Counter-intelligence in the field of information security during the hybrid war
Information special operations, hacker attacks, and the combat use of social networks and Internet services. What does the state do to counteract these threats? What risks arise for civil rights and public security during a cyberwar? What are the first lessons of the hybrid war? The experience, arguments and assessments of Ukraine's special services are set out in an article by Oleksandr Klymchuk, Head of the SSU's Department for Counter-Intelligence Protection of the State's Interests in the Field of Information Security, LIGA.net reports.
The hybrid war against Ukraine: the dominant factor
The hybrid aggression of the Russian Federation against Ukraine is a multi-level combination of various forms and methods of hostile influence, among which the informational and cyber direction is dominant.
An important aspect of the hostile informational influence that the Russian special services try to exert is its focus on destroying Ukrainian statehood from the most basic level: the historical memory and the self-awareness of the nation as such.
To this end, Russian intelligence agencies use media, Internet resources, social networking groups, bloggers, trolls and even postal services under their control. Through this widespread network they not only collect intelligence on Ukrainian citizens but also conduct destructive propaganda and information operations.
Another direction is the depletion of Ukraine's financial and material resources, the creation of preconditions for the loss of its energy independence, the weakening of its transit potential and the discrediting of the state in the international arena, followed by hostile information campaigns built on these outcomes. At the same time, the Russian intelligence services combine destructive information influence and the manipulation of public consciousness with cyber attacks on critical infrastructure, with cynical intentions and potentially catastrophic consequences.
A number of powerful and sophisticated cyberattacks on computer networks in the energy, banking, transport and communications sectors since early 2014 have shown once again that the aggressor will continue to use cyberattacks as a tool of geopolitical influence. Countering them requires not only efforts at the national level but also the development of effective mechanisms of international cooperation.
As examples of active information operations by the Russian intelligence services in just the past few months, the following can be cited:
An attempt to destabilize the situation in Odesa through the use of banned social networks and the promotion of anti-Ukrainian content aimed at splitting Ukrainian society and inflaming the socio-political situation on the eve of the anniversary of the May 2 tragedy;
An attempt to carry out a series of similar provocations during the May 9 celebrations. On instructions from Russian curators, calls to take part in the so-called "March of the Immortal Regiment" in various Ukrainian cities, as well as methodological materials of the so-called "Ministry of Information of the DPR", were widely circulated through anti-Ukrainian communities on the banned social network VKontakte;
The deployment of an entire network of Russian intelligence agents in Dnipro, aimed at instigating mass riots and provocations against patriotic forces through the manufacture and placement in public places of flags bearing the prohibited symbols of totalitarian regimes;
Broadcasts of military parades in the occupied territories of certain areas of the Donetsk and Luhansk regions, aimed at popularizing the terrorists and the "militaristic frenzy" which, unfortunately, has engulfed our northern neighbour;
The unsuccessful attempt to physically eliminate the Russian journalist Arkady Babchenko and to use his death as the pretext for a campaign to discredit Ukraine. Almost simultaneously with the appearance of news of his "murder" on Russian, separatist and, unfortunately, some Ukrainian resources, a massive campaign began against Ukrainian law enforcement agencies and the state in general. Our experts identified signs of a coordinated information operation against Ukraine.
How the SSU resists: 7 real examples of cyberwar
During the first five months of 2018, a set of information-resistance measures was implemented: the use of 181 Internet resources by the Russian special services to destabilize the socio-political situation in our country and manipulate the public consciousness of citizens was identified and documented. As a result, these resources were added to the sanctions list of the NSDCU, which significantly limited the ability of the Russian intelligence services to engage in subversion in the information sphere.
In addition, the Service, in close cooperation with other public authorities and society, managed to forestall the provocations planned by the Russian intelligence services on the eve of the anniversary of the May 2 tragedy in Odesa and of the Day of Victory over Nazism in the Second World War. In the course of a multi-stage operation, a network of Russian agents that was to be used for these provocations, prepared in Kyiv, Odesa, Dnipro and other Ukrainian cities, was uncovered and neutralized.
In all, during the first half of the year security officers detected and forestalled 19 attempts by the Russian special services to use administrators of social networking groups to organize provocations through prohibited online resources.
Counteraction to cyber threats is no less active. Building on the foundation created in previous years, and with the assistance of the NATO-Ukraine Trust Fund on Cyber Security, the SSU's Situation Center for cyber security was developed. Technical equipment and software for the Center were received under the first stage of the Agreement on the implementation of the Ukraine-NATO Trust Fund on Cyber Security.
The key capabilities of the SSU Situation Center are an automated system for detecting, analyzing and responding to cyber incidents, and professional computer forensics. Our Forensic Laboratory, like the Situation Center as a whole, was built not only with NATO's resource assistance but also on the experience and best practices of the Alliance. Of the several trust funds, the SSU implemented its own the fastest, from the development of the strategy to the commissioning of equipment. Given the significance of this project for the state, the Head of the Security Service of Ukraine, General of the Army of Ukraine Vasyl Hrytsak, personally opened the Situation Center for cyber security. At the opening ceremony the SSU Chairman said: "We and our foreign partners are clearly aware that without cooperation and the exchange of experience it is impossible to effectively counteract Russian aggression in cyberspace."
The Center's specialists have already recorded and repelled over fifty cyber attacks of varying intensity, some of which could have had consequences far worse than the notorious "Petya.A".
One of the first devastating cyber attacks since 2014 struck the computer networks of the Central Election Commission. Few people know that a week before the elections in May 2014, the technological infrastructure that was supposed to support this extremely important event was destroyed. Despite the lack of time, knowledge and resources, the server and telecommunications equipment was restored to operation, and all the preparations to discredit the voting results, which the Russian intelligence services had been making for several months, were neutralized in time.
In the course of the investigation, the version that the Russian intelligence services had a political order to discredit the acting authorities as unable to organize the elections, and to call into question the existence of democratic institutions in Ukraine, was confirmed.
In December 2016, because of powerful cyberattacks on state bodies and transport enterprises of Ukraine, the State Treasury temporarily suspended customer service. Access to the web portal of the Ministry of Finance was blocked, and the operation of some energy and transport facilities was disrupted. The unauthorized interference with the technological control systems of the energy sector carried out with the hacking tool BlackEnergy3, which can be considered a cyber weapon, was probably the first such case recorded anywhere in the world (the BlackEnergy3 intrusion into the control systems of regional power distribution companies dates to December 2015, with the December 2016 wave following it).
On June 27, 2017, an attack using the malicious software "Petya/NotPetya", which spread by exploiting vulnerabilities in Windows system software (among them the SMB flaw addressed by MS17-010, for which a patch had been available since March 2017), temporarily blocked the computing systems of certain critical infrastructure facilities in Ukraine. In quantitative terms, however, small and medium-sized businesses were hit hardest, which caused a profound resonance in society because banking, administrative and other services stopped.
This experience, however, allowed us to formulate a clear mechanism of action for rapid response to cyber attacks of this level, as well as to effectively neutralize the source of an attack and prevent negative consequences, which became an immediate priority task for our specialists.
We are now awaiting the practical implementation of the second stage of the Ukraine-NATO Trust Fund on Cyber Security, which we agreed with the Alliance at the beginning of the year. We hope to expand the network of situation centers and significantly increase the number of critical infrastructure facilities under cyber defense. I want to note that our Situation Center is open for cooperation with all participants in the field of cyber security: institutions, organizations, enterprises and specialists. The Head of the Service has personally emphasized the importance of such cooperation: "Any representative of large, medium and even small business can contact the Center for advice and assistance."
At the same time, we have several innovative projects designed specifically to establish direct online interaction with business on cyber security and the overall culture of cyber defense. One of them is the MISP-UA system, a platform for exchanging technical information about cyberattacks.
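What such an exchange delivers in practice is shared indicators that a participant can turn into detection the same day. The following is an added illustration, not code from the page, from the SSU, or from the MISP project: a MISP-format event is consumed and only its detection-grade attributes (those flagged `to_ids`) are matched against log lines. The event structure (an `Event` with an `Attribute` list carrying `type`, `value` and the `to_ids` flag) follows the layout of MISP's JSON export; the event contents, the indicator values (RFC 5737 and RFC 2606 reserved addresses and names, and a hash of a constructed string) and the log lines are all constructed for this example and are not data from MISP-UA.

```python
"""Consume a MISP-format threat-sharing event and run its detection-grade
indicators over log lines.  Added illustration for this page: the event and
the log lines are constructed (reserved example addresses and names), not
data from MISP-UA or any real sharing community."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Hash of a constructed string, so no real malware hash appears here.
SAMPLE_SHA256 = hashlib.sha256(b"constructed sample dropper").hexdigest()

# Constructed event in the layout MISP uses for JSON export:
# {"Event": {..., "Attribute": [{"type": ..., "value": ..., "to_ids": ...}]}}
SAMPLE_EVENT = {
    "Event": {
        "id": "1",
        "info": "constructed example: indicators shared for a phishing campaign",
        "Attribute": [
            {"type": "ip-dst", "value": "198.51.100.23", "to_ids": True, "comment": "C2 (constructed)"},
            {"type": "domain", "value": "update-check.example", "to_ids": True, "comment": "staging host (constructed)"},
            {"type": "sha256", "value": SAMPLE_SHA256, "to_ids": True, "comment": "dropper (constructed)"},
            # to_ids=False marks context, not a detection signal: it must be ignored below.
            {"type": "ip-dst", "value": "192.0.2.10", "to_ids": False, "comment": "researcher sinkhole"},
            {"type": "text", "value": "spear-phishing lure", "to_ids": False},
        ],
    }
}

# Constructed log lines (firewall, proxy, EDR) in a key=value style.
SAMPLE_LOGS = [
    "2018-05-20T10:01:02Z fw allow src=10.0.0.5 dst=198.51.100.23 dport=443",
    "2018-05-20T10:01:05Z proxy GET host=update-check.example path=/v2/check status=200",
    "2018-05-20T10:02:00Z fw allow src=10.0.0.7 dst=192.0.2.10 dport=80",
    f"2018-05-20T10:03:11Z edr file_created path=C:\\Temp\\x.exe sha256={SAMPLE_SHA256}",
    "2018-05-20T10:04:00Z fw allow src=10.0.0.5 dst=203.0.113.5 dport=443",
]

# How each supported MISP attribute type is spotted in free-text logs.
TOKEN_PATTERNS = {
    "ip-dst": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "ip-src": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b"),
    "hostname": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b"),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b"),
}


@dataclass(frozen=True)
class Hit:
    line_no: int
    attr_type: str
    value: str
    comment: str


def detection_indicators(event: dict) -> dict[str, dict[str, str]]:
    """Return {type: {value: comment}} for attributes flagged to_ids=True whose
    type we know how to match; everything else is context and is dropped."""
    out: dict[str, dict[str, str]] = {}
    for attr in event["Event"].get("Attribute", []):
        if not attr.get("to_ids") or attr["type"] not in TOKEN_PATTERNS:
            continue
        out.setdefault(attr["type"], {})[attr["value"].lower()] = attr.get("comment", "")
    return out


def scan_logs(lines: list[str], event: dict) -> list[Hit]:
    """Match every shared detection indicator against every log line."""
    indicators = detection_indicators(event)
    hits: list[Hit] = []
    for n, line in enumerate(lines, start=1):
        lowered = line.lower()
        for attr_type, values in indicators.items():
            for token in TOKEN_PATTERNS[attr_type].findall(lowered):
                if token in values:
                    hits.append(Hit(n, attr_type, token, values[token]))
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, SAMPLE_EVENT):
        print(f"line {hit.line_no}: {hit.attr_type}={hit.value} ({hit.comment})")
```

The one check worth keeping in any real consumer is the `to_ids` filter: a shared event routinely carries sinkholes, victim addresses and analyst notes as attributes, and pushing those into a blocklist is how a sharing platform ends up blocking the defenders' own infrastructure. In the constructed data above, the sinkhole address on the third log line therefore produces no hit.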
The experience gained by SSU specialists allowed us, in October 2017, to prevent a cyber operation organized by the Russian special services aimed at blocking the work of the computer systems of Ukrainian state bodies, large state and private companies and enterprises, which was to be carried out through compromised software updates.
In April 2018, a cyberattack on facilities of the state defense industry was discovered and contained; it was aimed at discrediting Ukraine on the international stage and spreading false information about a number of critical infrastructure facilities, in particular about the unreliability of the Ukrainian side as a partner in scientific and engineering cooperation.
In addition, the SSU Situation Center for cyber security detected and responded in time to a cyberattack directed at the information systems of Ukraine's security and defense sector, primarily the SSU, the Ministry of Defense, the State Border Guard Service, and the units involved in the Joint Forces Operation. The purpose of this attack was to compromise both the computer networks of these agencies and the personal computers of their employees, in order to gain remote access and steal official information.
It was established that the attack was carried out by a hacking group located in annexed Crimea using the malicious software known as "Armageddon", which had previously been used by the Russian special services.
In May of this year, the Security Service of Ukraine, in cooperation with representatives of international IT companies, prevented a large-scale cyberattack using the VPNFilter malware against state structures and private companies, intended to destabilize the situation during the UEFA Champions League final in Kyiv.
According to the conclusions of cybersecurity experts, this malware was aimed at compromising network devices (routers and similar equipment) and had been observed all over the world since 2016. This time, however, the attack was geographically targeted exclusively at the Ukrainian segment of the Internet.
The results of our research, including that conducted in cooperation with leading IT companies, point to common features among all the cyber attacks I have described and to the involvement of hacker groups known to the SSU that operate under the control of the RF special services.
Thus, the mechanism of the VPNFilter attack planned before the Champions League final is identical to that of the cyber attacks carried out in 2015-2017 using the BlackEnergy and Petya/NotPetya malware.
Cyber sanctions: why and against whom
In the context of Russia's hybrid war against Ukraine, one of the most widespread and dangerous mechanisms of hostile cyber activity has been integrated APT attacks that combine malicious software, social-engineering methods, and covert remote access through undocumented functions in Russian-made software.
In particular, the anti-virus packages "DoctorWeb" and "Kaspersky" do not detect malicious software developed by the special services of the RF, nor the undocumented functions used to collect confidential and sensitive user information. I would point out that Kaspersky Lab was directly accused by the competent authorities of the United States of contributing to the leak of the latest cyber-weapon developments of the US NSA.
Therefore, placing this software, as well as similar products and information resources, on the NSDCU sanctions list is an important preventive measure against cyberattacks by the Russian special services on Ukraine.
Draft Law No. 6688 and the blocking of sites: is there a threat to business and freedom of speech?
First of all, it should be emphasized that the draft Law of Ukraine "On Amending Certain Legislative Acts of Ukraine Concerning Responding to National Security Threats in the Information Sphere" is designed to create effective mechanisms aimed solely at the prompt detection, prevention and neutralization of cyberattacks and cybercrime, the elimination of their consequences, and the restoration of the sustainable and reliable functioning of communication and technological systems.
The draft law is also aimed at improving the system for combating terrorism in cyberspace. In addition, it will introduce a mechanism for implementing the Decree of the President of Ukraine "On the decision of the National Security and Defense Council of Ukraine of April 28, 2017 'On the Application of Personal Special Economic and Other Restrictive Measures (Sanctions)'" in relation to entities of the aggressor state operating in the telecommunications sphere of Ukraine.
The claims of some journalists and politicians that this law is directed against freedom of speech in online media and freedom of expression in Ukraine are a manipulation.
The draft law is aimed exclusively at countering the use of resources and services by criminals and foreign special services to carry out cyber attacks and cybercrime. It says nothing about content. No investigator or prosecutor will be able to use the provisions of this law for political pressure. The precise definition of cyberterrorism and the framework for law enforcement agencies in the area of information security envisaged by the draft law will make it impossible to exert pressure on freedom of speech on the Internet.
A rather large number of cyber incidents were listed above. Quite often, the owners and administrators of the resources through which the attacks were carried out did not know about, or could not prevent, the use of their sites or services by hostile hackers.
At the same time, during cyber attacks the time available for response is a matter of minutes, so when we put on one side of the scales the blocking of a web resource for 48 hours and on the other, for example, the safe operation of a nuclear power plant or the control system of Ukrzaliznytsia, we, as the SSU, choose the safety of citizens.
Within 48 hours the blocked resource will not lose significant advertising revenue, and its audience will not leave, while the Service will receive a real tool for the rapid and effective fight against cyber threats.
I want to emphasize that we are very grateful to civil society, which actively participated in the discussion of this bill. I am sure that after the discussion we will arrive at a balanced and effective legal act. This is the next step in our common work against Russian propaganda, in detecting fakes and in OSINT. Our joint actions allow us to achieve a synergistic effect and have effectively countered one of the most powerful intelligence services in the world for more than four years.
What experience can Ukraine share?
The world is changing its attitude to the problems of cyber security, and the example of Ukraine is driving a growing awareness that the most dangerous threats come not from lone hackers but from cyber and information operations by aggressive states and their special services.
In this context, it is extremely important that Ukraine, through its representatives, can convey its position and vision from the rostrum of the United Nations. A valuable statement in this regard was made by Deputy Head of the Security Service of Ukraine O. Frolov in the UN General Assembly hall at the first high-level conference of heads of counter-terrorism agencies.
The work of the Ukrainian delegation on the sidelines was also very productive. It should be noted that meetings at the level of managers who are also experts in countering cyber and information influence are extremely effective and allow bilateral cooperation between countries and special services to continue.
What is next
At present, the Security Service of Ukraine has built a strong, creative and patriotic team of professionals who provide cyber and information security for Ukraine. It should be noted that this team was formed first of all thanks to the Head of the Security Service of Ukraine, Army General Vasyl Hrytsak. While still at the front, directing the anti-terrorist operation, he realized the importance of the information confrontation with the aggressor. Therefore, we feel strong and motivating support from the leadership of the Service.
Our specialists counter Russian information influence and repel cyber attacks on a daily basis.
In order for this coordinated team to work even more effectively and grow in professionalism, two things are needed:
new, legally defined instruments for counteracting Russian cyber and information influence;
increased financing of information and cyber security units for the purchase of up-to-date software and equipment, as well as material incentives for high-level specialists.
The Security Service of Ukraine also counts on the civic consciousness and media literacy of our citizens, who are the direct consumers of information. This has been repeatedly emphasized by the Head of the Service. Only the joint efforts of the public and law enforcement agencies can successfully and effectively confront propaganda and information aggression against Ukraine.