Ukrainian-Russian Dispute Moves Into Cyberspace

Publication: Eurasia Daily Monitor Volume: 11 Issue: 53


Rising tensions between Russia and Ukraine have spilled into cyberspace, although it remains unclear whether government entities or lone wolf patriotic hackers are responsible. In a highly embarrassing incident, Russian President Vladimir Putin’s webpage was knocked offline, even as a Kremlin source said it was unconnected with “the events in Ukraine.” Other Russian websites attacked include the Bank of Russia, the Foreign Ministry and state broadcaster Channel One (RT, March 14). In Ukraine, cyber-assaults included the National Security and Defense Council, the Crimean Supreme Council as well as the Crimean independence referendum website (ITAR-TASS, March 11, 16). The most important casualty of the clashes so far is the free flow of information.

The current clashes echo earlier Russian political disputes with former Soviet republics. In 2007, Estonia, a member of the North Atlantic Treaty Organization (NATO), was subjected to cyber-attacks that blocked websites, froze its entire Internet infrastructure and paralyzed bank cards and mobile-phone networks. Despite Russian denials, Estonian officials were convinced of Russia’s involvement. In March 2009, Duma deputy Sergei Markov stated that one of his assistants carried out the cyber-attacks (Ekho Moskvy, March 5, 2009). However, Estonian defense ministry officials dismissed Markov’s assertions.

During the 2008 Georgian-Russian conflict, after Georgia shelled Tskhinvali on August 8, most South Ossetian websites went offline. Russian media, including “Russia Today” (since rebranded as just RT), were subsequently subjected to cyber-attacks. In turn, Georgian websites, including those of the president, parliament, government and the foreign ministry, were hacked. The website of then Georgian president Mikheil Saakashvili was assaulted in a wave of distributed denial-of-service (DDoS) attacks from 500 IP addresses (Fond Strategicheskoi Kul’tury, October 31, 2008).

According to research published by the U.S. Cyber Consequences Unit, “The cyber-attacks against Georgian targets [in 2008] were carried out by civilians with little or no direct involvement on the part of the Russian government or military” (U.S. Cyber Consequences Unit, “Overview by the US-CCU of the Cyber Campaign against Georgia in August of 2008,” US-CCU Special Report, August 2009, pp. 2–3).

However, the situation in Ukraine today is significantly different. Much of Ukraine’s telecommunications infrastructure dates from Soviet times, making it particularly vulnerable to penetration by Moscow. And even more importantly, the Russian military now has the ability to conduct offensive cyber-operations. Notably, after belatedly realizing the need for a Russian military command capable of operating in cyberspace, Putin signed legislation in 2012 establishing the Foundation for Advanced Studies, a structure that is roughly analogous to DARPA in the United States and is designed to develop innovative technology and modernize the military-industrial complex, including in the realm of cyber-warfare capabilities (VPK, October 18, 2012; June 6, 2012).

Attacks from cyberspace on both Ukrainian and Russian targets have been escalating in earnest. On March 4, Ukrainian Security Service (SBU) head Valentyn Nalivaichenko said, “I can confirm that an […] attack is under way on mobile phones of members of the Ukrainian parliament for the second day in a row. At the entrance to Ukrtelecom in Crimea, illegally and in violation of all commercial contracts, equipment was installed that blocks my phone as well as the phones of other deputies, regardless of their political affiliation” (March 5). Meanwhile, on the evening of March 13, the website of Russia’s state broadcaster Channel One was forced offline by a DDoS attack, with the broadcaster alleging, “Our site is temporarily unavailable due to DDoS attacks from Kiev” (March 14).

In an ominous development predating the current dispute and far more sophisticated than relatively simple DDoS attacks, since 2010 dozens of Ukrainian network servers have been attacked with the “Snake” cyber espionage malware “tool kit” (Kyiv Post, March 9). The first such attack was recorded in 2010, followed by three in 2011, six in 2012, eight in 2013 and fourteen since the beginning of 2014. Software security engineers from BAE Systems uncovered Russian characters in Snake’s source code (BAE Systems Applied Intelligence, March 14).

Illustrating the very real danger of spillover in this apparent Russian-Ukrainian cyberwar, a more recently discovered Snake software variant, “Uroburos,” has “Russian roots,” and there are “strong indications” that the programmers behind Uroburos are the same ones that attacked US military servers in 2008 and 2011 with Agent.BTZ, an earlier version of Snake, which the Department of Defense acknowledged had infected its classified networks (March 13). Germany’s G Data Software said, “Notable hints include the usage of the exact same encryption key then and now, as well as the presence of Russian language in both cases” (G Data SecurityBlog, February 28).

While so far scant evidence exists that the hacking war truly involves state players, it is expanding. On March 14, Russian Ministry of Communications experts said that they had identified a location in western Ukraine as the source of an attempted cyber-attack to jam Russian TV satellite broadcasts (RIA Novosti, March 15). Two days later, several NATO websites were hit by DDoS attacks. “CyberBerkut,” named after the previous Ukrainian regime’s feared riot police, claimed responsibility for hacking NATO’s main website, NATO’s Cyber Defense Center and NATO’s Parliamentary Assembly because of the North Atlantic Alliance’s “interference” in Ukraine (March 16).

Earlier cyber-attacks against Estonia and Georgia showed Russia that civilian cyber campaigns cause serious economic and psychological disruptions in a target country without provoking any serious international response. In Crimea, the stakes are far higher amid rising international opposition, so it seems unlikely that Russia would want to undertake direct massive military and government-backed cyber-attacks for fear of a political backlash.

Still, on March 17, the Ukrainian acting minister of foreign affairs, Andriy Deschytsya, visited NATO for talks with Secretary General Anders Fogh Rasmussen. While the meeting was closed to the press, the cyber conflict was doubtlessly high on the agenda. But whether the cyberwar will cool down now that Ukraine is moving its military forces out of the peninsula following Russia’s unilateral annexation of Crimea remains to be seen.