Cyberattacks Undermine Ukraine’s Security
Analysts highlight key weakness in hybrid war, alongside military build-ups and disinformation.
Cyberattacks Undermine Ukraine’s Security
Analysts highlight key weakness in hybrid war, alongside military build-ups and disinformation.
A major attack by unidentified hackers has highlighted Ukraine’s cybersecurity vulnerability, with experts warning that Soviet-style bureaucracy still paralyses the administration’s response to such threats.
President Volodymyr Zelensky has made clear his intention to prioritise the country’s digitalisation, with the budget to modernise the system solid and supported by international donors. Nonetheless, a series of cyber-attacks in recent years has wrought havoc on state entities and private companies alike.
Most recently, on January 13, thousands of Ukrainians were met with a sinister message when they tried to log into the internet sites of about 70 governmental, non-profit and IT organisations, including the country’s security and defence council.
"All information about you has become public, be afraid and expect the worst,” read the message, in Polish, Russian and Ukrainian. “This is for your past, present and future."
The strike also paralysed Diia, the e-civil register providing people with official personal documents, including vaccination certificates. Launched in late 2019, the website and mobile app is used by one citizen in four - and many panicked at the threat of leaked personal data.
“There have been at least three possible attack vectors,” Andriy Baranovitch, a leading Ukrainian cybersecurity expert, told IWPR. “A CMS - content management system - on which many official websites have been built, had a vulnerability. Some governmental computers have been likely penetrated by malware. The hackers also broke into the web resources of a company that has developed some governmental portals, including Diia, and use its access. That company's website is still under restoration.”
Ukraine's SBU state security service and ministry of digital transformation stated that the cyber trail led to Russia’s intelligence services, with possible assistance from Belarus. In a statement, the ministry said that “Moscow continues to wage a hybrid war and is actively building up its forces in the information and cyberspaces," noting that the goal of the breach was “not just to intimidate society, but to destabilise the situation in Ukraine by stopping the public sector's work and undermining Ukrainians' confidence in their government”.
On January 21, an anonymous, newly registered user of a popular IT forum posted a request of 15,000 US dollars for 13.5 million users data from Diia and offered gigabytes of samples. In several hours, the price rocketed to 80,000 dollars.
The ministry of digital transformation said that the documents were not recent and belonged to a 2019 breach. Experts, however, pointed to data from no later than December 2021 and specific scanned papers and code samples that led directly to Diia.
Officials also insisted that the mobile app itself did not store users' personal data and is unbreachable. They did not mention the website, however, and cyber security experts noted that the hackers presumably took the data from the cache of the Diia website.
Experts say that these attacks form a piece of the puzzle of Russia’s hybrid war, complementing military build-ups and attacks and an active disinformation campaign. The Kremlin denied any involvement in the cyber strike.
Russia is thought to be behind attacks on Ukraine’s power grid in 2015 and 2016, which resulted in power outages for hundreds of thousands of households, largely in the west of the country. In 2017, Ukraine was also the epicentre of a global outbreak of ransomware known as NotPetya, attributed to the Sandworm Russian hacking group. Ukraine's SBU reported that it neutralised about 1,200 cyber-attacks or incidents in just nine months last year.
NATO’s secretary general Jens Stoltenberg said on January 14 that the alliance would sign an agreement with Ukraine on enhanced cyber cooperation, which would give it access to the organisation’s malware information sharing platform.
IT experts have long warned against Ukraine’s cyber vulnerability, noting that the government’s digitalisation was weak.
"We have about 100,000 governmental and municipal bodies. Most of their employees don't even know how to put paper into a printer,” Baranovitch explained. “All the Ukrainian IT specialists are not enough to handle this entire horde. And the country’s so-called cybersecurity system is built in a way to take away responsibility from anyone as it is dispensed among various ministries and contractors."
Baranovitch is a former member of the hacker group RUH8, which used to steal and leak sensitive Russian information, including the mailbox of Russian presidential aide Vladislav Surkov. The group later expanded its activities so as to test domestic cybersecurity.
Modernisation efforts started in the mid-2000s as the government looked at the digitalisation reforms that former president Mikhail Saakashvili spearheaded in Georgia. In Ukraine, however, the process dragged on.
Zelensky has said that he wants to speed up digitalisation and the transformation of state bureaucracy, while moving away from the corruption and dysfunction of the post-Soviet era.
A close ally, Mykhailo Fedorov, has led the activities of the ad-hoc ministry of digital transformation, but experts warn that the process has not been accompanied by adequate security measures.
Red flags were raised soon after Zelensky's election in 2019, and then in 2020 when significant amounts of citizens' data were leaked first from private companies' databases, then from state entities. The government did not take any serious measures and there was much mockery on IT-specialised web fora in response to Fedorov’s statement that "the role of cybersecurity has been overestimated”.
Ukrainian hacktivists’s criticism have put them at odds with the government. In 2019, security service operatives searched the apartments of Baranovitch and other hackers, suspecting they were behind a breach of the information systems at Odessa’s airport. They denied the accusations, claiming that the accusations were intended to limit their activities both in Ukraine and in Russia, as the then newly-elected Zelensky considered a fresh approach to relations with the Kremlin.
While the state has been slow to react to warnings of potential vulnerabilities, private companies have been far more agile. In 2016, an IT specialist found a bug in a newly launched user's cabinet of Kyivstar, one of the largest Ukrainian telecom operators. The company’s cybersecurity team took measures within minutes. In 2017, the mobile provider was one of the targets of the NotPetya ransomware attack, and subsequently revised its entire cybersecurity architecture.
In a written comment to IWPR, Yuriy Prokopenko, who leads the mobile provider’s cybersecurity team, explained that there was “a regular monitoring of vulnerability management infrastructure," with both static and dynamic testing and penetrating assessment of new codes.
These measures however are beyond state resources, noted an industry veteran who spoke to IWPR on condition of anonymity.
While cyberattacks could not be prevented, it was possible to protect platforms and data from serious damage and leaks, he said, adding that more capacity was needed “so that each code could be checked by three or five other professionals.” Developers should also be paid more, he added.
The lack of a clear and agile strategy with regards to cyber security has resulted in making the digitalisation system vulnerable to attacks, experts note
"The digital ministry tries to build a Chinese mega-register on the Soviet bureaucratic system," Baranovitch said. "We have been telling them for two years that the result of the automatisation of a mess can be only an automated mess."
This publication was prepared under the "Amplify, Verify, Engage (AVE) Project" implemented with the financial support of the Ministry of Foreign Affairs, Norway.