Overview of cyberattacks in Ukraine

On January 14, the Ukrainian authorities reported that several ministries were targeted by cyberattacks. Laurent Célérier, Executive at Orange Cyberdefense and teacher at Sciences Po, answers EurAsia Prospective's questions on the subject.

EurAsia Prospective: So far, what do we know about these cyberattacks? Who has been targeted? What was the modus operandi in comparison with the most famous cyberattacks (Stuxnet, SolarWinds)? What was the damage caused by these cyberattacks?

Laurent CELERIER: The information we have indicates that about fifteen websites of Ukrainian administrations (Ministry of Foreign Affairs, Education, Veterans Affairs, etc.) were attacked on January 14, 2022. These cyberattacks mainly consisted of a defacement of their homepage, which was replaced by a propaganda message in Ukrainian, Russian, and Polish. In essence, it said: "Ukrainians, be afraid and prepare for the worst. All your personal data has been uploaded to the web".

It seems that a known vulnerability (https://www.cvedetails.com/cve/CVE-2021-32648/) was exploited manually in a content management system (CMS).

To date, it does not appear as though there has been a massive leak of personal data.

In terms of complexity and damage, on a scale from 0 to 10, the Stuxnet cyberattack against Iran's nuclear centrifuges and the SolarWinds attack affecting the American administration and several large organizations are rated 10, whereas the cyberattack against Ukrainian ministries is rated 1 or 2.

The consequences of this cyberattack, besides the temporary unavailability of the compromised websites, are the negative perceptions from both the Ukrainian population and the rest of the world. Nonetheless, it was primarily the confidence in the Ukrainian government that was impacted.

EurAsia Prospective: Is it possible to know who is responsible for these cyberattacks? Does the way of operating, the size of the attacks or the techniques used point to a State, a criminal organization, or a known group of hackers?

Laurent CELERIER: The question of finding a culprit in cyberattacks is always difficult, as the technique used in these attacks often does not allow us to identify the perpetrator. It only allows for the collection of clues (tools and techniques used) which, coupled with a deep analysis, can lead a political or judicial authority to decide whether to keep the attack confidential or reveal it publicly. In the case of the Ukrainian cyberattacks, the low level of technicality and impact of the attacks opens a wide range of possible suspects: from a single hacker or a group of state-mandated cybercriminals to an intelligence service. The current situation in Ukraine as well as the absence of financial motivation in the attack indicate a political motive. Who would have the benefit of undermining the trust in the Ukrainian government? When answering this question, you can drastically reduce the suspects.

An overly simplistic analysis is sometimes not appropriate. Firstly, these attacks may have been carried out by a single person rather than a group of hackers, fostered by the current climate in Ukraine. Secondly, and without falling for a conspiracy theory, multiple strategies are possible: these cyberattacks have led the United States and the European Union to confirm once again their support for the Ukrainian government, which was possibly the aim of these cyberattacks.

EurAsia Prospective: Does Ukraine have the cyber defense resources to deal with these attacks? What is its level of preparation and resilience, compared to other former Soviet Socialist Republics targeted by hackers, such as Estonia?

Laurent CELERIER: The cyberattacks faced by Ukraine are not of a high complexity on a technical level. Therefore, they can be remedied quickly by the country's state capabilities or with the assistance of private cybersecurity companies. American and European experts being sent to Ukraine is not justified from a technical point of view, but is rather a response to a political commitment. Nevertheless, these cyberattacks reveal a worryingly low level of cybersecurity maturity within the state. Ukraine had already suffered cyberattacks in 2015 and 2017 on its critical infrastructure, which particularly affected electricity production. The technicality required for those cyberattacks suggests that they were likely carried out by another state.

These previous attacks could have led, as was the case in Estonia in 2007 after it suffered a complete paralysis, to a strengthening of Ukraine’s cybersecurity level. Given the general situation of the country and the lack of sufficient investment, this does not seem to have been the case, placing Ukraine in a worrying situation.

EurAsia Prospective: This attack took place at a time when the Russian Federation had, for a month, been putting a lot of pressure on the Ukrainian military, diplomacy and media, and on its former space of influence. Do these attacks nurture a "hybrid war" or the "Guerassimov doctrine"?

Laurent CELERIER: The so-called "new generation" war doctrine of Valery Guerassimov, which took shape as a reaction to American hybrid war and Chinese "out-of-bounds" war, is based on the coordinated use of all types of resources, whether military, diplomatic, civilian or private, to achieve political objectives. It is in fact the umpteenth mutation of "integral" war, considering cyberspace in its technical aspects but also in terms of influence.

What is currently happening in Ukraine is indeed an example of a new type of conflict where the different actors operate mainly in the digital space to defend their interests.

The main risk of using this cyber weapon, in the field of influence, is losing control. For example, "sympathizers" can take spontaneous action, initiatives to manipulate information can generate reactions opposite to those intended, and "attack tools" can turn against you.

EurAsia Prospective: On the eve of presidential and legislative elections, is France better prepared than Ukraine to face cyberattacks against its institutions, businesses, or political parties? What are the main results today of its cyber-defense strategy?

Laurent CELERIER: For about fifteen years, France has been fully aware of the cyber threats to its national security. Since 2008, essential operators must respect many cybersecurity regulations, and the French state has considerably reinforced its capabilities, by developing the National Agency for the Security of Information Systems and its military capabilities in this area.

I would therefore say that the main infrastructure in France has a significant level of security.

On the other hand, and despite the efforts that went into cybersecurity, such as the recent recovery plan, the so-called "peripheral members", such as local authorities or SMEs, still have significant room for improvement. For example, defacement attacks on city halls or SMEs, like those suffered by the Ukrainian ministries, are carried out daily. However, the level of impact depends significantly on the current state of a country. A cyberattack in one country could be considered a "small incident" whereas in another it may result in a "major crisis".

In this respect, the upcoming presidential and legislative elections are indeed a crucial moment. Among the current operating models, three seem to be critical: hacking campaign team data to destabilize a candidate, as was the case in the United States with Hillary Clinton's emails; the proliferation of fake news, making it difficult for voters to obtain reliable information and thus destabilizing the democratic process; and finally, the disruption of the vote itself, which is likely to rely more on electronic voting than in the past due to the pandemic.

While government services are already mobilized to try to reduce these risks, it is essential to continue to educate citizens on cyber risk and to add the right technological protection.

EurAsia Prospective: Do these cyberattacks give us a good status of the current landscape of cyber threats?

Laurent CELERIER: The cyberattacks in Ukraine and their international repercussions confirm several trends. First, it is now clear that competition between states extends to the digital space. Whether in a confidential or open manner, states reinforce their traditional military capabilities with capabilities and doctrines for action in the digital space. Moreover, no matter the impact of a cyberattack or its origin, a cyberattack is now considered a real assault and can lead to many political reactions. Finally, the claim that the personal data of Ukrainians had been stolen compromised the State's ability to respect and protect the data and private life of its citizens. This has become a key element of the social pact between individuals and the public authorities, especially during the pandemic with the acceleration of the digitalization of health care.

The article was published on EurAsia Prospective.
