The other front:

How Ukraine addresses the threats of cyberspace

The Ukrainian Week, by Yuriy Lapayev and Andriy Holub

What cyber threats Ukraine has faced in the past two years

In December 2015, a massive hacker attack on the Western Ukrainian energy provider Prykarpattyaoblenergo took place. According to the company's representatives, it resulted in a blackout that affected 200,000 consumers. Most foreign media showed interest in the event, since it was the first time that damage on such a scale had been caused by malware.

"This is the first time that we have proof and can link malware with a specific system failure," Kyle Wilhoit, senior researcher at the Japanese information security company Trend Micro, later told Reuters.


It was later discovered that the BlackEnergy malware had been used in the attack. Interestingly, this news was released by the US Department of Homeland Security, not by the respective Ukrainian agencies. The American IT company iSight Partners linked the attack to the Russian hacker group known as Sandworm.

The Security Service of Ukraine (SBU), in its turn, directly accused Russia of the attack, without disclosing any details. The agency also stated that Prykarpattyaoblenergo was not the only target of the attacks on energy facilities in December 2015; according to the SBU, in the other cases serious damage was prevented. It was established that blackouts caused by hacker attacks in late 2015 also affected Kyiv and Chernivtsi oblasts.

The BlackEnergy malware family has been known since 2007, and attackers still successfully use its various modifications. A specific feature of this malware is that it can remain on an infected device for years without manifesting itself; the attacker activates it only when the right moment comes. A dormant implant produces no visible failure, so its presence can only be established by looking for it, not by waiting for damage to appear.

This is why it is still too early to evaluate the scale of the cyber attacks against Ukrainian companies and infrastructure. Back in 2014, ESET researchers reported that about half of all computers infected with BlackEnergy were located in Ukraine and Poland. "Some of them belong to a number of government agencies and various enterprises, and there are other targets that we could not identify," they said in a statement. We can only guess how many malware implants are in "standby mode" as of 2017.

After the energy networks were hacked in 2015, another series of attacks followed. In January 2016, BlackEnergy was found on one of the workstations at Boryspil airport. The infected computer was disconnected from the airport's electronic infrastructure, and nothing was reported about any damage caused.

After that, hackers carried out a series of attacks aimed at doing harm primarily in cyberspace. In March, there was a massive attack on the website collecting signatures for e-petitions to the President: within 11 minutes, 738,000 signatures were added, primarily in support of the petition for the resignation of Mikheil Saakashvili from the post of Chairman of the Odessa Regional State Administration. On Independence Day, unknown attackers managed to hack into the social network pages of the Ministry of Defense and the National Guard. Later, similar attacks were carried out against the website of the NSDC information and analysis center and the Facebook page of the ATO Headquarters' Press Center, and the list goes on. Almost always, the attackers left either messages in support of the Donetsk/Luhansk People's Republic (DNR/LNR) terrorists or anti-Ukrainian slogans on the hacked pages.
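From the defender's side, a flood of the kind described above (hundreds of thousands of signatures in minutes) is a rate anomaly that is visible in the site's own access log long before anyone reads the petition. The following Python is an added example written for this page, not code from the article or from the petition platform. It assumes a hypothetical log line format (ISO timestamp, petition id, source address) and illustrative thresholds; the sample log is constructed inline. It combines two checks: a sliding-window count per petition, and the ratio of distinct source addresses to signatures, since an organic surge comes from many clients while a script usually does not.

```python
"""Sliding-window burst detection over a petition signature log (added example)."""
import re
from collections import deque
from datetime import datetime, timedelta, timezone

# Assumed (hypothetical) log line format, not the real platform's:
#   2016-03-14T10:00:00Z petition=2002 ip=203.0.113.1
LINE_RE = re.compile(r"^(\S+) petition=(\d+) ip=(\S+)$")


def parse_line(line):
    """Return (timestamp, petition_id, ip) or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3)


def find_bursts(lines, window_seconds=60, max_per_window=100, min_ip_ratio=0.5):
    """Flag every petition that receives more than max_per_window signatures
    within any window_seconds-long sliding window. Each alert also reports how
    many distinct source addresses were involved; a ratio of distinct addresses
    to signatures below min_ip_ratio is marked as scripted. One alert per window
    is emitted so that a sustained flood does not produce one alert per event."""
    events = sorted(e for e in map(parse_line, lines) if e)
    per_petition = {}
    for ts, pid, ip in events:
        per_petition.setdefault(pid, []).append((ts, ip))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for pid, evs in per_petition.items():
        recent = deque()          # events inside the current window
        suppress_until = None     # do not re-alert until this timestamp
        for ts, ip in evs:
            recent.append((ts, ip))
            while recent and ts - recent[0][0] >= window:
                recent.popleft()  # drop events that fell out of the window
            if len(recent) > max_per_window and (suppress_until is None or ts >= suppress_until):
                distinct = len({x[1] for x in recent})
                alerts.append({
                    "petition": pid,
                    "window_start": recent[0][0].isoformat(),
                    "count": len(recent),
                    "distinct_ips": distinct,
                    "scripted": distinct / len(recent) < min_ip_ratio,
                })
                suppress_until = ts + window
    return alerts


def sample_log():
    """Constructed sample: one petition signed organically, one flooded by a script."""
    base = datetime(2016, 3, 14, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(20):   # organic: a signature every 3 minutes, each from a new address
        ts = base + timedelta(minutes=3 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} petition=1001 ip=198.51.100.{i + 1}")
    for i in range(150):  # flood: 150 signatures in 30 seconds from only 3 addresses
        ts = base + timedelta(seconds=i // 5)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} petition=2002 ip=203.0.113.{i % 3 + 1}")
    return lines


if __name__ == "__main__":
    for alert in find_bursts(sample_log()):
        print(alert)
```

The thresholds are deliberately low so the constructed data trips them; in production they would be derived from the platform's normal per-minute rate. Note that the address-ratio check is only a heuristic: a botnet with many addresses passes it, which is why the volume check stands on its own.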

Exactly one year after the cyber attacks on the power companies, BlackEnergy reminded everyone of itself. In December 2016, the Ministry of Finance, the State Treasury and the National Bank fell victim to its attacks. Even though no direct evidence of Russia's involvement in these attacks has been provided so far, their character suggests just that.

First of all, attention should be paid to the timing of malware activation. The blackouts in 2015 occurred in winter, during the coldest time of the year, when the population is most affected by a lack of heating. The attacks on the financial institutions happened just before the New Year holidays and could have triggered another wave of discontent and protests over delays in social payments. A similar tactic was employed by the Kremlin during the gas wars it waged against Ukraine: back then, Moscow would heighten tensions and cut off fuel supplies to Europe during the coldest periods. Hackers acting independently of the state usually try to inflict economic damage on their victims (usually multinational corporations), whereas in all the Ukrainian cases the attacks pursued social and political goals.


Ukraine is gradually trying to put in place a system for responding to aggression in cyberspace. In March 2016, the Cyber Security Strategy of Ukraine was approved by presidential decree, the first regulatory instrument of its kind since Independence. In the summer of the same year, the National Cybersecurity Coordination Center at the National Security and Defense Council of Ukraine (NSDC) started its work, and the list of critical infrastructure was officially defined, along with the procedure for compiling such a list.

However, since Ukraine lags considerably behind the leaders in cyberspace operations, it should be moving ahead at twice the speed. For example, the above-mentioned Strategy states that "cyberspace is gradually becoming a separate battlefield, alongside the traditional ground, air, sea and space, where the respective units of the world powers' armed forces are increasingly active." Recognition of this fact at the state level is long overdue. By way of comparison, US President Barack Obama declared his country's digital infrastructure a "strategic national asset" back in 2010, and US Army Cyber Command was established that same year. In China, the Strategic Support Force, a separate branch of the Chinese armed forces responsible for operations in cyberspace, was officially created in January 2016. Special cyberwarfare units have long existed in the UK and Israel. Other countries, such as Russia and Iran, constantly declare their intention to create such units; unofficially, they already have entire armies of hackers in the service of the authorities.

Valentyn Petrov, head of the Information Security Service at the NSDC, believes that Ukrainian information resources are no longer easy prey for hackers. There have been some changes; above all, the problem has been recognized as such. According to him, the state leadership earlier considered cybersecurity issues a kind of science fiction. The large-scale attacks on Estonia and Georgia were ignored. The authorities willingly listened to the reports and recommendations of experts, but it all ended in talk. Besides the lack of funds, there was also a lack of political will.

According to Petrov, Ukraine has also managed to ensure coordination between the key defenders of its cyberspace: the Cyber Police, the SBU and the State Special Communications and Information Protection Service (SSCIPS). Earlier, this was impossible because of the agencies' competition for fame and awards: very often they strove to be the first to report a crisis situation, interfering with its resolution. This trend began to change for the better with the establishment of the National Cybersecurity Coordination Center, which aims to minimize the negative effects of cyber attacks. In addition, recommendations on avoiding them have already been developed.

Meanwhile, Ukraine has many soft spots, including the absence of Ukrainian-owned mobile operators, software vulnerabilities, an outdated legal framework and a lack of professionally trained experts in the field. The first problem became evident at the beginning of the ATO when, for want of authorized means of communication, Ukrainian unit commanders made wide use of mobile phones, whose vulnerability was exploited by the enemy. Today, SSCIPS is working to create a national telecommunications network that will include a mobile component, but it is unknown when the work will be completed.

One of the most notorious examples of software problems is the Russian accounting systems used by most businesses. Banning them today is impossible, since this would bring all financial reporting to a halt. However, analysis of the attack on the State Treasury confirmed that most computers had Russian software products installed, which could have facilitated the compromise of the system as a whole.

To avoid such situations, Ukraine should create the prerequisites for opening its market to international software manufacturers and foster the growth of its own software firms. However, the domestic IT sector should not be supported blindly, so as not to repeat the story of automobile industry lobbying.


Outdated provisions of some legal instruments also significantly complicate and slow down the development process. Besides, Ukraine still has no effective mechanism for holding people accountable for violating security requirements in the information space, and the ability of public authorities to investigate cybercrimes is significantly limited. According to Petrov, this shortcoming could be eliminated first of all by implementing the Council of Europe Convention on Cybercrime. The main thing here is to keep a balance between introducing the necessary restrictions and preserving freedoms, so as not to follow the example of Russia with its infamous "Yarovaya laws."

However, according to the NSDC, all servers that store the information of state bodies are physically located in Ukraine, with the sole exception of the public procurement system ProZorro. This means that the enemy will not be able to physically seize the databases of Ukraine's state bodies, though, as the December attacks showed, physical location does nothing to prevent remote compromise.

Besides the general problems to be addressed at the legislative level, human resources are also a topical issue. A specific feature of the BlackEnergy attacks was the use of social engineering techniques. The attackers crafted emails whose content was difficult to ignore: they were sent on behalf of one of the Verkhovna Rada's departments, with text that either promised to disclose a list of separatist MPs or requested that managers provide the names of employees who had been mobilized. The victim opened the attached file, whereupon the computer was infected.

Under such circumstances, the computer literacy of the employees of businesses and organizations becomes a primary issue. Serious private companies remind their employees at least once a month of the basic principles of information security, violation of which entails significant penalties, up to dismissal. The simplest recommendations include always logging out of accounts on all devices, using complex passwords, not sending passwords and internal website links by e-mail, etc. At the same time, Ukrainian state-owned enterprises often employ older people who only recently started using PCs and click on everything. In many cases, the heads of organizations do not realize there is a problem, and under such conditions there is no talk of training or of increasing computer literacy. Even Ukrainian security agencies, including the SBU and the Interior Ministry, were still using Russian email services such as yandex.ru back in 2015, at the height of the Russian aggression. Analysis of the December attacks on the State Treasury, the Finance Ministry and the National Bank showed that the attackers were least successful in the case of the National Bank, where management paid a lot of attention to cybersecurity issues.

Another dimension of the human resources issue is the wages of public sector employees. The monthly salary of SSCIPS experts is UAH 3,500, while cyber police officers earn about UAH 11,000; private IT companies, by contrast, pay their employees UAH 30,000 and more. How to get high-quality personnel to work for the state at the remuneration it offers remains an open question. Foreign partners can provide some assistance, if not with salaries then with software and with training current employees. Such partners include the Trust Funds established by NATO allies. Thanks to an American-run fund, a large-scale program to reform military communications and control is being implemented. Another fund, managed by Romania, is developing technical safeguards for the SBU; this project will allow a powerful monitoring center to be established in the near future to detect suspicious activity on government information resources. Numerous training courses and internships are also available to Ukrainian specialists.

Each new attack in cyberspace creates expertise for repelling such attacks in the future. However, McAfee Virus Lab specialists and the Computer Emergency Response Team of Ukraine (CERT-UA) concluded that the level of organization of the December attack on Ukraine's financial authorities was poor. Maybe it was just a reconnaissance operation, and the real battles lie ahead.
