Perpetuated Russian-Ukrainian cyberwarfare

SecurityWar
10 January 2024, 17:44

The attacks on Kyivstar’s systems have been one of the most successful operations launched by Russians against Ukraine. This case has once again demonstrated that, in addition to conventional operations on the battlefield, there is an ongoing war in cyberspace that began in 2014. Several aspects of this war have affected many Ukrainians, such as cyberattacks on Ukrainian energy companies or the Petya.A virus.

On January 14, 2022, just over a month before the full-scale Russian invasion began, numerous Ukrainian government resources were hit by a powerful cyberattack. This January attack was one of the most significant of the past two years. However, it is important to note that the absence of visible consequences from cyberattacks, or of information about them, does not necessarily mean that they did not occur.

Deputy Head of State Special Communications Oleksandr Potiy and experts participating in the “IT Meets: Cybersecurity” conference explain what is happening on the digital battlefields and what Ukrainians should expect in the future.

***

Statistics of Ukrainian Cyber Warfare

The Special Government Response Team for Computer Emergencies of Ukraine (CERT-UA), operating within the State Special Communications and Information Protection Service of Ukraine, is the structure defending Ukraine in cyberspace. For the past two years, this team has been documenting cyber attacks on organisations in Ukraine. According to its latest report, the number of reported cyber incidents rose by 46% in the third quarter of 2023. In total, since the beginning of the war, the number of cyber attacks has increased by 250%. The data suggests that Ukrainian experts are frequently targeted by cyber attacks. However, such attacks are not a recent phenomenon. Experts have commented that 50% of the techniques employed by malicious actors were developed one to two years before they were actually put to use.

Although Ukraine has gained significant knowledge during the war and cyber warfare against Russia, the situation with cybersecurity still poses many challenges. Despite improvements since 2014, experts at “IT Meets: Cybersecurity” have highlighted that cyber attacks have become more widespread. Previously, such attacks mainly targeted ministries and government agencies. However, hackers can now target structures of rural communities or small businesses.

There is a significant problem with the security of state websites: many domains under GOV.UA are not securely configured, and their registry contacts (admin-c and tech-c) may still use Russian mail servers.
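One concrete audit that follows from this observation is to parse a domain's WHOIS record and flag any admin-c or tech-c contact whose mailbox sits on a foreign mail provider, since that mailbox is what the registry uses to authorise changes to the domain. The example below is added here and is not the article's or any registry's code; the WHOIS layout is modelled on the .UA registry's key-value style, the sample record is constructed, and the watch list of risky mail domains is an assumption to be adjusted by the operator.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of a .UA registry WHOIS dump; not a real record.
SAMPLE_WHOIS = """\
domain:      example-rada.gov.ua
admin-c:     com-EXAMPLE2-UANIC
tech-c:      com-EXAMPLE3-UANIC
nserver:     ns1.example-rada.gov.ua

contact-id:  com-EXAMPLE2-UANIC
e-mail:      admin@example-rada.gov.ua

contact-id:  com-EXAMPLE3-UANIC
e-mail:      webmaster@mail.ru
"""

# Assumed watch list: mail domains a state-domain contact should not depend on.
RISKY_MAIL_TLDS = (".ru", ".su", ".by")
RISKY_MAIL_PROVIDERS = {"mail.ru", "yandex.ru", "yandex.com", "rambler.ru", "bk.ru", "list.ru", "inbox.ru"}

LINE_RE = re.compile(r"^\s*([\w-]+):\s*(.*?)\s*$")

def parse_blocks(text: str) -> List[Dict[str, str]]:
    """Split a WHOIS dump into blank-line-separated blocks of key: value pairs (first value wins)."""
    blocks, current = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                      # blank or non key:value line ends the current block
            if current:
                blocks.append(current)
                current = {}
            continue
        current.setdefault(m.group(1).lower(), m.group(2))
    if current:
        blocks.append(current)
    return blocks

def is_risky_mail(address: str) -> bool:
    """True if the mailbox lives on a provider or TLD from the watch list."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain in RISKY_MAIL_PROVIDERS or domain.endswith(RISKY_MAIL_TLDS)

def audit_contacts(text: str) -> List[Tuple[str, str, str]]:
    """Return (role, handle, e-mail) for each admin-c/tech-c whose mailbox is on a risky provider."""
    blocks = parse_blocks(text)
    handles = {b["contact-id"]: b.get("e-mail", "") for b in blocks if "contact-id" in b}
    domain_block = next((b for b in blocks if "domain" in b), {})
    findings = []
    for role in ("admin-c", "tech-c"):
        handle = domain_block.get(role, "")
        email = handles.get(handle, "")
        if email and is_risky_mail(email):
            findings.append((role, handle, email))
    return findings
```

Run over the output of `whois <domain>` for each state domain in scope; any finding is a contact whose mailbox should be moved to infrastructure the organisation controls.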

Key Trends in Cyber Warfare

One significant change that experts have observed since the start of the full-scale invasion is the rise in the frequency of cyber attacks. Several hacker groups linked to Russia have surfaced, as well as others that appear to be independent. The nature of the attacks has become more complex, necessitating quicker and more adaptable responses.

According to experts, preparations for a cyber attack in conjunction with the start of a conventional war began as early as September 2021. Some IT systems already had backdoors as early as July of that year, which contained “time bombs” that were programmed to activate only after Russia attacked.

On January 14, 2022, there were well-known attacks that experts considered to be reconnaissance in force. On February 23, 2022, a massive cyber attack began at 6:00 PM. Its objective was to disrupt all communications and connectivity, as well as prevent the state from governing in an attempt to demoralise the population.

One manifestation of the cyber attacks was the assault on Viasat, a satellite communication provider, in February 2022. This was followed by another attack on Ukrtelecom in late March 2022.

Victims of Cyber Attacks

Experts note that cyber attacks can target a broad spectrum of organisations, structures, and industries. Nowadays, not only small businesses, local communities, and educational institutions are vulnerable, but also various other sectors.

The primary targets of attacks are governmental institutions. IT integrators and mobile operators, internet service providers, energy companies, water utilities, logistics and insurance companies, and even hotels are also at a very high risk of being attacked. During the war, attacks on the media have intensified, with unclear destructive consequences beyond the apparent image effect.

Another interesting detail is that it has been common for cyber warfare attacks to target the same agencies repeatedly.

Ukraine’s Energy Sector is One of Russia’s Primary Victims

At the “IT Meets: Cybersecurity” conference, Farid Safarov, the Deputy Minister of Energy of Ukraine for Digital Development and Digital Transformations, announced that since the start of the war, more than 1.5 million cyber attacks had been recorded on the energy sector as of the beginning of August 2023.

It has been observed that cyber attacks on energy infrastructure were often followed by missile attacks. The attackers aimed to undermine the same targets that missiles were destroying. Moreover, hackers also tried to gain manual control over energy transmission stations. It is worth noting that transmission facilities were the primary targets of these attacks, with 80-90% of them focused on these facilities to maximise their impact in conjunction with the shelling.

This was particularly evident in October-November 2022: websites of relevant ministries, power distribution and transmission systems operators, and even their user accounts were targeted. The goal was to create maximum chaos following the power outages.

The overarching objective of cyber attacks on the power grid was to disconnect energy transmission remotely and block the possibility of reconnection. Hackers orchestrated attacks on modems (communication devices), followed by the destruction of employees’ computers and servers.

How Cyber Attacks Are Carried Out

As for the attack vectors, i.e., the methods of breach, nothing new has been observed in this sector of cyber warfare. Criminals exploit already known vulnerabilities (unpatched ones, i.e., those for which the updates that fix the issues have not yet been installed). They also search for and use compromised accounts, and they exploit zero-day vulnerabilities (those for which updates do not yet exist). Classical phishing is another common way to compromise a system; supply-chain attacks, where hackers breach a system by targeting software from a supplier used by the victim, are also prevalent.

What Should We Expect in the Future?

“After the active phase of the war, cyber warfare will continue,” was the forecast made at “IT Meets: Cybersecurity.” The reason for the perpetuation of cyber warfare is not solely due to the prolonged war in Ukraine. Two factors that have contributed to its longevity are the availability and ease of use of tools for orchestrating attacks, as well as the advancements in artificial intelligence technology. These two factors work in tandem, transforming cyber warfare into a prolonged and seemingly never-ending process.

Artificial intelligence appears to be capable of generating almost perfect phishing emails. This means that cyber attackers can easily organise large-scale phishing attacks and overwhelm the victim with thousands of infected emails instead of just a few. Consequently, the likelihood of the victim responding to at least one of these emails increases significantly, making such attacks more efficient.

Deputy Head of State Special Communications: “Do not underestimate Russia’s ability to carry out complex cyber operations”

Deputy Head of State Special Communications, Oleksandr Potiy, answered questions from The Ukrainian Week/Tyzhden regarding cyber warfare, defence, and interactions with Russian hackers.

— What has been the most challenging and easiest aspect of cyber defence for the state during the past two years of a full-scale war?

— I can only say with certainty that there are no easy tasks. We could have easily given up and accepted our defeat, but instead, we chose a different path. Ukraine was the first country to face such massive challenges, where the cyber component became an integral part of the war. Therefore, the main challenge for the state in cyberspace was to prevent the destruction of information systems, particularly critical infrastructure objects, maintain the integrity of state data, and ensure citizens’ access to the services provided by the country.

Adapting defence systems to the challenges of war is a difficult task, especially when it needs to be done quickly and in a constantly changing environment. This experience is new to everyone, so there are no established patterns, instructions, or approaches to follow. It is essential to react quickly in response to the challenges that arise.

It is crucial to be vigilant, especially knowing that nobody is able to tell when the active phase of Russian aggression, particularly in cyberspace, will end.

— What was your institution unprepared for?

— Even before the full-scale invasion, we heard multiple times that Russian hackers are a powerful force in cyberspace. There were numerous statements that Ukrainian systems would not withstand attacks and would be destroyed. However, despite some successful attacks, they have not had any critical consequences for the country and its citizens. It wouldn’t be correct to say that large Ukrainian businesses are unprepared regarding cybersecurity. In fact, they are constantly improving their cybersecurity systems by investing significant resources into them. In 2017, the law “On the Basic Principles of Cybersecurity of Ukraine” was passed, which led to establishing a system of bodies responsible for cybersecurity in the country. Additionally, many necessary laws and regulatory acts have been implemented to strengthen the cybersecurity infrastructure.

It is important to highlight that there is still room for improvement in the current system, especially after the attacks that happened on January 14th, 2022. However, the priority measures for improvement developed by the National Security and Defence Council are still in the form of draft laws at the moment. It is essential to understand that regulatory acts only form a foundation and do not provide protection on their own. With the help of individuals working together and receiving training, as well as the tremendous support from our Western partners and Ukrainian volunteers, we persevered. Ukraine has extensively researched and will continue to study its opponents, including their techniques and tactics in cyberspace. Our experts have already been sharing their experiences with partners worldwide. However, there are no perfectly secure information systems, as any can be breached. The question is only a matter of time and means. We consistently emphasise that the capabilities of Russians to conduct high-quality and sophisticated cyber operations should not be underestimated. Therefore, there is a need to further enhance cyber resilience both for individual entities and the country as a whole. Cyber resilience is not only about resisting cyber attacks but also about the ability to recover quickly after them.

— Did the Russian hackers live up to their formidable reputation?

— During the first two years of the full-scale war, it became apparent that the potential of Russian hackers had been overestimated. Contrary to recent propaganda, Russia is not as powerful as it was believed to be. Despite initial massive cyber attacks in mid-January and the full-scale invasion of Russian forces into Ukraine, we expected to see a significantly larger number of sophisticated attacks.

However, it is essential to understand that we should not entertain false hopes that our opponent is feeble, as mentioned earlier. It is evident that the adversary is highly skilled and dangerous, with significant resources at their disposal. The hackers from Russia who have direct links with Russian authorities will keep up their activities until the Russian military apparatus is deactivated.

— What should we expect in 2024?

— We do not doubt that Russian hackers will continue their cyber attacks on Ukraine. They will target both critical information infrastructure objects and private businesses that may have contractual relations with companies or government institutions owning such objects. They will also continue to carry out mass phishing campaigns to identify individuals with access to various objects and use them for further attacks. Therefore, we urge all Ukrainians to remain vigilant and follow cyber hygiene rules. Institutions and companies should also continue to strengthen their protection and recovery systems.

After closely monitoring activity in Russian Telegram channels, we realised that the adversary is targeting young people, providing them with educational materials and hacking tools. This is concerning as it seems that they are preparing a new generation of motivated hackers who may easily become involved in cybercrime in the future.

On the other hand, we study various threats and develop protection strategies to enhance the security level of potential targets. However, there are still many challenges and problems ahead, which we aim to overcome. We pay particular attention to safeguarding critical infrastructure objects as the State Special Communications Service is responsible for coordinating their protection. We also understand the full range of possible threats, including those in cyberspace.

The Russian military doctrine includes cyber aggression, as demonstrated by the war in Ukraine. This poses a growing threat to Ukraine and its partners in the future.
