Since the invasion of Crimea and eastern Ukraine by Russia, there have been many well-documented cases of the use of computer network operations for intelligence collection and even force projection. Over time, the scale and impact of these attacks has risen considerably, including the remote, unauthorized manipulation of Ukraine’s electricity grid and a country-wide attack that has been called the most damaging malware incident in world history.
The Ukrainian Presidential Election in 2014 was marred by hacktivism, cyber espionage, the release of stolen sensitive information, the compromise of Ukraine’s Central Election Commission (CEC) website, and a carefully planned psychological operation against Ukraine falsely claiming that a far-right candidate had won the poll. Ukraine’s Computer Emergency Response Team (CERT-UA) wrote that this was the most “technically advanced” cyberattack it had ever investigated.
Thus, on 25 November 2018, when the Russian Federal Security Service (FSB) fired upon and seized three Ukrainian Navy vessels as they transited the Kerch Strait, which separates the Black Sea from the Sea of Azov, we should expect to see some elements of this military operation and subsequent geopolitical tension reflected in cyberspace. And sure enough, numerous sources reported cyber incidents:
One private firm, called Stealthcare, reported that both Ukrainian government and military targets were hit with a phishing campaign designed to facilitate diplomatic and naval espionage prior to the seizure, attributing them to “Russian government-affiliated actors”. The same company reported that another cyber actor tied to the Russian FSB also attempted to install a backdoor called Pterodo in multiple Ukrainian government agencies just prior to the incident. There is no further information at this time to question or confirm the veracity of both reports.
In the 24 hours following the seizure, cybersecurity firm Comodo reported a sharp spike in malware detections on both sides of the Ukrainian-Russian border, as cyber actors, perhaps from many countries, sought to capitalize on the tense and rapidly unfolding situation.
On the Russian side of the border, researchers announced that a hospital, possibly associated with the Russian presidential administration, may have been targeted by cyber actors seeking information on the captured Ukrainian sailors. As evidence, they cited the fact that Adobe released critical security updates for two Flash Player vulnerabilities. Adobe credited two cybersecurity firms and one independent researcher with the attack analysis. This alleged attack was detected on 29 November, or four days after the Kerch Strait incident.
One Kennan Institute expert, Nikolas Kozloff, believes that Ukraine will be much better prepared for cyberattacks in 2019, having not only learned from their own experiences but also having recently received support from the West, including the U.S. UK, Estonia, and NATO. In an interview with Kozloff, one senior Ukrainian official, Vasyl Filipchuk, said “Experts are confident that we have one of the best cyber security defense systems in the world. We have neutralized Yandex and Kaspersky, so I think Russia would find it quite hard to intervene now.” Further, he added that “We vote on paper ballots … All ballots will be counted manually at the Central Electoral Council, so there’s nothing to hack.”
While cyber operations have become a regular feature of nearly every political and military conflict, these incidents still take considerable time to investigate and analyze, making them especially vexing during a fast-moving crisis. The added challenge of correct attribution and false flagging, makes this problem even worse. Therefore, as our Task Force analyzes network security incidents in the run-up to the 2019 Ukrainian Presidential Election, we will try hard to accurately report the facts, but also to assess the credibility of the sources.