Viktor Zhora proudly showed off the new facilities at one of Ukraine’s cyber security agencies, where opposing teams stage mock battles to prepare for the real thing.
The training is paying off, said Zhora, deputy chair of the State Service of Special Communications and Information Protection, the country’s security and intelligence service. An attack last month that targeted government websites was quickly contained by his staff with the help of IT companies including Microsoft, he said.
“We need to align our activities with risk and threats that have been increasing in past years . . . We should always be ready for the worst,” Zhora said.
Ukraine said “all evidence” pointed to Russian responsibility, with officials and analysts saying this was just the tip of the iceberg.
The country has been under constant attack from Russian and Kremlin-backed hackers since Moscow’s 2014 annexation of Crimea. Cyber espionage, damage to databases and servers, disruption to power and communications and disinformation are all part of the playbook.
With Russia massing more than 100,000 troops on the Ukraine border and western powers accusing Moscow of planning a full-blown invasion, the Kyiv government and independent experts expect hostile cyber activity to increase in an effort to destabilise the country before or during any attack.
“We register more and more attacks on our system and we see some are successful, unfortunately,” said Zhora, a former private-sector cyber security executive. “Something more serious can be expected for us, but we don’t know when.”
Andrei Soldatov, a Russian security expert and senior fellow at the Center for European Policy Analysis, said Russian hackers were “getting ever more skilful”.
“They’ve had eight years of experience since 2014, and Ukraine is often where they try out things first,” he said.
Russian cyber attackers accessed Ukraine’s vote-counting system on the eve of general elections in 2014, destroying electronic records and leaving ballots to be counted by hand. The following year, a cyber attack caused blackouts lasting several hours in western Ukraine and part of Kyiv. The disruption, attributed to a group linked with Russian military intelligence, was the first known power outage caused by a cyber attack.
The NotPetya malware attack by the same group in 2017 infected 10 per cent of all Ukrainian computer systems before spreading across the globe. It was one of the most destructive cyber attacks in history, costing companies worldwide $10bn, according to a US estimate.
Last week, Microsoft said a group it called Actinium, which the Ukrainian government has linked to Russia’s security services, had targeted Ukrainian government and military offices with the “purpose of intelligence collection” since October 2021.
“There are bound to have been many, many more attacks over the years that we don’t know about and that have left malware embedded in systems ready to be activated,” said V S Subrahmanian, professor of computer science at Northwestern University in the US. “It’s a bit like a bomb being planted in your house — it’s benign until someone sets it off.”
Russia has fewer financial resources to invest in cyber capabilities than the US or China. But evidence suggests it boosts its capacity by using proxy groups such as Cozy Bear and Fancy Bear that it can deny knowledge of, said Subrahmanian. They carry out attacks without big consequences for the Russian state but are believed by western officials and cyber experts to act for Moscow, Subrahmanian said.
Ukraine, meanwhile, suffers from a deficit of public-sector cyber security expertise, weak regulation, limited response capability and a lack of co-ordination between various agencies, all of which Kyiv is trying to fix, say officials.
A particular vulnerability is the prevalence of older, unlicensed software, which gives hackers many holes through which to gain access. Zhora acknowledged the situation was “rather dangerous” but said the problem was no longer as bad as in the mid-2000s.
A priority for his agency was raising awareness among operators of critical infrastructure and connecting them to cyber information centres, so that attacks could be quickly analysed and countered, he said.
Subrahmanian said there were “always vulnerabilities in every system and attackers always have the advantage,” adding that the Ukrainian effort to patch the holes “doesn’t mean they’ve managed to find them all”.
The US has sent experts and funds to shore up Ukrainian cyber defences, but the administration sees it as a long-term effort. “Significant achievements don’t happen in weeks so we’re realistic,” Anne Neuberger, deputy US national security adviser for cyber, said on a recent visit to Europe.
It is unclear how far Russia would go in using cyber attacks against Ukraine’s military. Greg Austin, senior fellow at the International Institute for Strategic Studies, pointed out that Russia had never deployed a military-level cyber attack to disable an enemy’s command and control systems — as Israel did in 2007.
In Operation Orchard, the Israelis disabled Syria’s air defence systems and fed them false radar information, allowing Israeli fighter jets to bomb their Syrian targets and return to base undetected.
“An attack on a military system is very different from an attack on civilian infrastructure,” said Austin. He continued: “Past evidence supports the idea that Russia will not launch a wide-ranging cyber sabotage attack on Ukraine as part of any invasion . . . Fear of retaliation is likely one reason.”
Indeed, US president Joe Biden last month warned of consequences for Russia over its ongoing cyber attacks, saying that “if they continue to use cyber efforts, well, we can respond the same way.”