Ukrainian cyberdefense in need of upgrades as tensions rise

Kyiv, Ukraine — Far from dramatic headlines, military maneuvers, and diplomatic threats, a silent war appears to already be unfolding in Ukrainian cyberspace.

But Ukraine’s cyberdefense lacks key security practices and measures that leave systems vulnerable to known exploits already in use by cybercriminals, experts told The Record. 

For Dmytro Zolotukhin, former deputy minister of Ukraine’s information policy, it’s time to undertake drastic reforms.

“We have to remember that we are actually at war and we still have to do very quick reforms,” he said.

There is no sustainable, centralized, and automated patch management processes, or use of proactive threat intelligence to secure state institutions, according to experts from Ukraine-based cybersecurity firm FS Group. Instead, many IT processes still reflect Soviet heritage—with a long line of decision-making hierarchy, low budgeting, and a lack of well-established information security processes.

Developing closer cooperation between governmental agencies, the expert community, and business representatives may be key to improving security. Unfortunately, government agencies try to solve issues behind the scenes instead of relying on experts from the private sector, sticking to a post-Soviet mentality where vulnerability is perceived as a weakness. 

“Cybersecurity shouldn't be a political issue,” Yegor Aushev, the founder and CEO of Cyber Unit Technologies, told The Record. 

But often, experts say, Ukrainian state agencies tend to neglect the help of IT specialists from the private sector—thinking that it’s better to keep the system’s flaws hidden. 

A digital strike

The latest cyberattack that stunned the country took place on the night of Jan. 14, when unidentified attackers defaced the websites of more than 70 Ukrainian government agencies under the guise of ransomware.

The attackers didn’t include a data recovery mechanism, which led researchers to label it as designed to be destructive. The Ukrainian government was quick to point the finger at hackers tied to the Russian government.

The message left on the defaced homepages claimed that the personal data of Ukrainians were “uploaded to the web” and became public, a claim that couldn’t be verified. “Be scared and expect the worst,” the message read. 

The threatening message should be taken seriously, according to Ukrainian cybersecurity experts, and push Ukraine’s cyber defense sector to change practices. 

Yet despite a history of serious attacks, including Not-Petya and BlackEnergy, Ukrainian cybersecurity standards remain low, according to experts from FS Group who requested they not be identified by name due to corporate policy. 

They pointed out the state agencies and institutions’ unpreparedness, lack of knowledge on data security and information hygiene. “Often, the attack on the public sector occurs through the use of phishing, spear-phishing, and credential stuffing,” FS Group experts said.

For Aushev the latest hackers’ message was clear: The bravado was a foretaste, and Ukraine’s critical infrastructure might be next. 

“Those attacks were just for fun, they’re playing with us,” Aushev told the Record. “They could destroy a city without any military intervention.”

Communication is key

Aushev and some others argue it’s impossible to create an efficient cyber defense from attacks such as this without involving the private sector. He also thinks that a Post-Soviet culture of secrecy hurts the country’s capacity to adapt to new threats.

“The government should express its needs and request it, the private sector will deliver help,” Aushev said.

One major barrier to private sector assistance is that Ukrainian law currently is not structured to allow bug bounties, a key security process where researchers report software problems to vendors in return for rewards. In fact, reporting such flaws could instead show researchers violated local law, according to Aushev.

“Our enemies can use these vulnerabilities, but we can't report about it,” Aushev said.

“The agencies think, what if your cybersecurity experts see some secret information if they try to penetrate our system? My answer is, what if the secret information is already open to anyone?” he added.

However, new amendments will allow legalizing of an external pentest with notification of the institution about the vulnerabilities and the bug bounty program, which could support cooperation between the Ukrainian government and cybersecurity researchers, according to FS Group.

Asymmetric cyberwar

While investigation of the recent attacks remains ongoing, most of Russia’s toolkits are known and well documented, FS Group experts told the Record. The toolkit of an APT group, regardless of the affiliation, is approximately the same, varying on the goal they want to achieve. 

The backbone of starting and carrying out many attacks is a fairly well-known tool, the “Swiss knife” in the world of cyberattacks and cybersecurity—Cobalt Strike, initially positioned as a commercial product for penetration testers and Red Hat teams to conduct security audits. FS Group also mentioned the Blackhole exploit kit, which uses various CVEs to deliver malware to the victim's resource. 

For Zolotukhin, APT 28, APT 29, and certain cybersecurity companies are being used by the Russian intelligence, but those teams’ leaders are usually not a part of Russia’s law enforcement.

“They are independent freelancers but Russian intel blackmails those hackers by saying—either you work for us, or you go to jail,” he said. “And this is working.”

“But Ukraine, as a democratic country, can not use these kinds of instruments to defend itself,” he said.

Funding and education

For Zolotukhin the level of the cybersecurity sector is a part of the bigger picture in the IT domain. “The healthier the IT, the better cybersecurity experts it can produce,” he said.

But the government does not allocate sufficient funding to the field of cybersecurity, meaning professionals prefer to work abroad with a higher salary and better conditions. IT specialists usually earn roughly $830 per month in the public sector, on average.

One more essential issue that needs to be solved is the education gap. In Ukraine, international certifications in forensics, cybersecurity, IT audit, and IT management are not recognized at the state level, while universities don’t prepare specialists according to international standards.

Overall, the human factor is the key, but Ukraine didn’t grasp its importance yet. 

Employees use the same passwords as for personal accounts, which are being compromised from time to time and published in the public domain or being sold. Roughly 50-60% of attacks can be avoided by conducting training and educating personnel on these vulnerable areas to raise safety awareness, according to FS Group.

The vast majority of security breaches are due to human errors, Aushev said. “We need to explain to people in simple terms why cybersecurity is crucial for everyone,” he added. 

“At the end of the day, it should come from society.”