Ukraine was once a hotspot for petty criminals online. Then the war with Russia came. Today digital warfare is being tested here. And the IT security industry is flourishing.
Artem Afian, a man in his 30s, with a well-groomed beard, brown vest over his shirt and olive-green trousers, sits at a wooden conference table in his office in Kyiv (Kiev), on the sixth floor of an office building. Through large windows, you can look down on the street, over which heavy SUVs with tinted windows thunder: new Toyota Land Cruisers, Land Rovers and G-Classes on the potholed streets of a country in which the average annual income is below $10,000. Behind Artem on the wall hangs a pop art version of the Renaissance painting “The Judgment of Cambyses”. The picture shows how the corrupt judge Sisamnes is arrested and skinned before the judge’s chair is covered with his skin. “We also sent a copy to the judiciary, but they didn’t want it there,” he says with a grin.
Afian specialized in IT law in the early 2010s. How the Ukrainian cyber scene is changing is reflected in his cases. In the beginning, private hackers called Artem when the police suddenly came to the door: Odessa carders who were caught handling other people’s credit card details; data miners who had looked too deep into foreign data records. He represented operators of file sharing sites like Ex.ua and others.
It was paid in Bitcoin for the first time. Artem’s law firm is now also building the legal framework for bug bounty orders: security tests that hackers carry out on behalf of customers. The classic hacker cases are fewer in his office. “Five or ten years ago, Ukraine was something of a hacking heaven. But the era of the private hacker is coming to an end. The carders are almost gone. Hacking is now becoming more organized. If a teenager is caught hacking, the police come. And the next day a company comes that offers him $5,000 a month if he starts there.”
Meanwhile, the United States is sending cyber troops to Ukraine
This evolution also has political reasons: In 2014, Ukraine broke away from Russia with the Maidan Revolution; since then the capital no longer wants to be called “Kiev”, but “Kyiv”, in Ukrainian spelling. With emancipation, the country has become a test site for cyber weapons. While Ukraine was still a playground for private hackers in the 2000s and early 2010s, a digital war is raging there now. Meanwhile, the United States is sending cyber troops to Ukraine to learn how digital attacks work and to prepare themselves for them. At least since the attack on the servers of the Democratic Party, which is said to have helped US President Donald Trump to victory, the United States has also been aware of the effects that cyber weapons can have.
It is almost impossible to attribute cyber attacks to a state and a command structure. After all, deniability has been priced in from the start. In the significant attacks in Ukraine, however, experts and intelligence officers recognize Russian handwriting.
A worm that cost billions
The highlight so far at the test site in Ukraine was “Notpetya”: an infection that paralyzed an entire country in the summer of 2017 from a hacked server belonging to a small Kiev software company. According to estimates, the worm destroyed the data of ten per cent of all computers in Ukraine and temporarily paralyzed two airports, 22 banks and several authorities. Notpetya jumped from Ukrainian networks to the corporate networks of companies such as pharmaceutical giant Merck or logistics companies FedEx and Maersk. Notpetya is said to have cost the US company Merck $870 million, according to estimates by the US expert Andy Greenberg. At Maersk, the world’s largest container shipping company, the worm is said to have torn a $300 million hole. Security experts from the White House later estimated the total damage at about ten billion dollars – and accused the Russian secret service GRU. To date, Notpetya is considered the most devastating hack in the world.
The constant threat to Ukrainian IT systems has also made IT security a key issue: a thriving cybersecurity sector has grown out of the classic software outsourcing industry. Hackers and IT security experts are now working for the government and are increasingly attracting international orders.
Victor Zhora sits in a café called “The Cake” in downtown Kiev and eats cake. He is in his late thirties and is wearing a black turtleneck. Next to our table is a pink, two-meter-high plastic dog sculpture that is reminiscent of the work of US artist Jeff Koons and gives the conversation a somewhat surreal touch.
Zhora has been working in Ukrainian IT security since the 2000s. “15 years ago, something like ‘Cyberwar’ was not an issue,” he says, forking a piece of the carrot cake on the table in front of him. That has changed since Ukraine moved away from Russia politically. In the meantime, he has helped digitally secure eight parliamentary and presidential elections – since 2009 with his own company Infosafe.
“The website was under constant attack.”
In Ukraine, voting is still on paper, making the result of the elections difficult to hack digitally. But in a country that has had two revolutions since 2004, ambiguities on election night can lead to heated feelings. “There was a lot of traffic on the election commission’s website on election night and the next day,” says Zhora. “The website was attacked continuously. We then tried to maintain it by all means – from web mirroring to DDoS defense.”
Zhora experienced the most intense attacks on May 25, 2014. “At the time, our big neighbour decided to prove to the rest of the world that we had chosen a junta in Kiev,” he says. Junta is the term used mainly by Russian media in 2014 to discredit the then Ukrainian administration. “There were three phases to the attack,” says Zhora. Even before the election, hackers with targeted phishing attacks had invaded the election commission’s computer system unnoticed. Just hours before the first projections were published on the election commission’s website, he and his colleagues got a tip. Someone had noticed that before the early projections, a picture of a supposed election winner had been uploaded to the page and could therefore be published at any time.
A picture of Yarosh as the election winner on the official website of the election commission would have had catastrophic consequences for Ukraine: Russian media, which also had a broad audience in Ukraine, would have given their junta thesis a new boost. The news of Yarosh as the winner would have brought both the paramilitaries of the “Prawyj sector” and the stunned supporters of the other parties onto the streets in a short time: chaos that would have called the whole election into question.
“When we saw the picture, we knew that the system had been compromised,” says Zhora. It would have taken too long to check the system entirely and to kick the attacker out with certainty. “So we started to replace all the nodes and the website completely,” he says. The new website went online shortly before the first projections. “The only call to the old link to the page where Yarosh’s picture would have been came from the IP address of a Russian television station,” says Zhora with a meaningful look. The hack on the website of the Ukrainian election commission was something like the starting signal for the significant political cyberattacks on Ukraine.
On December 23, 2015, the lights suddenly went out for 230,000 residents in the western Ukrainian region of Ivano-Frankivsk in the early evening. In a highly complex operation, hackers had taken control of a power grid for the first time worldwide. And they were well prepared. In spring 2015, they started using a Word exploit sent by email, called “Blackenergy3”, to infect the computers of employees of electricity suppliers in western Ukraine.
The hackers spent months bypassing electricity supplier firewalls and familiarizing themselves with industrial computers and their functions. Then, on December 23, 2015, it happened: they turned the lever at three distribution centres and 30 sub-centres and cut off the electricity. As an extra flourish, the hackers paralyzed the emergency generators of the three attacked distribution centres during the attack so that even the already confused employees of the municipal utility company were left in the dark.
The Blackenergy hack was followed about a year later, in December 2016, by the hack on the Kiev electricity provider “Kyivenergo”. “The lights went out in the north of Kiev. The malware that was used was specially written for Kyivenergo’s industrial control systems,” says Zhora. “If you have something that works in such a system, you can try it out here and use it elsewhere.”
But it is not only the attackers who are practising in Ukraine. Since the hacks on the elections and energy systems, the United States has been sending not only defence equipment and support – but also cyberspace units that study the attacks themselves to prepare the United States for them. “Our solution for the Blackenergy hack was to start the power in the distribution centres again manually. In the United States, that would no longer be possible, because the electricity grid is completely digitally controlled there,” says Zhora.
“The United States can observe how systems are attacked in Ukraine, and thus study the tactics of the attackers.”
“It is likely that the hackers wanted to see if the malware worked the way it was supposed to. And also how the international community would react to it,” Marie Baezner explains to me in a Skype call. Baezner conducts research at the Center for Security Studies at ETH Zurich on the role of cyber attacks in conflicts such as the wars in Syria or Ukraine. In one of her scientific articles, she counts 64 attacks and counter-attacks in the Ukraine conflict between November 2013 and December 2016. “Ukraine has a strategic value for the USA. The United States can see in Ukraine how the systems were attacked, what malware was used, and study the tactics of the attackers. It was helpful to see this before the 2018 midterm election. They will do the same before the 2020 elections and send cyber troops to Ukraine, Macedonia and Montenegro.”
In a networked world, cyberattacks on states don’t stay where they started. A small Ukrainian software company called “Linkos Group” works just a few kilometres from the café “The Cake”, where I meet Victor Zhora. Linkos sells a concealed accounting program called MEDoc, mainly to Ukrainian customers. In June 2017, hackers used one of the Linkos servers to release the worm, which later became known as “Notpetya”.
The hacker attacks on Ukraine, which security expert Zhora calls “a cold shower”, also had a vitalizing effect on the Ukrainian hacker scene. In the west of Kiev, in a café in an IT hub called “Unit City”, I meet Yegor Aushev and his business partner Evgenia Broshevan. Both wear hoodies, Aushev in black, Broshevan in red. With money from an early crypto-ICO, the two built a platform called “HackenProof”. Companies can register for a penetration test on the platform: a “hackability test”. One of the approximately 3,000 legal hackers registered on the site then searches for weaknesses in the respective company – and logs what they find.
The changing history of Ukraine, from former hotspot for small cybercriminals to the burned child of cyberwar, has got the business going. “It took a long time to convince people to hire a Ukrainian cybersecurity company for the first time. On the other hand, Ukraine is now known for its hacks and hackers,” explains Aushev. An Asian airline is a customer he is particularly proud of. There are no official numbers, but HackenProof founder Aushev estimates that there are around 30 cybersecurity companies in Ukraine. In doing so, he discovered the increasing demand for security specialists as a separate business area – and added IT security courses to his company’s portfolio. Not least because of hacks like Blackenergy and Notpetya, the security industry is booming like never before.