBM, and Dell.

As for companies that haven’t, Shchyhol has a simple message. “The whole civilized world needs to recognize that the threat goes beyond Ukraine,” he says. “Cyberspace has no boundaries. If there’s any attack perpetrated against the cyberspace of one country, by default it’s affecting and attacking other countries as well.”

No comments: