UKRAINE MAY BE WINNING ‘WORLD’S FIRST CYBERWAR’

by Oleksiy Sorokin

August 4, 2023

The Kyiv Independent

 

For Ukraine’s main cybersecurity agency, Russia’s full-scale war began over a month before Russian tanks rolled into Ukraine from all directions – with a large cyber attack on Jan. 14, 2022.

“It all started with an attack on state authorities, it was the largest attack in 17 years,” says Yurii Shchyhol, head of the State Special Communications Service, which is responsible for defending Ukraine’s cyberspace.

Shchyhol says over 90 government websites were targeted, about 20 of them were defaced, and some data was erased. It took Ukrainian authorities 2-3 days to get those websites back up.

“This was the first indication for us that (Russia) was planning something big,” he adds.

The month leading up to the full-scale invasion, Ukraine experienced several major cyberattacks – on Feb. 15 and Feb. 22.

By the time Russia launched its full-scale war, Ukraine was ready to face Kremlin’s cyberwarfare, taking place alongside the ground offensive.

The 7,500 employees of the Special Communications Service are now in charge of protecting Ukraine from cyberattacks, ensuring the military and political communication is secure, and conducting online operations to hamper Russia’s war effort.

The agency has also created a database of critical infrastructure, and coordinates its defense.

“There has never been such a war in history,” Shchyhol, who took charge of the agency in 2021, says. “It is the world’s first cyberwar in general, and there is no country in the world (except Ukraine) with this experience.”

He adds that Ukraine has faced around 20 cyberattacks per day since February 2022, with most of them deterred automatically, while some requiring timely intrusions by the agency.

In the 16 months since the start of the full–scale war, Shchyhol says Ukraine hasn’t lost any critical information, nor were any major systems downed.

Shchyhol says the agency is now drawing up a list of sanctions and laws required to stop Russia from being able to conduct cyberwarfare.

“Even after our victory on the ground, we understand that the cyberwar will not cease, and they will persist in attacking our systems,” Shchyhol says.

“Therefore, our international partners are currently working on creating conditions that will ultimately compel Russia to stop threatening Ukraine and the civilized world,” he adds.

“Our goal is to push them back into the intellectual and IT Middle Ages.”

Preparing for cyberwarfare

Russia launched an invasion of Ukraine in Crimea and Donbas in 2014. It soon turned to cyberwarfare to accompany its conventional attacks.

In 2017, Ukraine was struck by a series of powerful cyberattacks using the NotPetya malware that swamped banks, energy companies, government websites, and many non-governmental organizations.

NotPetya ransomware was designed to cause substantial destruction and Ukraine was the primary target of the attack.

For a brief time, Ukrainian cyberspace was left defenseless.

Shchyhol says that’s when the state began to prepare for cyberwar. Reforms soon followed.

“We created a national coordination center and a corresponding unit within the security service. This service acquired new powers,” Shchyhol says.

The agency gained complete control of Ukraine’s cyberdefense but simultaneously decentralized it, transferring some functions to different departments and allowing security specialists to perform tasks without the need to ask the leadership for permission.

The Computer Emergency Response Team of Ukraine (CERT-UA), a structural department of the Special Communications Service, employed young, tech-savvy professionals to counter future attacks.

The Ukrainian government soon issued a decree ensuring that government-employed IT specialists receive a premium for their work.

“We know that they can always find a high-earning job elsewhere, but it’s good that they are willing to help the state,” Volodymyr Kondrashov, spokesman for the State Special Communications Service, said.

Under Shchyhol, the state agency began to work hand in hand with the private sector to help prevent potential attacks on businesses.

“In two years, we managed to build a trustworthy relationship with the private sector, where they started utilizing the services we provide today,” he adds.

Shchyhol also mentions that Ukraine was able to build a relationship with white hat hackers, who helped when Russia was about to launch the full-scale invasion.

“We didn’t assume any authority, we wanted their assistance. And it was these people who on Jan. 14, during the first major attack, said, ‘we are with you,'” Shchyhol says.

However, experts say the scale to which independent IT specialists influenced Ukraine’s cyberdefense is greatly exaggerated.

Battle-hardened cyber defense

“Today, we possess the greatest competence in the world when it comes to repelling attacks,” Shchyhol says.

In 2022 alone, the CERT-UA team manually deterred 2,194 attacks. That’s over six attacks per day. The number of cyberattacks deterred automatically is approximately 20 per day, Shchyhol says.

To prevent such attacks, the State Special Communications Service works alongside cyber police, which investigates the attacks, and the National Security and Defense Council, which recommends sanctions and legislation.

“Before the full-scale war, we could hardly imagine that all these entities would work toward a common goal and collaborate,” Shchyhol says, referring to infighting to which Ukrainian state agencies were prone.

Sitting in a refurbished office in an old Soviet-built building, Shchyhol says Russia continues to methodically attempt to find holes in Ukraine’s cybersecurity.

“All the activities of their hacker groups are part of a unified plan and are coordinated with other hacker groups in Russia under state control,” Shchyhol says.

When Russia began bombarding Ukraine’s energy infrastructure in October, Shchyhol says, its cyber arm “shifted focus to attacking energy infrastructure, attempting to disrupt energy distribution networks in conjunction with their missile attacks.”

He says that one attack that would have halted Ukraine’s electricity supply was deterred last minute, adding that it’s a 24/7 job to keep Ukraine’s critical infrastructure online.

Shchyhol believes that Ukraine shouldn’t underestimate Russia’s abilities to deliver a blow.

“They will always seek out vulnerabilities to penetrate our defense system, just as they do on the battlefield.”

That’s why Shchyhol says his agency is also looking for ways to deprive Russia of the ability to continue its ongoing cyberattacks.

“They must be excluded from all international organizations and isolated from the civilized world to prevent them from accessing technologies. Only then can there become a guarantee of our future security,” Shchyhol says.

He adds that, despite Russia’s ability to bypass sanctions, a significant portion of their equipment, such as the one made by U.S. tech corporations Cisco and IBM, does not receive support or license updates.

“In six months to a year, it will reach a point where it won’t function at all, impeding their ability to launch attacks,” Shchyhol says. “Thus, time is working in our favor.”

Front-line struggles

Despite some success, Ukraine is still facing cyber issues that need to be tackled, and some of them are experienced right on the battlefield.

Soldiers who spoke with the Kyiv Independent said they had encountered problems with basic communications, sometimes having trouble reaching units stationed 100 meters away.

Shchyhol says it’s an acute issue they desperately want to solve.

“They (Russians) launched attacks on Viasat (satellites), for example, during the first night of the invasion, followed by attacks on Ukrainian providers and operators,” Shchyhol says, adding that it created chaos early into the full-scale war.

Viasat is an international satellite used by multiple countries but Ukraine suffered the most, according to Shchyhol. “At the beginning of the full-scale invasion, the backup communication lines for the Armed Forces were established through Viasat,” he says.

Shchyhol says most problems are solved now with the help of the Starlink satellite internet, with Ukraine using over 20,000 of Elon Musk’s terminals, but adds that jammed radio frequencies remain an issue.

“If we are talking about Bakhmut or any other hot spot, they employ means of electronic warfare, unfortunately. When they activate all their possible means, it affects our communication,” Shchyhol says.

“If we are referring to hot spots, it is quite effective. They utilize all their electronic warfare systems and can disrupt the stability of our communication.”

Shchyhol says Western countries substantially helped Ukraine by providing equipment to counter Russian attempts to disrupt front-line communication.

“It is (now) impossible to jam absolutely everything. Radios work in certain frequency ranges, Starlink works in other areas, Viasat works in specific locations, and other satellite devices operate elsewhere,” he says.

Enemies from within

Another major issue that Shchyhol’s agency struggles with is securing Ukraine’s critical infrastructure from Russian attacks offline.

Ukraine lacks air defense to protect all infrastructure, and until recently, it lacked a registrar of all such sites required to make a qualified assessment of what needs to be defended first and what specific gear needs to be employed.

“Our task was to create a unified register where each level of criticality corresponds to the appropriate protection measures,” Shchyhol says.

“The General Staff can determine the most effective placement of the Patriot system to cover the nuclear power plant and other critical infrastructure facilities,” Shchyhol says, pointing to the fact that a registrar helps the army make such decisions.

“Regarding anti-aircraft defense, it involves comprehensive coverage of multiple objects rather than just one. Different requirements apply to a nuclear power plant compared to a hospital, for example.”

However, one issue which Shchyhol says his agency can’t help resolve is the threat of sabotage by Russian-linked actors.

Russian-linked business people own critical infrastructure in Ukraine, which is constantly targeted by Russian missiles. Shchyhol believes they may have access to sensitive information such as the exact locations of certain infrastructure sites.

Before the full-scale war, Russia’s VS Energy, owned by Russian Kremlin-linked businessmen Yevgeni Giner and Mikhail Voevodin and Russian lawmaker Alexander Babakov owned shares in eight Ukrainian regional energy companies, Ukrainian fugitive oligarch with ties to Russian organized crime, Dmytro Firtash, owned 70% of the country’s gas distribution market, while members of the pro-Russian Opposition Platform party had shares in oil, gas and coal plants.

Some of them have ended up on sanction lists of Ukraine, the EU, and the U.S. as soon as Russian tanks crossed into Ukraine in 2022. Others haven’t.

“The Security Service is working on this matter and revokes access for such owners to these systems. This started recently, and it’s just the beginning,” Shchyhol says.

“(Those people) can have access to various systems and registrars, and it is our job to ensure that they meet the requirements set by the state. If they fail to meet these requirements, then it is necessary to hold them accountable, including depriving them of their property rights,” he goes on.

“There is currently no law on liability, but we are working on it.”

 

Oleksiy Sorokin is the co-founder and senior editor of the Kyiv Independent. He is tasked with building the organization and leading the hiring, editing, and newsletter workstreams. Oleksiy occasionally writes, with his latest articles include interviews with top Ukrainian and European officials. For his work, Oleksiy was included in the 2022 Forbes 30 Under 30 list. Oleksiy holds a BA from the University of Toronto.