Risky Business - Feature Interview: How Sandworm prepared Ukraine for a cyber war
Episode Date: August 20, 2023
In this joint Risky Business and Geopolitics Decanted feature interview, Patrick Gray and Dmitri Alperovitch talk to Illia Vitiuk, the Head of the Department of Cyber and Information Security of the Security Service of Ukraine (SBU), about the cyber dimension to Russia's invasion. From turning off Ukraine's power grid with a cyber attack in 2015 to the Viasat hack in 2022, Russia's intelligence services are world renowned for executing creative destructive cyber campaigns. Despite this, after a year and a half of Russia waging war on Ukraine its power grid is up, its telcos are functioning and its banks are still processing transactions. How has Ukraine been able to withstand Russia's onslaught in the cyber domain? Vitiuk joins us to reveal insights into how Russian intelligence services are operating in Ukraine, and how the SBU is countering them.
Transcript
Welcome to a special joint episode of Geopolitics Decanted and Risky Business.
I'm your host, Dmitri Alperovitch, Chairman of Silverado Policy Accelerator, a geopolitics
think tank in Washington, D.C.
And today, I'm co-hosting this episode with my good friend and longtime Geopolitics Decanted collaborator, Patrick Gray, the host of the Risky Business Cybersecurity Podcast.
Today's guest is Ilya Vityuk, head of the Cybersecurity Department of the Security Service of Ukraine, the SBU.
And we're going to be discussing what Ilya and his team have observed in the cyber domain prior and during this latest Russian aggression
against their country, as well as Russian adversary tactics, techniques, and procedures,
what has worked so well for Ukraine and the SBU in this fight, and what their needs are
going forward.
We hope you enjoy it.
Ilya, maybe we can start with your role.
Our listeners have certainly heard about SBU, the intelligence agency of Ukraine,
and you've been in the news recently. Your director has spoken about using drones,
naval drones in the Black Sea against the Kerch Bridge and other targets. But what is the
cyber department that you lead at the SBU? What is your role and your scope of responsibilities?
So Security Service of Ukraine is the main counterintelligence body of the country.
And it's both counterintelligence and law enforcement body.
And Cyber Department is responsible for everything connected with cybersecurity, critical IT infrastructure, and what we call information security, meaning countering malign disinformation campaigns, specifically from Russia today.
So we counter every aggressive and dangerous influence from special services in the area,
in cyber realm and information realm, I would call it that way.
So kind of maybe a mix of NSA and FBI, right, for our listeners in the US?
So actually, Security Service of Ukraine, probably if comparing to the United States
of America most closely, this is FBI.
But also what we do as cyber department, we have also some functions of CISA. So partially we are both like counterintelligence, law enforcement,
and also as cybersecurity subject. So we also have our own unit that acts as a third team.
We operate security operational center. We install security event informational systems.
We install telemetry sensors.
So we look at this data.
We conduct incident response.
We conduct attribution and investigation, but also criminal investigation.
So we put all these things about cyber attacks into criminal cases and then bring them to
court. And of course, we
look at our critical IT infrastructure about all the systems that are being built, whether there is
or possibly could be a Russian software there, whether system administrators, for instance,
have some relatives in Russia and may be used by Russia in order to conduct
some kind of subversive activity, we look whether there are some kind of embezzlements
while some systems are being built.
Because if there are embezzlements, that means that systems could be prone to cyber attacks.
They could be less protected.
They could be not needed at all.
So, and this money could go into some better places in order to ensure our cybersecurity.
So, a big scope of responsibility. And we have both field officers that conduct
like operative work and we have technical specialists. So, a wide range of responsibilities, starting from detection, incident response, investigation,
overseeing, if we can call it that way, all the processes of digitalization in terms of protecting
them, our digitalization against special services, especially from Russia Federation today.
It's a very broad mission. And obviously, you've been very busy, not just since the war began,
but even pre-war when I was in Kiev and we were meeting, you said something
that I thought was really interesting, which is that the Russians really prepared you well
for what has taken place since February 24th, 2022, because of the various attacks they had
launched, of course, for many years, but in particular back in January of 2022.
Can you talk a little bit about that, what you were seeing before the war and why you actually
found that to be useful in preparing you for what has come since then?
Well, first of all, it is very important to understand that for us, before the war, it was before 2014, because the war, not such a full-scale war, but actually the war started in 2014. And especially if we speak about what we call now cyber war, it also started in 2014. So the first cyber attacks, destructive cyber attacks, started back then. And we gained a lot of experience since 2014, so it means like
eight years before the actual full-scale invasion. And there were many prominent or notorious cyber
attacks like Industroyer, like BlackEnergy. These were the first attacks, destructive attacks, on our power grid. And back in 2015, by the way,
there was the first attempt that caused
a quarter million people without electricity for six hours.
So at that time it was something very much surprising.
Then again, in Dostoyevsk in 2016,
then there was an attempt to penetrate
our train railroad control system, and this
actually could cause a collision of the trains. We just in time switched to manual mode and avoided
this. Then there was NotPetya in 2017, this world-known attack, because like around 60 countries suffered from it. So these were all our lessons. And we,
during that time, we improved our legislation, we adopted new cyber security strategy, we invented
tools and techniques that are actually effective in countering these Russian aggressive cyber
potential cyber attacks. But even more than that, after the
beginning of the full-scale war, we've got new knowledge of how to use all
this experience in critical circumstances, so meaning when
you or the objects of critical infrastructure that you need to protect are under shelling, when
your city is about to be surrounded, when the system administrator is gone because he needed
to take his family out of Irpin or Bucha.
So when you are put into survival mode, you know, you have some extra skills and knowledge, so how to use everything very effectively.
And we need to understand that the massiveness of these cyber attacks have been constantly growing.
So back in 2020, we as security service dealt with around 800 cyber attacks and critical cyber incidents that we consider were stemmed from
Russia and we thought that that was a lot. Then in 2021 the number was 1400 and then in 2022
the number was 4500 cyber attacks and critical cyber incidents. So you see that the demands grow three times more than back in 2021.
And when you need to deal with such a massiveness,
we on average have 10, 15 serious events that we need to react on per day.
So, of course, that makes you more focused
and you know what to do and how to do it quickly.
We've established and developed mechanism of working together
between different subjects of cybersecurity subjects.
So because we have, like, it is called SSSCIP, this is an analog of CISA.
We have national police, we have national security council.
So a lot of bodies, minister of defense,
for instance, and we need to interact very, very quickly and react on cyber attacks.
And of course, you've mentioned the cyber attacks at the beginning of previous year. It was on
January and on February. So these were two big combinations of cyber attacks that happened simultaneously.
And for us it was like a dress rehearsal before the actual invasion and before the full-scale war.
In January, it was January 13-14, it was a mixture of everything, defacing websites, using wipers, lockers, DDoS attacks, and also
psychological disinformation campaign that actually was also launched simultaneously
in order to make people panic that all of their data were stolen and will be exposed
and that all the IT infrastructure will be wiped away.
So that was the idea because around 70 state websites were defaced in the morning of January
30. And you know, for us it was another big, big experience. Like literally for a couple of days, everyone who is somehow attached to
cybersecurity, they were all standing on their ears, you know, because we needed to cope with all
those problems. And indeed most of the resources were fully restored, like in a couple of hours.
There were only a couple of ministries that indeed were damaged
more seriously, and we needed more time to bring them back to normal. And there was another
combination of cyber attacks in February, probably around one week before the invasion, roughly 10 days or one week, something like that. So for us it made us even
more confident, more prepared, so nothing could make us surprised anymore. And what happened
on February 24th, actually even one day earlier, because the attacks, the actual attacks, they started in the evening of February 23,
and they attacked a number of resources, most prominent was, of course, Viasat,
satellite communication system, because they wanted to attack our military, because they knew
that we used that satellite for communication. However, we coped with that problem rather quickly,
and until probably 5 or 6 o'clock in the morning on February 24th,
most of the possible damage that these attacks could produce,
we already sorted it out.
So this is to speak very briefly about those long eight years before the full
scale and they...
Now, I just wanted to jump in there earlier, because I'm very glad you mentioned
what happened in 2015, because this is really well studied stuff, even outside of Ukraine.
It's not every day that an adversary manages to disrupt power infrastructure. Entire books have
been written about this.
But I find it very interesting that we had this trajectory where Russia was doing all of this
incredibly aggressive and damaging stuff, targeting industrial control systems and whatnot.
And then in the lead up to the invasion, of course, we had the Viasat hack, which was
very widely reported on and is regarded as the most, I suppose, interesting thing that Russia
has done with cyber throughout this more recent escalation in the invasion. But you also spoke
about more recently dealing with things like wipers and website defacements and information
campaigns, which is not really what people were expecting.
They were expecting more of this big, scary stuff from Russia,
attacks against control systems, attacks against the banking sector,
you know, attacks that would actually achieve some sort of effect.
Why is it that we haven't seen that in Ukraine?
Is that because you had time to adapt your defenses or is it because
Russia has just planned all of this so badly?
Well, you know, it's not only because Russia is
not that good as probably the world supposes it is in terms of cyber, but also because of this experience we had and because we are far better
than probably most of people in the world supposed before.
Because when you are constantly on the cutting edge, when you constantly see and feel all
these TTPs, it is very important to say that we deal with special services. They are in charge
of all the attacks. They conduct these cyber attacks. They orchestrate these cyber attacks.
So these are not about some talented youngsters that are in search of easy money.
So this is not about ransomware. This is about professionals. They have laboratories, they have research institutes, institutes to develop specific malware, custom malware for specific systems.
And so they did it all the time.
And there were a number of attacks, you know, but probably not known to all the world, that we stopped on initial stages and understood what
methodology they actually used. So, of course, yes, the knowledge that we gained
during those eight years, like I said, was probably the crucial thing
that didn't let the Russians do what they wanted. Speaking about
attempts, there were and are a number of attempts to conduct
destructive, serious destructive attacks. For instance, just recently, they tried to attack
one of our telecom operators, and we have three of them. So, and it means that even causing damage... and, believe me, they were very, very deep, but luckily
we managed to stop it, and so no damage has been produced. It was starting from
eavesdropping and finishing with leaving like around 40 percent of the population without
communication and if one telecom operator stops operating,
the other two, they will be overloaded. So it will be impossible for them to cope with the
problem. So meaning hitting one means hitting all three. So this is just recently, it was a couple
of months ago, for instance. And something like this is happening all the time. So they tried,
but they just couldn't... It was very difficult for them to come to success. And by the way,
another mission they had last autumn, they tried to coordinate and to conduct simultaneously cyber attacks with
missile strikes on our power grid. So there was a serious growth and there were a number of attempts
that we blocked and stopped on initial stages, hitting our power grid, our power plants,
distribution companies, and so they wanted to penetrate SCADA
and they wanted to switch off the light using cyber tools.
So it's not that they didn't try.
It's because they could manage to do that.
And of course, we need to understand that their resources,
Russia's resources are limited.
Not in terms of money.
No, they have money, they have laboratories.
But in terms of professionals that will cover all these cyber activities against all the
infrastructure of Ukraine. Because our infrastructure is huge. Ukraine is a very
big country. And it's not that easy to cope with everything, with communication, with power grid, with conducting
psychological campaigns, with ministries, state administrations, etc. etc. etc. And apart from
that they also conduct cyber attacks on countries that support Ukraine. So somebody also has to do
it as well. Of course, we understand that these are usually low-profile actors that they use, because most of the most dangerous and aggressive cyber potential,
it goes here in Ukraine, and we digest it. But nevertheless, somebody has to do this.
And you understand that it's not that easy to take a ransomware guy and make somebody who attacks Ukrainian infrastructure
with destructive attacks just in a couple of... or it may be in a couple of years,
because they were all focused on infrastructure in the United States of America, in Canada, in
Europe. So different tools, different methodology, so it is difficult for them to bring enough
people, you know, professional people that will cheat our...
I got to confess too, Ilya, I don't
quite understand their strategy, right? Because, you know, you've spoken about this and there's
been some debate in cyber circles about whether or not these attacks against things like power
facilities at the same time that they're being struck with missiles and struck kinetically, about, you know, what Russia is really trying to
achieve with the cyber component there other than just keeping everyone on the defending side quite
busy. Like there's no deeper strategy. There might be coincidental targeting, as in, okay everybody,
we're attacking this place today, or we're attacking this
facility. But there doesn't seem to be any sort of combined arms approach or thinking going into
doing this sort of stuff. I mean, you know, I'm certainly an outsider in all of this.
But what do you think about this idea that Russia's strategy just seems to be
to cause as much chaos as they can, and there's not really anything deeper to it than that.
First of all, it is very important to know how military systems and, let's say, post-Soviet
military systems work with a lot of bureaucracy, with a lot of people in this chain of command, and it's very difficult to make things work as the order is.
So meaning you order to do this, do the combination, and let it be effective.
But in the end, it's not that effective,
just because of all the problems Russia has,
not understanding how we defend ourselves already.
So it doesn't mean that the idea was to create chaos. The idea was... it's like with missile attacks. So
having this air defense we have now,
thanks to our partners, we still need a lot. But nevertheless the
accuracy of Russian missile attacks today is a little higher than 80 percent,
sometimes I mean lower than 20 percent out of 100, yeah, sometimes 10 percent. So it means that you
try everything you can and something will hit. So that's how they worked with power plants, and
the exact same thing they tried to do with cyber attacks. So meaning that, I don't know, maybe there will be a cyber attack
or a missile coming there, but in the end the overall effect...
So they're throwing everything
in and hoping something will do the job, right?
Absolutely.
But it seems like the cyber component
of this, you know, this is actually something that Ukraine has been able to withstand quite well.
This is the first actual cyber war, meaning that there are two countries, Russia as an aggressor, we protecting ourselves and also conducting counter-offensive already.
I won't hide it.
So, yeah, of course, we also conduct specific operations because we have all the right to do that.
We are not the aggressors, and of course
we need to make them busy of course we need to penetrate their systems we need to get the
important intelligence in order to make our victory happen faster but so these are two countries
not hesitating to conduct destructive attacks, you know. So this is the first example, so right example,
and that's probably so many things that happened for the first time.
So nobody had experienced like this before,
and now this is a testing ground for this,
and Ukraine is a testing ground for Russia's cyber weapon,
what I say, and now we see how it works here
in the country that was prepared for eight years before. But saying that they are not effective,
it's very important to understand that you cannot predict what would be if Russia would attack
another country, not Ukraine, some European country, some small European country.
That's not prepared in the same way because it hasn't had the experiences yet.
And, you know, I do believe that the consequences could be indeed very, very serious... a problem that cyber attacks can actually cause when they are conducted in a destructive manner,
like what they do here in Ukraine now.
I mean, it's interesting because it seems like you're
agreeing with a theory that I've heard before, which is that Russia made a strategic mistake
in 2015 by launching these types of attacks against Ukraine, because it forced
policymakers, it forced leadership in Ukraine to take this extremely seriously and get prepared,
which may have made it much more difficult to do these sorts of things again during this phase of
the war. So it sounds like you're agreeing with that and that Russia's prior behavior
helped to prepare you.
Even more than that, you mentioned 2015, but let's not take
that long. For instance, if we say about the cyber attacks in the beginning of the year,
like January and February, I do believe that this was a great mistake because they did have good access
to our systems and they could use them simultaneously on February 23, all together.
And, you know, because like I said, we had this dress rehearsal and we could be more sort of
relaxed, you know, and because indeed, January, February,
and then after the invasion,
probably in the first week or two,
they used most of the aces that they had in their sleeves.
So they'd done the preparation,
they'd got the access,
they pulled the trigger,
and then after that, they didn't really have,
you know, I mean, and this seems to be a
consistent theme, which is Russia didn't have a plan B. They had a plan where they expected to
achieve their objectives in Ukraine very quickly, and when that didn't happen, they
didn't really have a backup plan. I mean, that seems to be the narrative, right?
Absolutely. And
you know, yeah, and they started to run out of fuel, because indeed they supposed it to be a blitzkrieg.
And then after a couple of weeks, when they understood that this is for a long time,
so they just started to attack everything they could with all the potential they had.
So they even attacked toy stores.
What does that mean?
That there was an order that you need to attack,
and then you look, okay, what can I attack?
I need time in order to get a good access to good systems,
so I will attack what is easier to attack.
So like toy stores, like pizza stores, etc.
Anything vulnerable, I think, is the point, right?
Yes, anything that they could find.
So this was during the first time.
Then after a couple of, I don't know, a couple of months, probably, they understood that
this tactic won't lead them to do anything.
And they changed it.
And they started to be more focused on reconnaissance.
So they understood that now they need to know more about our plans.
Yeah, now they need a plan B, but they're going to have to come up with it while they
do it.
Absolutely.
Yeah, absolutely.
So this plan B, it emerged after a couple of weeks or even months because of all this
bureaucracy after the actual invasion.
Yeah, that's for sure.
And of course, back in 2015, you said that this was a
mistake. This was a mistake, but I do believe that this is about strategic leadership. I don't think
that everyone in Russia in 2015 understood and knew what is about to happen and that the full
scale war is about to happen, you know, so that that also something we need to consider.
And Ilya, do you have any theories for why they launched these attacks so early? I'm talking
about January and February before the full scale invasion. Do you think that was a lack of
coordination between their cyber forces and their military forces? Maybe they thought that they
would go earlier than they ultimately did? Why sort of use up your ammunition, if you will,
before you actually start? Well, my theory is that they wanted to
execute these cyber attacks. And the idea was that with these massive cyber attacks,
they will, first of all, they will wipe out a lot of infrastructure and make people panic, make people more vulnerable, and they will prepare people.
Most of the things that it was about psychology of our people,
like what will happen in a couple of weeks, we're speaking about, or months,
because actually nobody knew when the invasion is about to start.
You remember there were a number of dates. So
started in January and then, okay, February. So a new date was coming every time, meaning that
probably this was a cyber attack and everywhere, everyone would be so shocked with what would
happen. It would be easier for them to come, you know, and break our people's
mantle. So I do believe that that was the idea, but we coped with them and even showed, okay, look how
strong we are, we cope with that kind of attack. So it played a bad, bad job with them, but I do
believe that the idea was like that, because even on February 24, the morning, the main focus of their attacks was on this psychological
point.
There were a lot of Telegram channels, they tried to attack websites of local state administrations
in order to leave people without information and without the understanding of what is going
on.
I do believe that probably you cannot imagine
what happened here on February 24th.
This is something, no matter that there were some kind of warnings
that they were about to start,
but actually nobody thought that this would be from all sides,
you know, such a full-scale thing.
And it was chaos.
And when there's chaos, when there is
fear, people always are searching for information. So it's vital and important. And you know,
this disinformation campaign is that Kharkiv is already surrounded, Sumy is already surrounded. And that wasn't true. That was their initial focus back on February 24th
for a couple of days. To break people's will to resist and to make them surrender. So I had to
believe that this series of attacks would show people that look what we do with your IT infrastructure and when the operation would
start actual full-scale work they would say surrender otherwise you will have even more
dramatic effects than what you have seen a couple of weeks or a couple of months ago so I do believe
that the idea was like that and this is the idea of special services, of GRU, of FSB.
That's how they play things.
Because military people, they have a little bit more plain understanding of how to make people surrender.
So Ilya, you mentioned GRU and FSB.
So there are, as our listeners know, three major intelligence services in Russia that conduct cyber attacks.
GRU, the military intelligence, FSB, the domestic and kind of near-abroad intelligence service,
and then SVR that does the foreign intelligence mission.
Which ones have you seen in Ukraine?
Is it all of them?
Which ones are most aggressive?
And do you see any cooperation between any of these agencies
or they're all operating on their own?
So we witness all three of them. If to speak about
most dangerous, these are GRU and FSB. I don't know who will be the first. Probably, in my opinion,
it will be GRU. These are APT28 and Sandworm. However, FSB has also strong APT groups,
for instance the Gamaredon group and Turla. But I do believe that, especially in the beginning,
GRU, for a short period of time, they were put in charge of all the operations, because we have the information that some accesses to our
systems that our special services had, they gave these accesses to GRU in order for them to conduct
a simultaneous and planned operation. However, after that, when things turned out in a different way than they planned,
they all started to work separately. And today, we mostly see GRU and FSB,
they are more active than SVR. However, SVR is also leased.
I just want to jump in there earlier and ask you,
you know, it seems like Ukraine has done well under the circumstances when it comes to defending
itself against these attacks, right? You know, you're talking about, as you pointed out, a large
country, lots of infrastructure, a fairly small economy. What do you attribute your success to?
You know, what were the things that you did that worked
because I'm sure there's a lot of people both in industry and in policy who are listening to this
who would love to know, like, if you had to describe the secret of your success, you know, what would
that be?
There is... there can be a simple answer to this question, but probably, probably, first, like I said, this is experience. We had time to be prepared.
And not only our professionals, how to counter the attacks, I mean, on technical level,
but also about policy, about strategies, about law. Again, this is our communication and our cooperation with our partners.
These are both, I'm speaking about state and non-state entities, special services.
So we've studied a lot.
We've studied our people abroad.
We've seen best practices that were in the world at that time.
So we received a lot of help. We received a lot of financial help,
hardware and software and all other kinds of stuff during that time. And you know, the more cyber attacks
we had, the more notorious cyber attacks we had, the more help we received during that time. And of course, in terms of
money this is a very big problem, because the IT infrastructure of Ukraine is huge.
It's big, huge, and it is very difficult to protect everything. But it's very good that we have
algorithms already, so like we know what to do when something bad is happening.
And we have possibility to react. We know how to react quickly. But nevertheless, a lot of
systems still in Ukraine, they have to be built from scratch. A lot of things that we still need
to do. And this is also one of the priorities of our country and the Security Service
of Ukraine, as we are responsible for this cybersecurity, that we need to make our objects of
critical infrastructure not just well protected, but I do believe that we need to make them a gold
standard in cybersecurity.
So because most of cyber potential, the most aggressive cyber potential that exists in the world now, we digest it.
And our walls need to be as strong because we take this cyber potential and it cannot
go further. Because once our defense would fall, once our cyber defense would fall,
you understand that this potential would be used elsewhere in other countries in the world.
So I do believe that this is not only our mission, but it's also the mission of the whole democratic world to make our systems protected and to make it possible for us to cope
with all the possible cyber attacks Russia is about to conduct further. It is very important
to say. So these are both mixture of experience, of knowledge, of understanding best practices,
of getting all kinds of financial support and of all kinds of
intelligence support as well, because we get information from special services, from cyber
security companies that make all kinds of different investigations, and we understand what infrastructure
can be used, what malware can be used, what possible victims here in
Ukraine we have.
So this is all the combination and understanding how to use this information quickly and in
the most relevant way, probably this is the key to success.
And of course, after the full-scale invasion started, you know, it seemed like there were
a lot of Western companies that wanted to volunteer products and services.
I mean, we've heard stories of, I think it was one of the companies that makes FIDO2 keys,
sending over 30,000 of them and things like that,
and Microsoft helping out with things like O365 access.
How helpful has that stuff been?
And are you still getting what you need?
And what else do you need?
We've got a lot of industry listening to this.
So yeah, what has helped in that round?
And what else do you need?
Well, indeed, like I said, a lot of things that we've received.
You mentioned already some companies, and this was in both, in Microsoft and Cisco.
So you probably know that what we did was cloud migration just before the war,
and it was extremely helpful because we managed just to save our most important data from missiles,
because a lot of our infrastructure,
we understand, was virtually occupied.
So when we managed to bring and to store
this very important information, it grew.
But apart from this, if we speak about cybersecurity,
we received a lot of tools free of charge from different companies, like, for instance, from Mende and from Cisco, specific telemetry sensors... probably around 11 o'clock, and they said you have unlimited access to all our products.
So meaning they have this specific XDR, extended detection and response,
decisions sensors we spread along our objects of critical infrastructure, and they also
gave us dedicated teams of people who will analyze the information from these
telemetry sensors and to help us to cope with cyber attacks. So this was
extremely important at SysTodium, the same for instance. So it was extremely
important for us because we had additional hands to cope with these
cyber attacks in the very beginning. Then, for instance, US Cyber Command, they came to Ukraine in December
2021 and together we inspected a couple of objects of critical infrastructure that we believe
will be, that Russia will focus the attention on, supposedly. And it happened just like that. So
together we inspected that and then they provided
us with some specific hardware and software. And it helped us a lot because just after the
invasion they started to attack these objects. So these are just some examples of the help
we received. And then the help from cybersecurity companies when we constantly received the flow
of their investigations about Russian APT groups, about their TTPs, about what they are doing
and working with malware, etc. So the combination of these helped us a lot. However, like I said,
our IT infrastructure is huge and it's a very important question today. A lot of
people, companies, countries, they ask, what do you need? Probably the thing I want to ask now,
I ask for the cybersecurity companies to come to Ukraine right now. And we have a special
group of everyone who is involved in cybersecurity.
We have a vice prime minister there in charge.
We have security service representatives there.
We have MOD representatives there.
We have armed forces representatives there,
a national security council.
So we all sit together and any cybersecurity company
comes, we say, okay, you go to that ministry. There's a list where you decide
that here are 20 ministries, 20 state entities that are top priority for
now. You can go here or there and inspect. You understand that we need
like sometimes maybe weeks in order to understand what are the needs of the particular state entity,
the object of critical infrastructure.
And then after that, we have a project for every object.
And this project goes to a transparent platform where you just enter and see what exactly you need.
And then Google says, okay, I donate this
amount of money. Cisco says, I donate money and servers. Canada says, I donate money. They all
understand what we need and it is stamped and approved by somebody who has credibility.
But Ilya, it sounds like you're trying to replicate what has been done on the military side, where there is this mutual conversation with allies of what artillery
systems you need, what tanks, what armored vehicles, and you're trying to create that list
on the cyber side as well, and then see who can contribute to that. Is that right?
Absolutely. But the only difference is that here in cybersecurity, it's a little bit more difficult.
Why?
Because when we speak about the military, we know how many rounds, how many shells we need.
We know how many tanks or planes or jets we need. And here we still don't know how many servers, how many XDRs, how many
security operations centers, how many SIEM systems we need. So we still don't have the full
understanding of what exactly we need. So this stage is also very important, and when we speak about the military,
this stage can be omitted. But the idea is the same. We have this system that is called
Karawai. It was built on... So there is a NATO system, LOGFAS, so we use this system and
rolled out this Karawai, and so our partners are attached to this system
and they see how many tanks we need,
how many of all the stuff, and they donate.
So yeah, the idea is like that,
but a little bit deeper
because of this preparation level
we still need to do in cyber.
Well, that's very helpful.
And for those in cybersecurity industry
that are listening to us,
you can get in touch with us,
either Patrick or myself,
and we'll get you connected. If you want to donate your expertise, come to Ukraine. It's a great
country to visit. I was just there, and you're obviously doing a great cause if you do so.
Now, Ilya, I want to wrap up by asking you about a recent report you guys released on this Android
malware that you guys discovered in your networks that
seems to be a little bit different from the cyber attacks we've just talked about. They're targeting
your infrastructure. This one was focused on collection of intelligence from battlefield
systems. Presumably you guys use a lot of battlefield management software on Android
devices. I know there's a system called Kropyva that focuses on artillery
coordination and bringing resources to bear on the right targets. How do you assess that
particular operation by the GRU, this Android attack? Do you think it's particularly sophisticated?
You mentioned that they were able to also potentially write this malware by collecting
devices from the battlefield and understanding how they work and target them more specifically?
Yes, we do believe that this is a very, very sophisticated attempt.
We knew that military systems were among the top priorities of our enemy.
Like I said, they started to focus more on reconnaissance.
And this was, first of all, the business military systems.
This was our logistics and transportation.
It was important for them to understand about this weapon we received from our partners,
what are the routes and how it is being deployed.
And of course they tried also to penetrate our, how they call it, decision-making centers,
so these are our ministries and our president's office, etc., etc., in order to get the most important intelligence about our plans, about
the weapon, and all that stuff.
And, yeah, indeed, it is very interesting, and this is something that for sure will be
used by our partners.
This is how effectively we use military situational awareness systems. And we have a number of them.
The most popular and most prominent are Delta and Kropyva,
but there are a number of others.
And they were focusing their attention
specifically on this system all the time.
So we've seen a number of attacks on Delta, for instance. They created...
So it's very important to understand. I do believe that not everybody from our listeners understands. So Delta, the thing is that when you penetrate the system, you cannot see the whole
picture. So it's like multi-layered, and so every user, he sees a
small percentage only what he needs in order to conduct operation. It's to
briefly describe. So what they did they created fake website of Delta
and that's how they managed to get people's login and passwords.
And they tried to log into as many accounts as it's possible to see the big picture.
This was their first attempt.
But speaking about Kropyva, indeed, another important thing that we've witnessed is
how they put their hacker groups
closer to the front lines.
So there are hacker groups working in Donetsk, for instance.
In the very beginning, we thought, why was that?
So what was the point?
But then we understood,
because first they have better cooperation with military,
and they have quick access to devices.
And they also have access to infrastructure, our infrastructure on occupied territories.
So in the Donetsk region, Zaporizhia region, Kherson region, so there is infrastructure of our operators, of our providers, other systems that were there. So they can use this infrastructure
and they can get quick access to devices
because all these systems like Delta and Kropyva,
they are installed whether you're on your phone
or on your tablet, for instance, or on your computer.
But the thing is that, why Android?
Because iPhone is more expensive, of course, and we do understand that when we speak
about the regular people and military, usually they will have Chinese phones, so they are not that
expensive, and they are on Android in that way. So, and they were that focused that, speaking about this Kropyva, we identified and found at least seven malwares, as we understand, in their research institutes they
had in the GRU, because this was conducted by the GRU. So they took this malware and penetrated. And
there were, you know, why it was also sophisticated. So they tried to avoid detection.
There were a number of backdoors, so alternative backdoors,
in order to get the information from the system. And why was it also very dangerous? Because
it's not that you will get the information from Kropyva from these attacks. You will get the access
to devices, so you will see pictures, you will see everything that's on your WhatsApp, Telegram and
whatever messages you use. So everything that's inside your phone could be exfiltrated, and that
was extremely, extremely dangerous. And apart from that, one of the samples of the malware
was used in order to get the information about Starlink,
so if it is connected to Starlink, the configuration would go there, meaning
that they would have the possibility also to coordinate their artillery
shelling or missile attacks, because they will see the coordinates of the Starlink
that this or that device is attached to. So you will see a
multiple number of devices with important information on it, and with
Starlink just recording, so you understand where probably the high-rank
dangerous stuff. And the preparation took a lot of time. So you need to first, you need to inspect this system.
Then you need to produce this custom malware.
Then you need to get inside Penetrate.
So it took months for them to try.
And luckily we stopped it on initial stages.
And according to our partners, special services
and our partners from NATO,
they say that
this is the first very bright example of military cyber defense operation.
We conducted this operation with the armed forces, of course, because we needed to take and clean
up all the devices that were there, so we needed to take this Kropyva, get inside, and we found how they managed it. So the specific port
5555 was used in order to penetrate the Android devices. So we got this information,
we fixed it and fixed all the problems and cleaned all the devices. And so this was a long operation.
So just to be clear, these devices had an open port, did they, on 5555?
So the Kropyva had this open port.
Yeah, yeah.
I mean, that is an oversight, right?
Like, it is lucky that you caught that,
because that would have enabled them to spread that malware
to those devices fairly easily.
That's exactly it, you got the point. But the thing
is that you always can, almost always, you can find something. It might be this port or something
else. The thing is how focused you are and whether you have professionals that are able to
find this problem and then to build this malware, you know, and then to do,
to conduct the penetration. So this is what I'm saying, that these are not ransomware guys,
you know, just a phishing email and then locking your computer.
I mean, I read the report as well. I mean, this was the smartest thing we'd seen from them in a
while. I mean, you would probably agree with that, right? It was the most creative thing we'd seen from the Russians
in a little while. I would say this is one of the most creative things because there are a number of
other things that we are still investigating and we just don't make it public. But believe me,
this is not the only attack that we would call very sophisticated, unfortunately.
All right, Ilya Vitiuk, thank you so much for joining Dmitri and I to have this conversation.
You know, I'm full time on cyber and have been for 20 years, and this was just a
fascinating discussion. Thank you so much, and all of the best with your mission.
Thank you very much, Patrick. Thank you, Dmitri. Thank you, Ilya.