Ukraine is a testbed for global cyberattacks that will target major infrastructure
On the ground in Kiev, TechRepublic got a first-hand look at the frontline of a cyberwar that involves alleged Russian state-sponsored hackers, organized crime, and lone-wolf attackers.
I made a huge mistake the moment our airplane skidded to a hard stop at Kiev's Boryspil International Airport. I toggled off of airplane mode and for a moment allowed my phone to connect with Vodafone, the local data carrier in Ukraine. No big deal. My international roaming plan would prevent massive data charges, and my virtual private network (VPN), I assumed, would protect me from snoops sniffing mobile traffic. I needed to connect with colleagues attending the Global Cybersecurity Summit (GCS), a 2-day event designed to unite industry leaders and address urgent security challenges facing governments, private companies, and NGOs. The irony was that I'd landed right in the middle of a hacker trap.
Technology is transforming the world's economy rapidly. From political conflict caused by climate change to emerging tech like machine learning and the Internet of Things (IoT), says GCS co-organizer Ryan Brack, a senior vice president at Mercury Public Affairs. "We must plan for today's threats while anticipating tomorrow's. There aren't enough brains to tackle the cybersecurity challenges that governments, businesses, non-profits, and average users continually face. GCS united experts across multiple disciplines to discuss the pressing topics critical to our cyber and economic security in a highly topical setting."
More about cybersecurity
Security challenges that initially impact business and government in Ukraine quickly migrate to consumers around the world. Kiev is the frontline of a cyberwar that involves alleged Russian state-sponsored hackers, organized crime, and lone-wolf attackers. In December 2015 Ukraine was hit with a coordinated cyberattackthat took down the country's power grid. The sophisticated, multi-stage strike was planned months in advance and involved email phishing that exploited vulnerabilities in Microsoft Word macros and allegedly gave Russian hackers access to serial-to-Ethernet ports. Direct access to power grid controls allowed the hackers to own the system and rewrite the port's firmware, preventing defending Ukrainian workers from stopping the attack.
Spurred by the kinetic war in Crimea, months later the country's power grid was slammed with another attack, this time using malware and ransomware. Reporting for ZDNet, Zack Whittaker explains the cyberattacks against Ukraine are a warning to the West and a "large-scale test." Similar modular cyberweapons, Whittaker says, could be easily "refitted to target other types of critical infrastructure."
The use of ransomware against Ukraine is particularly ironic, says one source with knowledge of Ukrainian lone-wolf attackers, because much of Ukrainians' defense against Russia is funded by ransomware. The campaign against the Ukraine is asymmetric, the expert says. "Russia has nearly unlimited funds to push the war in the south (in Crimea) and to fund [hacker-type] training in universities and organized criminal organizations. To defend itself, many Ukrainian hackers are developing new forms of ransomware to fund counterstrikes."
Brack says GCS organizers chose Ukraine because the country "is considered a test bed for attacks on major infrastructure. Targets over the years include the national power grid, national railway system, one of their major stock exchanges, and Boryspil, Ukraine's busiest airport."
On the tarmac of Boryspil airport my phone grew warm in my pocket, trying in vain to connect with Vodafone. As I lugged my duffle towards customs I ignored the tell-tale warning sign of a StingRay, a surveillance device that mimics cellular data networks and allows hackers to grab critical data, including a device's MAC address and some encryption keys. I had taken precautionsand deleted all unnecessary applications prior to landing in Ukraine, but the imminent concern was surrendering my device for inspection. Business travelers crossing state lines, even in the West, should always encrypt devices and remove unnecessary sensitive data.
My handler grabbed my jacket and whisked me to a private security line where my American currency was "inspected," but my device was ignored. I was passed to a second handler, Anton Solopikhin, deputy head of GloBee, a Ukrainian NGO that encourages local business development and was the local sponsor of GCS. "The [recent cyber] attacks did temporarily hurt Ukraine," Solopikhin says, "but we have been fighting Russia for a long time. They attack our infrastructure and our people's minds using Пропаганда," the Ukrainian word for propaganda. "But we know how to fight back. You in the West could learn some things about our [anti-hacking] technologies."
Cybersecurity experts, including former US Deputy Secretary of State Antony Blinken, agree that while there is a growing focus on the applied science of cybersecurity within private and public institutions, better security demands a collective response from these organizations. "[Hacking] is threat that is growing, becoming more acute, and manifesting itself in a number of ways," Blinken explains. "The hard truth is there's no single organization--governments, corporations, NGOs, academic institutions--that has the solution to this problem. [Cybersecurity] demands a collective response and all these groups need to work together proactively."
The diplomat prescribes three components to achieve organic cyberdefense at global scale. First, better defense comes from better public-private partnerships. As technology erodes national borders it's incumbent on global actors to collaborate, share information, and respond in kind to overt and covert attacks.
It's also critical for public and private institutions to set international norms and standards for how technologies and good actors should behave, especially in peacetime. "We did this with arms control in the advent of the nuclear age," and in many ways, Blinken says, deterring cyberweapon proliferation is more complicated because digital weapons are harder to find, easier to deploy, and often in the hands of non-state actors. Particularly in the age of machine learning and IoT, good policy must be established that encourages innovation while also enforcing security protocols on devices.
Deterrence must be a priority for all actors. Corporations and government organizations must be willing and able to impose costs on entities and groups that use offensive cyberweapons and malware. These steps won't eliminate all vulnerabilities, Blinken says, but they will drive down hacks and slow proliferation.
"All of these things need to come together, and it has to be in collaboration and in partnership."The same type of energy that goes into creating [innovation] needs to go into thinking about what some of the consequences might be and guard against and mitigate [damage]."
Hearts and minds are also at risk, agree most cybersecurity experts. Bots and fake news can atomize a population before and after major cyberattacks. Tactics likely deployed by Russia during the 2016 American election were first tested in Ukraine. Fake news was rife in Ukraine prior to the 2014 election and was coupled with cyberattacks against voting infrastructure. "Ukrainian elections in 2014 saw an attack which targeted Ukraine's central election computers, network infrastructure, and vote-reporting systems," Brack says. "If the last attack was successful, the malicious code would have shown the pro-Russian candidate winning with 37% to the pro-Western candidate's 29%. In actuality, the pro-Russian candidate received just 1% of the vote. Not coincidentally, Russian Channel One news ran with a 37% update, though the fake detail was never published by the targeted vote-reporting sites."
Simply stated, as evidenced by Russia's alleged tampering with the French election, election and cultural hacking in the West is an ongoing occurrence, not a one-off event. "When we think of the cybersecurity threat we often think of the threat to our critical infrastructure: energy networks, hospitals, and road infrastructure," Blinken says. "Equally important is the threat to our human infrastructure: the effort to influence what we think, what we believe, what we know. Both of those threats are converging."
The moment I took the stage at GCS, every single one of my social media accounts was hammered by a brute force attack. Earlier in the day, worried my device had been compromised, ethical hacker and GCS speaker Victor Gevers ran a forensics test of my device. My device was clean, but that did not guarantee safety. "iOS isn't impossible to hack," said Gevers, the founder of GDI.Foundation, a group that provides responsible disclosure of security vulnerabilities to organizations.
"To deploy an iPhone zero day against you would be very expensive," Gevers says. "This does not promise you security, but it's important to determine your threat level and risk profile. You are a low value target, but every organization should take precautions against hacking. Even if you're using a Mac or iPhone, you're still at risk. When in doubt, bring a burner or just turn off your phone."
Using programs like John the Ripper and Burp Suite brute force attacks use common password combinations in an attempt to guess a user's password. A combination of two-factor authentication and diverse passwords stored in a password manager saved my accounts, but I wasn't out of the woods. Each brute force attack was followed by a phishing email. "They're probing and profiling you, looking for an account you forgot to lock down," Gevers says.
The combination of brute force and phishing is easy to identify, he explains, because most spam is filtered to your email spam folder automatically. "Phishing emails targeting you specifically will hit your inbox immediately following a brute force attack. They hope you confuse the legitimate login email from [social media] sites with the fake phishing email."
The fake phishing email looked great and would have been easy to mistake for legitimate mail had I not checked the domains inside the message. Like spam, each used a variation of a legitimate domain.
It is precisely this type of attack that gave alleged Russian-aligned hackers access to the emails of former Clinton campaign Chairman John Podesta, CIA and other US government documents, countless undisclosed corporate hacks, and the Ukranian power grid. The hacks in Ukraine resulted in not just power outages, but a shutdown of some internet services by the government.
In May 2017, Brack says, "Ukraine's prime minister issued sanctions against Russian internet companies and banned their services, including the search engine used by a third of Ukrainians, Yandex. The following week, Yandex's offices in Ukraine were raided. In total, four of the top 10 most used websites in Ukraine are now officially inaccessible in the country."
The raids were rationalized and explained by the government as an attempt to restore Ukrainians' privacy and digital security. But not unlike the soon-implemented EU database regulation, Brack worries about civil liberties implications. "Questions swirl around how far is too far in the fight to protect users," he says. "The same issues exist around encryption where government and law enforcement generally advocate for extreme solutions like rootkey and backdoor access, while technologists and advocates push for data/user security and focus on civil rights."
The tête-à-tête between Russia and Ukraine is not without a little levity. Perhaps underscoring the need for free speech and an open internet, in late May of 2017 the two nations traded barbs on Twitter. The debate resolved nothing, and resembled many social media arguments with Ukraine deploying a Simpson's GIF to emphasize the country's angst with the ongoing conflict.
"The great strength that we have is that we built an open, connected world," Blinken says, "and that open and connected world is increasingly [challenged]. The big divide in so many societies now is between those faced with these incredible forces of change and feel like the best answer is to play defense to protect themselves, to build a wall. And with those who continue to believe that our best bet is to remain open and connected, and to do what we can to shape the forces of change to our advantage, or to at least mitigate the downsides. If those who believe the only answer is to build walls then we're really at risk of losing so much of what has been a source of our strength and our progress, not just materially but as human beings."