Ukraine and Europe’s digital battlefields
In the context of Russia’s invasion of Ukraine, discussions of cyber-warfare at this year’s CyberTech conference in Tel Aviv took on a deep urgency. Andrew Salerno-Garthwaite reports.
Russia has been the origin of at least two firsts in cyber-warfare. The first known cyber-attack by a state actor was an attack against Estonia in 2007, followed in Georgia in 2008 by the first cyber-attack in conjunction with a conventional military operation. Both trespasses find their beginnings in Moscow.
While these early attacks used a narrow variety of means, the current conflict in Ukraine, with roots stretching back to 2014, has employed all available instruments as cyber-weapons. Often the Russian effort has developed new instruments, invoking the participation of proxy cyber criminals with more advanced technical skills than the national capabilities, according to Ole Derevianko, chairman of Ukrainian cybersecurity company Information Systems Security Partners.
Former CIA director General David Petraeus would agree with Derevianko that the range of tools being employed by Russia has been comprehensive: “When the war in Ukraine began the most recent war back on 24 February of last year, Russia threw everything at Ukraine. It’s not correct to think that Russia held back in cyberspace or in its virtual attacks - and it also threw everything at the United States.”
Both gave presentations at CyberTech 2023 in Tel Aviv in February, where 20,000 participants gathered to hear 257 speakers from 90 countries discuss cybersecurity and build networks of collaboration over the borderless issues of cybercrime and cyber-warfare.
“I think the idea of cyber warfare kind of gives us a real misconception of what it is,” said Stuart McKenzie, a managing director at Mandiant. “I think the term cyber warfare is unhelpful when we think about how it’s used, because what we’ll see is it either as a prelude to a kinetic attack or to complement the kinetic attack.”
McKenzie points out that in 2016 NATO defined cyber as domain of operations along with land, sea, air, and space. “We kind of think of cyber warfare as two nations combating each other purely with cyber. And I think when we look at the history recently, we don’t really see that. That doesn’t play out at all.”
Democracy is much more fragile than the actual technical process of voting.
- Yigal Unna
The history of Russian cyber-attacks against Ukraine goes further back than the beginning of the invasion in 2022. One of the earliest notable attacks had the flavour of information operations, centring on the first presidential election after the Ukrainian Revolution of Dignity in 2014.
While certain elements were aimed at disrupting the systems of Central Election Commission were ultimately unsuccessful, a long reaching intrusion defaced the Commission’s website to display false results. As Derevianko explains, this produced a misleading narrative, that certain radical right-wing candidates were winning, a lie later capitalised on by elements of the Russian media.
// Gaby Portnoy, director general of the Israeli National Cyber Directorate, addresses the conference at CyberTech 2023 in Tel Aviv. Credit: INCD
The democratic fragility
Yigal Unna knows more than most about the struggle to keep elections secure. “I hold a Guinness Book of World Records in protecting democratic elections - four times in two years,” jokes the former director general of the Israeli National Cyber Directorate (INCD), during a panel on cyber challenges during times of war in Europe.
The discussion turns to critical national infrastructures that require enhanced protection cyber-threats: “You know, everyone speaks from his own pain. So, in Israel, democracy came as one of the critical infrastructure services. Democracy is much more fragile than the actual technical process of voting.
“It’s bigger…a large attack surface, as we call it. We see that the bad guys - the not-like-minded-countries and extremist terror groups and others - they realise that this is our soft belly. And most of the time the bad guys define for us, detect, and find for us, what is really critical, what is more central, than we can define from our point of view.”
Unna’s work has driven him into the grey and undefined area between cyber- and information-security, adding another complexity to a difficult topic: prioritising critical national infrastructure.
The entire concept of critical infrastructure itself is changing as the sun sets.
- David Kangumire
When prioritising systems for enhanced protection from cyber-attacks, regulators have different conceptions of what makes key infrastructure, as determined by the needs of the nation’s populace and the integration of systems, which can lead to convoluted interpretations, as David Kangumire, CEO of the Rwandan National Cyber Security Authority points out.
“The entire concept of critical infrastructure itself is changing as the sun sets. A single service, for example, electricity, which we all depend on; normally you would think that the electricity service provider, that would be the critical infrastructure. But if I need to buy our electricity, in my house, I’ll use more than that electricity,” Kangumire explained.
“I will use a bank to pay the money, I will use mobile telecom infrastructure to buy the same electricity, and then the electricity network. So, a single service, like putting power in my house, would require three critical infrastructures… We find this interconnection so seamless that you need to protect more than one critical infrastructure.”
Cyber strikes in Ukraine
In Ukraine, attacks to critical national infrastructure began in 2015, culminating in December that year with the first power grid attack through a piece of malware known as BlackEnergy, but only after the same tool had been used to attack media companies on the day of local elections in October.
The following year saw many more attacks to critical national infrastructure including energy, transportation, and government authorities including the Treasury Fund and the Minister of Finance. According to Derevianko, between 2018 and 2020, the number of attacks on critical national infrastructure increased five-fold, and the 2021 Microsoft Digital Defence Report found that 19% of the world cyber-attacks were enacted against Ukraine.
However, a curious change in events coincided with the beginning of the 2022 invasion. In the first two months of the war, there was around a 60% increase in the number of cybersecurity alerts, but this did not correlate with an increase in incidents, according to Derevianko. While cyberattacks against Ukraine increased dramatically in frequency, their rate of success did not move up in accordance.
The impact of cybersecurity attacks is in inverse proportion to preparedness.
- Lino Santos
An interesting parallel formed between Ukraine’s surprising resilience against Russia’s military operations and its capacity to withstand the large scale of cyberattacks. In both cases commentators were quick to emphasise how Russia’s capabilities may have been previously overstated, and then in later stages of the war observers recognised the importance of Ukraine’s preparations in advance of its defence.
“In that instance, cybersecurity actually did get better,” said Petraeus. “Cyber defences prevented Russia from ever bringing down the electrical grid, taking down the command-and-control system, cutting off the global Internet and so forth.”
Derevianko holds the contrary view that the success of Ukraine’s success in repelling cyber-warfare comes from its experience on the cutting edge of attacks that predate the open armed conflict: “Ukraine prevailed in the cyberspace because all these years, these teams of people were facing cyber-attacks constantly, were responding to them, and on a daily basis were recovering from very fierce and impactful attacks.”
Or as the head of Portugal’s National Cybersecurity Centre, Lino Santos remarked: “The impact of cybersecurity attacks is in inverse proportion to preparedness.”
The most important tool that cyber attackers can use is to terrorise the population by disrupting the regular services for people. “This is an important component in the cyber warfare. Just like disinformation,” said Derevianko, “you should not expect cyber to create effects like in a kinetic war. You cannot order a cyber strike and then something flies and shoots and then something is destroyed… cyber is a human business, you need a good team, and it takes time.”
The attacks that resulted in some disruption and required significant efforts to mitigate and recover were the attacks where the adversary had access before the invasion started, known as Advanced Persistent Threat (APT) attacks. “Cybersecurity here is all about how good you are at detecting something that was not detected by your regular security means.”
// Retired General David Petraeus, former Director of the CIA, in conversation with Robert Silvers, Under Secretary for Policy, Department of Homeland Security at CyberTech 2023 in Tel Aviv. Credit: Andrew Salerno-Garthwaite.
European attacks register at scale
When Daniel Markić, director of the Croatian Security and Intelligence Agency, addressed the conference in Tel Aviv, he was clear to focus attention on the two cyber threats that are defining this age: cyber espionage through APT attacks and ransomware, distinguished from one another more by their objectives than their means, but with that division becoming increasingly blurred as nation-state APT groups employ more and more cybercriminals.
Since Russia’s invasion of Ukraine, Croatia has itself discovered 19 state-sponsored cyber-attacks, up from 14 in 2019, representing a sharp increase over a short period time as the operators become more prolific. “APT groups mostly go for data of to our main ministries, the Ministry of Defence and the Ministry of Foreign Affairs,” said Markić.
The array of target priorities for Russian cyber-attacks would appear to differ between Croatia and Ukraine, according to Derevianko: “If you look at what Russia targeted predominantly in their cyber-attacks [against Ukraine], they were banks and other commercial enterprises, telcos, energy and utilities, and only after then defence and security.”
One consistent theme between delegates from all nations was the need for collaboration and information sharing between nations in an attempt to deal with an exponential growth in the number of cyber-attacks taking place, but the strictures of intelligence establishments have a counterproductive effect in this regard, as Markić’s appeal suggests: “We have to find a way to declassify intelligence signalling the cyber-attack, turn it to a technical information and share it with everyone who would need it in order to protect themselves. Intelligence is useful only if it’s actionable if it is usable.”
While in cooperation, the role they play is unanimously clear to nation-states, but the same cannot be said about the matter of accountability. When cyber-attacks are committed, it is not a simple matter to assign blame and to recoup compensation.
In a press briefing at CyberTech 2023, Gaby Portnoy, the Director General of the INCD, was contemplative on the subject: “I will tell you from the starting point, I don’t care who it is. I want to protect our nation. This is the first goal. After these words, we have to talk more again, we the table, about norms and values… what is sovereignty in cyberspace? If Hezbollah attack us from computers in Germany, this is a problem of the sovereignty of Germany? This is the question. So, we are premature now to start talking about that.
“But you can see a little bit of change, and from my point of view it’s sometimes not enough. The FBI did a very interesting operation, now, against [cyber-attack organisation] Hive. It brought out all of the encryption and passwords they needed to help the victims of ransomware, and they brought back $130 million from the wallets of the cybercrime group back to the [rightful] owners. It’s another aspect of protection.”
// Main image: From left to right: Natasa Glavor, Head of National CERT, Croatian Academic and Research Network; David Kanamugire, CEO of Rwanda’s National Cyber Security Authority; Lino Santos, Head of Portugal’s National Cybersecurity Centre; Igli Tafa, Director General of Albania’s National Authority on Electronic Certification and Cybersecurity; and Yigal Unna, former Director General, Israeli National Cyber Directorate, discussing ‘Cyber Challenges During Times of War in Europe’ in a panel at CyberTech 2023 in Tel Aviv. Credit: Andrew Salerno-Garthwaite.