Six Cybersecurity Insights From Ukraine

As our readers are likely aware, Ukraine and Russia have been in an active conflict over a disputed border since at least 2014, and this has recently escalated into a full-scale military invasion of Ukraine in which Russian leaders have stated that their objective is to replace the Ukrainian government and prevent any notions of a western alliance from materializing.  The situation in Ukraine is complex and deadly, and the intermingling of technology with warfare has piqued the interest of our colleagues.

It has been fascinating to read the insights of financial, business, and military analysts.  From a technical perspective, some have asked what we are learning as we watch this situation unfold.  Here are six things we have noticed, as humble technologists watching from afar:

1. The Rise of Wiperware As A Cyberweapon

“Wiperware” seems to be on the tip of everyone’s tongue this week.  In the past, nation states and cyberterrorists have captured attention by controlling cyberinfrastructure, holding it for ransom, or using it as a vector for some nefarious purpose.  Wiperware is simpler.  It instead seeks to corrupt storage assets to the point where the threatened system becomes inoperable.  It’s pure destruction.  To maximize damage, Russian wiperware targets the master boot record of storage devices using reputable signed drivers and libraries borrowed from popular disk utilities.  If successful, the target becomes disabled.  Coinciding with the invasion, Ukrainian and western cybersecurity experts have detected an uptick in this type of attack.  More on this later.
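A defender-side integrity check for the kind of damage described above, added here as an example and not code from the original post: it parses a 512-byte master boot record, verifies the 0x55AA boot signature and partition table, and compares a SHA-256 digest against a known-good baseline taken before an incident. The sample sector is constructed for the example, not read from any real disk.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446  # four 16-byte entries follow the boot code


def parse_partitions(sector: bytes) -> list:
    """Return the four MBR partition entries as dicts (type 0 means unused)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def mbr_digest(sector: bytes) -> str:
    """SHA-256 of the raw sector; record this on a healthy host as the baseline."""
    return hashlib.sha256(sector).hexdigest()


def check_mbr(sector: bytes, baseline_sha256: str = "") -> list:
    """Return a list of findings; an empty list means the MBR looks intact."""
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if not any(p["type"] != 0 for p in parse_partitions(sector)):
        findings.append("partition table empty")
    if all(b == 0 for b in sector[:PARTITION_TABLE_OFFSET]):
        findings.append("boot code zeroed")
    if baseline_sha256 and mbr_digest(sector) != baseline_sha256:
        findings.append("MBR hash differs from baseline")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: a 446-byte boot stub, one NTFS partition, signature."""
    boot_code = b"\xfa\x33\xc0" + b"\x90" * 443  # placeholder stub, not real boot code
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    return boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE


if __name__ == "__main__":
    healthy = build_sample_mbr()
    baseline = mbr_digest(healthy)
    print("healthy:", check_mbr(healthy, baseline))      # []
    print("wiped:  ", check_mbr(b"\x00" * 512, baseline))  # four findings
```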

2. Satellites Would Benefit From Some Hardening

Futurists have speculated that wars will someday be fought in space.  To that end, Air Force Space Command has taken a backseat to the new “Space Force” that Congress approved in 2019. Logistics, infrastructure and information can win or lose wars, and as power outages and cellular disruptions cast a shadow on Ukraine, many are looking to the sky to see if the world’s satellite communications network will be an effective substitute.

Ukraine is served by a satellite internet service called KA-SAT by Viasat.  Concurrently with the invasion, KA-SAT has come under cyberattack.  Threat actors, widely speculated to be affiliated with the Russian Government, have injected firmware updates into the satellite infrastructure and have interrupted communications not only in Ukraine, but throughout Europe.  Notably, a utility company in Germany has lost control of 3,000 wind turbines which were being managed with Viasat’s data network.

Elon Musk’s Starlink internet service became available seemingly overnight in Ukraine, and as trucks full of transceivers arrived in Kyiv, Starlink came under attack as well, with the CEO tweeting “Our latest software update bypasses the jamming. Am curious to see what’s next!  In a way, this is free QA haha.”

3. Everyone Wants To Flip The Lightswitch

In 2015, Russian operatives conducted an exercise in which they deployed spearphishing and social engineering to fool Ukrainian operators into executing BlackEnergy malware. This vector allowed Russian hackers to seize control systems for substations in the Ukrainian power grid. In addition to disabling these substations, they flashed modems and backup batteries with poisoned firmware that rendered these systems inoperable. Simultaneously they executed KillDisk malware on workstations and servers while implementing denial of service attacks on call centers related to the Ukrainian power utility Ukrenergo. This unprovoked attack left a quarter million people in the dark on a cold night with no way to know when or if power would be restored. It was only a test.

Notably, on February 24, Ukraine, in coordination with its neighbor Moldova, disconnected from the Russian power grid and has been powering itself solo ever since. A few hours later, Russia commenced the “special military operation” that everyone who isn’t Russian less euphemistically refers to as “war.” It’s possible that energy independence was interpreted by Moscow as an escalation in the conflict. The newly independent Ukrainian grid is performing impressively, humming along at 50Hz despite Russian military disruptions of up to 47% of their nuclear and coal fired power infrastructure.

4. Encryption Is Extremely Important

Incredibly, Russian soldiers relied on an encrypted communications system called ERA, which stopped working immediately after the invasion. Why? Part of it was Russian troops destroying the very cell towers they were attempting to roam on, and part of it was quick action from Ukrainian operators who noticed a lot of Russian SIM cards on their network. Russian troops initially tried to purchase and steal prepaid Ukrainian SIM cards from drug stores, and in response the Ukrainian operators disabled encrypted communications for those devices. Other Russian units fell back on VHF radios, which allowed ham amateur radio operators to monitor their communications and post them to the internet.

Drawing inspiration from “Tokyo Rose” in World War II, Ukrainian and other amateur radio operators have also been broadcasting the sounds of squealing pigs and loud/painful 1kHz tones during Russian coordinated military operations on their unencrypted frequencies, and have interrupted attempts between Russian units attempting to communicate about the exchange of fuel and food.

5. Proactive Cybersecurity Has Saved Lives

When the exodus of Ukrainian women and children from the war zone began, one million people jammed Ukraine’s rail network. Russian state-backed threat actors attempted to deploy wiperware and DDoS attacks against the rail system to disrupt the evacuation. Fortunately, a team of American and European cybersecurity experts anticipated this and spent several weeks fortifying these data networks to repel the attack. Wiperware was found and removed from the rail network’s computers in the days leading up to the invasion, before it was activated. A $60 million investment and cooperation with US government and cybersecurity firms prevented a humanitarian disaster from becoming even worse.

Power and communications networks in Ukraine have come under attack and have remained resilient. While it’s too early to declare victory, it seems like weeks of planning and investing by western forces have improved Ukraine’s chances in this war, which has already lasted much longer than most analysts anticipated.

6. Leveraging Technology To Move Information Has Changed Warfare Forever

Ordinary Ukrainians have been observed in the press making Molotov cocktails in what look like neighborhood block parties. Twitter and other social networks have become platforms for instructing the citizenry in their objectives, which include disrupting fuel delivery to Russian tank and artillery units. The lesson here? People who can communicate are more powerful per capita than people who can’t. It’s fascinating to see how information technology has rapidly become as effective a force multiplier in warfare as it has in business.
