October was cybersecurity month in the EU countries. Experts there focused on global cyber threats, in particular the actions of Russia, which, along with its full-scale invasion of Ukraine, has in fact unleashed the world's first cyber war. The Russians began to attack Ukraine more intensively not only on the battlefield, but also in the cyberspace of our country and the entire world, though without much success. Ukraine has withstood, built up its resilience and successfully countered cyber threats. So far, hackers have not been able to cause critical damage to our economy and defense capabilities, and Ukrainians continue to receive high-quality digital services.
Recently, a delegation of European cybersecurity experts visited Ukraine, so Ukrinform was able to talk to Merle Maigre, a senior cybersecurity expert at the e-Governance Academy (eGA – a joint initiative of the Estonian Government, the Open Society Institute, and the United Nations Development Programme). She told us what Russian hackers most often use, how Russia's cyber war against Ukraine has affected global cybersecurity, and how the EU helps our country to counter cyber threats more effectively.
-- Russia has been waging an active war against Ukraine not only on the battlefield but also in cyberspace. What are the most common targets for hackers, and who are their victims?
-- State institutions and organizations cooperating with the Army and those working with the critical infrastructure would be the most common targets. The purpose of russian cyberattacks might have been vague in the very beginning of the full-scale war since there’s always classified information and "fog of war", and the comprehensive picture can hardly be clear because of that. This is also not the first thing you pay attention to with bombs, rockets and shells flying around.
Yet in retrospect, one can easily notice that russians have been long attacking Ukraine and trying to weaken it. The first attempts were recorded during the Presidential elections in 2014. Then there were cyberattacks targeting electric power stations in December 2015 and during the winter of 2016. Cyber attacks continued in January-February 2022. Of course, since the beginning of the “hot phase” on February 24, bombs and rockets have become a russian priority as a more powerful tool used to destroy any Ukrainian infrastructure than cyberattacks.
The major reason is that preparation of clever cyberattacks is very expensive. One needs to invest significant funds and search for talents who would be capable of performing those. Yet, results of such endeavours (resources and energy used) are difficult to forecast as any cyberattack can implement a different type of impact on a site under attack – be it greater or lower than initially expected. There is also no guarantee how an attacked site would be disabled (destroyed). For example, the NotPetya virus had a greater impact than the hackers expected when they initially released it.
Though, of course, there are cases when russians combine their cyberattacks with rocket strikes. For example, on March 1, 2022 russia performed an attack against the Broadcasting, Radiocommunications & Television Concern in Kyiv while combining it with a cyberattack against this agency. Therefore, there are cases when russian hits are performed at the same time with cyberattacks.
-- Which cyberattacking strategy is currently used by russians?
-- Russia has been performing its cyberattacks in cycles repeated with different intensity. A more intense attack followed by a less intense one. Attacks come in different cycles and at multiple levels at the same time. Ukraine has been withstanding those, and quite efficiently, I admit, but you need continuous resilience and adaptations to ever-changing cyberattack tactics.
Ukraine has been continuously monitoring intensity peaks and lows. Russians have been particularly intense with their cyberattacks at the beginning of the full-scale war. Currently attacks seem to be shifted to data (information) thefts and cyber espionage.
In fact, Ukraine has the most significant component to deflect cyberattacks successfully. This is political will and understanding of the importance to prevent threats as such. This I know for sure, as I’ve been working in Ukraine since 2005, and in its cybersecurity area – since 2018.
-- How powerful is the infrastructure used by russia for its cyberattacks?
-- We know that russia has invested a lot of resources into development and improvement of its cyber weapons. This information is widely known since they’ve been doing it for quite some time. The thing is that it’s too dangerous to tell that there is no cyberwar in Ukraine at all. This might result in overinflated optimism and weaken both Ukraine and its allies. That’s why we need to detect these attacks, draw attention to them, discover their sources and respond adequately.
Ukraine has been using support and aid provided by its allies to do it. Yet we need to stay focused so as not to lose this component of the great war from sight.
-- How closely does the Ukrainian cybersecurity system conform to the current NATO system?
-- As an organization, NATO has been continuously improving and developing its approaches towards cybersecurity. At the same time, each NATO member state has been building its national capacity in this field. What does NATO do about this: the first course of action for NATO would be to deny covertness by attribution. NATO should persuade its opponents that they cannot be clandestine in their cyber actions. Secondly, NATO has been accelerating the setting up of its Cyber Command and sharpening the Alliance's responses to malicious cyber actions. Thirdly, NATO increases its cyber capacity building efforts for partner countries of strategic importance including Ukraine. This kind of cyber capacity building could include various types of support, ranging from strategic advice and cyber institution-building in defence sectors, to education and training, or advice and assistance in cyber defence.
-- How can Ukraine improve its cyberprotection?
-- In order to ensure security against russians, you need to follow the basic cyber hygiene rules and be ready for any cyberattack attempt. In fact, it’s not that difficult. You need to maintain your cyberprotection systems operable, update them on a regular basis, enhance data access control and apply multilevel verification systems for user authentication. It’s also worth designing and following cyberattack response plans, never ignoring data backup and recovery systems, as well as monitoring information on new threats and risks. It’s useful for all, you know. I mean the Army, civic institutions and organizations.
AID FOR UKRAINE
-- Does the European Union account for the Ukrainian cyberwar experience in designing its own protection and defence strategies?
-- I strongly believe that the Ukrainian experience is of much use and importance not only for the EU but all likeminded states. It can be split into three components. Firstly, this is information on countering russian attacks in cyberspace that needs to be shared with partners. Previously, we thought we had no need to exchange these data, but the war in Ukraine proved otherwise. This is of great importance and enables boosting cyberthreat countermeasures significantly.
Secondly, this would be public-private partnership. This had been a mere slogan before the war, and now it’s introduced in real life. Microsoft, Google, Mandiant, Symantec and other private companies have been closely cooperating with the Ukrainian Government in terms of cybersecurity. This is a good case of efficient cooperation with the private sector during a cyberwar. That’s why this experience must be used in EU, NATO and other likeminded Allies.
Thirdly, this would be the Ukrainian title of cybertechnology compatibility champion. What do I mean, you might wonder? Ukraine has been lately receiving various types of aid, which also includes cybersecurity equipment. Those are different types of both military and civil technologies used to counter cyberthreats. For instance, those are Harris and Motorola radios, etc. All of them are different – some of them are advanced, and others – not so much. The question is how to use them all efficiently together. Ukrainian servicemen and servicewomen have no other choice – they just do what they have to. I think that such compatibility experience for different equipment systems in practice during a war or conflict is a very important field for further research.
-- How does EU currently help Ukraine to deflect cyberattacks?
-- In 2021, the European Union for the first time approved the European Peace Facility assistance for Ukraine with the budget of 36 million Euros, including 3 million Euros for cyber defence. This is a tool to boost EU capacity to prevent conflicts, develop peace and strengthen international security. European Peace Facility is used to provide aid for defence sectors of several EU partner states, including Ukraine, Moldova, Georgia and the Western Balkans. eGA implements the cybersecurity segment of this initiative and assists the Armed Forces of Ukraine.
-- What kind of aid do you mean?
-- eGA is responsible for cybersecurity and everything related to this specific area. We’ve been currently working under two main directions. The first direction is to train cybersecurity experts in AFU units. Hence, together with an Estonian company we recently built a cyber range in Ukraine to train Ukrainian military experts. It assists with training based on cyberattack practical simulation/modelling as well as related protection/counter measures. A cyber range as such enables Ukrainian servicemen and servicewomen to train and develop their skills.
Also, we launched a cyber class activity in October. We procured, installed and configured respective equipment for the Armed Forces of Ukraine to have an opportunity to learn and train their skills.
The second direction would be to provide material support. We provide AFU with both software and hardware cybersecurity tools. Those would allow boosting the Ukrainian cybersecurity capacity significantly while supporting overall cooperation in the field of security and defence.
-- What’s the global goal of e-Governance Academy?
-- The cybersecurity programme has been active in e-Governance Academy since as early as 2016. You know, we’ve been representing a strong Estonian philosophy of digital public services based on the concept that such electronic services must be trusted by people from the very start.
A responsible government would never develop any digital services unless it is confident that it is capable of guaranteeing their security and protection. This is the value of the vision we promote while working with all our partner states and governments all over the world.
We are working globally with recent projects in Ukraine, Moldova, Georgia, all Western Balkan countries and Kyrgyzstan while providing support on development of cybersecurity infrastructure. This support comes in many fields – from legal to institutional development of related structures, their equipment, training and education for cybersecurity experts.
GLOBAL EXPERTISE
-- How has the russian cyberwar against Ukraine influenced the global cyberspace, and which global cybercriminals support the aggressor country?
-- The war in Ukraine primarily influenced cybercriminals in Eastern Europe. Due to their geographical affinity, they divided into a number of loyalty groups which support Ukraine or not. This situation resulted in some of them disappearing completely, others emerging or dissolving. Some groups have been facing internal debates and discussions. Some cybercrime groups have been closely cooperating with russian special services.
It’s currently difficult to define who or which group stands behind a specific cyberattack. I believe that the Computer Emergency Response Team of Ukraine (CERT-UA) has been performing fantastically and efficiently handling the analysis of specific russian cyberattacks.
I mean they publish information identifying vectors of russian cyberattacks and russian groups committing those cybercrimes as well as their affiliation with russian intelligence or other special services. However, it’s worth mentioning that the whole architecture of russian cyberattacks has been continuously evolving, which requires continuous tracking and timely data updates.
-- Do Belarus cybercriminals support russia?
-- That I can’t confirm. Please address the Ukrainian CERT-UA for more information about this.
-- What other states are attacked by russia except Ukraine?
-- Speaking of other states, this list is rather long. Yet, what’s more important is when information on attacks as such is disclosed, and when such attacks are publicly assigned to a specific group. This is a significant aspect since we need political will of local political parties. For example, Estonia has implemented a joint investigation with UK regarding a wide-scale cyberattack against Georgia committed in October 2019 and attributed it to russia.
UK and US have been the current leaders in detection and identification of cybercriminal groups as well as putting public blame on russia for supporting those.
-- What do we need to strengthen the global cybersecurity?
-- The most important would be to invest into cybersecurity. There’s no other option. I would compare this situation with a garden requiring care (i.e. investment into cybersecurity) in order to bear fruit. A garden provides you with the best fruit if watered and cared for properly. That’s how we need to consider cybersecurity, with its best fruit to be better digital services and their higher reliability.
Valentyn Marchuk, specially for Ukrinform
Photo: Nora Lorek/NPR, Tairo Lutter, Yana Polupanova
For reference: The e-Governance Academy (eGA) has been operating in Ukraine since 2012, starting with local self-government bodies, and since 2014 it has been supporting the Ukrainian government. eGA has implemented 12 e-governance projects in Ukraine, with the flagship EU-funded EU4DigitalUA and DT4UA projects. EU4DigitalUA is aimed at developing digital government infrastructure, e-services development and cybersecurity.