4 May 2023

Countries Caught in the Crossfire Wage War From Afar

DIEGO LAJE

As the physical war in Ukraine rages on, some cyber warriors are fighting the battle from a distance. Sweden, no stranger to cyber bullying from the Kremlin, has become home to many of these fighters.

While Ukraine’s forces barely kept Russians out of Kharkiv in the first days of the war, residents lived their darkest hours. “We stayed for some time after the invasion, and then we decided that it’s going to be safe, safer, out of the city,” said Oleksandr Adamov, 38, professor and cybersecurity researcher.

Adamov started teaching malware analysis courses in 2009, and a year later, he joined the Kharkiv National University of Radio Electronics where he still instructs cyber skills virtually. Two weeks after hostilities started, Adamov was scheduled to be in Sweden for a teaching job. As an educator, he is exempted from military mobilization. “I took the permission from the military office to leave the country,” Adamov said. Thus, he, his wife and their 11-year-old son traveled to Sweden, where he has been researching and teaching future cyber defenders at Sweden’s Blekinge Institute of Technology since 2012.

Adamov specializes in reading Russian malicious code and understanding how it works, among other skills. “I’ve been working in this area for, I believe, more than 15 years; so mostly, it’s called malware analysis and reverse engineering,” Adamov told SIGNAL Media in an interview.

“[Adamov] has executed the reverse engineering and deep analysis of the tools being used during several attacks,” said Oleksii Baranovskyi, senior lecturer also at the Blekinge Institute of Technology and associate professor at the National Technical University of Ukraine.

Baranovskyi is another Ukrainian cyber defense expert currently based in Sweden.

“Cyber has become a really important matter for states, for all European states. They realized that we need to build capability,” said Marcus Murray, founder of Truesec, a Swedish cybersecurity company.

Murray’s company engages military and civilian institutions to defend Sweden against daily attacks and intrusions. He also works around the region and has been involved with Ukraine’s digital war.

“The focus and the goals of cyber attacks on Ukraine shifted from information stealing to destruction, destroying something; but if we talk about the NATO countries, it’s information gathering, information stealing, a kind of intelligence, using the cyber domain to get it,” Baranovskyi told SIGNAL Media in an interview.

Russian government spokespeople have repeatedly denied involvement in cyber attacks on any other countries, including Ukraine.

Russia’s convergence of cyber and battlefield methods is a constant theme discussed among cybersecurity experts. This tactic is evident in Russia’s attacks on civilian infrastructure—banned by international humanitarian law—while engaging privateers to carry the weight its regular forces cannot shoulder on the physical battlefield or in cyberspace.

“Russia’s persistent use of ‘proxy’ groups throughout the conflict, such as Wagner Group and pro-Russian cyber criminals, hacktivists, and influence actors, has revealed Kremlin control or direction over these groups while further illuminating Russia’s desire to have plausible deniability over its actions,” stated a report by Recorded Future, a consultancy.

Russia’s effort to cripple Ukraine’s online activities during the first phase of the invasion is suggested by the figures from Wordfence, a cybersecurity company protecting 376 educational institutions in the country. The company observed the following attack pattern in early 2021:

479 attacks on February 24
37,974 attacks on February 25
104,098 attacks on February 26
67,552 attacks on February 27

In its report, the company attributed these attacks to a Russian hacker group.

Initial actions against Ukraine combined malware, other cyber attacks and disinformation.

“The cyber component hasn’t been a game changer. They did take out some satellites in the beginning, which was annoying, but then the Ukrainians found other ways to communicate,” said Murray.

In the opinion of Ukrainian cyber defender Baranovskyi, Russia is far from an all-domain champion.

“They do not have strategic planning, at least in the cyber domain, because all their actions are tactical,” Baranovskyi said.

“Quantity has a quality all its own” is a quote often, and perhaps falsely, attributed to the Russian dictator Joseph Stalin. Nevertheless, this philosophy also seems to resonate in the cyber domain.

“They’re not ideal hackers. They have a good school for this, maybe military, I don’t know,” Baranovskyi said. He added that the Russian toolset has narrowed and that operations are limited to a few repeated moves (see “A Dangerous Transition” below).

“It seems like they are just working to create functioning malware that does one thing, and that’s basically wipe; they essentially want to sit on the edge of the network. They want to attack email servers. They don’t want to phish; they just want to attack the edge: firewalls, email servers, routers, things like that,” said Greg Hatcher, founder of White Knight Labs, a cyber-defense firm and former engineer for the Army Special Forces.

“It’s a training from day by day,” Baranovskyi explained to SIGNAL Media, as he had observed Russians repeat the same attack. This might make them experts at one particular move, but over time, it eliminates the element of surprise, according to this expert.

The war seems to be taking its toll. Just as units engage Ukrainians in long battles of attrition, where advances are expected and defenders gain the opportunity to inflict maximum casualties, a similar thing may be happening in cyberspace.

“They might not have a deep bench of malware developers, or if they do, maybe they’re just burnt out because we’re seeing malware developers in Russia making actually a lot of coding errors,” Hatcher said.

As Russia continues its attacks on Ukraine, people like Adamov are watching. The playbook is open, and lessons are being shared.

“I’ve studied attacks, Russian attacks, against the Ukrainian power grids, and now I use this, this experience, this knowledge, creating this new cybersecurity program,” Adamov said. This class is over a decade old, but the war has given him an opportunity to put his work in overdrive.

Still, despite his new life as a refugee, Adamov’s family tries to cushion the dramatic changes his son has seen in his last year. The virtual space where Adamov battles cyber attacks is the same space that allows his son Andrew to continue education in his home country by attending PUSH School in Kharkiv as a distance-learning student.

“We are happy to be able to continue school, education, for our son on distance because he likes it. He got used to his school, his classmates, and he was happy to continue even on distance, but still, it’s much less stressful,” Adamov said.

Even though, online, it is as though Adamov’s son never left his friends in Kharkiv, and the family has managed to build a life in a country untouched by this war, they cannot wait to return home.

“We plan to come back once the war is over and is going to be safe,” Adamov said. When facing Ukraine’s odds, Adamov expects his country to prevail. “No other option,” he said.

A Dangerous Transition

Experts agree that attacks on Sweden intensified once it made its intention to join NATO public. The announcement placed the Nordic country in Moscow’s crosshairs. At the same time, attacks on a country that was not yet a member were not an action against the alliance, thus lowering the cost of potential aggression.

Accession is also an opportunity to harvest intelligence about the Kremlin’s strategic rival.

“After the moment they [Sweden] have decided to move to NATO, they’ve been a main target for cyber intelligence ... because they became more close to the NATO structures,” said Oleksii Baranovskyi, senior lecturer at the Blekinge Institute of Technology, Sweden, and associate professor at the National Technical University of Ukraine.

“We have had a pretty large number of attacks targeting Swedish infrastructure, or the websites of important infrastructure organizations, and that is related to Russia; we would call it a disinformation campaign,” said Marcus Murray, founder of Truesec. But by the time Russia moved on Sweden, its playbook was well-known by companies, the military and the government.

Experts like Baranovskyi had been preparing new generations of defenders for years and had seen how Russia waged cyber war.

And both Ukraine and Sweden implemented defensive tactics to diminish or neutralize Russian attacks. By early 2022, both countries “prevented themselves from being too dependent on single points of failures, so I think that even if you look at the power plants, etc., in Sweden, for example, you can hit one place, it will all get dark,” Murray explained. He went on to say that Russians could attack a part of the power infrastructure, but they were unable to cause a massive failure.

Still, Russia has a problem when targeting Sweden, as it has few cyber operatives who speak the language well. This has created what Baranovskyi described as a “natural firewall.”

“Attacks, I believe, will not be so efficient, and they’re not so efficient as attacks against U.S. or Germany or Ukraine due to the language because not so many people around the world speak Swedish,” Baranovskyi explained.

The Data That Ran the Gauntlet

As Kyiv was threatened from the north and east during the beginning of the Russian invasion, defenders realized there was a capital vulnerability.

“The very definition of the country, Ukraine, is basically in computers today,” said Marcus Murray, founder of Truesec. Before, national records were kept on paper, a practice Napoleon standardized and spread in Europe.

“So, who is a citizen of the country? Who owns land? Who owns a company?” Murray explained that all this information is in databases.

The vulnerability was that all this data was stored in data centers in Kyiv itself. If Russians took the capital, they would own all the data.

Thus, a new initiative arose: “A campaign to start to try to transfer that outside Ukraine in the beginning of the war. It was a very stressful operation done by a lot of countries,” Murray said. Data was migrated to the cloud, where Ukraine retained control over it regardless of who owned the data centers.

“You have no idea how many terabytes that was, but it was a lot of data. It’s troublesome; you can’t just press upload to the cloud,” Murray explained.

After days and nights of work, the country’s key data was put beyond the reach of the invading force. Had the capital fallen, invaders would have found only empty buildings with limited chances of finding information on every inhabitant, voter, taxpayer and passport holder.
