In recent interview, ousted Ukrainian cyber official spoke about new Russian attacks, long-term plans

Ukraine’s anti-corruption agency sent shockwaves through the country’s cybersecurity agencies on Monday morning, when it announced that it had launched an investigation into the procurement practices of a handful of its top cyber officials.

The agency said on Telegram it was investigating a possible embezzlement scheme that included Yurii Shchyhol, the head of Ukraine’s State Service for Special Communications and Information Protection (SSSCIP), and his deputy. A short time later, Shychyhol released a statement saying he had resigned and an impartial investigation would prove his innocence.

His deputy, Victor Zhora, released his own statement on Facebook hours later saying he had “completed his tenure” at the agency and added, “Concerning the information released today about me and my colleagues, I cannot reveal the details of the investigation, but I am confident that I can protect my honest name and reputation in court.”

Recorded Future News’ Click Here podcast interviewed Zhora on November 10.

When we sat down with Zhora in Washington, D.C., he made no reference to anything that might be amiss at the agency. In fact, in a wide-ranging discussion he talked about SSSCIP’s long-term objectives, including investigating Russian cyberattacks targeting the country’s critical infrastructure, cyber resilience, and how Ukraine has prepared for attacks on its power grid again this winter.

Below is Click Here’s conversation with Zhora, which has been edited for length and clarity.

CLICK HERE: So one of the groups that everyone talks about when it comes to Russian hacking, particularly offensive hacking, is Sandworm. Are you seeing Sandworm change its strategy in any way?

VIKTOR ZHORA: Well, the strategy is the same. They're still focusing on the critical infrastructure [and] on governmental institutions and entities. They're using a wide variety of tools, but certainly they're changing their tool sets. And we see a shift in operations from disruptive operations to cyber-espionage operations to data exfiltration. That is the exact area where Sandworm is extremely professional. We consider them to be one of the most skilled threat actors associated with Russia. The last trend that we are observing is the use of generic, legitimate instruments in order to bypass cybersecurity solutions installed in victim organizations.

CH: What does that mean, exactly? What does that look like?

VZ: It means there's [a] huge variety of different open-source tools [that are] widely available and can perform the same functions as the specifically designed cyber offensive tool. And you can combine tools from several open-source instruments and all of them can be hardly detected by cyberdefensive solutions.

CH: This is, essentially, a “living off the land” attack.

VZ: Absolutely. That's the right term.

CH: Mandiant came out with a report recently about this “living off the land” attack that was on some substations. Can you tell us a little bit more about that hack and what you know about it?

VZ: I think that all details that could be shared about this attack [are] described in the Mandiant report. But the main [takeaway] of this report is the fact that kinetic attacks and cyberattacks are often coordinated with each other. Critical infrastructure is one of the key focuses of attackers. In early December last year, [we] tripled our efforts in working closely with the critical infrastructure facilities and sectoral bodies in terms of strengthening cybersecurity, particularly in the energy sector. We have multiple cyber exercises. We are working on strategization. We are working on setting up requirements for cybersecurity policies and procedures. So I hope that we are much [more] prepared for these cyberattacks than a year ago.

CH: Was there anything about that particular Sandworm attack that surprised you?

VZ: Oh, frankly, it's not a big surprise for us. Every time you're facing a cyber incident, you [find] yourself a bit surprised. But in terms of [the] energy sector — and particularly Sandworm — it’s not something new because Sandworm has been attacking the Ukrainian energy sector since the 2015 Black Energy attack, which was followed by industrial attack at the end of 2016 and the slightly altered code of Industroyer, which was called Industroyer 2, in the beginning of April 2022. So each time you're dealing with a highly sophisticated and technically advanced attack.

CH: Who discovered this latest one?

VZ: I'm not sure I can disclose many details of how this case was investigated. But the behaviors and anomalies that you can detect in your network always come from a sort of crisis situation in the organization. So there were plenty of stories about the Black Energy attack and even screen recordings. We don't have this with regards to the incident described by Mandiant in their report. But I would say that that was a very tough period in the energy sector — when energy generation and energy distribution capacities were attacked by cruise missiles and by UAVs, which started on October 10th last year. That was a very challenging period, and the entire energy system and power grid were unbalanced, which resulted in numerous power shortages all across Ukraine, in addition to the cyberattack. So it was a collective work and thankfully it was quickly mitigated. And it resulted in this interesting technical story by Mandiant.

CH: When we were in Ukraine in September we spoke with Illia Vitiuk of the SBU [Security Service of Ukraine] and he told us about a supply hack on a telemetry company that was helping water and gas utilities measure consumption.

VZ: Well, this is one incident in a series of similar incidents. And that again explains the focus in the tactics because it became more difficult to attack critical infrastructure facilities directly. So Russian threat actors are seeking opportunities to attack supply chains. And that happens in all spheres, not just in critical infrastructure but also in software development and telecom companies. It’s a way to get access to many organizations [that] are clients of a particular company, and I would say that the supply chain attack is one of the key attack vectors nowadays in Ukraine.

CH: Would you say that's sort of a newish trend because you've hardened your defenses on the obvious targets? That Russia is sort of spreading out to get to the less obvious targets?

VZ: Yes, it's a change of tactics when it's difficult to break through the well-protected doors and critical infrastructure. You need to find some backdoor, which is often available in less-protected companies of the supply chain to this critical infrastructure. The main rule is to provide the air gap between the IT [information technology] and OT [operational technology], to physically isolate all technological systems. So that should be a main principle of building infrastructure for such companies. We proposed legal initiatives in setting up requirements even for those supply chain companies. They should be compliant with cybersecurity requirements in the same way as the critical infrastructure, because we understand if you're a commercial company and you don't have any obligations, then you can be an easy target for attack. We would like to avoid such incidents.

CH: Those targets might also be civilians unaware that access to their accounts could be used to gain footholds for larger attacks.

VZ: Yeah, the basic [precautions] make a difference. And each person should understand that they are decision makers, and in order to avoid mistakes, they should follow simple cyber-hygiene rules. There is a set of recommendations that can decrease the risk up to 90 percent. Of course, large organizations, they all have cybersecurity policies [and] solutions deployed. They have CISOs, they have staff. But even for smaller organizations, it's very important to maintain minimal permissions for all accounts and to follow recommendations widely shared by regulators.

CH: Are you actually seeing a change in tactics?

VZ: It's a shift to cyber-espionage and [using] this information in their military operations. I think that’s the main trend. As the war goes on, I think the important, sensitive data that Russians are [looking] for in our networks [could] bring them some advantage on the battlefield. We also observe the use of cyber operations as part of information operations. When there were attacks on Ukrainian governmental entities or private sector companies, [there were] simultaneous attacks on some popular media resources, placing false news [and] blaming CERT-UA for the lack of protection. This is a sort of new tactic used by Russia, and that’s just a single example. Of course, the overall impact of cyber operations cannot be compared to kinetic [attacks], but they’re widely used to amplify psychological effects and destructive effects and sometimes kinetic strikes.

CH: The SBU’s Vitiuk told us Russia is trying to grow its cyber force by recruiting from a young age, sort of like they did with Olympic athletes. Spotting cyber talent young is not completely new. Israel's been doing this for years with their Magshimim program. But I'm wondering if you have seen this, and if it manifests itself somehow in attacks?

VZ: It's difficult for Russians to scale up their cyber capabilities because of a lack of human resources and because of intellectual flow. Many skilled people have left Russia in the first months [of the invasion]. So the potential human resource is, of course, youth in high-tech schools and also from volunteer communities. One way of engaging people to cyber offensive operations against Ukraine and our partners is seeking for talents in different Telegram channels where there’s always an officer of [the] FSB [Federal Security Service] or GRU [military intelligence] searching for the most skilled people and then inviting them to more official military structures.

I don't think it's articulated officially somewhere, but we can see the signs from different contests [and] conferences. They are putting focus on younger people because it's the only way for Russia to scale up and maintain the same intensity of cyberattacks as it was earlier.

CH: What's keeping you up at night right now? What's the thing you're most worried about?

VZ: We are first of all worried about the adversary’s evolving capabilities. And our concern is to maintain the same level of defense [and] our ability to counter these attacks. People are tired. There is more than a year and a half of war, and we are working 24/7, so it's a long run for all of us. Of course, we lack resources for defense, as the number of cyber incidents is continuously growing. The good fact is that the number of critical, high-severity incidents has decreased in the last half year. I do hope that it reflects our defensive efforts, but nevertheless, we should be aware of new vulnerabilities, new zero days, new tools and new approaches used by the adversary.