The other front:
How Ukraine addresses the threats of the cyberspace
What cyber threats Ukraine has faced in the past two years
In December 2015, a massive hacker attack on the Western Ukrainian energy provider Prykarpattyaoblenergo took place. According to the company's representatives, it resulted in a blackout that affected 200,000 consumers. Most foreign media showed interest in the event, since it was the first time that damage of such scale had been caused by malware.
"This is the first time that we have proof and can link malware with a specific system failure," Kyle Wilhoit, senior researcher at Trend Micro, a Japanese developer of information security systems, later said in his comments to Reuters.
Later, it was discovered that BlackEnergy malware was used for the attack. Interestingly, this news was released by the US Department of Homeland Security, and not by the respective Ukrainian agencies. American IT company iSight Partners linked the attack to the Russian hacker group known as Sandworm.
The Security Service of Ukraine (SBU), for its part, directly accused Russia of the attack, without disclosing any details. The agency also reported that Prykarpattyaoblenergo was not the only victim of the attacks on energy facilities that took place in December 2015. According to the SBU, serious damage was prevented in the other cases. It was established that blackouts caused by hacker attacks in late 2015 also affected Kyiv and Chernivtsi oblasts.
The BlackEnergy malware family has been known since 2007, and hackers still successfully use its various modifications. A specific feature of this malware is that it can stay on an infected device for years without manifesting itself. The attacker activates it only when the right time comes.
This is why it is still too early to evaluate the scale of cyber attacks against Ukrainian companies and infrastructure. Back in 2014, ESET experts reported that about half of all computers infected with BlackEnergy were located in Ukraine and Poland. "Some of them belong to a number of government agencies and various enterprises, and there are other targets that we could not identify," they said in a statement. We can only guess how many malware programs are in "standby mode" as of 2017.
After the energy networks were hacked in 2015, another series of attacks took place. In January 2016, BlackEnergy was found on one of the workstations at Boryspil airport. The infected computer was disconnected from the airport's electronic infrastructure, and nothing was reported about the damage caused.
After that, hackers carried out a series of attacks aimed at doing harm primarily in cyberspace. In March, there was a massive attack on the website collecting signatures for e-petitions to the President. Within 11 minutes, 738,000 signatures were added, primarily in support of the petition for the resignation of Mikheil Saakashvili from the post of Chairman of the Odessa Regional State Administration. On Independence Day, unknown attackers managed to hack into the social network pages of the Ministry of Defense and the National Guard. Later, similar attacks were carried out against the website of the NSDC information and analysis center and the Facebook page of the ATO Headquarters' Press Center, and the list goes on. Almost always, the attackers left either messages in support of the Donetsk/Luhansk People's Republic (DNR/LNR) terrorists or anti-Ukrainian slogans on the hacked pages.
Exactly one year after the cyber attacks on the power companies, BlackEnergy resurfaced. In December, the Ministry of Finance, the State Treasury and the National Bank fell victim to its attacks. Even though no direct evidence of Russia's involvement in these attacks has been provided so far, their character suggests just that.
First of all, attention should be paid to the timing of malware activation. The blackouts in 2015 occurred in winter, during the coldest time of the year, when the population is most affected by the lack of heating. The attacks on the financial institutions happened just before the New Year holidays and could have triggered another wave of discontent and protests over delays in social payments. A similar tactic was employed by the Kremlin during the gas wars it waged against Ukraine: back then, Moscow would heighten tensions and cut off fuel supplies to Europe during the coldest periods. Hackers acting independently of the state usually try to inflict economic damage on their victims (usually multinational corporations), whereas in all cases in Ukraine the attacks pursued social and political goals.
THE NEW BATTLE GROUND
Ukraine is trying to gradually put in place a system of response to the aggression in cyberspace. In March 2016, the Cyber Security Strategy of Ukraine was approved by presidential decree. Such a regulatory instrument appeared for the first time since Independence. In the summer of the same year, the National Cybersecurity Coordination Center at the National Security and Defense Council of Ukraine (NSDC) started its work, and the list of critical infrastructure was officially defined, along with the procedure for compiling such a list.
However, since Ukraine is considerably lagging behind the leaders in cyberspace operations, it should be moving ahead at twice the speed. For example, the above-mentioned Strategy states that "the cyberspace is gradually becoming a separate battlefield, alongside the traditional ground, air, sea and space, where the respective units of the world powers' armed forces are increasingly active." Recognition of this fact at the state level is long overdue. By way of comparison, US President Barack Obama declared his country's digital infrastructure a "strategic national asset" back in 2010, and US Army Cyber Command was established that same year. In China, the Strategic Support Force, a separate branch of the Chinese Army responsible for operations in cyberspace, was officially created in January 2016. Special cyberwarfare units have long been established in the UK and Israel. Other countries, such as Russia and Iran, constantly declare their intention to create such units; unofficially, they already have entire armies of hackers in the service of the authorities.
Valentyn Petrov, head of the Information Security Service at the NSDC, believes that Ukrainian information resources are no longer easy prey for hackers. There have been some changes; above all, the problem has been recognized as such. According to him, the state leadership earlier regarded cybersecurity issues as a kind of science fiction. The large-scale attacks on Estonia and Georgia were ignored. The authorities willingly listened to the reports and recommendations of experts, but it all ended in talk. Besides the lack of funds, there was also a lack of political will.
According to Petrov, Ukraine has also managed to ensure coordination between the key cyberspace defenders: the Cyber Police, the State Security Service and the State Special Communications and Information Protection Service (SSCIPS). Earlier, this was impossible because of the agencies' competition for fame and awards. Very often they strove to be the first to report a crisis situation, interfering with its resolution. This trend began to change for the better with the establishment of the National Cybersecurity Coordination Center, which aims to minimize the negative effects of cyber attacks. In addition, recommendations on avoiding them have already been developed.
In the meantime, Ukraine has many soft spots, including the absence of Ukrainian-owned mobile operators, software vulnerabilities, an outdated legal framework and a lack of professionally trained experts in the field. The first problem became evident at the beginning of the ATO, when, for lack of approved communication equipment, Ukrainian unit commanders widely used mobile phones, whose vulnerability was exploited by the enemy. Today, SSCIPS is working to create a national telecommunications network, which will include a mobile component. However, it is unknown when the work will be completed.
One of the most notorious examples of the software problem is the Russian accounting systems used by most businesses. Banning them today is impossible, since this would bring all financial reporting to a halt. However, the analysis of the attack on the State Treasury confirmed that most computers had Russian software products installed, which could have facilitated hacking into the system as a whole.
To avoid such situations, Ukraine should create the prerequisites for opening its market to international software manufacturers and foster the growth of its own software firms. However, the domestic IT sector should not be supported blindly, so as not to repeat the story of automobile industry lobbying.
A NEED FOR CYBER LITERACY
Outdated provisions of some legal instruments also significantly complicate and slow down the development process. Besides, Ukraine still has no effective mechanism for holding people accountable for violating security requirements in the information space. Public authorities' ability to investigate cybercrimes is significantly limited. According to Petrov, this drawback could be eliminated first of all by implementing the Council of Europe Convention on Cybercrime. The main thing here is to keep a balance between introducing the necessary restrictions and preserving freedoms, so as not to follow the example of Russia with its infamous "Yarovaya laws."
At the same time, according to the NSDC, all servers that store the information of state bodies are physically located in Ukraine, with the sole exception of the public procurement system ProZorro. This means that the enemy will not be able to physically seize the databases of Ukraine's state bodies.
Besides the general problems to be addressed at the legislative level, human resources are also a pressing issue. A specific feature of the BlackEnergy attacks was the use of social engineering techniques. The attackers created emails whose content was difficult to ignore. The emails were sent on behalf of one of the Verkhovna Rada's departments, with text that either promised to disclose a list of separatist MPs or requested managers to provide the names of employees who had been mobilized. The victim downloaded an attached file, whereupon the computer was infected.
Under such circumstances, the computer literacy of employees of businesses and organizations becomes a primary issue. Serious private companies remind their employees at least once a month about the basic principles of information security, violation of which entails significant penalties, up to dismissal. The simplest recommendations include always logging out of accounts on all devices, using complex passwords, not sending passwords and internal website links by e-mail, etc. At the same time, Ukrainian state-owned enterprises often employ older people who only recently started using PCs and click on everything. In many cases, the heads of organizations do not realize the problem. Under such conditions, there is no question of training or increasing computer literacy. Even Ukrainian security agencies, including the State Security Service and the Interior Ministry, were still using Russian email services such as mail.ru and yandex.ru back in 2015, at the height of the Russian aggression. The analysis of the December attacks on the State Treasury, the Finance Ministry and the National Bank showed that the attackers were least successful in the case of the National Bank, where the management paid a lot of attention to cybersecurity issues.
Another dimension of the human resources problem is the wages of public sector employees. The monthly salary of SSCIPS experts is UAH 3,500, while cyber police officers earn about UAH 11,000. Private IT companies, however, pay their employees UAH 30,000 and more. How to get high-quality personnel to work for the state at the remuneration it offers remains an open question. Foreign partners can provide some assistance, if not with salaries, then with software and with training current employees. Such partners include the Trust Funds established by NATO allies. Thanks to an American-run fund, a large-scale program to reform military communications and control is being implemented. Another fund, managed by Romania, is developing technical safeguards for the SBU. In the near future, this project will allow a powerful monitoring center to be established to detect suspicious activity on government information resources. Numerous training courses and internships are also available to Ukrainian specialists.
Each new attack in cyberspace builds expertise for repelling such attacks in the future. However, McAfee Virus Lab specialists and the Computer Emergency Response Team of Ukraine (CERT-UA) concluded that the level of organization of the December attack on Ukraine's financial authorities was poor. Perhaps it was just a reconnaissance operation, and the real battles lie ahead.