From the front lines of ‘the first real cyberwar’

Editor’s note: Natalia Tkachuk is no stranger to cyberattacks.

As the head of the Information Security and Cybersecurity Service — part of the National Security and Defense Council of Ukraine — she helps coordinate and manage the government’s response to cyberthreats, which now mostly consist of a bombardment of attacks from Russian military hackers and other groups.

“We are now witnessing the first real cyberwar,” Tkachuk said in an interview last week.

Tkachuk has been keeping her eye on usual suspects — groups like Fancy Bear, Cozy Bear, Gamaredon, and Turla just to name a few — but has also seen attacks from unexpected places. “It should be noted that not only russia and Belarus are trying to carry out cyberattacks on the Ukrainian infrastructure, we also see an increase in the activity from other unfriendly countries,” she said. “They are trying to take advantage of cyberwarfare and are carrying out cyber-espionage operations against Ukraine”

The interview was conducted in Ukrainian by Heorhii Hryshyn, a senior analyst with Recorded Future’s Gemini team, and was translated to English with the help of several analysts. Tkachuk requested that “Russia” and its forms be intentionally left uncapitalized in her responses. The interview has been lightly edited for space and clarity.

The Record: Have you seen an increase in petty cybercrime targeting Ukrainian citizens? Or an increase in cyberattacks targeting Ukraine's critical infrastructure?

Natalia Tkachuk: So far, we cannot assert an increase in petty cybercrime against Ukrainian citizens. Yes, there are indeed recorded cases of fraudulent activities in cyberspace related to internet users, such as soliciting funds for prepayments on housing rentals (there is an urgent need for housing for Ukrainian citizens who were forced to leave their homes due to hostilities), as well as the use of social engineering to exploit fundraising for military needs. However, this is more in the realm of internet scams, which has replaced petty cybercrime like stealing payment card details for financial gain.

We are now witnessing the first real cyberwar. Therefore, many cyber attacks on government institutions and critical infrastructure are coordinated and planned by the russians in order to cause maximum damage to Ukraine. Most of the attacks are now aimed at government agencies, energy, telecommunications and banking sectors. In most cases, the main purpose of the attacks is to destroy information using various data wiper malware. We can’t say that there is necessarily an increase in the number of the attacks, rather we can note the increased coordination of efforts in the preparation of attacks on a particular sector. Such targeted and dangerous attacks come in waves, amid the static noise caused by a large number of overall cyber incidents and small attacks that russian intelligence agencies use to cover active cyber operations.

It should be noted that not only are russia and Belarus trying to carry out cyberattacks on the Ukrainian infrastructure, but we also see an increase in the activity from other unfriendly countries. They are trying to take advantage of cyberwarfare and are carrying out cyber-espionage operations against Ukraine, including using zero-day vulnerabilities.

Thanks to our joint efforts, coordinated work and professionalism of key cybersecurity institutions, and support from the private sector and international partners, most attacks are discovered and blocked in the early stages.

TR: Can you identify some of the most active groups that are responsible for the attacks? Could you characterize their methods? What types of attacks predominate?

NT: Almost all resources of russia and its satellite states that are not engaged in the protection of their own systems are now involved in cyberattacks against Ukrainian infrastructure. We see the presence of all russian groups, including Gamaredon, APT28, APT29, Turla, UNC1152, and others, that are trying to attack public and private sectors. 

The main TTPs as a whole are inline with the activities of these groups, although we observed the evolution and creation of new tools and tactics. Among the main tasks, as part of their framework of cyber operations, are data destruction and damage to the functioning of the information systems, support of special information operations, and spying activity. Given the significant losses and adverse developments for russia in the physical theaters of war, russians are increasingly trying to use cyberspace to damage critical infrastructure by destroying and damaging information systems.

Among the main identified techniques are the use of spear-phishing, social engineering, brute force attacks, the exploitation of known vulnerabilities, as well as attempts to use "0-day" and "1-day” vulnerabilities. Recently we have seen an increase in the number of supply chain attacks.

We have also seen an increase in cyber-espionage operations aimed at penetrating the information systems of government agencies that are involved in preparation and adaptation of important defense, political, economic, and other decisions. Although they try to hide behind cyberwarfare, the tactics and tools used for these operations cannot be attributed to APT groups of russia and Belarus. Such attacks are thoroughly documented and after the investigations and final attribution, we will certainly disclose our findings publicly.

The main thing to expect is the increasing use of criminal hacker groups by russian intelligence services to carry out intelligence and subversive activities against Western countries and targeted cyber operations. The new vector of such attacks will be industrial espionage. After all, as a result of the effective actions of sanctions, russia has lost access to a significant number of leading technologies, which it cannot replace with their own, so they will try to steal them."

— Natalia Tkachuk, head of the Information Security and Cybersecurity Service

TR: How do you assess the interaction between the public and private sectors during the war, and are there any programs to reward hackers for their activities related to countering Russia?

NT: During the war between Ukraine and the russian federation, the cooperation of the public and private sector became much more effective. Much of the communication takes place in real time and at a very high level. The National Cybersecurity Coordination Center at the National Security and Defense Council of Ukraine (NCSCC) and other cybersecurity institutions of Ukraine cooperate with teams of highly qualified specialists in the sphere of cybersecurity, based on their expertise. The war has united all of us to achieve a common goal: victory over russia.

And we are very grateful to our cyber volunteers from around the world, who are fighting in this war and defending Ukraine!

TR: President Zelenskiy offered a pardon to prisoners that have military experience and are willing to fight in the war. Will a similar pardon be offered to those hackers that engage in war efforts against the invaders?

NT: At present, such proposals have not been considered.

TR: Considering that many tech companies are leaving or have left Russia and the ongoing global endeavors to exclude Russia from future global markets, do you foresee that these companies will look to Ukraine to fill that IT gap?

NT: Ukraine has been and continues to be a leading player in the IT market. Unfortunately, due to war and the corresponding increase in risks for customers, our IT industry is losing substantial capital that could have strengthened our economy during this time of war. 

The Ukrainian government is taking significant steps to support the local IT businesses, including simplifying the tax codes, assisting in the creation of regional and national IT hubs, and other measures. There are discussions on how to compensate for the risks to global players that could be working in Ukraine. 

I want to take this opportunity to urge Western companies not to leave the Ukrainian IT and cybersecurity market, which is currently proving its potential and demonstrating the presence of talented specialists and managers, even during the times of war. We hope that the world’s leading companies are seeing this as an opportunity for themselves. 

It is obvious that having legal job opportunities will reduce the number of those who will choose the dark path in cybersecurity.

TR: Some of the hacker infrastructure has been located in the temporarily occupied territories of the Donetsk and Luhansk oblasts. If other areas of Ukraine (such as Kharkiv and Mariupol) are occupied, do you foresee those areas also being used for cybercriminal infrastructure? 

NT: Since the beginning of preparations for the military aggression, russia has been actively using the temporarily occupied areas of the Donetsk and Luhansk regions and Crimea as a “gray zone” to place its infrastructure for attacks on Ukraine and Western countries. We have repeatedly raised this issue many times, but organizations responsible for Internet regulation have turned a blind eye to it.

During the course of russia’s military aggression against Ukraine, barbaric and terroristic approaches are being applied by russia, which is reflected in the complete destruction of the infrastructure of cities, especially in Bucha, Kharkiv and Mariupol. However, we have already seen attempts to use captured telecommunication infrastructure to conduct attacks, including attacks using the Signaling System 7 (SS7).

TR: As the economies of Russia and Belarus suffer from the effects of the war and sanctions, will there be a rise in the number of cyber criminals from Russia and Belarus?

NT: Yes, we predict the growth of cybercrime in the russian federation, and see two main factors that will affect this. Firstly, as a result of sanctions on russia, there is basically no IT sector left: all conscientious international IT companies have condemned russian atrocities and the war that was unleashed on Ukraine, closing their offices and stopping production in russia. This means there is no legal work for russian IT specialists inside the country. Many of them are going abroad en masse, not only due to lack of jobs, but because they are able to use IT technologies (editor’s note: virtual private networks, or VPNs) to bypass the Kremlin’s Internet censorship, gaining access to the truthful information about the crimes of their own government and armed forces. They do not want to live in such a country and pay taxes that go towards killing civilians in Ukraine. But among those IT specialists that remain, there will usually be those who will switch to the “dark side”, i.e. cybercrime.

Secondly, Moscow’s blatant disregard for the norms of international law in all spheres—including the fight against cybercrime and specifically, the Convention on Cybercrime—will certainly create favorable conditions for the domestic growth of cybercrime.

TR: In Russia, do you expect an increase in cybercrime targeting Western countries? What type of cybercrime should we keep an eye on? 

NT: Certainly. The main thing to expect is the increasing use of criminal hacker groups by russian intelligence services to carry out intelligence and subversive activities against Western countries and targeted cyber operations. The new vector of such attacks will be industrial espionage. After all, as a result of the effective actions of sanctions, russia has lost access to a significant number of leading technologies, which it cannot replace with their own, so they will try to steal them.

TR: As Western sanctions take deeper root in the dwindling Russian economy, will this lead to state-sponsored cybercrime in order to help subsidize the economy?

NT: We are already starting to see that russia is developing and legalizing "cyber piracy" at the state level. In effect, law enforcement agencies are giving criminal hacker groups “indulgences” to steal funds from banks of other countries, primarily EU and NATO countries. Of course, this mechanism of theft can be used to replenish the hole in the economy of the aggressor country.

TR: There have been several different theories for why Russia chose to arrest members of the REvil ransomware group and seize several dark web marketplaces in January and February 2022. Are there any theories that you believe are more likely to be true than the others?

NT: It is obvious that in Putin’s totalitarian russia, where everyone, including organized crime, is controlled by the intelligence agencies, independent (uncontrollable) hackers and marketplaces wouldn’t be able to hide for a long time without cooperation with them. Therefore, it can be said with a high probability that this is part of a special operation aimed either at hiding criminals from American and European law enforcement, or at directing them to “work for the government.” It is possible that some representatives of these detained groups are already involved in the planning and execution of cyber attacks on Ukrainian infrastructure.