How Ukraine's Cyber Police fights fraud, scams, and attacks on critical infrastructure
Editor’s note: Ukraine’s Cyber Police had a busy year in 2022.
The law enforcement agency typically focuses its efforts on online fraud, scams, and other forms of financially motivated cybercrime. But when Russia invaded Ukraine in February, the Cyber Police started seeing a surge in new types of attacks.
Yurii Vykhodets, who leads the department, said that he now spends much of his time trying to investigate and prevent cyberattacks targeting government institutions and critical infrastructure. Stopping Russian disinformation operations is also a priority. Last month, for example, the Cyber Police seized more than 100,000 SIM cards used to register bot accounts that spread pro-Russia narratives on various social media sites.
“The enemy constantly seeks to destabilize the situation in our country, including through massive attacks against information targets, banking institutions, and other social institutions,” Vykhodets said.
The conversation below was conducted in Ukrainian by Heorhii Hryshyn, an analyst team lead with Recorded Future’s Insikt Group, and was translated to English with the help of several analysts. The interview has been lightly edited for space and clarity.
The Record: What is the number one challenge you face right now?
Yurii Vykhodets: As with all Ukrainian police, the number one challenge that the Cyber Police Department faces is ensuring that the law is followed, even in a time of martial law. As part of our mandate, the Cyber Police reacts to any criminal activity directed against the citizens of Ukraine from across the internet.
In keeping with the legal framework of martial law, the Cyber Police — and in particular our analytical and IT divisions — has changed the focus and priorities of its work. We primarily focus on countering distributed denial-of-service [DDoS] attacks and attacks against media organizations, analyzing the enemy’s information space, collecting information regarding cyber incidents, developing projects to support the army and volunteers, and safeguarding information resources. We also focus on international cooperation, and securing our operational work at an appropriate level across key areas including the banking sector, online fraud, cybercrime, and crimes relating to illegal content.
TR: What types of cybercrime are most prevalent in Ukraine right now?
YV: Without a doubt, two types of cybercrime have prevailed since the full-scale invasion began: cyberattacks directed against government institutions and the country's critical information infrastructure, and online fraud. On top of that, the enemy constantly seeks to destabilize the situation in our country, including through massive attacks against information targets, banking institutions, and other social institutions.
At this time, all the elements of government cybersecurity are working in constant, coordinated collaboration. All facts of illegal activity are properly identified, assessed and documented, and work is also done to establish who’s involved in this illegal activity.
TR: Has the war led to any notable changes in criminal cyber activity? Specifically, do you expect repeats of sophisticated attacks such as WannaCry or NotPetya in relation to the war?
YV: War always brings its own changes, so Cyber Police personnel are constantly analyzing the newest cyberattack vectors and devising countermeasures. We want to be ready for the enemy’s repeat attempts to conduct complex, multi-vector attacks that could have serious consequences.
But Ukraine's infrastructure is not what it was last year, and certainly not what it was 10 years ago. The cyber community trains and improves almost every day, so the chance of repeat attacks like those you mentioned is minimal. Today our most difficult task is securing information resources and networks for our energy infrastructure.
TR: Many volunteer hacking organizations have popped up over the last year in support of Ukraine. Are there any initiatives like this that you support?
YV: Together with volunteers, the Cyber Police developed a project called “Мрiя” [“Dream” in English] that helps counter enemy propaganda across the internet.
For this, we use the public Telegram bot “StopRussia | MRIYA.” Citizens send the bot enemy resources they've found for further investigation. After that, the content is assessed, and if the resource actually contains misinformation or pro-Kremlin propaganda, the “StopRussiaChannel | MRIYA” Telegram channel is used to block it. Instructions on how to do this are in that channel.
More than 750,000 users have joined the channel since it was created, and they’ve submitted over 3.95 million complaints against various information resources used by the invaders. As of today, more than 20,800 hostile resources reaching more than 271.9 million people have been blocked.
Anyone who’s willing to help can join the struggle against the enemy in cyberspace.
At the same time, we’re working on another service: the Telegram bot “Народний месник” (English translation: "National Avenger"), @ukraine_avanger_bot. This is a convenient way for citizens to inform law enforcement personnel about signals and indicators they’ve discovered that might be used for enemy coordination, unexploded ordnance, the location of enemy equipment, looting and banditry, or any other information that relates to military activity. Specialists in the National Police of Ukraine, the Security Service of Ukraine (SBU), and the General Staff of the Ukrainian Armed Forces all have access to this analysis.
TR: In November your department published four stories about scammers motivated by greed rather than ideology or the war. Are most of your efforts directed at stopping ordinary cybercriminals?
YV: Countering fraud on the internet is still one of the main vectors of the Cyber Police’s work since, unfortunately, people who are looking to illegally "cash in" or get rich at others' expense haven’t gone anywhere. Scammers adapt their schemes according to the country’s situation, so the Cyber Police respond by documenting crimes and bringing perpetrators to justice.
Right now, charity scams are the most widespread schemes. Scammers collect donations by pretending they'll be used to help war victims or by pretending to be volunteer organizations and charity foundations. They rent out non-existent housing, book fake transportation from regions where hostilities are ongoing, sell non-existent goods, including military munitions, and use phishing schemes to obtain citizens' banking information.
One of the cruelest cases of fraud that the Cyber Police has uncovered since the full-scale war began was the fake evacuation of residents in Mariupol. The suspect promised to get two citizens out of the occupied city to Ukrainian-controlled territory. However, the man didn’t organize any transportation. After waiting for help that didn't come, the two Mariupol residents died. That case is already in court. The scammer could face up to eight years in prison.
In March, we uncovered another example of heartless enrichment at war victims’ expense. A resident from the Kyiv area moved to Uzhhorod, and from there they started to build their “business” with three friends. The scammers posted advertisements for rental residences, accepted deposits, and disappeared. However, instead of apartments, the perpetrators sent people... to a cemetery. Three families with four young children moved out of Kharkiv, sent a deposit, and received the GPS coordinates for a home. They arrived at the coordinates at night, but instead of a home, they found a cemetery. After they complained to the “landlord”, they were cynically told: "That’s where you belong." The scheme's organizer was detained in Uzhhorod and is behind bars. In the capital, the Cyber Police searched the residences of the group’s other members. At this time we know that they were able to scam 55 people.
TR: On October 31, you announced you had joined an international initiative to tackle criminal money-laundering operations. What is your level of cooperation with other cybersecurity services like in this and other areas? In what ways do you interface with Western cybersecurity?
YV: Within the framework of international cooperation with representatives from partner countries' law enforcement agencies and digital currency exchanges, Cyber Police specialists conduct a variety of operations to identify and halt the transfer of crypto assets that might be used in any way to either support propagandist activity on occupied Ukrainian territory or finance sanctioned entities connected to the Russian Federation.
During investigations of cybercrimes and cyber incidents, the Cyber Police Department exchanges information with international law enforcement agencies through communications channels with Europol and Interpol. In order to share information more quickly, a special unit was created inside the Cyber Police Department. This unit is responsible for the Department's international collaboration and for communicating with representatives of international law enforcement agencies in Ukraine and abroad.
When investigating cybercrimes, sharing information quickly is important, but sometimes this is complicated by the legislation of the countries that we cooperate with. In some cases, in order for us to receive answers to a simple request for information, international law enforcement agencies require us to submit requests for international legal assistance [in accordance with Mutual Legal Assistance Treaties, or MLATs]. This directly impacts the speed of an investigation.
Adam Janofsky is the founding editor-in-chief of The Record by Recorded Future. He previously was the cybersecurity and privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for The Wall Street Journal.