Ukraine’s cyber chief on the ever-changing digital war with Russia
Russian hackers have been attacking Ukraine for over a decade, but until the war began, cyberattacks still seemed like something out of a science fiction movie for ordinary Ukrainians. Many had to learn how to safeguard their hardware and their data.
The agency responsible for raising awareness of cybersecurity in society, private businesses, and the government is called Derzhspetszvyazok, or the State Service of Special Communications and Information Protection of Ukraine (SSSCIP).
Its chief, Yurii Shchyhol, faced the difficult task of explaining Russia’s digital threat to Ukrainians and the rest of the world.
His agency also coordinates all Ukrainian state services responsible for digital security and maintains relationships with private businesses, which have become a lucrative target for Russian hackers.
One year into the war, his job hasn't gotten any easier. Russian hackers are continually adapting and enhancing their methods, while also searching for fresh targets, Shchyhol said in an interview with The Record.
And as Ukraine and Russia gear up for expected spring and summer operations, Shchyhol expects Russia to intensify its cyberattacks. His objective now is not only to defend against attacks but also to hold those responsible accountable and bring them to justice.
“This is not a war between soldiers. It's a war between the aggressor nation and the civilian population. The majority of Russian missiles target innocent civilians, and the same is happening in cyberspace,” Shchyhol said.
In a Zoom interview conducted in Ukrainian, The Record asked him about the current state of cyberwarfare in Ukraine one year after the invasion and his expectations for the near future. The interview has been edited for length and clarity.
The Record: How have Russian cyberattacks on Ukraine changed since the beginning of 2023?
Yurii Shchyhol: Russian cyberattacks on Ukraine are ongoing, but hackers are changing their attack vectors and targets.
In 2023, cyberattacks on Ukrainian commerce, finance, and defense sectors have significantly decreased. Hackers may have lost interest in these areas because they cannot quickly find vulnerabilities there that they can exploit. Instead, they have turned their attention to other critical targets, such as the energy sector.
Another change we've seen is a surge in supply chain attacks against the private sector, particularly software manufacturers. These attacks are highly complex and demand greater levels of training, knowledge, skills, and abilities to execute successfully.
Hackers are also increasing the number of attacks on government agencies, attempting to gain access to personal data and establish a foothold in systems.
Russian cyberattacks have been relatively unsuccessful in the last six months. However, this suggests that they are likely preparing for a large-scale operation in the future.
TR: How has the use of malware evolved?
YS: Russian hackers previously focused on using wipers to destroy systems. Now they are mostly employing malware to gather information from private messengers, emails, and devices.
This shift suggests that hackers are setting the stage for the implementation of wipers. Their next step seems to be focused on destroying infrastructure and causing more harm to Ukraine.
TR: How do Russian cyberattacks affect the Ukrainian military?
YS: The Ukrainian military is one of the priorities of Russian hackers. For example, they are constantly trying to attack the Ukrainian battlefield management system Delta. However, we have taken measures to enhance its protection and have collaborated with American and European partners to improve its architecture.
Currently, the Ministry of Defense team is working on launching its own CERT [Computer Emergency Response Team]. The sooner they accomplish this, the more effectively they can secure the entire defense system. [Editor’s note: The military CERT will complement an existing team, CERT-UA, which serves under SSSCIP.]
In my view, it is crucial for every industry, whether it's energy, defense, or telecommunications, to have its own SOC [Security Operations Center]. This dedicated SOC will have the specific knowledge and expertise needed to protect the system from hackers.
TR: How do you work with Ukrainian private businesses?
YS: Public-private partnership is crucial in countering cyberattacks. We rely on feedback from private companies to identify vulnerable systems and provide the necessary protection.
We are working on strengthening cooperation with the private sector, particularly software companies that have experienced an increase in supply chain attacks.
When hackers breach a private company, it can cause significant damage to other institutions using their software. This was the case with the NotPetya virus in 2017, which took down hundreds of networks across Ukrainian government agencies, banks, hospitals, and airports, causing an estimated $10 billion in global damage.
We also cooperate with private Ukrainian cybersecurity firms. They are more flexible than the state, where regulations are stricter and bureaucracy is more common. In addition, private companies offer higher salaries and thus have a large pool of skilled cyber specialists. We are trying to build a system to keep in touch with these specialists even after the war.
TR: What assistance does Ukraine receive from foreign partners?
YS: Since the war began, Ukraine has been able to access advanced technologies from major private companies such as Microsoft, ESET, and Cisco. These technologies were previously unavailable to us. [Editor’s note: The Record’s parent company, Recorded Future, is one of the foreign cybersecurity firms assisting the Ukrainian government.]
Our partners' investments are not only for Ukraine's defense but also serve their own interests. Ukrainian specialists possess valuable experience in full-scale cyberwarfare, unlike any other country. While our partners contribute technology, we provide them with expertise and skills they didn't possess before.
Now, Ukraine has the ability to acquire any necessary technology, and the bureaucratic procedures for obtaining them have been greatly simplified. Some technologies that were once too expensive for us are now provided free of charge.
TR: How does the American data analytics company Palantir help Ukraine?
[Editor’s note: In February, Palantir CEO Alex Karp told Reuters that Palantir’s software helps Ukraine target Russian tanks and artillery.]
YS: We work with Palantir, but we can't discuss it publicly. Its powerful analytical capabilities are incredibly helpful for Ukraine, particularly in military management, providing essential information for our operations.
TR: How do you protect the state and military communication system during the war?
YS: Russian hackers are interested in targeting the state government communication system, but it is impossible to hack as it does not have open internet access. It's a closed system with strong encryption.
Instead, hackers are trying to send malicious software to the private devices of government officials. If they have their work email on those devices, the attackers can gain access to it.
The situation is more complicated in the military. It's hard to tell soldiers in the trenches which messenger to use, so they use whatever is convenient. We urge them not to send coordinates or sensitive information that could endanger their lives. These are the basic rules of cyber literacy.
The SSSCIP military personnel have developed a secure Ukrainian messenger that is already being tested. I also use it. We are working with partners — trusted private companies specialized in messenger development — to improve its security, and soon we will deploy it within certain government agencies.
The messenger will have a closed-source code. We will initially share it among the military and government officials. If the technology proves reliable, we can make it available to the public.
TR: How have Russian hackers changed over the past year?
YS: We are witnessing the restructuring of Russian hacker groups. They are becoming more specialized, with some focusing on energy while others target the telecommunications sector. In the past, these groups operated independently on their own projects. However, there now seems to be a greater level of unity among them. This can indicate that they receive instructions from the country's leadership.
In Russia, there is no equivalent of what we understand as hacktivists — independent hackers who operate at their own discretion. Instead, Russian hackers are in some way controlled by special services, the military and politicians. Their primary objective is to undermine and destabilize Ukraine.
We are gathering evidence of all the crimes committed by Russians, including in cyberspace, and we are actively advocating for cybercrimes to be recognized as war crimes. Hackers can be considered war criminals when they carry out attacks that could result in the deaths of innocent civilians. We expect them to be held accountable for all the crimes they have committed in Ukraine.
Daryna Antoniuk is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.