Russia’s Chilling Cyber Aim in Ukraine: Digital Files
BOSTON — Russia’s relentless digital assaults on Ukraine may have done less damage than many had anticipated. But most of his hacking focuses on a different goal that gets less attention but has some frightening potential consequences: data collection.
Ukrainian agencies breached on the eve of the Feb. 24 invasion include the Interior Ministry, which oversees the police, national guard and border patrol. A month earlier, a nationwide database of car insurance policies was raided in a distracting cyberattack that defaced Ukrainian websites.
The hacks, coupled with pre-war data theft, likely armed Russia with extensive details about much of Ukraine’s population, according to cybersecurity and military intelligence analysts. This is information that Russia can use to identify and locate Ukrainians most likely to resist an occupation, and potentially target them for internment or worse.
“Extremely useful information if you’re considering an occupation,” Jack Watling, a military analyst at Britain’s Royal United Services Institute think tank, said of car insurance data, “knowing exactly what car everyone drives and where they live. and all that .”
As the digital age evolves, the dominance of information is increasingly used for purposes of social control, as China has shown in its crackdown on the Uyghur minority. It was no surprise to Ukrainian officials that a pre-war priority for Russia was compiling information on citizens.
“The idea was to kill or imprison these people at the start of the occupation,” said Victor Zhora, a senior Ukrainian cyber defense official.
Aggressive data collection accelerated just before the invasion, with hackers serving the Russian military increasingly targeting Ukrainians, according to Zhora’s agency, the State Service for Special Communications and information protection.
Serhii Demediuk, deputy secretary of Ukraine’s National Security and Defense Council, said in an email that personal data continues to be a priority for Russian hackers as they attempt new breaches of the government network: “Cyber warfare is really in the hottest phase these days.”
There is no doubt that political targeting is a goal. Ukraine claims Russian forces have killed and kidnapped local leaders where they seize territory.
Demediuk was stingy with details, but said Russian cyberattacks in mid-January and early in the invasion were primarily aimed at “destroying government agencies’ information systems and critical infrastructure” and included data theft.
The Ukrainian government says the January 14 car insurance hack led to the theft of up to 80% of Ukrainian policies registered with the Motor Transport Bureau.
Demediuk acknowledged that the Interior Ministry was among the government agencies breached on February 23. He said data was stolen but wouldn’t say from which agencies, only that it “did not result in significant consequences, particularly with respect to military or volunteer data.” Security researchers from ESET and other cybersecurity companies working with Ukraine said the networks had been compromised months earlier, leaving ample time for the stealth theft.
Collecting data through hacking is a long-term job.
A unit of Russia’s FSB intelligence agency that researchers have dubbed Armageddon has been doing so for years since Crimea, which Russia seized in 2014. Ukraine says it sought to infect more than 1,500 computer systems in the Ukrainian government.
Since October, Microsoft has attempted to breach and maintain access to government, military, judicial and law enforcement agencies as well as non-profit organizations, with the primary goal of “exfiltrating sensitive information” , Microsoft said in a Feb. 4 blog post. This included anonymous organizations “essential to the emergency response and ensuring the security of Ukrainian territory”, as well as the distribution of humanitarian aid.
After the invasion, hackers targeted European organizations that help Ukrainian refugees, according to Zhora and cybersecurity firm Proofpoint. Authorities did not specify which organizations or what may have been stolen.
Another attack on April 1 paralyzed Ukraine’s national call center, which operates a hotline for complaints and inquiries on a wide range of topics: corruption, domestic violence, people displaced by the invasion, benefits for veterans. Used by hundreds of thousands of Ukrainians, it issues COVID-19 vaccination certificates and collects callers’ personal data, including emails, addresses and phone numbers.
Adam Meyers, senior vice president of intelligence at cybersecurity firm CrowdStrike, believes the attack may, like many others, have a greater psychological impact than intelligence gathering, aimed at degrading Ukrainians’ trust in their lives. institutions.
“Fear them that when the Russians take over, if they don’t cooperate, the Russians will find out who they are, where they are and come after them,” Meyers said.
The attack took the center offline for at least three days, center director Marianna Vilshinska said: “We couldn’t work. Neither the phones nor the chatbots were working. They broke the whole system.”
Hackers calling themselves the Cyber Army of Russia claimed to have stolen personal data of 7 million people in the attack. However, Vilshinska denied breaching the database with users’ personal information, while confirming that a contact list the hackers posted online of more than 300 center employees was genuine.
Spear phishing attacks in recent weeks have focused on military, state and local officials, aiming to steal credentials to open troves of government data. Such activity relies heavily on Ukraine’s cellular networks, which CrowdStrike’s Meyers says are far too intelligence-rich for Russia to want to shut down.
On March 31, Ukraine’s SBU intelligence agency said it seized a “robot farm” in the eastern region of Dnipropretrovsk that was remotely controlled from Russia and sent text messages to 5,000 Ukrainian soldiers, police and SBU members. urging them to surrender or sabotage their units. . Agency spokesman Artem Dekhtiarenko said authorities were investigating how the phone numbers were obtained.
Gene Yoo, CEO of cybersecurity firm ReSecurity, said it probably wasn’t difficult: Subscriber databases of major Ukrainian wireless companies have been available for sale by cybercriminals on the dark web for some time. time, as is the case for many countries.
If Russia succeeds in taking control of more of eastern Ukraine, the stolen personal data will be an asset. The Russian occupiers have already collected passport information, a senior Ukrainian presidential adviser recently tweeted, that could help organize separatist referendums.
Ukraine, for its part, appears to have carried out extensive data collection – quietly assisted by the US, UK and other partners – targeting Russian soldiers, spies and police, including wealthy geolocation data.
Demediuk, the top security official, said the country knows “exactly where and when a particular serviceman crossed the border with Ukraine, in which occupied settlement he stopped, in which building he spent the night , stolen and committed crimes on our land”.
“We know their cell phone numbers, the names of their parents, wives, children, their home addresses,” who their neighbors are, where they went to school and the names of their teachers, he said. .
Analysts warn that some claims about data collection on both sides of the conflict may be overstated.
But in recordings posted online by Ukraine’s Digital Transformation Minister Mikhailo Fedorov, callers are heard phoning the estranged wives of Russian soldiers and impersonating Russian state security officials to say that the packages sent to them from Belarus were looted from Ukrainian homes.
In one, a nervous-looking woman admits to having received what she calls souvenirs – a woman’s bag, a keychain.
The caller tells her that she shares criminal responsibility, that her husband “killed people in Ukraine and stole their things.”
She hangs up.
AP data reporter Larry Fenn in New York and Inna Verenytsia in Kyiv, Ukraine contributed to this report.