“We are not only better prepared, we are able to share our lessons learned,” said George Dubynskyi, deputy minister for security in Ukraine’s Ministry of Digital Transformation.
That is resonating in Europe and the United States, which have worked closely to protect Ukraine and now are importing strategy and intelligence in defense of their own cyber networks.
“The Russian invasion did prompt greater cyber cooperation between the U.S. and key allies, particularly in Eastern Europe,” said Brandon Wales, executive director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and coordinator of the American interagency defensive response. “When it comes to work across domestic critical infrastructure sectors, the war turbocharged the operational collaboration that we had kicked off.”
Ukraine had good reason to expect the worst. Russia had used innovative attacks on specialized software controls to cut power to swaths of the country during the winters of 2015 and 2016, and it had continued to use its rival as a proving ground with the release of NotPetya, a wildly destructive piece of malware that spread through a Ukrainian tax program and caused $1 billion in damages. The United States has indicted six Russian intelligence officers in those attacks.
That heightened sense of danger helped. U.S. intelligence agencies and multiple big American tech companies worked closely with Ukraine for years, sharing information on new threats and working through a list of best practices inside critical facilities, such as two-factor authentication, good offline backups and the use of multiple cloud vendors accessible from anywhere.
Ukrainian authorities installed better hardware and software, and passed legislation to give regulators more power and increased flexibility to protect the data the government keeps on citizens, Dubynskyi told The Washington Post.
“One week before the invasion, we were able to store copies in the cloud. It was a breakthrough,” Dubynskyi said. “We were able to move our critical data abroad to Amazon AWS, Microsoft Azure, Oracle and other vendors, without any formalities.”
The result wasn’t an airtight architecture, and some attacks got through. Russia beefed up its phishing attacks via social media and used stolen accounts of associates to better target individuals inside the government. But restricting access to a limited number of users who had physical tokens as a second authentication factor helped avoid disaster.
Russia deployed a variety of destructive programs known as data wipers through other means, and it stole passport data from border stations that it could use to track Ukrainians. It also hacked the satellite communication system Viasat, which the military used, and sidelined the Turkish-made Bayraktar drones whose successes against the invaders in the early months of the war were celebrated in widely circulated videos. Google disclosed the hack this month but did not specify what stolen information the Russians used to defeat the drones.
It also combined cyberattacks and physical explosions to force internet traffic through infrastructure it controlled.
“They cut optical fibers and they destroyed cell towers to deprive people of access to Ukraine’s digital space, to switch them to Russian digital space,” Dubynskyi said. “When you have no digital space, cybersecurity is useless.”
A direct appeal to Elon Musk brought Starlink terminals into the country and helped preserve internet access for most of the country, he said.
Russian government and allied criminal hackers have tried to break into most Ukrainian ministries, and in some cases succeeded, most recently through back doors that were set up before the war.
Russia and its allied groups, some posing as patriotic hacktivists, have claimed all manner of leaks of government documents. Most are fakes or exaggerations, but not all. Its other propaganda campaigns, also waged online, have been extensive and continue around the world.
Some propaganda has been boosted by networks of automated social media accounts for hire, which have helped propel #ZelenskyWarCriminal briefly into Twitter Trending lists in the United States, France, Italy and other countries. Some of the same accounts also touted cryptocurrencies and, more recently, Nigerian presidential candidate Peter Obi, according to researchers at the nonprofit group Reset.
But Russia’s biggest attempt to knock out Ukraine’s power again, with a version of the specialized software used against industry targets in 2016, was caught by security software because it reused too much of the earlier code.
Other private software caught more intrusions, in part by checking for unusual behavior. Dubynskyi praised Microsoft, Google and Cloudflare for their help, which stemmed partly from their analysis of the vast activity of their own users. He noted it was in their interest to see what was happening in Ukraine and apply that to protect customers worldwide.
Microsoft set up a 24-hour secure hotline so that when it detected an attack in progress, its corporate vice president for security, Tom Burt, could call top Ukraine defenders immediately.
Burt said the company’s practice was to notify all targets of state-backed hacking attempts but that the hotline and personal touch “is kind of a white-glove notification” for war-related attacks that now has been extended to NATO and some NATO governments.
Like Dubynskyi, Burt warned that Russia is continuing to try new techniques. But they are doing so under a microscope: “We are learning more about how these actors operate and how they evolve their response.”
The U.S. government has helped by bringing the fight to criminal ransomware groups, some of which had turned their attention to Ukrainian targets. Arrests, takedowns and seizures disconcerted some in that shadow economy, and sanctions cut off some of their income, sending total collections down.
“The sanctions have made it hard to actually pay these guys,” said Billy Leonard, Google’s head of analysis for government threats.
Officials in the United States are applying what worked in Ukraine to their own cybersecurity efforts. Wales said the two-year-old Joint Cyber Defense Collaborative (JCDC), which includes big cloud, communications and security providers, is sharing more intelligence, including some that gets declassified within a day.
“We were able to get information within hours from initial infections in Ukraine, where JCDC members were sharing and using it inside of their systems, to protect hundreds of thousands of critical infrastructure operations around the United States,” Wales said.
Like Ukraine’s wider outreach efforts, CISA is now focusing on what it calls “target rich, cyber poor” sectors of the economy, protecting the hospitals, schools and local governments that have been battered by ransomware in the past few years.
Perhaps most importantly, CISA has seized on the lesson from Ukraine's resilience: doing the basics is much better than doing nothing, Wales said.
“Slow and steady, they made improvements in their security architecture, and they benefited from Western support, including the private sector,” he said. “Nation-states do have a lot of cyber capability, but you can make it harder.”