Exclusive: How a defend-forward operation gave Ukraine’s SBU an edge over Russia

Russia had been trying to crack into Ukraine’s critical infrastructure networks long before the war began, and they still haven’t given up, says Illia Vitiuk, head of the cyber department at the Security Service of Ukraine, known as the SBU. His team responds to 12-15 serious cyberattacks every single day.

“We had a serious attempt to penetrate one of our telecom operators, and we only have three of them,” he told Click Here during a recent interview at SBU headquarters in Kyiv. “And indeed we stopped it. This penetration could have led to eavesdropping, listening to phone calls of our people, reading messages, etc. And they could just stop this telecom operator for some period of time.”

It isn’t just telecoms, he said, in the past 20 months Russia-backed hackers have targeted Ukraine’s electrical grids, water and gas suppliers, power systems, internet providers and law enforcement agencies. And yet, he says, “they failed in bringing serious and disastrous effects.”

In the past Russia has managed to turn off the lights in Kyiv and attack Ukraine’s power grid in the dead of winter. But since the invasion, Ukraine’s cyber operators have been able to keep those kinds of attacks to a minimum. “Unfortunately, this is a marathon,” he says. “And they still have time.”

On a recent trip to Ukraine, Click Here spoke with Vitiuk about Russian cyberattacks, the importance of an early defend-forward operation with American hunt teams, and why he considers attacks on civil infrastructure “to be nothing but a war crime.”

This conversation has been edited and condensed for clarity.

CLICK HERE: We know Russia has been trying to crack into Ukrainian critical networks for years. Can you give us a recent example of what they have done?

ILLIA VITIUK: One example: They tried to conduct a supply chain attack [on] the company that made telemetry equipment for water and gas companies. This is something we [have] never told about. It was just a couple of months ago. And this was telemetry equipment that could see and measure the consumption of water or gas. So they penetrated this company and a new update was about to come out. And with this update, they wanted to penetrate into these systems [with a kind of supply chain hack similar to the SolarWinds hack in 2019].

Just imagine what it could lead to. Literally they could have stopped the flow of water and the flow of gas. And we understand that they will continue to try to combine kinetic attacks and cyberattacks simultaneously in order to maximize the overall negative consequences from this stuff. And gas is heating, you understand? This is civil infrastructure. So it can and could lead to catastrophe.

CH: Have you seen more attacks like that?

IV: Well, it’s something that is happening constantly. We had a serious attempt to penetrate one of our telecom operators, and we only have three of them. And indeed we stopped it. This penetration could lead to eavesdropping, listening to phone calls of our people, reading messages, etc. And they could just stop this telecom operator for some period of time. … And if one of [the companies] is out of operation, the other two won't be able to operate because they will be overloaded.

CH: This is one of the reasons hunt teams came here from the United States before the war, right? To prepare for exactly these sorts of attacks. Were you involved with those operations?

IV: Yes, of course.

CH: And when the hunt teams came from the United States in December 2021, did they find lots of malware on the networks … did the mission make a difference?

IV: We started to work with them actively since 2018. And indeed, their Cyber Command team came in December [2021]. For two months we worked here together. Power grid, logistics and infrastructure, military objects — we inspected [and] analyzed together. We conducted, let's call it, threat hunting.

So we were the ones who chose which systems and organizations we needed to analyze and inspect because we knew that they probably would be under massive cyberattacks. We found a lot of [vulnerabilities], and [the Americans] left us equipment that gave better visibility into our networks. It helped us a lot because just after the invasion, Russians started to attack these systems. So it was indeed very, very useful and we are very grateful for that help.

CH: When the war began, was Russia disappointed because exploits had been taken away and they didn't realize it? In other words, I'll take this web shell away without the Russians knowing. They think they have this compromised, and when they push the button, it isn't compromised anymore.

IV: I'll be frank with you, sometimes it works just as you described. And indeed, their expectations were far beyond what actually happened. They thought that after these cyberattacks our digital infrastructure [would] be on its knees. They started them a couple of hours before the actual invasion and then when the invasion was actually underway. But they failed in bringing those kinds of disastrous effects. During [the] first weeks, we saw that they were hunting high and low [for something to attack]. So there were attacks on pharmacy shops, on toy stores. And I do believe that they already lost the important accesses — they lost the aces in their sleeves — but the orders were to attack, so they were attacking everything they could actually find.

Of course it created a bit of a panic among the small businesses [that were targeted], but indeed this was not the result [the Russians] were actually counting on. So because we had those eight years already, and we had those partnerships with special services [and] Cyber Command, we already had our TTPs [tactics, techniques and procedures] and understanding of how to act and what to protect. So, indeed, they failed here just as they failed with the blitzkrieg on the ground, it's just the same story with cyber.

CH: One of the animating ideas behind the hunt teams is that so much malware was — and still is — tested here in Ukraine before it is sent out into the world. Are you seeing attacks that are completely new and revolutionary?

IV: Well, a very important thing that we revealed and understood recently [is that] Russia is building a national cyber offensive program. We knew of special services like GRU [military intelligence], FSB [security agency], SVR [foreign intelligence service], but now we see a new approach.

They started actually teaching students of some military educational establishments offensive [cyber] disciplines. So it means they have specific subjects, specific disciplines, installed into their learning program. This is something brand new. No one ever teaches people how to attack state systems and how to destroy them. Russia does it today. They conduct R&D [research and development] in their higher educational establishments, and they create a foundation and basis for future scaling up of their cyberattacks. [The Russian Embassy in Washington did not respond to a request for comment before publication.]

CH: Are you seeing indications of how this system is actually being used?

IV: There was a report about [how] we stopped an attempt to penetrate our military situational awareness systems. They created — and we found — seven malware samples, which were specifically developed for one of our military situational awareness systems called Kropyva. Like I said, they have a research institute and they saw that there are some problems with the system that Android devices were connected to.

One of the ports was opened and they used this vulnerability, exploited it, and it gave them access to all of the devices connected — thousands. And then you can see everything that is in this phone or tablet, whether it's Telegram or Signal or whatever. You could potentially see which Starlink it is connected to. You could absolutely [get] coordinates and see if there are too many devices in one place. Maybe it's a headquarters, and then you can coordinate a missile or artillery strike.

CH: How far did this attack go?

IV: We found it almost on [its] initial stages. So they just started to deploy it, and we blocked it. We took away these devices, cleaned them, then we closed the initial problem that gave them this access. Then we needed to work with this malware to understand what it is.

CH: And with this new educational program you talk about, have you seen any changes in the way Russian-backed hackers are operating?

**IV: **Well, this national system started at least five years ago. That's according to the data we have, at least. But the clear and understandable example [is] the number of attacks. In 2020, it was 800. And then [it was] 4,500 in 2022. They were preparing themselves [for] this war. But regarding [Russia’s] national cyber offensive program, it will be a problem because they will have more professionals. They will have more resources, and maybe it will be possible for them to attack other countries, not only Ukraine or low-level DDoS attacks on Estonia or Lithuania or NATO websites.

I always say that Ukraine acts as the shield [for] the whole developed democratic world because we are encountering most of Russia’s aggressive cyber potential. That's why we want international cyber companies to come here and to help us assess the needs of our critical infrastructure. We need to build a gold standard of cybersecurity.

CH: As you know, the International Criminal Court has said it now considers cyberattacks to be potential war crimes. Do you think a cyberattack actually has to reach completion — i.e. the gas goes off — for it to be a war crime?

IV: Great question. This is our job, by the way — the Security Service of Ukraine, together with the prosecutor's office, collects evidence of the cyberattack. We take the information we have — who conducted it, attribution and stuff like that — and then we put it into criminal cases that will later go to ICC. We have a very bright example of a victory in this area. Just before the war, in 2021, we accused and later convicted members of Gamaredon Group — a [Russian] APT group — of conducting cyber attacks on objects of critical IT infrastructure here in Ukraine. We were able to penetrate into their systems, and we listened to their internal phone calls. We could understand who exactly did which attacks and operations.

CH: Do they have to actually destroy the power grid for it to be considered a crime, or do they only have to attempt?

IV: In the Ukrainian criminal code, if there is an attempt, and you did everything you needed to do in order to commit a crime, that's enough. You will be accused and convicted. The time for impunity for this has passed, and it's very important to bring this understanding everywhere in the world to every hacker. If he committed a crime, sooner or later he will be prosecuted and he — and everyone who is in charge of him — will be brought to responsibility. I do believe that together [with the ICC] we will build up a new model that will [hold] people accountable.

CH: One reason I ask about war crimes is because there's been increased targeting of Ukrainian law enforcement. Russia is trying to hack into courts and the prosecutor's office. And I wonder whether you see that as indication that they have a genuine concern of being held accountable, that because there’s technical evidence and you’re being careful about the chain of custody of cyberattacks, they need to worry about what you have.

IV: No. I believe for now this is not a reason. For instance, if we speak about Gamaredon Group, they conduct vast phishing campaigns. So they try to penetrate everywhere possible. They need intelligence.

CH: So this is just part of their broader campaign to try and get into as many things as they can? A crime of opportunity, as opposed to being thought through?

IV: Absolutely. If we speak about their priorities today, I would say that this is power grid, logistics and transportation, life support systems, water, gas, civil infrastructure, telecom operators, internet providers. So that's where they focus their attention most. And, of course, armed forces and military systems that we actively use today. [Russia] even moved some of their APT [advanced persistent threat] groups closer to the front lines in order to get access to devices like phones and tablets right away, in order to get quick access to our infrastructure on occupied territories so they can use this to conduct cyber attacks. They are indeed evolving.

CH: We always thought that, from a cyber perspective, Russia was a 10-foot-tall bear that could crack into most anything. And since the war started, one of the ways of looking at Russia is that they're very good at planning something long-term. But when something goes wrong, they're not great at pivoting and being nimble. Do you see any evidence of that?

IV: You're absolutely right. You know, it's not only about cyber. It's everywhere. Russia has a system, and it's very important. But it is rotten. It is corrupted. It has bureaucracy and all this stuff. That's why it doesn't work. It's not fast. It's not agile. But they do evolve, and now you see how we all thought that all these sanctions imposed will actually cause more problems to them, but it didn't happen yet. We stopped a lot of supply chains already, but we understand that they will search for ways they can buy washing machines in order to get some kind of chip that they need. Unfortunately, this is a marathon. And they still have time.

CH: We've talked to a lot of members of the volunteer IT Army. Can you explain how they help?

IV: Yes, indeed. Starting from the first day of the actual invasion, there was literally a line of people that were trying to contact us and say, What can we do to help? There were even cybercriminals, Russian ransomware hackers that ran away from Russia and they also wanted [to help]. There were regular IT specialists that helped us take infrastructure [and] important hardware from Kyiv and relocate it to western parts of Ukraine. And to some extent, we coordinate their activity because very often they just don't know what to do [to] use their potential.

CH: So do they ask for advice and you say, It'd be nice if you had this …

IV: Some of them work on their own. But for us, as a special service, we need to understand who does what and understand that that's something that helps Ukraine and doesn't do anything bad to Ukraine or our partner states. Some of them get initial access to some Russian systems, then we work more thoroughly with it. Another thing is countering disinformation campaigns, and we need to somehow try to convey information to Russia. So after the beginning of the full-scale invasion, there were millions of emails [and] phone calls that were sent to Russia regarding atrocities in Bucha and Irpin — to show the public there in Russia what is going on. A hacktivist group [may] do something, [and] we partially coordinate this activity. But who did what, you will know after the war.

CH: But this is offensive cyber, right?

IV: It is. Like I said, the time for impunity has already gone.