The Ukrainian crisis – a cyber warfare battlefield


statue300The crisis in Ukraine was the largest battlefield of cyber war since Russia’s cyber-attacks on Estonia in 2007 and Georgia in 2008. Simon Tsipis, cyber warfare researcher at the INSS think tank reports.

Russia has managed to hit almost all Ukraine government websites and it was able to take control and to put on surveillance and monitoring all the Internet and telephone communications lines, before the invasion and occupation of Crimea by its military. Russian Special Forces managed to derail all important communications systems through direct physical impact on them by combined field and high-tech operation.

Cyber espionage is an integral part of military strategy and foreign policy of Russia towards the countries of the former Soviet Union. Being able to access information systems of diplomatic, government and military organizations for many years, since the USSR collapse, giving Russia a huge advantage in predicting their tactics, actions and analyzing the thinking of their neighbours.

The largest military cyber attack was the attack implemented by the Russian Military Intelligence (GRU) on the armed forces of Ukraine, as reported by BBC. According to the law enforcement agencies of Ukraine, Russian cyber attacks collapsed the communication systems of almost all Ukrainian forces that were based in Crimea that could pose danger to the invading Russian troops. Attacks of a lesser scale were directed at government websites, news and social networks. Similar handwriting and set of actions has been committed by the Russian military during the war against Georgia, a fact which suggests that the invasion operation in the Crimea has been carefully planned in advance. The Head of the Security Service of Ukraine, Valentin Nalevaychenko admitted, that mobile communication systems of members of the Ukrainian government were attacked in order to neutralize and disrupt communication between government agencies. As the Ukrainian company Ukrtelecom announced, unmarked gunmen penetrated into their infrastructure objects and the optical fiber and conductor units were knocked out, which in turn led to the collapse of all communication. Despite this, western experts say that Russian forces were relatively moderate in their actions and are able to engage much more global cyber-attacks.

Being able to access information systems of diplomatic, government and military organizations for many years, since the USSR collapse, gave Russia a huge advantage in predicting their tactics, actions and analyzing the thinking of their neighbours

According to a former senior officer of the CIA’s Special Operations department Marty Martin, the more extreme attacks will be held by the Russians in case of greater escalation of the conflict. “Sometimes it is useful to keep some lines of communication working, in order to be able to monitor and control, than completely derail them and deprive yourself from intelligence sources.” says Martin. In fact, experts say, no one in the world so far, including the CIA, is not able to assess the possibility of Russian cyber-capabilities as large-scale conflict with its participation yet haven’t been at place.

Additional obstacle to Western intelligence agencies, in the definition of “friend or foe” and who on which side, was the fact that both sides are communicating virtually on the same language, writing scripts by the similar rules and often attack each other with similar IP addresses.

A founder of U.S. cyber security consulting company “Red Branch Consulting” Paul Rozenshveyg argues that Russia is quite strong in cyber, but he warns that we should not overestimate the cyber-space as a place of major future wars, in comparison with ground operations, if the situation gets out of control. “Cyber attacks will not bring much damage,” Paul said “when the tanks will get on course.”

According to the director of the California based privet cyber-security company “CrowdStrike” Dmitri Alperovitch, there have been observed a great amount of cyber attacks and surveillance activity in Ukraine cyberspace during the crisis. Dmitry also said that despite the fact that both the Ukrainian and Russian hackers came out of the same “schools”, the difference in the capabilities of Russia and Ukraine is essential. Russia, he said, ranks among world leaders for its cyber capabilities, while Ukraine “doesn’t even come close to a third …”

Another expert in this field, the director of the initiative group “Atlantic Council on the State of Cyber-management” and former adviser on cyber-security issues of the White House, for the Bush administration, Jason Harley, argues that today we are witnessing a different approach to cyber warfare from the Russian side, rather than in the conflicts in Georgia and Estonia. Moscow, he says, applied in the Ukrainian case, higher level of “hands-on” attacks. This is, an old school Cold War tactics. Physical contact with cyber equipment in hostile territory is an old, and far not ineffectual way, the Russian security services used to work in the past. In the near future, we will see more large-scale operations by such means, he added. In the case of Ukraine, there was absolutely no difficulty for Russian special forces to penetrate any military or strategic facility in Ukraine, since the equipment and facilities were built by the same experts when the two countries were under one rule. The Russian intelligence services are possessing all the required documents and location maps of all the important objects in the territory of the former Soviet Union, as well as specialists, some of whom participated in the construction of these objects and are today reside in Russia. Thus, says Harley, any kind of intervention or sabotage in the former Soviet Union territories, can be quickly and efficiently suppressed by Russian security services, which makes such attempts almost meaningless. Today, all cyber-space mainly based on remote attacks such as denial-of-service (DDoS), while if physical penetration and chopping off or putting under control of telephone and Internet communication is possible, remote attacks lose most of its effect.

One of the techniques used by the Russians for cyber espionage was the “Snake”, also known as Ouroboros and Uroburos. It was developed in Russia at least four years ago, with some elements of software created in 2005. Its name, Urobos has been taken from Greek mythology and it is capable of inducing chaos in communication system, and this is exactly what it did in Ukraine. What’s interesting about it is the fact, that it is able to combine two in one. It is able to be used as stealthy means for network surveillance and data collection, it can also carry out a ‘warhead’ – able to physically destroy computer networks specifically targeted by its operators. The use of Urobos, along with the physical attacks against networks therefore combined both “old school” operations with modern, cyber warfare techniques to gain the desired impact.

While Russian cyber operations in Ukraine were based on the experience and lessons learned from previous attacks on Estonia and Georgia, they haven’t left ‘fingerprints’ leading to the sources. Todays cyber wars are waged in a domain that lacks rules of war, what could bring a country threatened by such all-out cyber offensive to turn to physical retaliation, in the absence of effective international legal and cyber security tools.

As for the Ukraine, some details on the use of cyber-means in the country are now been disclosed. The extents of the corruption of the Yanukovych’s government, after his overthrow, are crawling out. It became known that in December 2013, when the confrontation on Independence square (the Maydan) were gaining strength, Ukrainian hackers have posted online information about some senior members of the government that appealed to them with requests to crack Internet sites and other resources of the State Government Organizations for personal means. Thus, on the night of December 23 2013, all sites of Ukrainian government were hacked by the cyber-activists. However, hackers have published the stolen information in the public domain, admitting that they were forced to do so, as they had not been paid for hacking the databases. Furthermore, according to those hackers, First Deputy Chairman of the Verkhovna Rada of Ukraine and the former chairman of the State Customs Service of Ukraine Igor Kalyetnik addressed them, requesting access to the Unified State Register of Voters of Ukraine. He asked for “full control over more than a hundred public mailboxes of government members. In addition, hackers received a request to access the e-mail of the Chairman of the Verkhovna Rada of Ukraine Volodymir Rybak and Minister of Internal Affairs of Ukraine Vitaliy Zakharchenko. inss150It is important, that in addition to mail-boxes, Kalyetnik wished to establish control over personal mobile devices of the aforementioned officials. According to cyber criminals, there is still a lot of information at their disposal, and they intend to publish the data of the Ministry of Finance, bank account numbers and other details of the Treasury of Ukraine.

Cyber events during the Russia-Ukraine conflict

December 16, 2003: Ukrainian hackers group “KiberBerkut” direct an attack against several NATO websites, their actions were attributed to the presence of “the NATO occupiers” on Ukraine territory.

“March 7, 2014: Attacks are directed against Russian news and media websites, the Ukrainian hackers group “Kibersotnya” claimed to be responsible for the collapse of the site “Russian newspaper”. Another cyber attack has undergone news agency, administration.

March 9, 2014: Indian government confirms that a military documents concerning Indo-Russian negotiations over fighter aircraft were compromised by unknown hackers. The assumption is that someone, not necessarily Ukraine, trying to explore the possibilities of Russian Air Forces, through hacking databases with such information that are available in other country’s air-forces whose systems are much less secure than the Russia’s.

March 14, 2014: Russian armed forces were able to intercept and seize American reconnaissance and strike UAV over Crimea. The drone, an Israeli built MQ-5B ‘Hunter’, one of 18 operated by the US Army’s 66th Military Intelligence Brigade. The unit regularly stationed in Bavaria, Germany was transferred to Ukrainian Kirovograd in early March, from where the UAVs performed reconnaissance raids over Ukraine, Crimea and the Russian border regions.

March 14, 2014: Multiple Distributed Denial of Service (DDoS) attacks, allegedly by Ukrainian hackers, are directed at Russian government and commercial websites. Targets include the Mr. Putin’s presidential website, the official government website and the Central Bank of Russia, Portals of the Russian Ministry of Foreign Affairs and energy consortium Gazprom. As suggested by the FSB, all the attacks committed by Ukrainian hackers or hackers hired by Ukrainian opposition but, Russian law enforcement agencies also do not rule out the fact that in those attacks may have been involved foreign individuals or entities as well.

March 17, 2014: VTB and the Alpha bank, two of the largest Russian banks, suffer major cyber attacks damaging the on-line banking service and credit organization. An anonymous Caucasus hacker group took responsibility for those attacks.