Ukraine is not yet ready for cyberwar

Original: Czech portal

The war in Eastern Ukraine is no longer limited to the Donetsk and Lugansk regions, nor does it take only the form of armed clashes. The conflict between Russia and Ukraine is also being fought in cyberspace. On December 23, 2015, at around 17:00, the energy company “Prykarpattyaoblenergo” announced a failure in the electricity supply in the Ivano-Frankivsk region. It later became known that this was a massive cyber attack that took 30 substations offline and left 80 thousand people without electricity. Until then, cyber war in Ukraine had been very limited and was often described as the war that never was. Has the attack on the electrical grid changed cyberwar in Ukraine? Is cyber war a real threat?

Before the Ukrainian revolution of 2013, cyberspace in Ukraine was no different from the rest of Eastern Europe. The cases were typical cybercrime: phishing campaigns, malicious programs that block a user's access to the computer and demand a ransom, industrial espionage, and hacking and cyber-vandalism in the form of DDoS attacks or defacements (replacing a web page with another) against state institutions. Immediately after the revolution, however, cyberspace changed.

According to the head of the Ukrainian CERT-UA, Nikolay Koval, the level and sophistication of the cyber attacks and of the viruses used changed during the revolution. The head of the Kiev office of the international IT security organisation ISACA, Makarenko, added that after the events on the Maidan a DDoS attack was carried out continuously for two weeks. The political context, targets, timing and technological level of the attacks suggested that behind them stood a very well-funded team of experienced staff with an obvious political interest, namely in attacks on Ukrainian state targets.

One of the most recent and largest cyber attacks in Ukraine took place on 21 March 2014, when the group “Cyberberkut” attacked the pages of the Central Election Commission (CEC) during the presidential election, where the results of the vote were published online. For 20 hours the site remained inaccessible, and then it displayed information about the victory of the leader of the radical “Right Sector”, Dmitry Yarosh. It was a well thought out and well prepared attack.

For the attack on the CEC, “Cyberberkut” allegedly took advantage of a zero-day vulnerability, which as a rule is the prerogative of states, or at least of state-funded groups, because zero-day vulnerabilities are expensive and less accessible to non-state actors. Zero-day vulnerabilities are software errors that arise when the software is created. Once discovered, hackers turn them into their strongest weapons.

This incident very accurately conveys the nature of cyber attacks in Ukraine: they are purely political and informational, and inextricably linked with the overall approach to cyberspace. Russia speaks exclusively of information security, not cyber security, and of the use of information as a weapon. In the context of Russian propaganda and manipulation of information, this approach is not surprising. But the attacks on news sites and news agencies are, of course, not one-sided: both pro-Western and pro-Russian news agency sites in Ukraine have suffered several attacks.

Among those behind the cyber attacks in Ukraine are the Uroburos and Sandworm groups, known as APT 29 and behind the attack on the company “Prykarpattyaoblenergo”. The most notable group, however, is APT 28, which operates, in addition to Ukraine, in Turkey, Poland, Hungary, the Baltic States, the Caucasus and Norway, and against organisations such as NATO and the OSCE. This is one of the most significant and sophisticated Russian cyber groups. For its attacks APT 28 used zero-day vulnerabilities in Adobe and Windows products obtained from the notorious organisation Hacking Team, which develops spyware and other cyber tools for states around the world. For its attacks APT 29 repeatedly used so-called backdoors, which open unlimited and full access to the targeted computer. The group built a backdoor in an innovative way through Twitter and GitHub pages, which allowed it to upload the necessary data to hosting servers to which the hackers had access.

APT 29 was able to hide itself among the many online transactions conducted by its victims during the working day. Both groups use social engineering and phishing campaigns to gain access to their victims' systems. As with APT 28, the activity of this group is attributed to Russia for several reasons. APT 29's targets fully correspond to the geopolitical interests of the Russian Federation, and the high technological level of its attacks speaks of significant financial and human resources. These organisations operate exclusively during business hours in the Moscow time zone, and their work is suspended during Russian national holidays and weekends.

During the attack on the Ukrainian power company, the hackers infiltrated the system using stolen access credentials to the company's IT system, obtained through a simple phishing campaign using the BlackEnergy3 malware hidden in Word and Excel documents. Gaining access to the industrial control system, which allowed the hackers to cut off electricity to 80 thousand people, was far more sophisticated. For half a year before the attack, the hackers collected information and monitored the structure of the network and its security, but above all sought ways to access the virtual servers on the company's internal network through which they were able to reach the physical means of grid management.

The hackers managed to implant a specially designed KillDisk virus in the connectors between the ordinary Internet and the serial connection at the physical electricity switches at the substations, which disabled them and erased all data. It was thus a very time-consuming operation. That was the first massive attack of this type on critical infrastructure. According to members of the US ICS-CERT, which worked with the Ukrainians in the investigation of the incident, a similar attack could be carried out against anyone.

So is such an attack possible against all power grids? The leadership of the Slovak CSIRT centre, like many other experts, considers this attack mediocre. Given that the hackers had access to the system for six months and were remotely connected to the physical means of grid management, the problem could have been solved by any program designed to monitor the security of IT systems, which can easily be downloaded from the Internet and which would have revealed any such activity. The BlackEnergy attack, as it came to be called, rather revealed the weakness of cyber security in Ukraine. This is confirmed by the fact that during the attack the hackers carried out a DDoS attack on the energy company's call centre, making it impossible for customers to communicate with the firm. All this revealed the company's incompetence in the field of security.

Thus, this attack can be considered rather an exception and a complete failure on the Ukrainian side. Cyber attacks in Ukraine are purely informational, and BlackEnergy was the first attack to cause real physical consequences. Instead of destructive cyber attacks on Ukraine's military power in the war in the East, hacking campaigns focus solely on obtaining information or stealing sensitive data or military intelligence documents. The ability of Russian hackers to redirect the GPS signal through their own network was not used for attacks; it was used exclusively to obtain information.

One of the largest cyber campaigns was Operation “Armageddon”, a large-scale espionage campaign against the Ukrainian administration, army and secret service, launched in 2013, during which the hackers used fake software updates for Internet Explorer, Adobe Flash Player and Google Chrome to hide the theft of information and other actions within the victims' systems.

The actions of groups such as APT28 and APT29, focused primarily on obtaining information rather than on large-scale attacks, reflect Russia's approach to cyberspace, which is based on the concept of information warfare and information security. The events in Ukraine suggest that the concept of cyber warfare should rather be understood as information war. Cyber warfare can have a strategic, rather than purely military, effect. Thus, attacks can only be supplementary to a traditional kinetic conflict.

However, and this represents a great danger, such use of cyberspace has an obvious psychological effect through its influence on public opinion, undermining the legitimacy of state authorities and creating an atmosphere of fear and chaos. From a military point of view, it is about the manipulation of data, software and information.

Attacks with serious consequences, which require large financial and technological support, would not fit into the official discourse of contemporary Russia, which claims it is not involved in the war in Ukraine. In the event of open war, of course, things could change. In Ukraine, however, a physical assault was easier and yielded much more tangible results.

One of the first buildings seized during the capture of Crimea by the Russian “green men” without insignia housed the office of an Internet Exchange Point: thus the Russians immediately took control of the Internet in Crimea, without any need for a cyber attack. Similarly, Ukrainian right-wing extremists simply blew up the power lines connecting the substations of Ukraine with Crimea. Cutting the wires, in other words, is still the easiest and fastest method of fighting.

Before the incident with the electricity network in the Ivano-Frankivsk region, none of the cyber attacks in Ukraine had resulted in physical damage. Russia has thus confirmed that cyberspace provides a great opportunity for hybrid war, primarily through the use of the grey areas of international law and the lack of technical capacity to attribute legal responsibility for a cyber attack to anyone. Given that the attack on the Ukrainian electricity network was only mediocre and the incident was easily overcome, cyberwar by itself does not pose a direct threat.

But the threat of information war, and the fact that the defence ministries of several European NATO member countries do not specifically address the concepts of cyber and information security, is, in light of the events in Ukraine, of course a matter of great concern.

Peter Bohacek

Translation: InoSMI