Victor Zhora on cataloging cyberwar crime evidence against Russian hackers targeting Ukraine

Cyberattacks have played a significant role in the war in Ukraine. Officials in Washington and Kyiv have blamed Russian hackers for targeting satellite systems and using digital assaults to execute disinformation and psychological warfare campaigns. Beyond that, Russian operatives are believed to have carried out widespread hacking campaigns to carry out cyberespionage, surveil Ukrainians and spread propaganda to support the war.

There’s also an emerging question in this conflict about what would constitute a cyberwar crime even when a digital assault may not directly lead so someone’s death. But what if a cyberattack is directly tied to civilian atrocities? Could the person on the other end of a keyboard be found guilty of war crimes in an international court?

Victor Zhora, the deputy chairman of the State Service of Special Communications and Information Protection of Ukraine, explores this question and many other facets of the ongoing war in Ukraine on a recent episode of the Safe Mode podcast.

This conversation has been edited for length and clarity.

You’re deputy chairman of the State Service of Special Communications and Information Protection of Ukraine. That’s a long title. Can you break that down for us and tell us a little bit about what that is for those who don’t know. 

Thank you, Mike. And thank you for having me today. The State Service of Special Communications Information Protection of Ukraine is the governmental body with a special status responsible for many functions, more than 100, including but not limited to providing special secure communications to country leaders, broadcasting of TV and radio signals, then the protection of critical infrastructure and cyber protection, of course. My role as a deputy chairman is to oversee the national incident response team, CERT UA, the state cyber protection center, and also I’m responsible for digital transformation projects in our servers. And these projects are actually external organized and launched to serve for critical information infrastructure and governmental entities. So we have the national backup center. We have a service platform for cybersecurity. We have a trusted internet connection point and the incident response team itself serves for citizens, for businesses and for the public sector, too.

Today is June 21. Could give us the state of play at this moment with some of the things you’re dealing with and where things are with the Ukraine Russia war. A counteroffensive started not too long ago. Let’s just step back for a moment and give us the big picture. What’s going on in your day to day, and how things are for Ukraine right now. 

First of all, we are in an active phase of countering a full scale invasion of Russia to Ukraine. And it’s June, and it’s more than almost one year and a half of this unprovoked, unprecedented, and unjustified war against our country. And hopefully now we switch to a phase of counter offensive. But despite that, we face a lot of challenges, including genocide and ecocide on the Ukrainian territory. In the case of the explosion at the Kakhovka hydroelectric station, which caused many deaths, but also a huge ecological catastrophe. Our expectations of counter offensive are very high because every minute, every day is very important in saving people’s lives and liberation of our territories.

I know that people suffer a lot in these separately occupied territories. So all of the efforts of the Ukrainian armed forces, and the president of all Ukrainian people are focused on liberation of our territories and pushing back Russian occupation forces. In cyber … we face continuous aggression from the Russian side, which started on January 14, 2022. The number of incidents per week or per month isn’t decreasing. Russian offensive cyber units continue to be very dangerous and very active. Each day we face up to 10 cyberattacks and in total, from the beginning of the invasion, [we] registered around 3,000 major cyber incidents. Also, there are numerous attacks that are prevented with the use of different network protection equipment. Of course, Ukraine is not alone, and we are grateful to all our partners, all our friends.

There is a reconstruction conference for Ukraine in London right now. So, of course, we should think of bringing people back and of reconstruction from all the, from all the destructions made by Russians in our country, which unfortunately continues because almost each day here in Kyiv we have air alerts and we have drones attack and missile strikes on the critical infrastructure, which is more dangerous and concerning to our civilian infrastructure, including residential houses, including hospitals, schools, etc. Every day we are facing huge challenges, but nevertheless we are optimistic Ukraine shall prevail. 

As you mentioned, the area that you’re focused on around the war involves cyber, cyber defense. Could you characterize the role cyber is playing in the conflict and how that’s evolved since the beginning of the war.

As I mentioned earlier, we consider the first strike in cyberwar to be made on January 14, when up to 70 governmental websites were attacked by Russia affiliated actors. Some of these websites were defaced. And also the first use of a wiper in this phase of cyber aggression was registered. After that, we faced a number of huge DDoS attacks and a number of serious cyberattacks on the day before the invasion. That goes in parallel with the kinetic war in the middle of Europe in the 21st Century. And, of course, cyber plays a great role in this being an independent component, rather destructive, potentially destructive. And so thankfully we are able to maintain the necessary level of cyber resilience.

But at the same time, I would split all cyberattacks into three groups. The first group is influence operations: information, psychological operations, aiming [for] subversion and sowing of propaganda. Now they [have] turned more to our partner countries in order to undermine the support from these governments. The second group is the data collection. We’ve observed the shift from destructive operations to more cyberespionage in the recent half a year. And, the third group is destructive operations aiming to cause an impact to our information infrastructures, data, different online services, etc.

Sometimes they are executed separately in order to bring this kind of impact. Sometimes they are used as the amplification for psychological effects for kinetic operations. In many cases, we observed coordination between cyberattacks and kinetic attacks. In the first phase of war, the focus was on destructive operations, aiming, for instance, to disrupt the communication of armed forces.

An attack on the Viasat network is a great example of this. Then again, there were numerous attempts to interfere with the air media, etc., to use cyber as the instrument for influence separation. But in the recent five or six months, starting from the beginning of this year, we observed a shift to mostly cyberespionage operations, aiming to get important information. There’s certainly a shift, but the attackers remain very active in pursuing their goals to impact Ukraine’s digital, digital systems and online services for government and for citizens. And of course use cyber as a supportive component to kinetic efforts. 

Can you give an example of this sort of cyber kinetic dynamic? I know there have been some reports and some disputed reports around some cyberattacks that may be followed by a kinetic attack, or you just drill into a little bit about how that’s playing out specifically on the ground. 

There were numerous cases of these attacks, which we consider to be coordinated. For instance, there were attacks on missile strikes on certain regions, and at the same time, attacks on local internet service providers. Again, we see a lot of signs of coordination with attacks on critical infrastructure. Just a year ago, there was a statement by the largest private energy company in Ukraine, which observed a simultaneous attack on their network infrastructure. And at the same time, missiles strike on their thermal power plants. There’s an obvious sign and reason for coordination of these attacks. And we even issued a report on this focusing on coordination of cyberattacks and kinetic attacks.

So all of these reports together with our digest on cybersecurity and researchers on different threat actors that target Ukrainian organizations are available in public. Please feel free to subscribe to our resources and get the newest information from what’s happening in Ukraine. We have this on a web resource, Facebook page, etc. And Twitter is very active.

I’ve heard that the U. S. officials say that there are a bigger, broader variety of Russian hacking groups involved in attacking various aspects of Ukraine than previously thought. You’ve got groups that are connected to the government intelligence services, military, but even maybe some, some freelance groups that are aligned with different parts of the government that are carrying out various types of attacks. Could you give us a snapshot of all the different players that are involved in carrying out cyberattacks on Ukraine from Russia.

It’s often considered that these groups can be state actors, state associated actors and groups that are located in some states or with regards to Russian offensive cyber capability. I think that all of them are state or state associated, including even hacktivist groups that are famous for their Telegram channels, but no doubt that in each of these groups, there is an officer of Russia special services. So all groups that represent the Russians, Russians offensive capabilities, are united with the same goal. They’re military offensive units, hackers in uniform from well known groups, Sandworm, APT 28, APT 29. All of them are associated with the GRU or FSB or SVR or different institutions of the Ministry of Defense. Then cybercriminal groups. Again, they coordinate the activities with their chiefs in the Kremlin or wherever, and activist groups who are competing for attention and funding of more official offensive units. So they share, they share tasks, they share targets, and they share resources for all those groups.

So they are all united. And of course, official military units remain to be the most dangerous power, targeting not only Ukraine, but also European countries, the United States, Canada, and all our friends and partners who are standing with Ukraine.

How are U. S. companies helping you in defending against Russian cyberattacks?

From the first days of the full scale invasion, there were a lot of proposals of help and real help. We continue getting software, hardware, cloud infrastructures, consultancy, threat intelligence from global IT providers, from dedicated cybersecurity companies. And this is a huge support, which is proposed both on a bidirectional basis. And then, of course, there is support from governments and particularly from the U.S. government through different ways of cooperation, including USAID funded projects. This help and this assistance is really enormous and is crucial for all the cyber defense and our resilience. And we are extremely grateful to the U.S. government and to our partners from the European Union.

What else do you think the U.S. or Western companies can be doing? You wrote a piece in Cyberscoop, in fact, calling for a broader coalition to be formed to deal with Russia and Russian aggression around the world. Can you talk a little bit about what you’d like to see going forward?

Since the aggression continues and we continue countering it, we require more resources since Ukraine is on the front line of this global cyberwar. And even in case we have any licenses for software that contributes to our cyber resilience, they need to be renewed. We need to scale up because we want to cover more of the critical infrastructure. And we are especially focused on protecting businesses. Our direct responsibility is to help protecting state information resources through our platform services, through the National Backup Center and for all the services that we have here in our agency, but entire cyber resilience can be achieved only with a joint efforts from business and from public sector, especially when we talk about critical infrastructure, the biggest part of which is privately owned in Ukraine. We are also working on this through standardization, through requirements, through legal frameworks, but at the same time, understand that these organizations require funds, they require time, they require talented specialists to implement everything needed. Prevention of cyber incidents requires assistance, which can be shared through our service or through our other colleagues from the national cybersecurity systems. So that’s one track with regards to cyber correlation. It works very well in exchanging information, which is very important for us and for timely response or prevention of cyber incidents.

So there’s threat intel, indicators of compromise, exchange information on different threat actors, TTPs. etc., but we want to pay back with the lessons learned or with the visibility or what we have with the TTPs by threat actors that can be used in targeting other countries. There should be a coalition of states with responsible behavior in cyberspace united with the goal of [stopping] Russian cyber aggression, and [holding] people responsible for conducting all these attacks. We need to discuss widely, because we should limit the access of the aggressor to technologies, and we need to identify the exact people standing behind these cyber operations. Some of them can be considered as cyberwar crimes, especially in cases when they are supportive to kinetic operations, majority of which are war crimes or a focus on the impact to civilian infrastructure. Again, using civilian targets in kinetic war is considered to be a war crime, especially when it causes casualties, but with regards to the cyber world, it’s a completely new concept, which should be widely discussed with academia, with the governments and with the prosecution and with the courts. One of our activities is identifying the cases which can be considered cyberwar crimes, then collecting evidence and sending it to the International Criminal Courts. So this work is being done together with the General Prosecutor’s Office and our consultants from all over the world. So I think this is potentially the most effective way of bringing those people to accountability.

I understand that most of them are military [service members], hackers in uniform, but again, we need at least decisions made by countries to acknowledge them, to be responsible for these cyberattacks and, and to identify the mechanism, how we can reach out to them physically and bring them to court. This is important and through the potential use of or any other mechanism, we can treat them as war criminals. These atrocities that are done by occupant forces are unprecedented, but again, this is the first case of using cyber weapons in the kinetic conflict and using cyber weapons as independent components, separate components. It should bring us to a new understanding and new concept of treating cyber aggression. 

What, in your mind, or from your point of view, when does a cyberattack become a war crime? I don’t think we’ve ever seen a digital war crime prosecuted.

That’s an absolutely novel approach. And of course, there should be a discussion with lawyers, with prosecutors, because we should clearly identify the criteria for these crimes, but as an example, for instance, I can give the data collection operations aimed in getting information on Ukrainian citizens on occupied, temporary occupied territories and following use of this data for executions or for torture … . So in the case of Russian occupants committing war crimes with prisoners, with civilians on occupied territories and this is achieved through cyber operations, aiming to get available information on them that causes basically the following consequences that can be a part of this war crime. For instance, when there is a huge attack, cruise missile strike, and then the following attack on the media, for instance, or on critical infrastructure, on the energy sector, which can cause deaths in hospitals or other consequences. Again, this can be considered in my opinion, but we should have this discussion and clearly classify these incidents and these attacks to actually be a cyberwar crime. 

So early on in the war, and I think even today there have been reports of Americans, Europeans joining the Ukrainians in the fight, either on the ground or on the digital battlefield. There’s a broader effort among people online to identify Russian propaganda. There are hackers who have come to Ukraine’s aid, that sort of broader digital effort. I was wondering if that’s something that’s still going on and what role that’s played. 

I’ve obviously got official assistance and unofficial volunteers. With regards to volunteer activity … inspiration for all of this obviously decreased, but some of active volunteer groups are maintaining their efforts in decreasing the enemy’s ability to attack Ukraine and our partners. It’s difficult to evaluate the efficiency of these efforts, but I would say it’s of course a great contribution to our resilience. First of all, it’s a kind of sublimation of skills and energy of people in protecting and helping Ukraine. Again, everybody has a right for justice. I think that what Russia did was violating all international laws and norms, and of course in cyber, that’s caused this kind of reaction by volunteers. Their activity is helpful for us in defending our digital boundaries and digital infrastructures. 

Is cyber playing a role at all in the counter offensive or any other offensive operations?

Since we don’t have cyber forces, it’s difficult for me to make any statements on the cyber component in this, but certainly there can be some capabilities in different, security and defense sector agencies that can be used for kinetic counter offensive, particularly in getting important intelligence for our armed forces.

Looking ahead, what are your big concerns, your big worries for the months, weeks ahead for Ukraine in regards to cyber? 

One of our major concerns is that according to the aggressor’s tactics, they are focused on gaining access to service providers, to supply chains, through which, of course, they can bring more impact to our infrastructure. Our daily routine is to maintain this resilience, to quickly identify threats, breaches, and attempts to attack our … critical infrastructure. Critical infrastructure is still in focus, particularly the energy sector. So that should be our focus in cyberdefense. And that’s why we are worried about maintaining stability in our cyberspace while counter offensive continues.

Well, Victor Zhora, I appreciate you taking time out of your day. It’s late there in Kyiv now. We really appreciate you talking to us. Thanks so much. 

Thank you so much. It was a pleasure.