Defending Ukraine: SecTor session probes a complex cyber war

It was a quick but, for the packed room of delegates attending a SecTor 2022 session in Toronto, eye-opening 20-minute tutorial that explored the litany of Russian cyberattacks in Ukraine and what has been done to defend against them since the war broke out on Feb. 24.

The presentation on Wednesday from John Hewie, national security officer with Microsoft Canada, centred on a report issued in late June entitled Defending Ukraine: Early Lessons from the Cyber War, that was covered in IT World Canada the day it was released.

In a foreword to it, Brad Smith, president and vice chair at Microsoft, wrote that the invasion “relies in part on a cyber strategy that includes at least three distinct and sometimes coordinated efforts – destructive cyberattacks within Ukraine, network penetration and espionage outside Ukraine, and cyber influence operations targeting people around the world.

“When countries send code into battle, their weapons move at the speed of light. The internet’s global pathways mean that cyber activities erase much of the longstanding protection provided by borders, walls and oceans. And the internet itself, unlike land, sea and the air, is a human creation that relies on a combination of public and private-sector ownership, operation and protection.”

As Hewie pointed out to security professionals attending the conference, the feeling within Microsoft was that the cyber warfare and the attacks that were going on were being vastly underreported, “which is why we invested in the work that I am sharing with you today.”

He said that when the war began, there were cyberattacks on upwards of 200 different systems in Ukraine: “We initially saw the targeting of government agencies in those early days, as well as the financial sector and IT sector.”

Prior to the invasion, added Hewie, Microsoft security professionals had already established a line of communication with senior officials in government and other sectors, and threat intelligence was shared back and forth.

“And then as the war went on, we saw continued expansion of those attacks in the critical infrastructure space – nuclear, for example – and continuing in the IT sector. When the Russian campaign moved around the Donbas region later in March, we saw coordinated attacks against transportation logistics for military movements, along with humanitarian aid as (supplies) were being moved from western Ukraine to eastern Ukraine.”

There was, said Hewie, a laundry list of destructive cyberattacks, as well as enough circumstantial evidence to suggest coordination between the “threat actors who were launching these attacks” and the conventional Russian military.

In fact, the report notes that “destructive cyberattacks represent one part of a broader effort by the Russian government to put its sophisticated cyber capabilities to work to support its war effort. As a coalition of countries has come together to defend Ukraine, Russian intelligence agencies have stepped up their network penetration and espionage activities targeting governments outside Ukraine.

“Not surprisingly, this increase appears to be most focused on obtaining information from inside the governments that are playing critical roles in the West’s response to the war.”

It states that since the war began, the Microsoft Threat Intelligence Centre (MSTIC) has detected Russian network intrusion efforts on 128 targets in 42 countries outside Ukraine. Authors write that these represent a range of strategic espionage targets likely to be involved in direct or indirect support of Ukraine’s defense, 49 per cent of which have been government agencies.

“Another 12 per cent have been NGOs that most typically are either think tanks advising on foreign policy or humanitarian groups involved in providing aid to Ukraine’s civilian population or support for refugees. The remainder have targeted IT companies and then energy and other companies involved in critical defense or other economic sectors.”

The war in Ukraine, said Hewie, also forced President Volodymyr Zelenskyy and other government leaders to pivot quickly on migration to the cloud. As recently as early January of this year, legislation was in place that forbade government data from being stored outside the country.

“This whole idea in Western Europe around digital sovereignty and what it means is taking on a new twist,” he said. “It gives me the flexibility to operate my government outside my country if critical assets are targeted.”

The report, meanwhile, notes that prior to the war, Ukraine had a “longstanding Data Protection Law prohibiting government authorities from processing and storing data in the public cloud. This meant that the country’s public-sector digital infrastructure was run locally on servers physically located within the country’s borders.

“A week before the Russian invasion, the Ukrainian government was running entirely on servers located within government buildings – locations that were vulnerable to missile attacks and artillery bombardment.

“Ukraine’s Minister of Digital Transformation, Mykhailo Fedorov, and his colleagues in Parliament recognized the need to address this vulnerability. On Feb. 17, just days before Russian troops invaded, Ukraine’s Parliament took action to amend its data protection law to allow government data to move off existing on-premises servers and into the public cloud.

“This in effect enabled it to evacuate critical government data outside the country and into data centres across Europe.”
