Why Ukraine Has Already Lost The Cyberwar, Too

Why was there no cyberwar in Ukraine? Because Russia has no need to attack that which it already owns.

A pro-Russian militant stands guard in front of the occupied Ukraine Security Service building on April 21, 2014 in Slovyansk, Ukraine.
National Journal
Patrick Tucker, Defense One
April 29, 2014, 10:31 a.m.

Don’t wait for cyberwar between Ukraine and Russia to break out ahead of the actual shooting. Ukraine already lost that, too. Russia may have unfettered access into the Ukrainian telecommunication systems according to several experts. It’s access that Russia can use to watch Ukrainian opposition leadership, or, in the event of an escalation in the conflict, possibly cut off telecommunications within Ukraine.

The ongoing situation in Ukraine has been marked by bloody protests, sieges of government buildings, ethnic clashes and misinformation campaigns. In cyberspace, relatively low-level exchanges between hacker groups have taken the form of temporary website attacks called defacements and distributed denial of service, or DDoS, attacks, which flood sites with phony traffic, rendering them inaccessible. (For a quick timeline of Russian and Ukrainian hacktivist cyber-volleying, check out Ukraine Investigation’s coverage here.)

Russia has no need to attack that which it already owns, say several experts. “Russia already had access [to the Ukrainian telecommunications infrastructure] for years. That’s true for almost all of the Commonwealth of Independent States. They all rely at some point on Russian technology,” Jeffrey Carr, CEO of the cyber-security firm Taia Global and author of Inside Cyber Warfare: Mapping the Cyber Underworld, told Defense One.

Russia’s access stems from two factors. The first: Ukraine’s communications intercept system, which allows the Ukrainian government to tap into civilian electronic communications, very closely resembles the Russian intercept system called SORM. SORM was developed by the Russian KGB as a means to surveil electronic communications within the Soviet Union. Essentially SORM serves as a backdoor for intelligence spooks to listen in on electronic communications. Think of the NSA’s PRISM program, but far more robust in terms of capability and with far fewer legal restrictions on its use. The current iteration, SORM 3, allows the Russian Federal Security Service, or FSB, backdoor access into landline, mobile and email communications.

Ukraine has its own SORM system modeled after Russia’s. But, as Russian journalists Andrei Soldatov and Irina Borogan explained in Wired in 2012, Russian companies such as IsKratel manufacture equipment that Ukraine uses to maintain its system. Other manufacturers of SORM equipment include Juniper Networks, Huawei, Cisco and Alcatel-Lucent out of France. The simple fact that SORM equipment manufacturing firms are a matter of public record suggests vulnerability to hacking. The same technology that allows Ukraine’s Intelligence Service to eavesdrop in Ukraine may give Russia the same amount of access into Ukrainian communications.

“With local Ukrainian media sources reporting Ukrtelekom outages, it is unclear what reach Russia has into the Ukraine due to its use of the SORM standard,” Scott Donnelly, open source analyst with Recorded Future, told participants of an online webinar on Thursday. “While multiple additional pieces of information are necessary to definitively conclude Russia has a backdoor into the Ukrainian telecom system, it is clear the telecom equipment and layout are quite familiar to Russian military and intelligence officials operating in the cyber arena.” Ukrtelekom is the primary landline phone operator in Ukraine, servicing 80 percent of the country’s users.

Additionally, Russian telecom firms Vimpelcom and MTS do considerable mobile business in Ukraine. MTS reportedly has 22.4 million subscribers in the country as of September 2013, making it the second largest mobile player. “It’s Russian companies that are providing the mobile services. That gives the Russians an avenue in,” James Andrew Lewis, director and senior fellow of the Strategic Technologies Program at the Center for Strategic and International Studies, told Defense One. “There’s an advantage to having ownership, having insight, knowing the legacy system and having relationships, and being physically present in adjacent areas. That all makes it easier for them.” Russian dominance in the Ukrainian mobile space was on full display back in January when protestors taking part in street demonstrations against the pro-Russian regime of then-President Viktor Yanukovych received ominous text messages reading, “Dear subscriber, you are registered as a participant in a mass disturbance,” according to the New York Times.

A similar phenomenon occurred in the first week in March, as reported by Reuters, just before the Russian incursion into Crimea, when Ukrainian security chief Valentyn Nalyvaichenko revealed to journalists, “I confirm that an … attack is under way on mobile phones of members of the Ukrainian parliament for the second day in a row.”

Private Russian companies colluding with the Russian government to give Vladimir Putin a backdoor into clients’ systems is a practice that falls in line with the way the Putin government exercises influence over sectors of the Russian economy.

“These companies invested in Ukraine to make money. But now, if their friends from the FSB show up, say ‘Can you give us a hand? Tell us about the networks that you invested in. Give us some of the technical details or specifications?’ [The companies are] not well-placed to say no to that request. The companies did this for commercial reasons, but because [the companies] are subject to Russian control, that means that at any moment when it’s in Russia’s interest to extend that control, they can do so,” said Andrews.

Russia has other levers to pull in exerting control over communications in Ukraine, besides technological, as demonstrated by the strange story of Ukrtelekom, which was purchased in 2013 by Ukraine’s richest man, Rinat Akhmetov. Akhmetov, a coal and mining magnate, is a native of the region of Donbass, which has been a hotbed of separatist protests and police clashes. He was a staunch ally of Yanukovych. But not long after the former President fled the country, Akhmetov made a series of public comments stating his intention to use his power and resources to keep “Donbass and Ukraine are together forever.”

He may be earnest in that promise, or simply aligning himself with what he perceives to be the winds of change bellowing through Kiev. But his coal mining operations in the Donbass region, the chief source of his wealth, are extremely vulnerable to Russian meddling. Not long after Akhmetov issued his statement, a deputy of the State Duma of the Russian Federation, speaking to a Russian newspaper, said that if Russia were to annex Donbass, most of the Donbass coal mines would be shut down.

Wherever Akhmetov’s true loyalties rest, he’s not averse to quickly shifting sides to protect his interests.

On Friday, Feb. 28, armed gunmen broke into Ukrtelekom’s operation center in Crimea and were able to cause phone and Internet disruptions. Western media treated the incident as unremarkable. But the annexation of Crimea probably improved Russia’s ability to derive signals intelligence from Kiev — exponentially — according to Andrews. “Where they were getting ten messages before, now maybe they’re getting 70,” he said.

Does unfettered Russian access over the communications space in Ukraine necessarily mean that Russia could stage a telecom blackout?

The company Renesys, which monitors Internet services globally, has called the possibility of a fast Russian takedown of Ukrainian telecommunications and infrastructure unlikely. John Bumgarner, chief technology officer at the U.S. Cyber Consequences Unit, agrees. “Ukraine has approximately six [trunk lines] running through the country. Most of the telecommunication points were going through Kiev.”

It’s a subject of continual dispute among experts (see this article in Newsweek for background), but history suggests that Russia is holding back considerably. In 2008, pro-Russian forces successfully attacked key web sites of Georgian groups, such as the site for the Ministry of Foreign Affairs as well as several news sites. Russian groups were able to launch a similar, coordinated cyberwar campaign against Estonia in 2007. When asked if Russia could stage a Ukrainian version of the Georgia cyberattack in 2008, Andrews replied that Russia “could probably do something similar to what they did to Georgia.”

Bumgarner disagreed. “In Georgia, there were only two primary access points, one was through Moscow and the other through Turkey. The Kremlin was able to control data flowing through both of these access points, thus squeezing Georgia’s presence on the Internet. Russia would have a difficult time controlling the full cyber spectrum in Ukraine,” he told Defense One.

Andrews added that he thought that a takedown of Ukraine’s telecommunications infrastructure was unlikely, not because of technological limitations, but because a blackout wasn’t in Russia’s immediate interests. “They already have total intelligence dominance. And they have achieved their political ends, they don’t need to do much more,” he said.

Carr, Taia Global’s chief, was less equivocal. “The bottom line is that if the Russian government wanted to shut down Ukraine’s power and telecommunications, they could do so at will. If this becomes a full-scale war, you can expect a definite interruption of services - strategically planned. And there’s nothing that Ukraine could do to stop it,” he said in an email. Such an assault would signal a departure from the stealth-invasion tactics Russia has employed to great effect so far.

Recorded Future’s analysis said that heavy DDoS activity around a few upcoming events may signal conflict escalation. On May 1, NATO will expand its air-policing mission in the Baltic. On May 11, the Eastern cities of Donetsk, Luhansk, and Kharkiv face possible referendums. Most importantly, on May 25, Ukraine holds its presidential election.
