Digital warfare in Ukraine

This report deals with digital warfare at the example of cyber activities conducted in the Ukrainian conflict. It shows how digital warfare has evolved over time and how Ukraine has become a testing ground for cyberweapons. It discusses the difficulties of assigning and preventing cyber-attacks. Based on a ransomware attack in 2017 this report will show that cyber warfare is much more than a theoretical threat. It will highlight the impact of the malware attack NotPetya, as well as the reaction of politics and computer experts to the occurred events. This report summarizes the aspects of the cyberwar in Ukraine and derives strategies for preventing future attacks. The last section of the paper explains concrete countermeasures according to the ISO standard.

1. Introduction

Cyberwar has never been more ubiquitous than it is today. The events taking place in Ukraine place the whole world in the grip of new challenges. At the moment there might be no better place to witness cyber conflict in action than Ukraine. Ukraine has been the victim of a sustained cyber-assault unlike any the world has ever seen, undermining practically every sector of Ukraine - media, finance, transportation, military, politics, energy. The following describes Cyberwar in general and how the Ukraine has become a digital test field for cybercrime. It will also show why it is important to keep an eye on the conflict and what we can learn out of it.

2. Cyberwar

This section explains cyber warfare and how it differs from regular warfare. Impacts on social and economic levels are shown as well as the associated problems.

“The physics of cyberspace is fundamentally different from all other war zones." [Gre 18] A cyberweapon reminds in this physics that distance is not defence. Every barbarian is already at every gate. And the network of entanglements in this ether, which has unified and set the world up for the last 25 years, can bring it to a standstill in a few hours on a summer’s day. [Gre 18]

Cyberwar is a warlike conflict between states in the virtual space, which is led by means of information technology. It aims to harm countries, institutions or society electronically and disrupt important infrastructures.

The effects of cyberwar and cyberterrorism are unimaginable. It is not is not a power or water failure that lasts for a few hours and then everything continues as usual. If it comes to cyberwar, the consequences are devastating. Specifically, this means that all communication, information and supply tracts might be interrupted. As a result, people are completely isolated and vulnerable. Masses of panic and supply shortages could result. - There are emergency plans in case natural disasters cause a failure that lasts a few days, but no one expects a loss of supply for several months or even years.

2.1 Targets

Ukraine proves to be a good target for attackers due to the ongoing military conflict with Russia. Many of the used computers there run pirated software that does not receive security patches. In addition, Ukraine is very well connected within Europe offering a backdoor vulnerability to hack other states. [Cer 19]. In many cases the computer systems are not the final target - they are being targeted because of their role in managing real-world infrastructure like airports or power grids.

Knock out the computers and you can shut down the airport or the power station as a result.

Commonly if we talk about a critical security threats and attack surfaces we often think of critical infrastructure like hospitals, energy supplier or hardware in general. But there is not just the hardware or technological problem we have to face. Equally important is the threat to the human infrastructure for example influencing what we think, what we belief and what we know. As an example, people who live in the east of Ukraine are mostly Russian-speaking. This is mainly due to the fact that these areas can only consume Russian media due to the strong influence of Russia. This isolation means that the eastern population suffers from a lack of information and sympathizes with Russia through targeted propaganda measures. [Bae 18, Pg. 14]. Also, many cyber-attacks on the Ukrainian government as well as the failures caused by cyber-attacks have contributed to the inhabitants loss of trust in their government. These attacks are increasing the sense of chaos and doubts about the ability of the government to ensure security and order. This also means that our open, networked world is being questioned by many people. Some societies believe that the best way to respond to change is to build walls to protect in isolation. In this way we lose much of our networked world, not only material but also human.

The attacks on power grids in Ukraine are the first of their kind that have been proven to cause power outages. The blackouts are not just isolated attacks. They were part of a digital blitzkrieg that has lasted for years in Ukraine. [Gre 18] Attacks of this kind can take place more frequently in the future and also outside Ukraine. This includes critical infra-structures such as hospitals and defence infrastructure. The former president of the USA Barack Obama said that the security requirements concerning critical infra structures are the most serious challenges of today. [SK 17, Pg. 3]. NotPetya was an attack which cost estimated $10 billion to clean up — It was “as close to cyberwar” as we’ve come. [Cer 19] This attack offers a perfect example of the potential extent of damage considered critical infrastructure as a target. The complete attack scenario is discussed in detail in the NotPetya section.

2.2 Attack attribution

The attribution of attacks remains still complicated to the fact that technical evidence may have been manipulated in a certain way in order to incriminate others or hide information. It is especially complicated in the case of Ukraine due to the mass and impact of occurred attacks, but also to the high technical level that was used by the attackers to perform and hide their actions. Also, the distinction between state and non-state actors remains unclear, since the state can deny any relation to the affected group. Tools are often shared and publicly available. Therefore, there is no way to attribute their usage to a specific group. [Bae 18, Pg.12]

3. Historical background

This section discusses the historical background which led to the occurred events in Ukraine. It focuses on the most relevant cyber-war related events that occurred in Ukraine and explains their origin. It will also show how Russia developed their cyber capabilities over the past decade up to the year 2017 when an attack was performed that’s impact reached an unpredictable and unprecedented damage potential.

Ukraine has been locked in a grinding, undeclared war with Russia. It has become a “hotspot” for cyberattacks, meaning that the cyber-aspects of the conflict with Russia relates to a series of actions taken in that context by states or non-state actors in cyberspace.

With the fall of the Soviet Union the Ukrainian People’s Republic proclaimed their independence on 24 August 1991. Russian government still continued to maintain certain influence and control over former Soviet Republics especially over the Ukraine.

At the end of 2013, there were violently repressed protests by the people due that the Ukrainian President Yanukovych stopped the association agreement with the EU. [LpB 19] The Agreement would have strengthened the relation between the Ukraine and EU enormously. Through the disputes several demonstrators are dying as a result of the violent riots. At that time the Ukraine also becomes target of several DDoS-attacks which affected institutions websites and cell phones of members of Parliament. [Bae 18, Pg. 7]

In 2014 the majority of Russian-speaking citizens of the Crimea decided in a controversial referendum to join Russia. [LpB 19] To achieve a majority the Crimea was intervened by the Russian military. Strategic important infrastructure like various airports were seized by non-uniformed soldiers, also electricity and drinking water was only severely limited. To isolate the Ukrainian military on the peninsula Russian forces cut off telephone cables and interrupted communication channels. Also, in 2014 servers of the Central Election Commission got infected with malware. The malware was removed by the Ukrainian cyber emergency response just in time before the election. [Gor 14]

On December 23, 2015, the first known successful cyberattack on an energy company took place in Ukraine. The invaders were able to shut off the power supply for six hours by using the so-called BlackEnergy malware. Approximately 250,000 inhabitants and companies around the Ukrainian capital of Kiev were affected by this attack. [SK 17, Pg. 1] The exciting thing about this attack is that its potential size has been estimated to be much larger but it has not been fully utilized. Experts suggest that it was primarily a question of determining the extent and response to such an attack and not turning off the power grid in the long term. [SK 17, Pg. 2]

A year later in December 2016, attackers managed to turn off the light in large parts of the Ukrainian main town of Kiev again. The attacks in 2016 and 2015 were not much different – the only distinction was that the blackout in 2016 became more complex by the fact that the attackers were able to develop more experience and better tools over time. [BBC 17]

In 2017 the widest-reaching and the world’s most financially damaging attack took place. The attackers combined their knowledge of former power grid hacks with the so-called Petya malware and a vulnerability known as EternalBlue initially discovered by the U.S. National Security. The resulting malware “NotPetya” was used by the attackers to compromise the software of a small Ukrainian tech company called Linkos Group. The software, was widely used, giving hackers access to thousands of users and devices. The attack was the most damaging attack in history of a scale and cost. Its estimated damage and recovery measures amount to $10 billion. [Cer 19]

Image Timlene attacks Ukraine Figure 1: Timlene attacks on Ukraine

4. NotPetya

Research has concluded that the attack of the Petya variant, which began on 27 June 2017, was intended more as a destructive attack on Ukraine than as a means for cybercriminals to make money on ransom. In other words, this attack was not for financial gain, it is a weapon disguised as ransomware.

The release of NotPetya was an act of cyberwar by almost any definition - an attack that began, at least, as an assault on one nation by another. It was probably more explosive than even its creators intended. Within hours of its first appearance, the worm raced beyond Ukraine and out to countless machines around the world, from hospitals in Pennsylvania to a chocolate factory in Tasmania. [Gre 18]

List of the approximate damages reported by some of NotPetya biggest victims:
$870,000,000 Pharmaceutical company Merck
$400,000,000 Delivery company FedEx
$384,000,000 French construction company Saint-Gobain
$300,000,000 Danish shipping company Maersk
$188,000,000 Snack company Mondelēz
$10 Billion Total damages from NotPetya, as estimated by the White House [Gre 18]

US intelligence agencies also confirmed in that Russia’s military, the prime suspect in any cyberwar attack targeting Ukraine, was responsible for launching the malicious code. Russia denies the hacking allegations. [SK 17, Pg. 2]

4.1 Initial Vector

The infections with NotPetya began with a software supply-chain threat. It was a legitimate updater of the document management software M.E.Doc, which is heavily used by Ukrainian companies, and companies operating in Ukraine, for maintaining information on tax and payroll accounting. [MSD 17]

4.2 Propagation

The older version of NotPetya called Petya (2016) required the victim to download it from a spam email, launch it, and give it admin permissions. “To date, it was simply the fastest-propagating piece of malware we’ve ever seen,” says Craig Williams, director of outreach at Cisco’s Talos division, one of the first security companies to reverse engineer and analyse Not­Petya. [Gre 18] However, NotPetya only takes a single infected machine to affect a whole network. The dissemination is done by several approaches:

  • stealing credentials or re-using existing active sessions
  • using file-shares to transfer the malicious file across machines on the same network
  • using existing legitimate functionalities to execute the payload or abusing SMB vulnerabilities for unpatched machines

The ransomware can spread by two exploits of the Microsoft Server Message Block (SMB). EternalBlue (CVE-2017-0144), the same exploit used by WannaCry and EternalRomance (CVE-2017-0145). Both exploits were developed by the United States NSA to take advantage of a flaw in the Windows implementation.

It also is using a credential dumping tool similar to Mimikatz to find network administration credentials in the infected machine’s memory. Then it uses the PsExec and WMIC tools built into Windows, to remotely access other computers on the local network and infect them as well. The combination of EternalBlue and Mimikatz is brilliant because the virus can infect computers that aren’t patched, and then can grab the passwords from those computers to infect other computers that are patched. Both vulnerabilities have been fixed by Microsoft in security update on March 14, 2017. [MSD 17]

Research on Shodan (also known as search engine for the Internet of Things) shows that there are still about a million computers currently using the SMB v1 protocol and that the port can be reached from the internet.

Image Shodan SMB v1 Figure 2: Ranking of threatened countries [Kub 19]

4.3 Encryption

Once a system is successfully compromised, the malware will begin to perform a privilege check to determine what permissions the running account has. Based upon the privilege the malware will encrypt the victim system in one of two methods:

If NotPetya is running on administrative privileges it will attempt to encrypt the Master File Table and the Master Boot Record of the hard drive (PhysicalDrive0). After modifying the MBR, the system displays the following fake “chkdsk.exe” partition repair screen as it encrypts the hard drive, shown below in Figure 2. [MSD 17]

Image Output Figure 3: False CHKDSK Output from Malware MBR Code [MSD 17]

If overwriting the boot sector fails the NotPetya’s wiper function irrevocably destroys the first ten sectors of the drive. Additionally, if it finds an anti-virus process-hash on the system, it will also wipe the first ten sectors of the disk drive. [Sui 17]

After completing its encryption routine, the end user cannot get back into Windows. Instead they see a ransom note (Figure 3) called README.TXT. This happens because NotPetya encrypted the MBR, thereby breaking the normal Windows boot process.

Image NotPetya Encrypted Figure 4: Screenshot of a system compromised by NotPetya [MSD 17]

4.4 Decryption

In the previous version called Petya the installation ID contains crucial information for the key recovery to extract the decryption key. However, NotPetya did not intended the boot sector or the ten sectors that are wiped to be restorable. The ID shown in the ransom screen is just plain random data. Additionally, the design of the attack suggests that it was carried out by a technically skilled group of cybercriminals, yet the execution of the ransomware and payment methodology showed little to no expertise or intent to produce financial gains. Thus, it is designed to permanently disable as many machines as possible, rather than as a tool for financial gain. [Sui 17]

5. Effects

Cyber-activities conducted in a particular place do not only affect the country on a domestic level, but may also have major international repercussions. A perfect example of this is the presented NotPetya malware, which originated in a Ukrainian software company and has spread rapidly worldwide.

NotPetya “was when everybody realized how vulnerable we are when Ukraine gets hit,” Maigre, the former head of NATO’s cyber defence centre. [Cer 19]

That’s why in 2017, Ukraine hosted the first Global Cybersecurity Summit (GCS), an international gathering of over 500 experts in computer technology, policy and business. The goal was to address the critical issues of cybersecurity, but also to discuss prevention measures.

One of the key findings of the meeting was the lack of skilled labour in the national context. the existing talent gap between nations needs to be addressed. For example, Russia has three times more computer science experts than India, even though India has ten times as many inhabitants. [Pat 17]

Further findings were that there are three basic components to achieve cyber-defence on a global scale:

  • First, cooperation is important as technology spreads across national borders. Cybersecurity requires a collective response from all groups who need to proactively work together. It is the task of the global actors to exchange information.

  • Secondly, it is important to set international laws and standards for technologies, so that there is at least a floor on how people behave and act. As an example, more IoT devices from different manufacturers and firmware with different security protocol types will be used. These devices often serve attackers as backdoor for the company itself or as in the case of NotPetya as gateway to other companies. A good policy must be established that promotes innovation while enforcing security for devices.

  • The last point is deterrence: Businesses and government organizations must be willing and able to impose costs on entities and groups that use offensive cyber weapons and malware for illegal purposes.

“These steps won’t eliminate all vulnerabilities, but they will drive down hacks and slow down proliferation”. Antony Blinken - Former US Deputy Secretary of State [Pat 17]

6. Policy Consequences

This section proposes conclusions that can be taken over to reduce risks and increase protection against cyber-activities with references to the ISO standard series. The protection against this cybercrime involves a set of security layers. Companies should look towards not only technology, but also people and process-like solutions.


Contact with special interest groups - Control A.6.1.4

As mentioned before the fight against cyberweapons is a global challenge. The events that have taken place in Ukraine can help to make systems safer in the future. Information exchange with special interest groups or other specialist security forums and professional associations shall be maintained to remain abreast with emerging threats & vulnerabilities.


Access to Networks and Network Services - Control A.9.1.2

Companies should implement controls using the concept of least privilege. By limiting the permissions and access of privileged accounts, companies can reduce the impact of credentials theft. As an example, Domain Admins should be limited to only being able to authenticate to the Domain Controllers. In the same design, a group of server admins should be created and should only be able to authenticate to servers that they need to administrate.


Information backup - Control A.12.3.1

As described in the objectives of this control, “Backup copies …shall be taken and tested regularly.” The ransomware has the ability to spread up to network drives and security copies. Back up data to multiple locations, ensuring proper segmentation. Validation of these copies is essential to ensure the success of restore when necessary.


Segregation in networks - Control A.13.1.3

The rapid proliferation of file encryption on the network caused by ransomware can be locked if the network is organized by segments, rather than being accessible all together. As an example, the backup system should have a specific account that it can use to access the systems it is protecting, but no account from those systems should have access to the backup server. This way credentials that are stolen from production systems will not be able to be used to destroy the backup data.


Controls against malware - Control A.12.2.1

Nevertheless, it is not possible to prevent every type of malware that can attack a company, but anti-malware software is getting better at recognizing and fighting ransomware attacks.


Event logging - Control A.12.4.1

As I mentioned, this is a sophisticated malware. The system’s behaviour analysis may be crucial for its timely detection. Monitoring capability allows teams to detect attackers earlier in the attack chain and respond more effectively. This control suggests not only the creation of event logs, but also regular reviews.

7. Conclusion

Based on the attacks that have taken place in Ukraine, the technical progress of cyber-attacks can be examined very well. NotPetya was able to spread itself automatically and thereby cause enormous damage. Looking at technological progress, such as artificial intelligence and the networking of IoT devices, it becomes clear that these technologies are also well-suited for destructive purposes. In the future, self-learning- and spreading cyber weapons can be one of these results. As a result of the variety of problems, there is not a single organization, government or company that can provide the right solution to this problem. The best way to protect from future challenges is observe, analyse incidents and discuss them on a global scale.

References

[LpB 19] Ukraine-Konflikt - Nervenkrieg um die Ukraine, Landeszentrale für politische Bildung BW, Web, last access: 26.10.2019, URL https://www.lpb-bw.de/ukrainekonflikt.html

[Pat 17] Dan Patterson, Ukraine is a test bed for global cyberattacks that will target major infrastructure, TechRepublic, Web, Web, last access: 16.10.2019, URL https://www.techrepublic.com/article/ukraine-is-a-test-bed-for-global-cyberattacks-that-will-target-major-infrastructure/

[SK 17] Julia E. Sullivana and Dmitriy Kamensky, How cyber-attacks in Ukraine show the vulnerability of the U.S. power grid, The Electricity Journal, Web, last access: 16.10.2019, URL https://www.sciencedirect.com/science/article/pii/S1040619017300507

[Bae 18] Marie Baezner, Hotspot Analysis: Cyber and Information warfare in the Ukrainian conflict, CSS CYBER DEFENSE PROJECT, Web, last access: 16.10.2019, URL https://css.ethz.ch/content/dam/ethz/specialinterest/gess/cis/center-for-securities-studies/pdfs/20181003_MB_HS_RUS-UKR%20V2_rev.pdf

[BBC 17] BBC News, Ukraine power cut ‘was cyber-attack’, BBC News, Web, last access: 26.10.2019, URL https://www.bbc.com/news/technology-38573074 [Cer 19] Laurens Cerulus, How Ukraine became a test bed for cyberweaponry, POLITICO, Web, last access: 29.10.2019, URL https://www.politico.eu/article/ukraine-cyber-war-frontline-russia-malware-attacks/

[MSD 17] Microsoft Defender ATP Research Team, New ransomware, old techniques: Petya adds worm capabilities, Microsoft, Web, last access: 25.11.2019, URL https://www.microsoft.com/security/blog/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/?source=mmpc

[Chi 17] Alexander Chiu, New Ransomware Variant “Nyetya” Compromises Systems Worldwide, Talos Threat Source Newsletters, Web, last access: 25.11.2019, URL https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html

[Gor 14] Michael R. Gordon, NATO Commander Says He Sees Potent Threat From Russia, The New York Times, Web, last access: 26.10.2019, URL https://www.nytimes.com/2014/04/03/world/europe/nato-general-says-russian-force-poised-to-invade-ukraine.html

[AL 15] Michael J. Assante and Robert M. Lee, Information Security Reading Room: The Industrial Control SystemCyber Kill Chain, SANS Institute, Web, last access: 05.15.2019, URL https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297

[Sui 17] Matt Suiche, Petya.2017 is a wiper not a ransomware, Web, last access: 05.12.2019, URL https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b

[Gre 18] Andy Greenberg, The Untold Story of NotPetya, the Most Devastating Cyberattack in History, WIRED, Web, last access: 27.11.2019, URL , Web, last access: 27.11.2019, URL https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/#

[Kub 19] Ondrej Kubovič, EternalBlue Exploit seit WannaCryptor‑Ausbruch populär wie nie, welivesecurity, Web, last access: 27.11.2019, URL https://www.welivesecurity.com/deutsch/2019/05/17/eternalblue-exploit-peak-wannacryptor/

[Wed 15] Jen Weedon, Beyond ‘Cyber War’: Russia’s Use of Strategic Cyber Espionage and Information Operations in Ukraine, NATO CCD COE Publications, Web, last access: 30.10.2019, URL https://ccdcoe.org/uploads/2018/10/Ch08_CyberWarinPerspective_Weedon.pdf

[Sam 15] Robert J. Samuelson, Could an attack on the electric grid mean cybergeddon? Washington Post, The Washington Post, Web, last access: 05.12.2019, URL https://www.washingtonpost.com/opinions/could-an-attack-on-the-electric-grid-mean-cybergeddon/2015/12/06/52371aa2-9ace-11e5-8917-653b65c809eb_story.html