Ukraine’s digital defences hold out in cyber war with Russian hackers

Co-operation between state agencies and private sector, as well as help from western allies, has strengthened Ukraine’s cyber resilience


As Russia’s missiles strike Ukraine for a fifth bloody month and the two nations’ armies vie for the plains and shattered cities of the Donbas region, other unseen battles are being fought every day on a different front.

The people who defend Ukraine in cyberspace trace the first blows in Russia’s all-out invasion not to February 24th — when tanks and troops crossed the border — but to an online attack six weeks earlier, while recognising that the current onslaught is actually the latest phase in a full-spectrum war that Russia has waged against its neighbour since 2014.

Russian hackers have tried to cripple Ukraine’s military communications, cause blackouts, disrupt its banking, media and other sectors and crash government websites, to undermine its defences and its people’s faith in their state at a time of extreme crisis.

Yet Ukraine has shown cyber resilience to match its surprising strength on the conventional battlefield, thanks to experience gained during eight years in Russia’s crosshairs, co-operation between state agencies and the private sector, and help from western allies and volunteers at home and abroad.


“If we consider that a hybrid war has two components, then we should understand that it actually started on January 14th and then the conventional component began on February 24th,” says Victor Zhora, deputy chairman of Ukraine’s state service of special communications and information protection.

On January 14th, as Russia massed troops near its neighbour while denying plans for an all-out invasion, scores of websites belonging to state agencies and other organisations in Ukraine were brought down by hackers who left an on-screen message telling Ukrainians that their personal data had been stolen and to “be afraid and expect worse”.

Most of the websites were soon restored, but Microsoft security experts said they believed the incident could have been cover for a much more serious attack using malware “which is designed to look like ransomware but ... is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom”.

During a ransomware attack — such as the one on Ireland’s health service last year — hackers encrypt data and demand a ransom to decrypt it, but the malware used against Ukraine wiped data in a way Microsoft saw as “inconsistent with ... ransomware activity”.

As Serhiy Demedyuk, deputy secretary of Ukraine’s national security and defence council said at the time: “The defacement of the sites was just a cover for more destructive actions that were taking place behind the scenes and the consequences of which we will feel in the near future.”

Other attacks on websites of Ukrainian state agencies and private firms followed — sometimes vandalising them, sometimes blocking them, sometimes encrypting or wiping data — in the weeks leading up to Russian president Vladimir Putin’s order to invade.

Communications networks

Before dawn in Kyiv on February 24th, as Russia’s forces rolled over the border and its warplanes and missiles struck Ukrainian cities, a cyberattack disabled tens of thousands of modems linked to US firm Viasat’s KA-SAT satellite, affecting a vast range of systems including communication networks used by Ukraine’s military.

The US, UK and European Union concluded later that Russia was indeed behind an outage that took place just one hour before it launched the “kinetic” element of its invasion, combining cyber and physical attacks in a way that it would repeat in the coming months.

Moscow appears to have expected Kyiv to fall within days and the rest of Ukraine in a few weeks, and Zhora says most of its cyberattacks early in the war were “chaotic” and had little lasting effect.

“They thought there was no need to plan longer-term cyber operations. But when Ukraine showed unexpected resistance to aggression, they changed tactics and prepared more sophisticated attacks that took place at the end of March and early April,” he recalls.

The targets ranged from the ministry of foreign affairs and a government contact centre, to major internet provider Ukrtelekom and a regional energy producer that supplies power to more than 1.5 million people.

“Sometimes we weren’t in time and responded reactively ... but it’s not easy to always prevent attacks. It’s much more important to show resilience — how quickly you can restore infrastructure and services,” Zhora says.

“In the case of Ukrtelekom most connections were restored to customers within 24 hours, the government contact centre restored most services in three or four days, and with the regional energy firm we were able to quickly identify and mitigate the attack at the very first phase, preventing a blackout on territory where 1.5 million to two million people live.”

Ukraine’s power grid was attacked at least twice before, in 2015 and 2016, and the second of those incidents plunged about a fifth of Kyiv into darkness for about an hour.

They were attributed to a hacker group dubbed Sandworm — thought to be Unit 74455 of Russia’s GRU military intelligence — which in both the 2016 attack and this April’s attack deployed variants of so-called Industroyer malware, which is designed to disrupt the control systems of electrical substations.

The group is also blamed for infecting business software in Ukraine in 2017 with a computer “worm” dubbed NotPetya, which then tunnelled through networks around the world, causing chaos at several major companies and billions of euro in damage in what technology magazine Wired called “the most devastating cyberattack in history”.

It was an example of how attacks on one country can quickly spiral out through cyberspace and have global consequences, whether intended or not.

“Russia has an operation in Ukraine but can easily switch any of its cyberattacking groups to another country, targeting democracies, elections, critical infrastructure. And this can be done much more easily than rearranging conventional troops,” says Zhora, noting how Russian hackers attacked Lithuanian websites during a recent row over sanctions.

Zhora says Ukraine is now “the main theatre of conventional and cyber warfare”, making it a place where the US and other western powers can not only offer support but also learn vital lessons in how to combat threats from Russia and other potential adversaries.

“We have seen the Russians having an integrated approach to using physical and cyberattacks ... to achieve their brutal objectives in Ukraine,” said senior White House cybersecurity official Anne Neuberger.

As well as the operation against Viasat modems as Russia was launching its all-out invasion, Zhora says shelling of Odesa region coincided with a cyberattack on a local telecoms firm and missiles hit Lviv at the same time as hackers struck its regional administration.

“These can be supportive operations to provide a bigger psychological effect, perhaps to demonstrate [Russia’s] supposed supremacy in both cyberspace and in the conventional sphere,” he explains.

Internet traffic

The Kremlin’s desire to control information and communications in Ukraine has been shown clearly in occupied areas: after Moscow’s troops seized much of the Kherson region, its internet traffic was rerouted through Russia’s system, where data can be monitored and blocked; in the ruins of Mariupol, where few districts have basics such as power or water, Russia quickly parked large mobile screens in public spaces to broadcast state propaganda.

“Russia wants to cut people’s access to Ukrainian and international information resources, to limit their ability to obtain truthful news and to speak to relatives in Ukraine and abroad, and of course they also want to control the internet traffic,” Zhora says.

Just as many Ukrainians rushed to join the military and local territorial defence forces in recent months, and thousands of foreigners travelled to the country to fight, so volunteers at home and abroad have helped stiffen the country’s cyber protection.

Individual hackers and collectives such as Anonymous pledged to help Kyiv by attacking the online resources of Russia and its ally Belarus, and volunteers co-ordinate operations via a Telegram account called IT Army of Ukraine which has 248,000 subscribers.

Zhora explains that no Ukrainian agency has the official role of conducting cyberattacks, “but operations are organised and executed by an army of volunteers. They select their targets. We are grateful to all those people who are helping us to resist.”

When asked recently what Washington had done digitally to help Ukraine, Gen Paul Nakasone, the head of the US national security agency and the country’s cyber command, said: “We’ve conducted a series of operations across the full spectrum; offensive, defensive, information operations.”

“One of the things that I certainly have learned is these partnerships are really powerful,” he told Sky News of US co-operation in digital security with Kyiv and other capitals.

“You look at and you see how the Ukrainians have been able to maintain an open internet during this time of crisis and conflict, [and that is] really a great tribute to them.”

Zhora calls the effort to preserve and protect Ukraine’s connectivity “a real public-private partnership” that unites Kyiv’s state agencies, western backing, eager “hacktivists” and tech firms including Elon Musk’s SpaceX, which provided thousands of Starlink satellite internet dishes to the embattled nation.

“I believe everybody has been surprised by Ukraine’s ability to resist in cyberspace,” says Zhora. “And hopefully it was the biggest surprise for the Russians.”