CyberWar already in Ukraine


The recent PetyaA virus attack has shown not only the level of Ukrainian information systems protection but also the level of cyber security issues awareness. Emotions went away, work restored, conclusions made ...

The recent PetyaA virus attack has shown not only the level of Ukrainian information systems protection but also the level of cyber security issues awareness. Emotions went away, work restored, conclusions made ...


But what conclusions are made by the competent authorities responsible for cyber security and protection of the Ukrainian information space? We are talking about this and a lot more with Igor Kozachenko, the CEO of the "ROMAD" company and the former head of the State Centre for Cyber Defense and Counteraction to Cyber threats, the State Service of Special Communication.


- The Head of the Cyber police mentioned in a recent interview that the PetyaA virus attack would have been impossible without the special services involvement - most likely, Russian ...

During a cyberattack well-prepared special services usually use mimicry methods. Therefore, it is difficult to determine the country of attack with the technical methods only. I also believe that cyberattacks can be compared to terrorist attacks and, accordingly, the country of attack should be determined with the same methods. One of them is defining who benefits and who can potentially stand behind it. And here, I definitely agree with the Head of the Cyber police.

There is also a misconception that when an attack occurs, it is immediately shown who is attacking as if it is flagged in there. In fact, one cannot immediately determine who is behind it - an in-depth analysis is required to do that. Responding to a similar question on one of the conferences on information security, I presented screenshots showing that one of the first attacking countries was Ukraine. 70% of the attacks come from within the country because it's easier and more efficient. Typically, users especially of home network, neglect the most basic computer protection. Hence, tens of thousands of computers get infected with bots with the ability to further attack the country's information resources. This is an outsider and this is the most important thing - readiness of our compatriots. Tell me, do you have an AV on your PC?


- Yes.

- That means you have at least some kind of protection. Many would answer that they don’t have an AV. Thus, a computer and home network as well are prone to infection. A bot-network is created based on such computers; a control computer gets an access to such a network and makes, for instance, DDoS-attack i.e. an attack of service denial or an attack on the country's information systems. Therefore, in order to find out who is behind this attack, you need to find the managing server and the computer that manages it. Here is the computer and it belongs to the attackers and through them it is possible to get to the person calling the tune.


-Was the PetyaA attack paid for?

- 90% that yes. Why? Because the aim of the attack was not to encrypt the data and get the buyout but to completely destroy the data on computers affected by the cyberattack. It is also prominent that the attack itself occurred on the eve of the Constitution Day of Ukraine celebration.

First of all, the ransomware has encrypted the data but nobody offered "give us money and we will give you a unique decryption key." That is, it was a pre-planned action aimed at discrediting information systems and their protection. Second of all, it is absurd that after encrypting the data on the victim’s computer, the second stage was the destruction of all information on this computer! We have seen the result and the consequences of this.


- The virus did not attack all vulnerable computers but only selected EDRPOU codes. What do you think, what was the main purpose of the intruders and why was the “M.E.Doc” software chosen for the attack?

It's not about the entry point chosen. It could be any establishment, any provider with a large client database, Ministry of Justice’s registries, which have access to many information resources. By the way, earlier, some attacks took place on the Register of the Ministry of Justice in particular, and notaries suffered primarily in this attack.

The second attack took place in the spring of 2017, an attack by the XData encoder that went almost imperceptibly but it was merely a test case. Any system that has access to any users’ information resources is interesting to the attacker and the greater the access the more interest it evokes.

That’s why “M.E.Doc” was chosen for the attack – it is obvious, there were many reasons for it. Firstly, a large network of users both public and commercial; secondly, it happened on 27-28th, the end of the month, a lot of reporting was being done with the “M.E.Doc” software; thirdly, users start updating their software at this time meaning a possibility to conduct (with a high chance) a full-scale attack; fourthly, selectivity –only those resources were attacked that were of special importance for the attacker with the help of the scenario (EDRPOU codes). 

Analyzing the full script of this attack, it's most likely been a run-in test of, I would go so far to say, cyberweapons. With such a reconnaissance in force there were three main questions to answer: the first one is the speed of infection, the second one is the penetration speed and the last and the most important one is the reaction speed how would users and especially security administrators react on blocking this kind of vulnerability.  And we all know that no one took the responsibility for the attack – it only proves the case to be ordered by apparently the intelligent services.  


- This isn’t the first attack in Ukraine, right?

This is one of a few. The CVK (the Central Electoral Committee – editor’s note) was attacked in 2014. Before that, power supply systems of Ukraine such as Transcarpathian Oblenergo were affected. Why Transcarpathia? It was important for the client to try the attack on the power sector of the region. And earlier, an attack on the financial establishments was conducted: the Ministry of Finance and Treasury because they needed to try the tools for the attack on the financial sector of Ukraine. Previously, attacks on the public governmental offices such as Presidential Administration, the Cabinet of Ministers, the Ministry of External Relations, the Ministry of Defense, the National Security Agency, the Ministry of Home Affairs, the State Service of Special Communication were made and still are being made. Also mass media of Ukraine is not left out of the focus as they are interesting from the point of propaganda and possibility to become a field for spreading “useful” info to the public. All the attacks were specific and targeted specific aims which ones - you can conclude yourself especially by putting all the pieces of info together in a common strategy. 


- Is “M.E.Doc” more protected now?

- I believe yes! They have got strong protection. One of the security features is the Romad EDR – a unique solution to protect end users provided by our company. This is the Next Generation Endpoint Protection and Response (NGEP) software that allows you to protect your automated work place from a malware with the help of the latest level of cyber protection. Our solution also provides real protection against the so-called "zero day" threats. This software is implemented and fully protects PCs and servers of the company’s network as it is called there. In addition, the security policy for the company's entire infrastructure has been revised and amended. And the most important is experience. They have been tried by fire, and, therefore, they have become stronger!


- Coming back to the attack. Comparing with what you experienced for the last 3 years, was the PetyaA attack the most powerful?

With my experience in the field of cyber defense and having sufficient experience in protection the election since 2004, such attacks have been modified and complicated. When in 2004 the first DDoS attack on the information resources of the Central Electoral Committee took place, the attack level occupied 2 Mbit. Back then we thought it was a collapse. We were protecting the state information resources with special equipment, it was new and very expensive at that time, and we thought it could not be worse. To date, 2 Mbit is a trifle compared to any ping that can be generated on a modern computer and to conduct a DDoS attack but with a small botnet even a home one, one can conduct a full-scale DDoS attack. So, the latest attacks, as for DDoS attacks, have already risen to 14-18 GB per channel, and this was already noticeable for those providers that have such external channels. As for virus attacks, they have become more sophisticated. Why? Because the virus writers began to apply several technologies in one package. Often, the attack combines a symbiosis of DDoS-attacks, as a distracting maneuver; virus attack, as obtaining the intended result of the script (obtaining passwords, data encryption, data deletion, tracking, retrieving data, etc.); and gaining control and access to information resources.


- Did the PetyaA virus achieve aimed results?

De facto, we can certainly say that the results have been achieved, assaulters have accomplished the goals: they assembled static information, taking into account that after 27th there was G-20 summit and it had been previously claimed that Russia could be removed from SWIFT, we may summarize that they try to show us: ‘Look what we did. Please imagine that we can do the same worldwide.' It means that all of the sudden all government, administrating, energy, transport, and medical institutions will be benumbed within two hours. There will be no register, finance, energy or information system working. Everything will be paralyzed up to the phone: no light, no hot water, and no signal. At the same time, a reputable person will appear on the scene and say: ‘I have a key that will help you in deciphering the system, but you must fulfil obligations. Also, there is a timer with the final countdown.'

However, let's witness the benefits of the attack - responsible executives of big companies and government of Ukraine started to take a positive view of the cyber security as far as consequences of such attacks make them move in the right direction. This can be proved by the latest laws and regulations of cyber security, and, also, by decisive actions of government and responsible executives of big companies. Thus, allocating funds to ensure information protection is a big breakthrough to build a common information protection of a country and cyber security in general. It is good that we can learn from past mistakes. God help us for it to be our last mistake, and, also, that we actually could be one step ahead of possible threats.


- Anyway, let's talk a bit about M.E.Doc. Please tell us is M.E.Doc to blame for being attacked? There has been a lot of information that M.E.Doc bears guilt for everything because there was almost no security and everyone willing could crack and enter the system.

As I said, M.E.Doc is just one of possible scenarios of the attack on information assets of a country or business sector. Everyone could and can be in its shoes – any big government or private enterprise that might serve as a so-called entry point.

I don't understand why everyone came down on M.E.Doc. Let's turn to PetyaA one more time. Exploits used in PetyaA were stolen from one of the most protected agency in the world - NSA (USA). A hacking group ‘Shadow brokers' is reasonably blamed for the theft. According to the investigations of many antivirus companies, Russian secret service is behind this.

Also, what kind of blame we're talking about? The expertise level of professionals standing behind the NonPety attack allowed cracking almost any enterprise, company or organization.

That's why we always tell our clients that recent AV solutions can't fully protect their information systems. We explain that they need new security tools of so-called next generation.

Developers of the next-generation solutions as one claim that static pattern used by traditional AVs is out of date. It's a solution that has been used for 20 years but it can't be used any longer. As PetyaA showed, and from what we have seen from our potential clients, there was a big mess. Machines, including those with the latest versions of operating systems with all possible patches, ‘fell'. They ‘fell' just like the others – fell together with Eset, Symantec, McAfee and the rest of world-class AV names.


– Could M.E.Doc do something to prevent the situation?

My opinion is that the level of attack was so high that almost no one could resist it. Today M.E.Doc, tomorrow the Treasury, the day after tomorrow the National Bank, then goes the largest providers of Ukraine. The mechanism could and can be different. If it was a few years earlier, the victim could become Ukrtelecom. Why so? As far as at that time, Ukrtelecom was a monopolist of Ukrainian information environment, and it would be logical to infect the information structure of the country. Nevertheless, now M.E.Doc was much favourable for attackers, as it has a large client base. And as I said, this attack was the trial of one of the potentially possible scenarios. Tomorrow it can be a complex entry point. For example, it may be the registry database, the second - the largest provider, and the third - the information reporting system.


- Does it mean that they can go through a tax agency and attack it in the same way as M.E.Doc?

This is just one example of how one can test the effectiveness of one's cyber-weapon... There is no doubt that this is a prototype as surely as that in fact there is a wider action spectrum.


– Does it mean that it was a trial?

Yes, it was a trial and a demonstration of power capacity. If you add here a couple of segments that I mentioned earlier, these include attacks in 2014-2016 on our information assets - they would take everything under control. What would be the result? - the energy market would "fall", the financial system would "fall", the information structure would "fall", the entire Ukrainian information infrastructure would "fall". You can make a conclusion about the consequences by yourself.


– What are the conclusions?

Many people think that cyber war is something distant and ephemeral but I can certainly tell you that a cyber war has already been going in Ukraine. Every second. And, accordingly, there are people who really fight at the keyboard. We are some of them and we try to place our shield in time for a deleterious sword.

In general, Ukraine has become logically better prepared for such attacks. However, technologically we are talking about the fact that even not all Western vendors, or, more precisely, none of the Western vendors have managed to prevent the previous threat.

Therefore, the conclusion that we all need to make is to seek and implement safety solutions that can provide protection against the modern type of threats. As the thumb rule shows, standard antivirus software hasn't solved, and couldn’t solve the problem of protection due to the archaic structure of its software.

Given that there have already been emerging new solutions - the next generation of endpoint protection (of users). The company Gartner in its Magic Q,uadrant gave them the classification of NGEP. We are a part of this alongside with our next generation product that studies the system calls of the operating system and on their basis forms the behavioural characteristics of the malware families. Due to we focus on behavioural characteristics that is not on how a malware looks like  but how it behaves, we don't need to chase malicious files that aren't always presented in the system. Roughly speaking, all "PetyaAs" behave alike. It doesn't matter what its generation is. The main thing is that the behavioural characteristics are the same. If we make it more profound, this behaviour is described as follows: it shall affect the master boot record of the computer. As far as all kinds of "PetyaA" behave identically, we conclude that they belong to the same genus (family). When you know how to select such characteristics, then if another "PetyaA" is used for the next attack, until he behaves like "PetyaA", there is no threat to the network protected by us. For our technology of modification, "PetyaA" is another descendant that makes security automatically work.

According to the Gardner classification, the term "antivirus" isn’t used for next generation representatives. I will repeat once again, we present ourselves as an endpoint detection and response the so-called EDR. This is a security tool against the malware of the new generation.