March 23, 2018

What’s Ukraine doing to combat Russian cyberwarfare? ‘Not enough’

KYIV – Dmytro Shymkiv fidgeted in a chair as his boss, Ukrainian President Petro Poroshenko, testified via video link-up from a few doors down in the Kyiv trial of his exiled predecessor, Viktor Yanukovych.

A big part of Mr. Shymkiv’s job as deputy head of the Presidential Administration is focused on the cybersecurity of the president’s office and the country. At this particular moment on February 21, his most important task was to keep the signal up and clear so Mr. Poroshenko could speak uninterrupted during the televised treason trial.

“I’m very worried about cyberattacks,” Mr. Shymkiv confessed to RFE/RL as the president delivered his testimony.

With one eye glued to a screen showing Mr. Poroshenko and the other on his constantly vibrating mobile phone, which flashed updates from his IT team, Mr. Shymkiv said he feared a distributed denial-of-service (DDoS) attack by Russian hackers that could take the video feed offline.

“It’s happened before,” said Mr. Shymkiv, who before joining the government in 2014 was general manager of Microsoft Ukraine, referring to past DDoS attacks timed to disrupt presidential appearances.

Testing ground

Before Russian hackers allegedly targeted the United States and its 2016 presidential election, they were accused of taking aim at Ukraine and even its own presidential vote in May 2014 – and with a lot more than just DDoS attacks.

For its part, Russia has denied cyberattacks against Ukraine or the United States.

But authorities here and in Washington attribute the attacks to Russia. They say they haven’t stopped and are expected to continue.

In fact, they say Russia is using Ukraine as a cyberwar testing ground, or as Wired described it in a lengthy and detailed report on the matter last year, “a laboratory for perfecting new forms of global online combat.”

Yet, for a country that is such a persistent target, Ukraine remains largely “unprepared” for cyberattacks from the likes of Russian and other skilled hackers, Mr. Shymkiv conceded.

In separate interviews, Ukraine’s chief of Cyberpolice and members of a prominent pro-government hacker team agreed; while acknowledging that the country has made some progress on the cybersecurity front, they suggested or said outright that its defenses are nowhere near where they should be for a country that is a regular target of cyberattacks. They cited poor communication among state institutions, a resistance to change, a confused policy approach to cyberdefense, and a lack of funds to recruit skilled personnel and buy much-needed equipment.

Ukraine hit ‘every day’

Ukraine has been locked in an undeclared war with Russia since 2014, when the Kremlin annexed the Crimean peninsula and fomented a shooting war in eastern Ukraine that has killed more than 10,300 people and is grinding into a fifth year. The war is being fought not only in the literal trenches but in cyberspace, through disinformation, fake news and, of course, cyberattacks.

Since 2014, suspected Russian hackers have taken aim at critical targets in Ukraine with ever-growing sophistication. Ukraine’s chief of Cyberpolice, Serhiy Demedyuk, said in an interview with RFE/RL that it was difficult to track Russian cyberattacks here because they occur “every day.”

“What we see is that Ukraine really is a [Russian] test site for malicious software,” Mr. Demedyuk said in his office on the outskirts of Kyiv on February 21.

In December 2016, President Poroshenko claimed Ukraine had been struck by 6,500 cyberattacks on 36 targets in the previous two months, most of which Kyiv attributed to Russian aggression. His government has not provided more up-to-date statistics.

While attribution can be difficult, Messrs. Demedyuk and Shymkiv said Ukraine has managed to directly link Russia to most cyberattacks, citing the characteristics of the attacks and their timing; many occur on historically significant dates in Ukraine, or just before or during holidays, thus maximizing the effect.

Two such cyberattacks targeted Ukrainian power plants ahead of holidays in December 2015 and December 2016, and left hundreds of thousands of Ukrainians without electricity for hours.

Last year, Ukraine’s Boryspil and Odesa international airports were hit by cyberattacks at the height of the tourist season, along with the Kyiv subway’s ticketing system, supermarket checkouts, bank ATMs, and the radiation-monitoring system at the defunct Chornobyl nuclear power plant. Luckily, those attacks caused more confusion than damage and potential crises were averted.

But ransomware attacks dubbed Petya, NotPetya and Bad Rabbit also ripped through the country, crippling businesses for days or weeks. NotPetya, in particular, spread to 64 countries, including Poland, Germany, Italy and Russia, and caused billions of dollars in damage.

The U.S. and U.K. governments both released extraordinary statements attributing NotPetya to the Russian military’s cyberarm. White House Press Secretary Sarah Sanders went further, calling it “part of the Kremlin’s ongoing effort to destabilize Ukraine,” which “demonstrates ever more clearly Russia’s involvement in the ongoing conflict.”

Indeed, experts say evidence in many of these cyberattacks points back to the same Kremlin-linked hackers believed to have targeted the 2016 U.S. election.

And they fear these may be only the beginning, as Russia continues to test new cyberwar methods – where else – in Ukraine.

More to come

The U.S. intelligence community “expect[s] that Russia will conduct bolder and more disruptive cyberoperations during the next year, most likely using new capabilities against Ukraine,” read a worldwide threat assessment authored by Director of National Intelligence Dan Coats and published on February 13. “The Russian government is likely to build on the wide range of operations it is already conducting, including disruption of Ukrainian energy distribution networks, hack-and-leak influence operations, distributed denial-of-service attacks and false-flag operations.”

And Mr. Coats, a former senator appointed by President Donald Trump to be the United States’ top intelligence official, said it was expected that, once Moscow perfects new tactics in Ukraine, it will turn them on Western countries.

“In the next year, Russian intelligence and security services will continue to probe U.S. and allied critical infrastructures, as well as target the United States, NATO and allies for insights into U.S. policy,” he said.

Mr. Coats reportedly told a congressional committee the same day the report was released that he had already seen evidence Russia was targeting U.S. midterm elections in November.

“Frankly, the United States is under attack,” Mr. Coats added, according to Reuters.

Many experts believe the United States and its European allies are woefully unprepared for future cyberattacks and have called for defenses to be strengthened.

Ukraine’s ‘vulnerabilities’ exposed

In boosting their own defenses, U.S. and European officials might look elsewhere for inspiration than Ukraine, which has struggled to batten down its proverbial hatches in the face of Russian cyberoperations.

In direct response to the Russian cyberthreat in recent years, Ukrainian institutions have developed special cybersecurity units: the Security Service of Ukraine (SBU) has an in-house team; the Internal Affairs Ministry and National Police created the Cyberpolice force led by Mr. Demedyuk; there is a Center for Cyberprotection within the State Service for Special Communications and Information Protection. The Defense Ministry has been slower to react but is currently discussing the creation of cyberunits for military purposes and cyberdefense, according to Mr. Shymkiv. A ministry spokesperson told RFE/RL they could not offer more specific information.

Coordinating all of Ukraine’s cybersecurity initiatives is the National Security and Defense Council (NSDC), which opened a new cyber-focused center for doing so last month.

Some state companies have also taken the initiative. For instance, Ukrainian power distributor Ukrenergo, one of the main targets of cyberattacks in the past two years, said last month that it was investing up to $20 million in a new cyberdefense system.

But many Ukrainian institutions and companies – including those who help lead cybersecurity efforts or guard highly sensitive information – fail to communicate or coordinate with one another, and remain vulnerable to cyberattacks and information leaks, according to self-described “pro-Ukrainian” hackers who spoke to RFE/RL.

One of them, “Sean Townsend,” the pseudonymous spokesman and one of the founding members of the hacktivist group Ukrainian Cyber Alliance, said that a recent flashmob, which he and a dozen or so Ukrainian hacktivist colleagues organized and promoted on social media, proved cyberdefenses here remain weak.

Mr. Townsend and the Cyber Alliance usually focus on Russian targets. But worried about Ukraine’s cybersecurity, they turned their sights toward their own country in an effort to help find where it might be vulnerable and plug whatever holes exist.

Mr. Townsend was startled by what they found. “There were many cases where highly classified information was stored simply unprotected,” he said.

For instance, when Mr. Townsend probed Energoatom, the state nuclear-power-plant operator, he “found vulnerabilities that would easily allow hackers to enter the [energy] system” of one of its facilities.

Energoatom responded days after the Cyber Alliance published some of its findings online, which caused public concern about a “new Chornobyl.” The company essentially dubbed Mr. Townsend’s findings fake news and said it would be “impossible” to hack the critical energy infrastructure at its power plants.

Mr. Townsend said he was certain that what he found “could be perfectly used to penetrate power-station equipment.” As if that wasn’t enough of a concern, he added, among the power plant’s unsecured computer networks he was able to obtain countless gigabytes-worth of sensitive documents, including the building plans for the reactor and information pertaining to Westinghouse Electric Co., the U.S.-based provider of nuclear fuel to Ukraine.

The story was similar with Ukraine’s Defense Ministry. “We found several computers with classified files about Ukrainian forces” that could provide their Russian counterparts with valuable intelligence, Mr. Townsend said.

Unlike Energoatom, the ministry reacted quickly. “When we notified our military that they have computers leaking data to the Internet, they found them and shut them down,” Mr. Townsend added.

In all, Mr. Townsend said more than 200 cases of vulnerabilities were found among Ukraine’s state institutions and companies. But not all of them have been addressed. In fact, responses from companies and institutions where vulnerabilities were discovered were mixed; some thanked the Cyber Alliance and addressed the issues, while others shrugged or denied their existence.

The Kherson Oblast Administration, annoyed by the alliance’s discovery of vulnerabilities that would easily allow ill-intentioned hackers to penetrate its system, even filed a criminal complaint against the Cyber Alliance with the Cyberpolice.

Mr. Townsend, who said he cooperates closely with Mr. Demedyuk and the Cyberpolice, also claimed to have found vulnerabilities in the systems of the presidential administration and the NSDC, both of which he said reacted swiftly and fixed the issues.

Mr. Townsend placed much of the blame for the inconsistent responses to cyberthreats on poor communication among the various cybersecurity units in government institutions plus a “policies for the sake of policies” approach by the government. “Many of our leaders think we need to simply write down new rules, enforce them, and control how people are executing them, and then all will be well,” he said.

Western help

Mr. Shymkiv said the U.S. and Western European governments have helped Ukraine strengthen its cybersecurity through training and financial support, but he would like to see much more cooperation.

His “dream,” he said, was to build a U.S.-led, nongovernmental cybersecurity center in Kyiv that would act as a computer emergency-response team for the public while also focusing on training.

Mr. Shymkiv said he had discussed the idea with Washington officials, who found it “interesting” but have indicated there are still some hang-ups preventing them from acting on it. “Everybody’s concerned [with] how many Russian spies we have in the government,” Mr. Shymkiv said. “That’s why I’m saying, ‘Let’s build this from scratch… on the principles and approaches defined by the U.S.’ ”

Plus, he added, with Ukraine a regular target of Russian hackers, there is a lot the United States could learn from its experience and apply at home.

The U.S. Embassy declined to discuss Mr. Shymkiv’s idea on the record, and intelligence officials in Washington could not be reached for comment.

There is some movement within the U.S. Congress to further help Ukraine in the cybersecurity sphere. On February 7, the House of Representatives overwhelmingly passed the Ukraine Cybersecurity Cooperation Act. The Senate introduced a mirror version of the bill on February 27.

The bills call for the State Department to increase cooperation with Kyiv over shared Russian cybersecurity threats by doing several things, including: providing Ukraine necessary support to increase protection on government computers, particularly systems that defend critical infrastructure; reducing Kyiv’s reliance on Russian technology; and helping Ukraine to build capacity, expand cybersecurity information sharing and cooperate on international response efforts.

That is all music to the ears of Messrs. Shymkiv, Demedyuk and Townsend, who say replacing outdated equipment will go a long way toward protecting Ukraine from cyberattacks.

Stealthier, evolving methods

But until those bills become law or similar help from elsewhere is provided, Ukraine must muddle through and remain vigilant, which Mr. Shymkiv said meant continually educating staff.

In recent months, Mr. Shymkiv said, he had noticed stealthier and more sophisticated phishing attempts aimed at the Presidential Administration by hackers he believes are working in Russia. These efforts to extract sensitive information are disguised as messages from internal systems administrators and appear carefully crafted to appeal to specific employees, himself included.

“They are extremely well done,” Mr. Shymkiv said. “[The hackers] are hacking our brains. They target people’s trust.”

But if the Russians were trying to hack the video link through which President Poroshenko was delivering his testimony while Mr. Shymkiv spoke, they failed.

As Mr. Poroshenko finished, Mr. Shymkiv breathed a sigh of relief. But he said he never lets his guard down. “Every day [Russian hackers] are trying to collect information of our people,” he said. “They are trying to get inside our systems… and to disrupt us.”

Copyright 2018, RFE/RL Inc. Reprinted with the permission of Radio Free Europe/Radio Liberty, 1201 Connecticut Ave. NW, Washington DC 20036; www.rferl.org (see https://www.rferl.org/a/ukraine-struggles-cyberdefense-russia-expands-testing-ground/29085277.html).