Access Management , Critical Infrastructure Security , Identity & Access Management
Ukraine Combating Cyberattacks on CNI With Security Keys
SSSCIP Goes Passwordless; Yubico Offers Tech SupportAs Ukraine continues to be bombarded with cyberattacks from Russia, the State Service of Special Communication and Information Protection of Ukraine - or SSSCIP - has shifted gears to combat this offensive against the country's critical infrastructure by going passwordless and using security keys instead of traditional multifactor authentication techniques.
See Also: OnDemand | Identity Crisis: How to Combat Session Hijacking and Credential Theft with MDR
In a bid to support this move, Yubico, a Palo Alto, California-based company, will donate 20,000 YubiKey 5 series hardware-based authentication devices and provide technical support to help Hideez - a Ukrainian security and data protection company - set up a security perimeter around the country's critical national infrastructure.
#Ukraine is developing @hideez and @Yubico solutions in state authorities to ensure protection against unauthorized access, which is one of the biggest threats to #cybersecurity. #russianhackers are constantly trying to gain access to accounts and use them for next #cyberattacks
— SSSCIP Ukraine (@dsszzi) May 1, 2022
Yubico and Hideez tell Information Security Media Group that the donation is a "goodwill gesture" from the California-based company. No deal was struck between them and Ukraine's government, the statement says.
Meanwhile, an SSSCIP spokesperson confirms to ISMG that the first batch of 6,000 keys has arrived in Ukraine. "6,000 pieces [security keys] that has already been delivered to Ukraine, passed the regulatory examination, has been approved by the SSSCIP administration and is being delivered to users. But this is just the initial delivery. More such keys are going to arrive soon," the spokesperson says.
The Lead-In
The SSSCIP spokesperson tells ISMG that Russian hackers are constantly trying to gain unauthorized access to Ukrainian information systems to destroy them, preventing Ukrainians from accessing public services, impeding critical infrastructure operations and spreading panic and distrust for the authorities.
He adds that the number of cyberattacks has been constantly rising since the start of the full-scale invasion. According to a report shared by SSSCIP with ISMG, attacks have tripled since the war began. "It makes protecting our information infrastructure from unauthorized access extremely important," the spokesperson says.
During a press briefing on Wednesday, SSSCIP head Yuriy Schyhol said: "Russian hackers never stop trying to steal personal data of Ukrainian civilians [by getting] access to their accounts, etc. The ultimate goal of Russian hackers is to access public registers and the entire information infrastructure of Ukraine. They are attempting to achieve that through private applications and ordinary users, among other things."
The Ukrainian authorities needed a solution to help secure endpoints and make unauthorized access to user accounts and internal networks difficult, if not impossible, the spokesperson says.
At the beginning of the war, Hideez supplied what it called a "small amount" of Hideez Key devices, which are hardware-based authentication keys, to government agencies free of charge, says Oleg Naumenko, CEO of Hideez, but more were needed. Naumenko tells ISMG that Yubico, which had previously provided assistance, was again asked for help.
"We recognized the urgent need for additional security keys and reached out to Yubico, who then provided us with 20,000 YubiKeys at no cost for us to distribute. YubiKeys have broad functionality, which allows them to be integrated with the Hideez Authentication Server and cover usage scenarios that differ from our own keys," Naumenko tells ISMG.
Hideez approached Yubico on March 4 and asked the company to consider donating keys and technical support, Stina Ehrensvärd, CEO and co-founder of Yubico, says in a blog post published on Monday.
Ehrensvärd says that within a matter of hours, Yubico provisioned a donation of 20,000 YubiKeys and 24/7 access to its technical experts to help ensure those receiving the keys had the tools and knowledge to begin implementing this cybersecurity safety measure.
The Beneficiaries
The organizations or individuals who will benefit from these security keys were not identified by the SSSCIP spokesperson, but he tells ISMG that the keys are being allocated free of charge among the security and defense sectors, while some will be provided to the public companies managing critical infrastructure.
In the blog post, Ehrensvärd says that the first set of these keys has been distributed to a dozen government agencies and companies providing critical infrastructure, including:
- SSSCIP;
- Ministry of Digital Transformation, which heads IT modernization and the next generation of government e-services;
- Government-owned energy companies and power plants;
- Ukraine's [.]UA domain managing organization, Hostmaster[.]UA.
How YubiKeys Work
Citing a Ukrainian cybersecurity executive at a major government-owned energy company, the blog post says that attempted attacks on the energy company's infrastructure rose from 21,000 events in all of 2021 to over 760,000 attempts from Feb. 24, 2022, to March 24, 2022 - an increase of 3,519%.
"The critical infrastructure company that we worked with in Ukraine required its employees to change passwords every day, which did not provide sufficient security and was time-consuming as well as an added stress to employees working in a war zone," Ehrensvärd tells ISMG.
"They required something that was not only more secure but that also worked across a range of systems and devices - a tool that worked from locations where internet and cellphone connectivity are not stable. Additionally, because of the advanced types of phishing, and man-in-the-middle attacks that were being targeted at them, they couldn't rely on legacy or mobile-based authentication."
YubiKey security key is a multipurpose and multiprotocol device, which allows users to use the same authenticator for PC login, VPN access, cloud-based productivity, email systems, ERP system and mobile applications, Ronnie Manning, chief marketing officer at Yubico, tells ISMG.
"When logging in as a smart card or for FIDO2/WebAuthn for passwordless, when prompted to login to a laptop/desktop, or by a supported application or service, you need to enter a PIN which unlocks the key, then pressing the YubiKey it completes the authentication process by exchanging and verifying user credentials to the service or application," Manning says.
He says it requires a human touch to activate the YubiKey and complete the authentication process, which protects against external attacks by not allowing a piece of code or malware to trigger the key.
An SSSCIP spokesperson tells ISMG that these devices "will allow protection of resources from unauthorized access, enable access management and reduce the risk of leakage of sensitive information from [critical] workstations."
The Distribution/Supply Chain
Although the security keys have been shipped to Hideez in Ukraine on an emergency basis, there are certain protocols in place for their adoption in critical systems. None of the resources can be directly deployed - especially if it involves critical assets are involved - without proper testing and certification. But Yuriy Ackermann, vice president of war efforts for Hideez, tells ISMG that this was done in the shortest possible time frame and on a priority basis in collaboration with SSSCIP.
"In order for YubiKeys to be used for the broader range of high-security and military applications, we worked with the SSSCIP for its certification of the YubiKey 5 Series," Ackermann says.
According to the blog post, Oleksandr Potii, deputy chief of SSSCIP, says, "In record time, only [in] a matter of weeks, we were able to expedite a normal six-month-plus certification process to get the YubiKey 5 Series validated for use across all Ukraine government and military agencies and their employees."
But certification was only a small part of the adoption process. The bigger question was the distribution of these physical security keys in the war-torn nation. Hideez, along with its supply chain network in collaboration with SSSCIP, is providing the distribution support necessary on the ground, the company tells ISMG.
"Those who receive the keys are staying within Ukraine, so we have every opportunity to deliver the packages using specialized services that operate both in peaceful times and in times of war," the SSSCIP spokesperson tells ISMG.
Potii also confirms that SSSCIP is deploying 3,000 Yubikeys for its own staff, who will use them in the electronic document management system, according to the blog post.
In addition to Hideez in Ukraine, Yubico has also provided devices to ePrinus, a partner headquartered in Poland, which is helping with the distribution of keys for military purposes to support Ukraine.
"We have also donated YubiKeys through our Secure it Forward program to support hundreds of local journalists and other humanitarian organizations that have been working tirelessly to share critical information to keep their communities safe," the blog post says.