Weeks before the first tanks rolled over the border, Russia’s war with Ukraine had already begun in cyberspace.
Victor Zhora, a former businessman, found himself on the front line fending off attacks on his country’s infrastructure and the general population. He had only been the chief digital transformation officer of the government’s cybersecurity agency, the State Service of Special Communications and Information Protection of Ukraine (SSSCIP), for 13 months when fighting erupted.
Ukraine managed to defend itself from cyberattacks in the first year of the war, but concerns have escalated in recent months that Russia is preparing to launch a new online offensive. There has already been an escalation in attacks on countries allied to Ukraine, such as Poland and the Baltic states.
The UK government recently sanctioned seven Russian nationals for cybercriminal activities estimated to have extracted £27m from 149 Britain-based organisations but, as Ukraine’s top cybersecurity official notes, there are still no international mechanisms for prosecuting cyber-warfare. Ukraine has called for a global approach to the problem by proposing a “cyber United Nations”. This week, the Ukrainian president Volodymyr Zelensky visits the UK for discussions with Prime Minister Rishi Sunak, including military aid for Ukraine.
Zhora recently spoke to New Statesman Spotlight about the long-term impact of the conflict on cybersecurity. The conversation has been edited for length and clarity.
What cybersecurity challenges is Ukraine facing now? And how well prepared were you at the start of the war?
Russia’s invasion of Ukraine in cyberspace started on 14 January. What can be rightfully called the world’s first cyberwar started on that date, when Russian hackers attacked Ukrainian government and information sites, such as the Ministry of Education and Ministry of Foreign Affairs.
When it comes to fears, the main one probably was that we would not have enough resilience to confront the enemy. Firstly, before 24 February 2022 [when Russia invaded Ukraine] Russia had succeeded in creating and maintaining the image of the powerful “war machine”, “the world’s second army”, which, to an extent, was also true for Russian military hackers and hacker groups controlled by the Russian government. Secondly, we have seen complex and powerful attacks on our public and private systems since 2014, so we knew what to expect.
Our team’s work at the SSSCIP during the years since 2014 [when the Russian-backed war in the Donbas region started, and Russia annexed Crimea] was aimed at enhancing our ability to defend ourselves: training, engaging the best professionals, establishing durable and efficient relations with the civil sector, businesses and international partners. It had an effect. We are now stronger than we were, say, two years ago; we have better capacities. We are perfectly aware of the fact that the enemy might have hidden [something] in our systems and be waiting for the right moment to attack, so we keep working to detect the enemy and improve our capability to identify and fend off attacks.
To date, our Computer Emergency Response Team of Ukraine [CERT-UA] is tracking the malicious activities of more than 85 hacking groups, most of them associated with the Russian Federation. According to our observations, about 90 per cent of Russian hacking groups belong to uniformed services, such as the military or security services, and are either coordinated by or coordinate with Russian military command. The cyberwar component has become a major part of the ongoing hybrid war against Ukraine. Cyberattacks complement both the enemy’s ground offensives and psychological operations [psy ops].
Since the beginning of 2023, we have detected a decrease in the total number of cyberattacks waged by pro-Russian hacktivist groups compared with the previous quarter, with 549 cyber-incidents and cyberattacks processed by CERT-UA between January and April this year. But the complexity, systematic nature and intensity of such attacks remain high.
A certain decline in the number of attacks may also indicate that technology sanctions against Russia and the global community’s efforts to reduce Russia’s cyberattack potential might be effective. Resources are needed to prepare cyber-operations, to purchase specialised tools to engage freelance and “black” hackers from the outside, to build attacking infrastructure inside the country or on external hosting services, the latter being quite complicated lately because all the intelligence services around the world are closely monitoring such things, including activities on the dark net.
No one can build an infrastructure for cyberattacks out of nothing. So, I do want to believe that it’s a sign that sanctions are working and a signal for us and the global community to keep enhancing them.
What type of attacks have you seen, and at what scale?
Most cyberattacks against Ukraine are waged from the Russian Federation and the Republic of Belarus. Our country has been among the few primary targets for Russian hackers for the last eight years. The key difference we are observing at the moment is that our partners in other countries focus their own efforts mostly on countering ransomware, ie a type of malware that encrypts data and demands a ransom to be paid off. Perpetrators rarely use this type of malware against us. Instead, they mostly use “wipers” that do the same without demanding a ransom, but are intended for data deletion and destruction of information infrastructure.
Among other methods are website hacking to disseminate propaganda and fake news which is considered a subversive activity, psy ops against Ukraine, disruption of data transmission and telecommunication operators, media interference and TV and radio broadcasting signal interception. We are talking about disrupting the sustainable operation of public electronic services, network-hacking attempts aimed at accessing databases containing people’s personal data or other sensitive information, attacks against the financial sector to steal money or block the operation of the financial system, distributed denial of service [DDoS] attacks on essential web services and web resources, malware dissemination, phishing attacks against specific officials and public figures, and supply chain attacks on the energy sector and other critical infrastructure.
How have the tactics of the attackers changed since the war began?
Early cyberattacks focused on the media and telecommunications, since the Russian authorities expected a swift victory and hoped to influence Ukrainians through the mass media, to scare us. Later on, both the Russian army and hackers shifted their focus towards the energy sector.
We have been in a full-scale cyberwar with Russia since 14 January 2022. Before that, Russia had spent years trying to attack our energy sector, election system, businesses and public information resources. Its present-day purpose is obvious – to destroy all the critical information infrastructure while its army has been doing the same in the physical space since 24 February 2022.
What cybersecurity support would you like to see from Ukraine’s allies?
The whole civilised world is now trying to help us. We are especially supported by the partners that supported us way before the full-scale invasion: the United Kingdom, countries of the European Union, the US, Canada and others. Right now, we are focusing not merely on partnership in a broad sense, but on building equal relationships with various countries, on creating joint actions to oppose cyber-aggression, and the advanced training of personnel.
Speaking about specific needs, we have a number of projects that should strengthen our capability to fend off cyber-threats. Those include the need for mobile data processing centres, the need for powerful and advanced tools for investigating cyberattacks; we also need to arrange regional cyber-training grounds, to enhance sectoral security operations centres [SOCs] and sensor infrastructure for SOCs. We need more joint training exercises.
What other support would be feasible? A full ban on any technology transfer to Russia. The aggressor should go back to the Stone Age and use mechanical calculators at best instead of advanced computers. The aggressor should have no software licences, no high-tech server equipment to wage their cyberattacks, and no money to fund military and cyber-aggression. Anything that makes the aggressor weaker is a benefit for all of us. Of course, it’s hard to compare the efficiency of technology sanctions with an oil or gas embargo. But I guess a full IT embargo against Russia would be of great help if there was a way to impose it.
What is the war’s legacy for cybersecurity?
The key lesson is that the enemy is insidious and well prepared; Ukraine keeps fending off attacks as efficiently as it can, but it is impossible to confront such an enemy alone – we really need help. Plus, realising that the cyberwar is going on at a global scale, we are ready to share our experience and cooperate with partners.
Government-sponsored terrorism is a key threat to the global democratic community. The global community possesses a mechanism of designating a country as a state sponsor of terrorism in response to its aggression. But we have no effective mechanisms of punishment for cyber-aggression. There is no way to designate a country as a cyberterrorist.
This is why the issue of cyberterrorist governments should also be addressed at the international and global levels. It is not just about economic sanctions or export restrictions for new technologies. It is about physical restriction of access to knowledge, conferences and research, about a complete exclusion from both exchange of knowledge and policymaking in cyberspace. It is about tightening control over the spread of licensed software, as well as strengthening the response to unlicensed software distribution. It is about responsibility for cybercrimes. About a tribunal for cybercriminals. A permanent tribunal.