Ukraine's Cyber Defense: Wipers Remain 'Biggest Challenge'
Victor Zhora, Deputy Head of Ukraine's Cyber Agency, Shares Lessons Learned
As the Russia-Ukraine war continues, "Russian attackers continue to combine cyberattacks with kinetic operations, and … they can be coordinated with kinetic to amplify the overall psychological effect from these attacks," says Victor Zhora, the deputy head of Ukraine's State Service of Special Communications and Information Protection, or SSSCIP.
The scale of cyberattacks unleashed during the conflict is immense. Since the beginning of the year, Ukraine's national computer emergency response team, CERT-UA, has tracked "more than 1,600 major cyber incidents," he says. According to the CyberPeace Institute, 51 different nation-state, collective and cybercriminal groups have launched attacks and operations across 29 countries since January.
As one of the government officials who helps lead Ukraine's cyber defense, Zhora says one of the biggest cybersecurity surprises so far during the conflict has been the widespread use and impact of wiper malware, which is designed to destroy the hard drives of systems it infects.
From a cybersecurity standpoint, "wipers continue to be the biggest challenge, together with exfiltration of data or sowing chaos and subversion with the use of cyberattacks," he says. "We've identified more than 10 different types of wipers used during the war, and it seems to me that that is not the limit."
In a video interview with Information Security Media Group, Zhora discusses:
- How partnerships with technology and cybersecurity firms, the EU, U.S., NATO and others help Ukraine improve its defenses, disaster recovery and incident response;
- Lessons learned from countering Russia's cyberattack strategies;
- Ukraine's approach and goals for attributing cyberattacks and cyber operations.
Zhora is the deputy chairman and chief digital transformation officer at the SSSCIP, where he oversees digital transformation and cybersecurity projects, as well as CERT-UA and the state cyber protection center. He is the author of nearly 50 scientific publications in information security and has more than 20 years of practical experience as an architect and project manager, CEO and co-founder of leading cybersecurity companies in Ukraine. Since 2012, Zhora has been a member of the organizing committees of Ukraine's UISGCON and BSides Kyiv conferences.
Mathew Schwartz: Hi, I'm Mathew Schwartz with Information Security Media Group. And it's my pleasure to welcome Victor Zhora, deputy head of Ukraine's defensive cybersecurity agency, to our studios. Victor, thank you very much for taking the time to be here with us.
Victor Zhora: Thank you for inviting me.
Mathew Schwartz: So, Ukraine's gotten kudos for being very, very good at cyber defense and also incident response. I know that the country has been working closely with NATO and other organizations. You've also had eight years at least of attacks to repel, to learn from. And I know, too, you've been working with a number of Western technology firms - Microsoft, for example, springs to mind - to protect data, to track attackers and attack types, and to better defend your systems. Is there more that your allies or partners can be doing on the cybersecurity front to help?
Victor Zhora: First of all, I would like to thank all of our partners who support Ukraine in these challenging times, and who help us get ready to [repel] this cyber aggression. We had a number of international technical assistance projects initiated by the European Union and the United States. And these projects were very helpful, and made us able to get prepared for this aggression and prepare our workforce and build capacities. So this is very useful, and this assistance is priceless. So we appreciate it very much. With regards to the current situation, we are working closely with our partner agencies, with governments, with commercial companies who continue supporting us, and based on our experience - how we counter cyber threats - we identify new areas of cooperation, and we continue developing all of them. And perhaps there will be some new opportunities for us to extend our partnerships.
Mathew Schwartz: Are there any tools that you're able to discuss that you've found to be most valuable, as you're dealing with the challenges? I'd like to touch on the attacks that you've been seeing as well. But are there any tools or any defensive lessons that you might share with others? Because today, Ukraine, in the future, I think we're going to see more conflicts of this nature.
Victor Zhora: Well, we got a lot of assistance with hardware and software required for cyber defense, as well as some cloud infrastructures where we can host our backups and ... all IT infrastructures that are necessary for [the] delivering of electronic services to our citizens. We can store backups, and we can use these cloud infrastructures for other services, as well. And this is very important for us to have these disaster recovery capacities and additional resources for storing critical information for our country. At the same time, we continue getting a lot of consultancy support in cybersecurity as well as threat intelligence, which is very important for timely identification of threats, providing incident response and for threat mitigation.
Mathew Schwartz: Speaking of threats, I know there was an attack in April that attempted to disrupt an electric utility in Ukraine. I believe threat intelligence helped you avert or mitigate this attack?
Victor Zhora: For sure. We have very close ties with our partners from cyber intelligence companies, cybersecurity companies. And they help us with getting tips on what's happening in Ukrainian networks, on endpoints, being great providers of telemetry and visibility into Ukrainian networks. They're helping CERT-UA and the cyber protection center to receive timely tips. And it helps us in reaching out to victims and even preventing some major cyber incidents - in the way it happened in the beginning of April with regards to the power grid and energy distribution company for a certain region. And that was exactly a tip which was used to identify threats and to respond in time to this potentially disastrous cyber incident, which could affect up to 2 million people in the region and repeat the success that Russian state-sponsored military hackers had in 2015 and 2016.
Mathew Schwartz: In the dead of winter, yes, very, very poor timing for the civilians in particular. Another question I have, Victor, is: at the beginning of the war, you called the Russia-Ukraine war the world's first hybrid war. Has your thinking changed about the way that Russian forces so far have been or have not been using cyberattacks or cyber operations?
Victor Zhora: Russian attackers continue to combine cyberattacks with kinetic operations, and in a very serious percentage, they can be coordinated with kinetic to amplify the overall psychological effect from these attacks. Some cyber operations continue being separate from their military activity. So this is a very diverse activity. And it seems to me that in the last several months, we don't have - we do not observe - some particular strategy. The adversary continued to seek for gaps and vulnerabilities in Ukrainian networks, trying to gain access to provide persistence in these networks, to exfiltrate data, to seek for opportunities for direct impact and destruction to these networks. And it seems to me that decisions are made according to opportunities that get found in our infrastructures, and then perhaps they will choose the best scenario according to current circumstances - perhaps in consideration of potential kinetic, conventional opportunities they have on battlefields, or simply providing information psychological effects on the Ukrainian media sphere.
Mathew Schwartz: So not one overarching strategy, but it sounds more opportunistic, as you were saying. Look at what could be done and then attempting to pursue those paths instead.
Victor Zhora: Absolutely. Opportunistic and rather chaotic. But every day, we are waiting for new attacks, and we monitor our networks, critical information infrastructure, state information resources, every 24 hours expecting new strikes in the cyber role from Russian side.
Mathew Schwartz: Are you able to ascertain the ... speaking of chaos - and chaotic attacks - are you able to ascertain the impact that hacking collectives have had? Is it useful to even look at groups like Killnet, compared to, for example, military nation-state hacking groups, or hacking collectives having an impact? Do you think they are more of a nuisance? Or is it not worthwhile to even differentiate?
Victor Zhora: It seems to me that serious cyber operations are organized in a covert style and are not indicated in these Telegram groups like Killnet does or HackNet team does. So this is an indication of their intentions, and perhaps, in order to attract more people to join these cyber aggressive units, especially when it comes to DDoS attacks. But when we're talking about serious and well-planned operations that require a lot of human resources and technically advanced tools and financial resources, obviously they will be organized in stealth mode in order to gain as much effect and impact on our infrastructure as possible.
Mathew Schwartz: In terms of the malware that you've been seeing, talking about things that require a lot of planning, effort, investment, what have been some of the most innovative or surprising forms of malware that you've seen employed against Ukraine?
Victor Zhora: The biggest surprise for us was a variety of wipers that we continue observing from the beginning of the war. So this is a certain type of malware that doesn't require a ransom to decrypt infrastructures. So these wipers are used only for destructive impact on IT infrastructures. And this is the kind of very serious effect cyber operations can provide on the infrastructure of a country which has been an object of aggression. And this is totally different to ransomware, which continues to be one of the major threats for democracies in the Western world. But particularly with regards to Ukraine, wipers continue to be the biggest challenge, together with exfiltration of data or sowing chaos and subversion with the use of cyberattacks. We've identified more than 10 different types of wipers used during the war, and it seems to me that that is not the limit.
Mathew Schwartz: Who knows what will happen next, especially with malware and some of the other attacks. Speaking of attacks, there are efforts to track what's going on. For example, the CyberPeace Institute, a nongovernmental organization based in Geneva, has been tracking attacks, and I think to date, it's seen more than 338 attacks tied to the broader conflict. Now, these aren't all necessarily the serious attacks you're talking about; the most serious, I should say. Some are more of the phishing element, for example. But one of the interesting findings from CyberPeace Institute is attacks tied to this conflict have hit 27 different nations, and it says these attacks have been attributed by experts to 51 different attack groups. Diving into that just a little bit: Do these numbers, I mean, the more than 338 different attacks. Does that seem accurate to you? Or are you tracking perhaps even more attacks than that?
Victor Zhora: Well, first of all, we are grateful to all investigative institutions who continue researching this first world cyber war with regards to incidents not only in Ukraine, but in our allied countries. And again, this indicates that cybersecurity continues to be a global task and we have a common threat. Ukraine is not alone. And we can look deeper into messages from different Russian hacking groups. Some of them name more than 10 countries that they will continue targeting. And this is a good sign for all of us to be united and to improve our coordination. Since, again, I would repeat: cybersecurity is a global task, and we should create the kind of cyber coalition to effectively counter these threats. We have our own statistics, and it's based on our national cyber incident register, which CERT-UA leads, and according to CERT-UA statistics, we have more than 1,600 major cyber incidents from the beginning of this year. In addition, we have a security operation center, which has a network of telemetry sensors, and we've got millions of suspicious events. And some of them can get together into critical incidents and then pass to CERT-UA to be included in these statistics. So this is a very interesting field of research. And I think that after Ukraine's victory, all these statistics will be combined. And some conclusions will be made on the nature of these incidents, techniques and tactics used to target Ukrainian organizations as well as organizations in other countries.
Mathew Schwartz: Certainly, I know one of the goals with CyberPeace Institute and some of the other organizations that are tracking the attacks is to eventually attribute them. Experts have said that there is massive civilian impact with these attacks that goes far and beyond anything that is acceptable from a military standpoint. So I know that there is obviously an ongoing effort, and there will be an effort in the future, to try to attribute who's doing what and what they've impacted, because it's obviously so egregious in the conflict.
Victor Zhora: Attribution is one of the most complicated parts of investigation. And this is a very serious step. We should convince everybody who's reading these reports that a particular threat actor stood behind this attack. And we consider attribution as one of the key objectives of our activity here in SSSCIP and CERT-UA. And I hope that it will be easier for us to continue doing this attribution after 27 countries named Russia as the cyber aggressor state after indicating its responsibility [for the] Viasat hack, which happened in the first hours of the war and affected the infrastructure of a U.S.-based company, and some clients that were located in Western Europe, NATO countries. This very important fact, which was confirmed by 27 states, hopefully will help our task - not by progressing directly to attribution, but by indicating that a certain threat actor, military hackers from an aggressor state, are responsible for this attack. That is a very important fact for future investigations.
Mathew Schwartz: You've talked about working closely with others. And it would seem to me that on the collective defense front, what Ukraine is doing is going to be a model for how we collectively - because we're stronger when we work together - how we collectively work together in the future. I know Ukraine has been working with NATO, the EU, you touched on a number of Western technology companies and other governments. I don't know if I even have a question here except to say that it looks like you're very well invested in the cooperative aspect, and I hope it continues to pay dividends.
Victor Zhora: First of all, since a lot of partners helped Ukraine to get prepared for this aggression, and we have this rich experience of being resistant in this cyber aggression over the last eight years, going through major cyber incidents in the history - for instance, NotPetya, the most destructive attack in history - Ukraine wants to bring our experience from this war, from getting prepared, from continuing being resilient, to our partners, to contribute to the global cybersecurity ecosystem.
Mathew Schwartz: Well, Victor, I very much appreciate the time and the insights that you've shared with us today. Thank you so much.
Victor Zhora: Thank you so much, Mathew. Thank you for your wonderful questions.
Mathew Schwartz: It's my pleasure. I hope we can do it again soon.
Victor Zhora: For sure. Thank you.
Mathew Schwartz: It's been my pleasure to speak with Victor Zhora, deputy head of Ukraine's defensive cybersecurity agency. I'm Mathew Schwartz with ISMG. Thank you for joining us.