A top Ukrainian security official on defending the nation against cyber attacks

Editor’s Note: In November 2020, The Record published an interview between ​​Recorded Future expert threat intelligence analyst Dmitry Smilyanets and Serhii Demediuk, the Deputy Secretary of Ukraine’s National Security and Defense Council.

In the wake of an escalating crisis between Ukraine and Russia, Demediuk agreed to a follow-up interview in which he discussed issues including the recent defacement of Ukrainian websites, the security of the country’s critical infrastructure, and Russia’s motivations.

In addition to his role on the NSDC, Demediuk was tasked in 2015 with building out Ukraine’s CyberPolice force, which prosecutes cybercriminals and thwarts state-sponsored attacks. The interview with Smilyanets was conducted via email in Russian, and was translated to English with the help of several members of Recorded Future's Strategic and Persistent Threats team. It has been lightly edited for clarity. 

Dmitry Smilyanets: You’ve observed many cyber intrusions over the years, both by intelligence agencies and criminals. What has changed since we interviewed you back in November 2020? Who is the biggest threat today?

Serhii Demediuk: Nothing has changed significantly. In my opinion, only the approach towards preparing such attacks has changed. Earlier, the attack was carried out in a chaotic manner once access to a particular resource was gained. Now, there is a very meticulous, rather scrupulous, and purposeful preparation using intelligence activities, such as the recruitment and initiation of employees. Well, besides this, cyber attacks committed by criminals to achieve economic advantage are gradually surpassing the tools of the special services, which sometimes misleads many experts and annoys the special services themselves. But they are separated by a huge line — cybercriminals are aimed solely at obtaining [financial] benefits, and the special services are aimed at destructive actions. Therefore, the special services still pose the greatest threat, acting cynically and without humane prerequisites, while having huge financial and political (legal) support from the state, which in most cases is not inherent among criminals.

DS: In our last interview, you discussed the threat of attacks on critical infrastructure—do you think Ukraine is as vulnerable/more vulnerable to these attacks than they have been in the past?

SD: I believe that wherever modern electronic computing technologies are used, a high level of threat exists, regardless of the country and its economic well-being. If you do not pay due attention to cyber defense issues, then the vulnerability of such structures will be very high. At the same time, even those companies that invest heavily in cyber defense should be aware that the human factor can negate all expenditures and efforts in an instant. Therefore, the selection of trusted personnel who will ensure the functionality of defensive systems remains an important and urgent issue. A definite answer to which does not yet exist.

Ukraine's critical infrastructure is no exception. There are enterprises where their management understands and realistically assesses the possible threat and, in order to minimize it, systematically creates a good cyber defense. And there are those who underestimate the problem and in fact, only imitate such activities. Thank God there are fewer such leaders every year.

DS: What measures has Ukraine taken to secure critical infrastructure recently? What plans do you have in place to continue to secure it?

SD: At the end of last year, we managed to lobby for the adoption of the Law on Critical Infrastructure, which will allow the state to regulate the security situation of such facilities, including in cyberspace. Currently, regulations and mechanisms are being developed that will make it possible to properly organize the relationship between the state and the owners of critical infrastructure, which is mainly privately owned, to ensure their safety. These mechanisms will also include coercive measures if the owner does not independently provide proper recommendations on the government’s security.

DS: The defacing of Ukrainian government websites on Friday, if you take a step back, does it matter? Is it strategic — or just a “poke”?

SD: It is still difficult to accurately assess the level of damage caused by this attack, as measures are being taken to contain it. But we can already say with confidence that for us essentially it could not lead to serious consequences. However, the informational narratives that accompanied this attack indicate that this was a red herring to cover up for more destructive actions, which, in my opinion, we will feel in the near future. And, with high probability, this may be in the energy sector. Since the vulnerabilities used for the attack on January 14 are also present in some energy enterprises, however, they were not hit. At the same time, the active scanning and testing of the network infrastructure of energy enterprises that day were unprecedented. And there are also many other indicators that have been recorded as evidence of this threat.

I can also assume that a subsequent attack may occur simultaneously with the intensification of military aggression against Ukraine.

DS: Please share with us details of the investigation, who is responsible for the attack?

SD: Since the attack to which we have assigned the #BleedingBear code is being investigated as part of criminal proceedings by the Security Service of Ukraine, I cannot disclose the data. I can only offer a preliminary assessment based on the data that we received from the affected organizations and the companies that are providing cybersecurity services within a framework of cooperation, as well as based on my information received earlier.

The tactics, techniques, and procedures (TTPs) that were recorded during the attack and the analysis of the resulting logs indicate actions reminiscent of the so-called Ghostwriter operation, which we and some leading cybersecurity companies believe is supported by the group UNC1151 which is affiliated with the intelligence services of the Republic of Belarus. This is the very same group that is suspected by some researchers of cyber attacks on Polish government organizations that took place on the eve of the #BleedingBear attack.

An analysis of the content distributed in Polish, as well as in similar operations carried out in 2021, indicates that it was created exclusively using Google translate. The coordinates of a school in Poland remained in the metadata of the picture that was uploaded to the hacked resources. Such primitive methods are frequently used by UNC1151, and in our case, they also indicate that the attackers wanted to "play" on Polish-Ukrainian relations, which is also often used by UNC1151 when attacking the Polish side.

Also, the malware was used in this operation to encrypt the servers, very similar in its characteristics to malware designed to steal and destroy information on computers and servers, often used by criminals.

In addition to this, the staging of the attack was developed [in a manner] analogous to the NotPetya attacks carried out in 2017.

And the method of delivery of the malware used in this attack is more characteristic of such groups as Sandworm, APT28, or APT29. It is worth noting that Sandworm played a key role in the NotPetya attack in 2017. That is why today we pay more attention to this fact.

On the whole, the totality of these data indicates that this cyber attack could have been carried out by an unknown group or one of the aforementioned ones, that is trying to imitate the activities of the listed groups in order to mislead cybersecurity specialists. Otherwise, it is a demonstration of the synchronization of the cyber forces of the Russian Federation and the countries included in the so-called [Collective Security Treaty Organization] format. Similar [interoperability] has already been demonstrated by the presidents of the Russian Federation and Belarus in the events in Kazakhstan, for example in the use of military formations. I think in this case it might have happened as well.

DS: The concurrent timing of the REvil ransomware gang arrests and the cyber attack on Ukraine raises a lot of questions. Do you think it was a coincidence?

SD: Personally, I think that this event should be a matter of detailed study in relation to its possible use in the attack, some of the members of the REvil criminal group specialized in ransomware and [the group] is made up of citizens from former Soviet states, including Ukraine. I also draw this conclusion because the source code of the malware detected on some of the affected devices, designated by Microsoft under the name WhisperGate, has similarities at the code level with some malware that is used for ransomware attacks. But a feature of WhisperGate is that it was modified in such a way that fragments [of the code] responsible for encryption were removed from it, leaving only those blocks that enable the unconditional destruction of information without the possibility of recovery. This confirms the involvement of certain special services in this [activity] since destructive methods are predominantly in their wheelhouse. Thus, the attackers undoubtedly used the techniques known to us for ransomware attacks, but at the same time launched malware on the victim’s computer and executed it selectively in manual mode. And this indicates that high-class ransomware specialists were needed to carry out this kind of attack. Synchronized work [like this] needs [people who are] professionals in their field. And there are not so many ransomware specialists at this level who have served in the special services of those countries that we suspect. But there were plenty of them in the REvil group.

An indicative fact is the arrest, allegedly of the main founders of REvil, which took place on the same day when the attack on Ukrainian government websites was carried out. This calls for additional verification of these facts since we know for sure that in July 2021 the Russian special services carried out an operation to neutralize REvil group. However, there were no official reports of this at that time. But almost simultaneously with the operation, on July 13, the entire REvil infrastructure went offline without explanation, even for its customers.

This may be a coincidence, but it may also be a planned action.

DS: Russia says they arrested those hackers at the request of the US — what do you think Russia’s true motivations behind this are? Is real cooperation between the West and Russia in the cyber domain possible?

SD: This game of checkers has started to achieve some benefits. Except, in this game, the Russian Federation plays at their sole discretion. Russia is not able to extradite its citizens, but it can easily organize a show trial for the criminal prosecution of its citizens. And taking into account what is happening in Ukraine, as well as the United States, where despite the elimination of this group ransomware attacks continue which have tactics and techniques that exactly resemble the work of the REvil gang. It is already becoming an obvious fact that this is an imitation of cooperation.

I assume that the members of the REvil gang can continue their criminal activities under a different name, but, I think, not as independently as before.

DS: Presently, many countries, big and small, are trying to build their cyber defenses against intelligence agencies and cyber criminals. You’re obviously right there on the front lines — what would you advise national cyber advisors, heads of national CERTs, etc?

SD: First of all, do not try to build all cyber defense exclusively by state bodies. In this area, the state should regulate, as a rule, the relationship of all entities involved in cyber defense, as well as organize fair conditions for the criminal prosecution of those who have been identified as engaged in illicit activity.

Aside from that, it is necessary to envision the construction of a national system for the exchange of information regarding cyber incidents and malware samples, as well as an online notification system for critical threats between all interested parties, regardless of their property rights or status. An openness to cooperation with international companies and establishing direct contacts with the law enforcement agencies of other governments is also an important element of cyber defense.

Only by adhering to such basic rules can a reliable level of cybersecurity be achieved.

DS: To get a little more technical, what share of attacks start with account take over (ATO) and credentials compromised by stealer malware, such as RedLine?

SD: Over the past year, attacks aimed at compromising accounts — brute force, password spraying, the use of stealers, etc. — occupied fourth place in terms of prevalence and accounted for 5-10% of all recorded incidents. At the same time, since October 2021, we have noticed a sharp surge in activity related to the distribution of malware designed to steal credentials (stealers). Several campaigns were recorded in which hundreds of thousands of malicious emails were disseminated, and as a result, more than 25,000 user accounts in various online services were compromised.

The attack was mainly aimed at Ukraine — among its targets were both government agencies and critical infrastructure facilities, private sector enterprises, and individual citizens. Several EU countries were also impacted, at which point we immediately notified our foreign partners.

For victims, we have established an emergency notification system for state bodies and critical infrastructure facilities; all of them were alerted and given appropriate recommendations. But it should be noted that our recommendations are not always correctly followed by the victims, which leads to them and their users repeatedly falling into the crosshairs of stealers, and sometimes they simply do not listen to our recommendations at all.

DS: As far as I can see, Russian and Ukrainian cybercriminals can coexist and work together. Even if debates get heated, mutual respect can help them to achieve common goals. Is it possible to restore relationships between Ukraine and Russia?

SD: Relations will be restored one way or another, but this will happen after the government and the president of the Russian Federation stop building the empire they have made up for themselves and give up military provocations and occupations of sovereign states.

DS: Do you have any comments on the current geopolitical situation and climate?

SD: I am not a supporter of predicting and commenting on geopolitics as such. Because it seems different for each state depending on its military, financial, and oil/gas capabilities. It also depends specifically on the structure of the state governance and individually on other heads of state. Therefore, I will refrain from making any comments on this issue.