‘A year of cyberwar’ with Russia: An inside look from a top Ukrainian cybersecurity official
A year after the Russian invasion of Ukraine, the Ukrainian government has suffered untold numbers of cyberattacks designed to render systems inoperable and carry out espionage or psychological operations. Ukraine appears to have been mostly successful in weathering these attacks, and Victor Zhora, the deputy chairman of the State Service of Special Communications and Information Protection of Ukraine, has been at the forefront of coordinating Ukraine’s defense. On Feb. 24 — the one-year mark of the invasion — CyberScoop reached Zhora in his office in Kyiv to discuss his reflections on the past year, lessons learned and what comes next.
This interview has been edited for length and clarity.
What do you remember from this time last year on the day of the invasion?
On the 23rd, I was doing an interview on TV in the first half of day, and the second half was very busy with different incidents. It became more or less clear that there is a high chance of invasion on the next day. I left the office around half past 10 in the evening and our incident response group remained here to deal with ongoing incidents, and to monitor the overall situation. I had a call with the person I talked to last before the invasion, and they said, “Did you see Putin’s speech?” I didn’t see it, but I could hear the noise outside of fighters and bombs and missiles.
The focus was on relocation because we had our contingency plans, but some of them were altered because of Russia’s unexpected invasion plan. Our goal that day, after having a very busy previous day and busy night, was to maintain continuous operability of all our departments, including the Ukraine Computer Emergency Response Team in the state cyber protection center.
What is your overall assessment of the cyber-related aspects of this conflict?
We, like the rest of world, expected highly destructive and intense activity from Russian offensive units. But the overall conclusion from this — this year of cyberwar — will be in highlighting the role of cyber operations in support of kinetic operations. Cyber components remain very active, but their impact can’t be compared with the impact from conventional weapons.
Covert cyber operations during the eight years prior to the invasion, which we can consider part of this ongoing war, were preparations to the full scale war which we have right now — testing the efficiency of technologies and probing with the goal of understanding the possibility of using cyber as a destructive way of attacking Ukraine. We shouldn’t underestimate the importance Russian offensive cyberattacks. But in general, they choose to use more disruptive weapons, while keeping cyber operations for psychological operations or cyberespionage.
Another observation is that as they do on the battlefield, without having the ability to effectively counteract our armed forces, they focus on attacking civilians. The same we observe in cyberspace: Most of the targets are civilians.
Experts have said that the Viasat and Industroyer2 attacks have been the most interesting and significant single attacks of the past year. Would you agree?
Yeah, perhaps I would share this opinion. The difference is Viasat was a successful attack, from from the point of view of impact and disruption. Industroyer2 attempted to be destructive, but we were lucky to prevent it.
The Industroyer2 defense could be seen as representative of the improvement in Ukrainian defenses and the unprecedented international support ahead of and during the war from both private and public entities.
Yes, but I would highlight two phases. The first phase is the preparation phase, and then the war phase. The density and severity of attacks differed between these phases.
Between Jan. 14 and Feb. 24, we saw a lower density of attacks, which allowed us to prepare defenses, build capacity to train task forces and improve coordination. We improved our legislation, we launched cyber centers, we built security operation centers and systems of information exchange. Feb. 24 required a very quick response and the united efforts from thousands of people. We started relocating our data centers from Kyiv to western regions and to the cloud. After the invasion it was chaotic, because many volunteers started attacking Russian infrastructure. And we were dealing with a lot of lower impact incidents — these DDoS attacks — and we used urgent measures to get protection from these attacks and the defacements of local authorities’ websites. Especially the national registries and critical information infrastructures required a quick reaction.
A lot of what you’re describing, in terms of coordination and rapidly upgrading infrastructure, is difficult to pull off in the best of times, let alone with bombs falling and an invading force approaching.
Yeah but the help from the private sector and from our partners overseas was very, very important and very timely and helpful. Because there were disruptions of communication. There was shelling of fiber optic lines, of communication channels. But people managed to pull out their servers and storage from Kyiv and bring them to other locations. Cloud services were very, very helpful. That allowed us to have more visibility and provide detailed investigation and oversight of cyber incidents in the first two or three weeks.
How would you assess the impact of non-state hackers, both in Ukraine and from outside, participating in the war? Has it been helpful or harmful, or both?
To be frank, the chaotic way of finding the most effective approach to counter cyber aggression was due to the unexpected Russian war plan. Nobody here in Kyiv expected Russian troops to approach Kyiv. There was immediate reaction: People with skills in cybersecurity and in IT could offer the skills to appropriate tasks instead of taking arms and going to the east or to the north of Kyiv and defending our suburbs. That was the initiative.
And you can’t imagine how many calls I received. Hundreds of calls, hundreds of messages, and hundreds of people calling, texting, asking for orders. What shall we do? How can we apply our skills in cyberspace? How we can defend or even attack the enemy? So we said, “Yeah, please, if you can take this and this task for cyberdefense, please come to us.” The rest decided to be grouped in volunteer groups.
Where do you see the cyber elements of this conflict going over the coming weeks and months?
We expect or presume the war will continue, hopefully, no longer than the end of this year. But nevertheless, it’s a long period ahead. And according to what we observe each day, there will be continuous attempts to attack Ukrainian institutions, but perhaps with some shift from operations of impact to cyberespionage, network persistence and gaining abilities to support psychological operations to use cyber as a way of spreading disinformation and propaganda. That might explain their focus in attacking Ukrainian media, for instance.
They will definitely focus on finding opportunities to attack critical infrastructure. The energy sector was probed many times. These attempts became more frequent in the beginning of autumn with the launch of a campaign of shelling targeting Ukrainian energy infrastructure. With the summer approaching, perhaps they will switch to water treatment facilities or other critical infrastructure, perhaps transportation. I think these tools and these technologies that were deployed in this war will be improved and somehow used in new conflicts.
That’s a great point, that the tools and techniques developed and deployed as part of the offensive could, and likely will, be refined and used in other conflicts.
Cyberspace has no borders. It’s obvious. But there are more and more reports of Russian attacks on our allies’ infrastructures. This is a kind of revenge for the support of our partners to Ukraine. I think these attempts are meaningless in terms of any influence on the global posture, but internally in Russia I understand why they continue doing this: They are military officers; they are hackers that wear uniforms. They need to display some activities and report to their generals that they are doing something, and that they are successful somehow.
And they will say, “Listen, Ukraine was our focus, but now we are fighting with all the world.” And this completely fits with Putin’s doctrine he expressed that Russia stands against the West stands against NATO, and stands against all civilized world.
That means that we should prepare, we should share lessons, we should share information. We need to be united. We need to create a cyber coalition to counter the threat, at least first to counter threats with origins in Russia, and perhaps potentially from other well known states that support this unfair behavior in cyberspace.
