The whole world has been following closely what has been happening in Ukraine since February 24th, which is understandable given the seriousness of the events. Alongside the military operations, a number of specialists and newspapers have pointed to the role of cyberspace in the war being waged. Contrary to what this growing interest in the cyber dimension seems to suggest, this involvement is not breaking news: Ukraine has been suffering a long-lasting cyberwar since 2014.
An extended definition of war
War is commonly defined as an armed conflict between different groups or countries. This definition fits the current situation between Russia and Ukraine perfectly, given the invasion of Ukrainian territory on February 24th. However, war nowadays has a wider scope that is no longer limited to physical ground. The Cold War between the US and the USSR first added economic pressure to this definition. In recent years, cyberspace has also been added to the range of actions that make up a war. Indeed, the military conflict that recently broke out between Russia and Ukraine is the follow-up to a long-lasting cyberwar waged against Ukraine.
A political trigger – 2014
After the overthrow of the pro-Russian Ukrainian president Viktor Yanukovych in 2014, Russia started to support cyberattacks against Ukraine. At first these were mostly Distributed Denial of Service attacks, better known as DDoS attacks. In a DDoS attack, a large number of computers (a botnet) is used to overwhelm a service (e.g. a customer support website or phone line) by sending more requests than the system can handle. Most of the time the owners of those computers are not even aware of their contribution to the attack, since their machines have been compromised and are controlled remotely by the attacker. The result is a disruption of the service until it recovers or the traffic is filtered. Troublesome rather than truly critical, DDoS attacks were not the most harmful to Ukrainian infrastructure and services. The two most damaging cyber incidents between 2014 and today were the following: the BlackEnergy3 campaign against Ukrainian electricity distribution companies, among them Kyivoblenergo, and the NotPetya malware delivered through the Ukrainian accounting software M.E.Doc. It is important to mention that most analysts agree on the likely involvement of Russia in those two major attacks. However, given the complexity of cyberspace, tracing an attack back to its source is difficult, and attribution can therefore be subject to controversy.
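The paragraph above explains what a DDoS does but not why it is harder to spot than a flood from a single machine. The following added example (written for this page; not code from the original author or from any tool mentioned here) runs a simple request-rate detector over a constructed access log. It shows the distinction a defender cares about: a per-IP threshold catches one noisy host, but a distributed flood stays under that threshold on every source and is only visible in the aggregate rate. The log lines, IP addresses, thresholds and window size are all assumptions made up for the demonstration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format line: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, aware datetime) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def detect_floods(lines, window=10, per_ip_limit=50, aggregate_limit=200):
    """Fixed-window request-rate detector (thresholds are illustrative assumptions).

    Returns one finding per window that trips a rule:
      - 'single_source': one IP alone exceeds per_ip_limit (a classic single-host DoS)
      - 'distributed':   the window total exceeds aggregate_limit while no single IP
                         stands out, i.e. the DDoS case that per-IP rate limiting misses
    """
    windows = defaultdict(Counter)  # window start (epoch seconds) -> Counter(ip -> hits)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of crashing the detector
        ip, ts = parsed
        start = int(ts.timestamp()) // window * window
        windows[start][ip] += 1

    findings = []
    for start in sorted(windows):
        counts = windows[start]
        loud = {ip: n for ip, n in counts.items() if n > per_ip_limit}
        total = sum(counts.values())
        if loud:
            findings.append({"window": start, "kind": "single_source",
                             "sources": loud, "total": total})
        elif total > aggregate_limit:
            findings.append({"window": start, "kind": "distributed",
                             "distinct_sources": len(counts), "total": total})
    return findings


def constructed_log():
    """Constructed sample traffic (made up for this example, not real data):
    10 s of normal browsing, then a 10 s distributed flood (60 hosts x 4 requests),
    then a 10 s flood from a single host, plus one garbage line."""
    t0 = datetime(2022, 2, 24, 10, 0, 0, tzinfo=timezone.utc)
    lines = []

    def emit(ip, t, path="/support"):
        lines.append(f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512')

    # baseline: three legitimate clients, one request per second each
    for s in range(10):
        for ip in ("203.0.113.5", "203.0.113.6", "203.0.113.7"):
            emit(ip, t0 + timedelta(seconds=s))
    # distributed flood: many sources, each one quiet on its own
    for i in range(60):
        for k in range(4):
            emit(f"198.51.100.{i + 1}", t0 + timedelta(seconds=10 + 2 * k))
    # single-source flood: one noisy host
    for k in range(80):
        emit("203.0.113.99", t0 + timedelta(seconds=20 + k % 10))
    lines.append("this line is garbage and must be skipped")
    return lines


if __name__ == "__main__":
    for finding in detect_floods(constructed_log()):
        print(finding)
```

Run as a script it prints two findings: a distributed window with 240 requests from 60 distinct sources (none above the per-IP limit) and a single-source window with 80 requests from one host. In practice the aggregate limit would be derived from a baseline of normal traffic rather than fixed, and the per-IP rule alone would have stayed silent during the distributed phase.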
BlackEnergy3 malware – 2015
The intrusion began months before the outage. Employees of Ukrainian electricity distribution companies, Kyivoblenergo among them, received emails purporting to come from a trusted Ukrainian government institution and carrying Office documents, a technique better known as spear-phishing. Employees who opened the attachment and enabled its macros let BlackEnergy3 (a modular malware family that started life as a DDoS toolkit and evolved into a backdoor used for espionage) into the corporate network. Over the following months the attackers used that foothold to spread across the network and harvest credentials, including the VPN credentials that gave remote access to the industrial control network. On December 23, 2015, they used this access to take over operator workstations and open breakers at some thirty substations, cutting power to roughly 225,000 customers, both households and businesses, for between one and six hours. To slow the response they also ran the KillDisk wiper on workstations and servers, destroying data and leaving machines inoperable, and flooded the companies' call centres with bogus calls. It is worth stressing that the malware was the entry point, but the blackout itself was caused by human operators remotely driving the grid equipment with stolen credentials. As a critical infrastructure, the disruption of a power grid could have had serious consequences; these were mitigated by the emergency generators of critical sites such as hospitals and by field crews restoring power through manual operation of the substations. Nevertheless, the affected companies were badly hurt in terms of economic losses, data losses and reputation.
NotPetya malware – 2017
If the name NotPetya sounds familiar, it is because this malware spread all over the world, far beyond its primary target: the users of the Ukrainian tax and accounting software M.E.Doc. Unlike BlackEnergy3, NotPetya did not arrive through phishing. The attackers compromised the servers that distribute M.E.Doc's updates and, starting in the spring of 2017, pushed backdoored updates to customers, a software supply-chain attack that turned a trusted update channel into the delivery mechanism. This gave the malware two phases. First, the backdoor sat quietly in thousands of organisations, installed by a legitimate-looking update, without drawing attention. Then, on June 27, 2017, the eve of Ukraine's Constitution Day, the destructive payload was pushed out. It presents itself as ransomware, but this is only a facade: it overwrites the master boot record and encrypts the file table with a randomly generated key that is never sent anywhere, so the "ransom" note leads nowhere and the data is effectively destroyed. Inside each network it propagated on its own, using the EternalBlue and EternalRomance SMB exploits and credentials stolen from memory to reach other Windows machines with standard administration tools. Since nearly every company doing business in Ukraine used M.E.Doc, the victims were numerous, including Ukrainian banks and ministries, and through their corporate networks the malware reached European and American organisations as well. Beyond the loss of data, the financial damage has been estimated at more than $10 billion.
It should be noted that both delivery mechanisms were deliberate choices: a spear-phishing campaign aimed at the staff of the electricity companies in one case, and the compromise of an update channel used almost exclusively by businesses operating in Ukraine in the other. Ukraine was the intended target in both, even though NotPetya escaped far beyond it.
Impact on Ukraine nowadays
The recurring DDoS attacks, together with the two major incidents described above, have hurt Ukraine's economy by targeting leading Ukrainian organisations. Furthermore, some studies have reported more than 150 attacks (mostly DDoS) against Ukraine since the Russian invasion. Other malicious actions, such as the creation of fake government websites, add to the confusion and, taken together, contribute greatly to creating chaos. Cyberspace is therefore far from negligible in the war against Ukraine, since it helps to weaken the country in a way that John Arquilla and David Ronfeldt had already anticipated back in 1993: "We anticipate that cyberwar may be to the 21st century what blitzkrieg was to the 20th century."
Author: Charlotte Arnaud