Russia’s other dangerous weapon against Ukraine? Cyberattacks

The attack began just before noon.

First the websites of Ukraine’s Defense Ministry and army went dark. Then customers of the country’s two largest state-owned banks couldn’t access their accounts — or, worse, saw their balances suddenly drained to zero. Fake text messages from Polish, Austrian and Estonian numbers popped up on their phones, warning them that ATMs were down.

“Then the snowball started to roll,” said intelligence officer Yuri Shchigol, as the massive Feb. 15 online assault engulfed Ukraine’s central bank, the president’s office, the Foreign Ministry, the security service and a raft of other state portals, disabling their websites for hours.

By early the following morning, the disruption was largely over. It left little damage: Even those whose bank accounts showed zero found their money untouched. But for Shchigol and others in Ukraine’s cybersecurity corps, it was yet another onslaught in an eight-year war that — unlike its real-life counterpart — has never quieted down.

Another attack Wednesday hit a number of banks as well as the national parliament, the Cabinet of Ministers and Foreign Ministry websites. Early Thursday, Russian President Vladimir Putin announced that he would proceed with a military operation in Ukraine. Ukrainians woke up to the sounds of explosions in what Putin referred to as the “demilitarization” of Ukraine, demanding that the Ukrainian military stand down.

As for the cyberattacks, Ukraine has no doubt who’s behind the mischief: Russia, known worldwide for its legions of hackers and online subterfuge, including a disinformation campaign aimed at disrupting the 2016 U.S. presidential election. And regardless of what Putin does with as many as 190,000 troops assembled around Ukraine’s borders in coming days — whether he launches an all-out invasion of Ukraine or a more limited ground assault — as far as Shchigol is concerned, the two countries were already locked in combat.

Politics

Full coverage: Russian troops advance toward Ukraine capital of Kyiv

Russia pressed ahead with its assault on neighboring Ukraine on Thursday, with explosions resounding in cities across the country, airstrikes crippling its defenses and reports of troops crossing the border by land and sea.Map: Tracking the invasion of Ukraine | How to help: California organizations supporting Ukraine | What our foreign correspondents are seeing in Ukraine | Photos: Invasion of Ukraine begins

Feb. 24, 2022

“For most people, the start of this war is the crossing of Ukraine’s borders,” said Shchigol, who heads Ukraine’s technical and security intelligence service, known as the SSSCIP. “But the war in cyberspace is ongoing, and we’ve been monitoring and defending against attacks from Russia for years now.”

Still, though the incident was relatively harmless, with the spike in hostilities between Kyiv and Moscow reaching a crescendo, the fear is that these attacks are part of a so-called hybrid war — mixing conventional tactics with disinformation and cyberassaults to destabilize the Ukrainian government and ignite chaos across a society that is feeling increasingly vulnerable. That has spurred the U.S., Britain and the European Union to dispatch teams or offer other assistance.

But the more ominous scenario — Ukraine declared a nationwide state of emergency Wednesday — is that online attacks may be a practice run. Cyberwarfare would certainly be a powerful component in any military offensive, said Tim Conway, an instructor at Sans, a training institute. In December, Conway visited Kyiv to run so-called grid wars exercises for electric companies.

“We’re talking about critical infrastructure attacks, impacting normal daily human lives as part of a conflict where that wasn’t in the playbooks before,” he said.

In the meantime, the severity of the attacks is escalating. Last week’s incident had as its centerpiece what security officials describe as the largest attack of its kind in Ukraine’s history — a so-called distributed denial-of-service, or DDoS, attack designed to deluge servers with traffic to the point where websites they’re hosting are no longer accessible.

Although DDoS attacks are pretty routine — “we face them every day,” Shchigol said — what made the Feb. 15 assault unique was the sheer scale, not to mention the number of services it targeted.

A standard denial-of-service attack, the type first encountered as far back as the 1990s, overloads a victim’s system by sending a large number of pings, including connections, requests or other data. The point is to overwhelm the target’s bandwidth so that it can’t process genuine traffic.

A distributed denial-of-service attack does the same but from different computers or networks acting in concert. The severity of a DDoS assault is measured in gigabits per second, with most platforms designed to protect against attacks as large as 450 gigabits per second.

The one last week “was massive,” said Yevhen Bryskin, a 29-year-old member of the SSSCIP’s emergency response team. He added that it measured a whopping 1.7 terabits per second, almost four times what defensive systems could handle.

With his black hoodie, slight frame and pale skin, Bryskin looked more hacker than army recruit, which is what he had been before joining the SSSCIP.

His relative youth is par for the course at the UA30 Cybercenter, which includes the emergency response unit as well as other threat-assessment teams. Since cybersecurity came into its own as a skill set fairly recently, Shchigol explained, that means specialists in the field skew young; all of his team is under 30. Shchigol is 38, with piercing eyes, no wrinkles and a cleanshaven face.

And they have a lot of work. “Every quarter witnesses a 10 to 12% growth in attacks,” Shchigol said.

Standing before a bank of desks arranged in rows, with a pair of computer monitors on each one, he pointed to a large screen on the opposite wall. It showed the image from a workstation displaying threat statistics from the last three months broken down by type of incidents, their targets and severity.

The tally of the last three months was some 654 attacks, more than half targeting Ukrainian government websites and almost a quarter aimed at local companies.

“Usually, cyberattackers’ intention is to earn money,” Shchigol said. “But in our case, the attacks on state services certainly have another purpose.... You can’t earn money by attacking government systems.”

Instead, the aim is clearly to destabilize Ukraine’s government, Shchigol said, and the attacks are “certainly coming from one particular state.”

For Ukraine, none of this is new. Since 2014, when the government started battling Kremlin-supported separatists in the country’s Donbas region, it’s endured some of the world’s most spectacular cyberattacks. In December 2015, there was Sandworm, a hack that shut down the power grid for about 230,000 people.

A similar attack in 2016 knocked out a fifth of Kyiv’s electricity. A year later came NotPetya, a computer virus that encrypted data at Ukrainian banks, electricity firms, government ministries and organizations; by the time it was done, it had spread to at least eight other countries, including Russia, causing billions of dollars in damage.

Most countries aren’t doing enough to stop cyberattacks. Even those that are invest only enough to handle criminal or so-called ransomware networks, not state-funded adversaries, Conway said.

“Could they stop a state-funded attack? I don’t know which country could,” he said, adding that the focus is not on prevention but on limiting damage and reducing downtime.

The problem is compounded when an enemy uses a cyberattack as part of a larger strategy — especially because the enemy can anticipate the response and counter any attempts to restore networks or grids. Besides, Conway added, “even if you’ve arranged cyberdefense in a good way, managed the risk and it can’t be better, when you add a physical component, it shifts the game again.”

In the meantime, the specter of higher-grade cyberattacks has sparked fears that the fallout could hit well beyond Ukraine. Last month, Microsoft shared information on malware that targeted Ukrainian ministries. Then came warnings from the Department of Homeland Security and the FBI.

In February, the Cybersecurity and Infrastructure Security Agency issued a “Shields Up” alert for American organizations, warning they should adopt a “heightened posture” ahead of any escalation by Moscow.