Ukrainian Cyber Official Offers Update on 'IT Army'Cyber Officials on Alert as Putin Advances, Hacktivists Continue Efforts
War in Ukraine continues into its third week, and Russia is closing in on major Ukrainian cities, upping its targeting of civilian infrastructure. In the U.S., cybersecurity officials continue to urge a "Shields Up" approach - while the digital conflict has devolved deeply into the underground.
According to The Washington Post, while speaking with reporters on Tuesday, Victor Zhora, Ukrainian Deputy Chairman of The State Service of Special Communications and Information Protection, confirmed that the country's now-famous "IT Army" of volunteer cyberwarriors, perhaps 400,000-plus strong, is actively working to protect Ukrainian infrastructure from state-backed Russian hackers.
Industry watchers anticipated Russian actors being activated much earlier in the conflict, but cyber and foreign policy experts say the lack of an all-out cyber offensive could indicate the Russians did not hold great prepositioning on Ukrainian networks leading into the conflict. Others point to the immense foreign aid Ukraine received in 2015 and 2016, after its grid was taken down by the Russians.
Reuters first reported, upon the IT Army's creation, that the group was planning and executing offensive cyberattacks against Russian systems enabling the war effort.
But on Tuesday, Zhora walked back earlier beliefs that the Ukrainian government may be involved with the "offensive" campaigns.
The Washington Post reported that Zhora said: "Volunteers [with the IT Army] continue their operations, and we believe that some of these operations can be offensive and directed to military infrastructures of Russia. But … it's their own initiative, so this activity isn't coordinated by the government, and we continue focusing on protecting Ukrainian infrastructure."
According to the same report, Zhora acknowledged that the Ukrainian government continues to hire private sector cybersecurity specialists to safeguard critical sectors, and allied nations continue to offer remote assistance to protect digital assets. These specialists are also reportedly looking to assist with cyberattack attribution efforts.
This follows other recent events in the digital domain, including the international hacking collective Anonymous reportedly breaching Russia's censorship agency, Roskomnadzor, along with other Russian entities and state-run media agencies (see: Anonymous Reportedly Hacks Russian Censorship Agency).
In the Roskomnadzor breach, Anonymous reportedly released 364,000 files it says show intensified censorship around the perception of the Ukraine invasion. The files were shared with, and published by, DDoSecrets, a nonprofit whistleblower site for news leaks. The files reportedly had dates as recent as March 5.
Hacktivists believed to be operating out of Belarus also continue to target Belarusian networks, as the nation has pledged its allegiance to the Putin regime. The Belarusian Cyber-Partisans, or CP, have targeted the country's railways - reportedly encrypting servers, databases and workstations in an effort to disrupt the Russian military's movement in Belarus (see: Update: Cyber Hacktivists Target Belarus for Supporting Russia).
Foreign policy experts have long feared escalation in the conflict - anything that could trigger NATO's Article 5 agreement, a pledge for the members of the military alliance to protect sovereign borders. But the Wednesday report in The Washington Post said that China, whose President Xi Jinping has met with Russian President Vladimir Putin several times in recent months, may be active on the hacking front as well.
The Twitter handle @intrusion_truth, which has worked to relay Beijing cyber operations, wrote on Tuesday that it "now knows that Chinese hackers are conducting cyberattacks against Ukraine. We can only assume these have been ordered, or at least condoned, by the Chinese state. If they haven't, the CCP has a big problem: hackers getting ahead of CCP foreign policy."
The question remains whether Xi intends to aid Russia or if the CCP or related actors are simply doing reconnaissance.
John Hultquist, vice president of intelligence analysis at the firm Mandiant, tweeted: "I would assume this is cyberespionage, which would be expected, though still not good. … They want to know what's going on there like everyone else."
Keep Shields Up High
In the U.S., officials remain on edge, fearing potential cyberattacks on critical industries. Cybersecurity and Infrastructure Security Agency Director Jen Easterly has urged U.S. organizations to conduct basic, but critical, cyber hygiene exercises and watch for the exploitation of known vulnerabilities.
Late Tuesday, Easterly warned that Russian state-sponsored cyber actors have gained network access through exploitation of default multifactor authentication protocols and a known vulnerability.
As early as May 2021, CISA writes, Russian state-sponsored cyber actors "took advantage of a misconfigured account set to default MFA protocols at a nongovernmental organization (NGO), allowing them to enroll a new device for MFA and access the victim network."
The alert continues: "The actors then exploited a critical Windows Print Spooler vulnerability, 'PrintNightmare' (CVE-2021-34527) to run arbitrary code with system privileges."
The officials say the cyber actors successfully exploited the vulnerability while targeting the NGO using Cisco's Duo MFA, enabling access to cloud and email accounts for document exfiltration.
They continue to warn against similar tactics.
Zelensky Briefs Congress
While some say Russia is avoiding direct, military-run cyber operations because its kinetic efforts are more effective, Chris Painter, a former top cybersecurity official during the Obama administration, told the think tank Center for Strategic and International Studies on Monday that the war is "still in the relatively early days. … It could be that Russia is holding those reserve capabilities and hasn't used them yet" (see: Top Cyber Officials Say Russians May Yet Escalate Cyberwar).
Despite the inactivity around cyber military campaigns, fears that the conflict could bleed into different geographic locales remain top of mind.
And despite heavy rounds of sanctions against the Kremlin, its oligarchs, Russian banks, the Russian oil industry and more, U.S. President Joe Biden said the nation will not send troops into Ukraine.
Ukrainian President Volodymyr Zelenskyy is asking for more.
From a bunker in Kyiv on Wednesday, Zelenskyy briefed the U.S. Congress, reiterating a need for more direct aid.
"Right now, the destiny of our country is being decided," he said. "Whether [Ukrainians] will be able to preserve their democracy. … The Russians have turned the Ukrainian skies into a source of death. … [It's] terror the world hasn't seen for 80 years."
He repeated calls for the U.S. to establish a no-fly zone over Ukraine or dramatically increase its output of powerful defense systems for the Eastern European nation.
"Ukraine is grateful to the U.S. for its overwhelming support … which helps us to pressure Russia economically," the Ukrainian president told U.S. lawmakers. "I'm grateful to President Biden for his involvement and for the defense of democracy all over the world. … However, in the darkest time for our country, for all of Europe, I call on you to do more."
He suggested the Biden administration sanction Russia "every week" until the "Russian military machine stops," sanctioning "every" Russian politician still holding office, and urged "every" U.S. company doing business in Russia to leave "immediately."
He also proposed the formation of a new alliance, which he dubbed U24 - a collection of nations "united for peace" and the "strength to prevent war." The alliance, he said, could sanction violators, provide humanitarian support and respond to others' needs in just 24 hours.
It's unclear at this stage how Zelenskyy would incorporate cyber defense into the proposed alliance.