An Abbreviated History of Infrastructure Attacks In Ukraine

Brief Background on Ukraine's Relationship with Russia

Russia and Ukraine both trace their origins to the medieval state of Kyivan Rus, centred on modern-day Kyiv from the 9th century AD. Kyivan Rus was destroyed in the 13th century by the Mongol armies of the Golden Horde led by Batu Khan (a grandson of Genghis Khan), who sacked Kyiv in 1240, razing the city and killing much of its population. The Russian version of events holds that the survivors fled north to Moscow and became Russians. The Ukrainian version holds that the survivors stayed and quietly endured for the next several centuries through invasions by Mongols, Poles, Turks, Tatars, and Russians.

Ukraine attempted to establish its independence three times before 1991, and none of the attempts lasted: in the 17th century under the Ukrainian Cossacks, in the civil war that followed Russia's Bolshevik revolution of 1917, and through a short-lived alliance with the Nazi occupiers during WWII. During WWI roughly 3.5 million Ukrainians were conscripted to fight for Russia, and after 1917 the region became a battleground between loyalists of the Russian czar and Lenin's Bolsheviks. In 1932-33 the Soviet regime engineered a famine in Ukraine, known as the Holodomor, which began with forced grain requisitions from Ukraine's fertile farmland and was continued as a tool of control over the region. Roughly 13% of the population died.

During WWII the country broke into warring factions (those who supported the Soviet Union, those who supported Nazi Germany, and those who wanted an independent Ukraine), and Stalin purged the region of suspected dissidents, deporting roughly a fifth of the population to labour camps. When Germany invaded in 1941, the occupiers continued the killing, murdering well over a million Ukrainian Jews and rounding up about 2 million Ukrainians (along with millions of Russians and Poles) for forced labour in Germany. After the Red Army counterattacked, the slaughter continued, as the retreating Germans force-marched Ukrainian and Russian prisoners of war without adequate food, water, or shelter from the winter, killing many. By the end of the war roughly 1 in 6 Ukrainians had died (compared with 1 in 8 Russians).

In the post-war decades, more Ukrainians were sent to the USSR's gulags than any other nationality. After the 1986 Chernobyl disaster, Soviet leaders delayed warning Ukrainian citizens of the danger from the explosion while quietly evacuating their own families far from the site.

In 1991, with the fall of the USSR, Ukraine finally became legally independent, though the decades since have been marked by corrupt politicians and hijacked elections heavily influenced by Russia. These mounting tensions have been accompanied by a rise in cyber attacks in recent years, as Russian state-sponsored actors have used several former Soviet states as a test bed for new cyber weapons.

Russia's Test Lab

Estonia and Georgia faced some of the first experiments. In 2007, when Estonia decided to relocate a Soviet-era war memorial from the centre of the capital, the country's Russian-speaking minority (roughly 25% of the population) protested in the streets. As the protests grew, a wave of attacks flooded the websites of government agencies, banks, and media outlets with junk traffic: in effect, a sustained, country-wide DDoS. Estonian responders eventually blocked all international traffic to halt the attack, which worked, but it also cut one of the most internet-connected nations on earth off from the rest of the world. The attacks were widely attributed to Russian-aligned actors, though they were never conclusively tied to the Russian state.

Similarly, in Georgia in 2008, as Russian tanks rolled into the country, DDoS attacks using the same tactics that had worked so well against Estonia took down much of Georgia's limited internet presence, including government and media sites. Accompanied as it was by soldiers and guns, and against a country far less dependent on the internet than Estonia, the effect was less keenly felt. But it was clear that the idea of a 'digital blitzkrieg' was catching on: knocking out a country's internet as you invade denies the inhabitants control of the narrative and adds to the atmosphere of fear the invasion creates. Similar tactics were used again in 2014 during the invasion and occupation of the Crimean peninsula.

Cyber Attacks in Ukraine

In Ukraine in late 2013, the government abandoned a trade and association agreement with the EU under pressure from Russia, sparking widespread protests. The protests were accompanied by digital meddling in the form of floods of calls and SMS messages that severely strained mobile networks. In a similar vein, in the run-up to the May 2014 presidential election, a group calling itself 'CyberBerkut' repeatedly attacked the country's Central Election Commission, attempting to take down its servers and to plant fake results so that a legitimate election could not be seen to take place. CyberBerkut has since been linked to Fancy Bear (APT28), the Russian GRU group also blamed for the 2016 intrusion into the US Democratic National Committee (the DNC hack).

Over the same period, an entirely different group, called Sandworm (first publicly identified in 2014 by several security firms and the US ICS-CERT), had been running a five-year campaign, beginning in 2009, that had successfully penetrated several critical infrastructure organisations in the US, Poland, and Ukraine, though without doing damage. Sandworm, also tracked as ELECTRUM, TeleBots, IRON VIKING, the BlackEnergy Group, VOODOO BEAR, and Quedagh, is believed to be part of Russia's military intelligence service, the GRU (later US indictments named its Unit 74455). The name Sandworm is a reference to Frank Herbert's Dune, after several phishing lures and malware artefacts attributed to the group were found to contain references to the book.

Roughly a year later, on 23 December 2015, the group reappeared with an attack on three of Ukraine's regional electricity distribution companies, cutting power to around 230,000 customers for up to six hours. This was the first publicly confirmed blackout caused by a cyber attack. The attackers did not knock the grid out with the malware itself: having gained access through BlackEnergy spear-phishing (the same malware as the earlier campaign) and months of reconnaissance, they used stolen VPN credentials and remote-access tools to take over the operators' control-system workstations and open the breakers by hand. They then deployed a wiper called KillDisk to destroy the workstations, corrupted the firmware of the serial-to-ethernet converters at the substations so the breakers could not be closed remotely, and flooded the utilities' call centres with bogus calls so customers could not report the outage. In the same period KillDisk also hit the country's biggest railway company, Kyiv's main airport, several media companies, and other infrastructure providers. Investigation showed that the group had been inside the victims' networks more than six months before the attack was triggered.

In December 2016, another blackout-inducing attack hit a transmission substation serving Kyiv, cutting power to part of the city for about an hour, and was attributed to the same group. This time the outage was caused by purpose-built malware, named Industroyer (or CrashOverride) by the firms that analysed it, which spoke the grid's control protocols directly rather than relying on an operator at a hijacked workstation. Analysts noted that the malware also carried components capable of doing significant, potentially permanent, damage to the equipment, which the operators had not used.

While the Ukrainian attacks were the first publicly known cases of a nation state deploying this kind of damaging malware against another country's civilian infrastructure (the US and Israel are widely reported to have deployed a cyber weapon called Stuxnet against Iran's nuclear enrichment facilities years earlier), the theoretical possibility had been demonstrated since at least 2007. In the Aurora experiment of March 2007, researchers at Idaho National Laboratory in the United States hacked into a $300,000 diesel generator and, by repeatedly opening and reclosing its breakers out of sync with the grid, used a few lines of code to destroy it.

Also in 2016, a group calling itself the 'Shadow Brokers', widely suspected of Russian links but never conclusively identified, obtained offensive tools developed by the NSA's top exploitation team and leaked them over a period of months, giving attackers around the world a set of 'zero-days' (exploits for bugs unknown to the software vendor). Among them was a Windows SMB exploit called 'EternalBlue', which by the time of its April 2017 release had in fact been patched by Microsoft the month before (MS17-010), but which countless unpatched machines remained exposed to. A month later it was used as the spreading mechanism for WannaCry, the ransomware attributed to North Korean hackers, which tore through more than 150 countries in May 2017, knocking out hundreds of thousands of computers. It was highly destructive, its payment mechanism was effectively broken (there was no reliable way to tie a payment to a victim, so paying rarely recovered anything), and it did billions of dollars of damage.

This was only a preview of the leaked tools' potential for damage. In June 2017, EternalBlue (and its sibling EternalRomance) was combined with a credential-harvesting tool derived from Mimikatz, plus legitimate administration tools such as PsExec and WMIC, to create malware called NotPetya, which spread even more rapidly: once it had one machine's passwords, it could move through a network even where every machine was fully patched. The attack was plainly aimed at Ukraine, since it spread via a supply-chain compromise of M.E.Doc, a Ukrainian accounting package used by most businesses in the country. The malware was pushed out through the company's legitimate software update channel to large swaths of Ukraine and from there to multinationals throughout the world. Although it posed as ransomware, its encryption was unrecoverable by design, making it a wiper. The company's network had reportedly been penetrated as early as November 2015 in preparation for the launch. The attack is estimated to have cost around $10 billion in damage worldwide.

A similar tactic was used in the compromise of a number of US federal agencies discovered in December 2020, when hackers affiliated with Russia's foreign intelligence service (the SVR) tampered with Orion, a network monitoring product sold by a company called SolarWinds. The investigation was still ongoing when this was written, but it is believed that the attackers compromised SolarWinds' build pipeline, so that a backdoor was inserted into the product before it was signed, and then relied on the company's own update servers to distribute the backdoored version to thousands of customers, of which a small number were singled out for follow-on intrusion.

Attribution in Cyber Attacks

In February 2018 the US and UK governments publicly confirmed that they had attributed NotPetya to Russian state-sponsored hackers, specifically the Russian military.

These attributions did not appear to deter the attackers. In fact, in February 2018, the same group launched an attack on the PyeongChang Winter Olympics in South Korea. The attack hit during the opening ceremony, with a piece of malware later named Olympic Destroyer, which wiped the games' IT systems and took down Wi-Fi and the official website. Luckily, the security team was able to rebuild the systems and reset access overnight, preventing further disruption to the games. The malware had been deliberately engineered to look as though it could have come from any of several state-sponsored adversaries.

Attribution of cyber attacks is extremely difficult, and tying an attack definitively to a specific actor is harder still when that actor has taken steps to disguise its presence. For example, after the 2016 attacks on the DNC and Hillary Clinton's campaign, a number of 'cover stories' were created, ranging from a fake lone hacker persona named 'Guccifer 2.0' to a supposed whistleblower who leaked the documents through DCLeaks, a site purporting to exist to protect whistleblowers.

Similarly, when North Korean hackers breached Sony Pictures in 2014, they posed as a group called the 'Guardians of Peace'. After the Olympics attack, the actors took several steps to obscure their origin, including reusing code and metadata characteristic of malware previously used by North Korean groups and other malware attributed to Chinese hackers. Analysts were eventually able to dig through the layers of deception and attribute the attack to Russian actors, but the attack seemed designed to highlight the problems attribution presents in cyberwar.

Looking to the Future

Russian actors are far from the only ones to use cyber operations as a form of warfare. Iranian actors have been linked to attacks on Saudi Arabia's Aramco, major US banks, a Las Vegas casino, and other targets. US actors have been implicated in a number of espionage operations and attacks, including the first true cyber weapon, Stuxnet, while North Korean hackers have been linked to the Sony breach and the worldwide devastation wrought by WannaCry. Similarly, Chinese actors have been linked to the Marriott breach, the breach of US government personnel records at OPM, and breaches at Equifax, Anthem, United Airlines, American Airlines, and Sabre.

These attacks will undoubtedly continue to escalate as the cyber arms race goes on. There is no purely technical fix for this class of attack: the internet was not designed to be secure, nor was it ever intended to carry as much of daily life as it now does, and security measures are often a band-aid over insecure protocols and poorly secured machines. Further, the increasing automation of critical infrastructure (in countries like the US often without the manual fallbacks that let Ukrainian operators restore power by hand in 2015) presents a tempting target for nation states. It is a matter of when, not if, critical infrastructure in western nations is taken down and they are forced to confront firsthand the dangers they have watched play out in countries like Ukraine.

Great security at a top financial institution or tech giant is fine, and might even prevent intrusion, but if your employees lose power at home, your remote workers have no internet, their electric cars do not run, and credit cards and ATMs stop working, does it actually matter? While such a scenario is unlikely, it is far from impossible: it has already occurred in Ukraine. What holds it back is not technical capability but political will to accept the consequences of such actions, and a country that feels it has little left to lose may not hold back from targeting critical infrastructure.

Adopting a new Geneva Convention, one which addresses cyber war, is crucial but unlikely to happen. No country wants to give up its own offensive capabilities (the US intelligence agencies in particular have been quite vocal about this in past negotiations), and governments do not seem to view the issue with enough urgency, possibly because the most damaging attacks have so far hit countries far from home. Unfortunately, the US lives in "the glassiest of glass houses" given its growing reliance on automated critical infrastructure and its inability to secure it. While the US power grid may be harder to take down than Ukraine's, it would likely be significantly easier to keep down for an extended period, with a population far less used to living without modern conveniences like credit cards, internet, and cell service.
