Ukraine: The First Cyber Lessons

As Russia advanced toward Kyiv, the country mounted a massive digital evacuation while sustaining vital digital services to minimize the looming humanitarian crisis.

As Russian forces pushed toward the Ukrainian capital, Kyiv, two tasks topped the agenda: to relocate vital servers and data storage and to move some information resources outside the country.

Few knew the war started well over a month before the first Russian tank crossed the border. In fact, the cyber war began 41 days before February 24—the date the kinetic war started.

“The cyber attacks, which started on January 14, were so severe, were continuous, together with [distributed denial-of-service] attacks and with a number of disruptive attacks,” said Victor Zhora, chief digital transformation officer at the State Service of Special Communication and Information Protection of Ukraine. Zhora’s agency is tasked with coordinating cybersecurity and cyber resilience in the country.

Zhora, together with actors from the public and private sectors around the world, was directly involved in all cyber actions since the beginning.

As experts saw unprecedented levels of aggression, deep worries shook the routine of government work. Questions revolved around the essence of a 21st-century country’s data: who votes, pays taxes, is in the military and owns real estate and financial assets. The answers to these questions are discovered only through consulting databases. In the case of Ukraine, the country was transitioning to virtual ID cards; therefore, keeping servers connected meant that millions of refugees could access basic benefits and services worldwide with their phones.

“Closer to the full-scale invasion ... it became clear that the risk of losing this data in case of attack on Kyiv, or even potential occupation, was very high,” Zhora said.

Ukraine received funds and technical assistance from the United States to deal with Russian cyber threats. Since 2016, the country has received $83 million and was pledged $37 million more, according to the Ukrainian Ministry of Foreign Affairs.

Two weeks before the invasion began, protecting critical data and the servers that store it became a top priority. “The first task was to physically relocate servers and data storage to a data center somewhere in more safe places on the territory of Ukraine,” Zhora said. “The second task was to allow the storage of some of the information resources outside of the country.”

This job was not easy as local laws prohibited the use of servers overseas to host the most important data.

A series of actions were ordered to protect the integrity of the country’s most relevant information sets and services. Prior to the invasion, many followed the Kremlin’s line that there would be no war and that this was only another military exercise.

Still, the early attacks proved to be an escalation of Moscow’s cyber harassment within a much longer campaign.

“[Ukraine] has been attacked by Russia since, basically, they took Crimea in 2014,” said Marcus Murray, CEO of Truesec, a cybersecurity company with interests in Ukraine and Eastern Europe that was involved in moving digital assets out of the country in the early days of the war, according to two separate Ukrainian cyber experts. One early move from Kyiv gave enough room to operate, as they “prevented themselves from being too dependent on single points of failure,” Murray explained.

Digital capabilities have gone from the rear to the front in Ukraine, as the country seeks to protect—and use—its cyber assets. Credit: Parilov/Shutterstock

Nevertheless, this was on another scale.

“It is clear that it was prepared in advance, and the key goal of this attack is to destabilize, to sow panic, to do everything to create a certain chaos in the actions of Ukrainians in our country,” Mykhailo Fedorov, minister of digital transformation, said in mid-February of 2022 as these preparatory actions took place.

Given these circumstances, the government was already taking cyber actions before the tanks advanced.

“On February 23rd, having at least another copy for backup of important data was crucial for our public sector,” Zhora told SIGNAL Media in an interview.

And copies were not enough, as it was assumed the enemy knew the location of physical infrastructure.

This was confirmed on March 1, 2022, when a cruise missile hit a data center, according to Zhora.

Therefore, servers were placed in containers on trucks to scatter targets and to allow a speedy escape in case Russian forces threatened the buildings where they were located. This created a dilemma: mobile infrastructure was harder to hit with a kinetic attack, but the data had to stay online, so it remained exposed to hackers and enemy cyber warriors.

The solution was the cloud, but it was illegal at the time.

“We proposed a draft of law of relocating the encrypted backups abroad,” Zhora said. It was a time when minutes, not hours, counted as the government worked to legally mobilize its data.

On February 23, hours before Russia mobilized, while diplomats were hoping for the best, Ukraine’s cyber policymakers were feverishly preparing for the worst.

“We proposed this [regulation] in three or four hours, so it took the morning for us to develop this draft law, which was later put into the basis of full-scale law on the measures taken to save Ukrainians’ important data,” Zhora said.

During these difficult hours, Amazon, Microsoft, Google and Oracle, as well as the Polish government, lent advice and offered alternatives, according to Zhora. As Russians advanced, help rushed in, and “there were a lot of private calls from all around the world,” the official said and excused himself as most of the information is classified.

Despite global goodwill, there was a language barrier. Only those who could speak Russian or Ukrainian well enough to communicate with engineers in the country could lend valuable help, according to Murray, who explained he had been involved in this specific migration.

Ukraine learned cyber lessons the hard way. Still, some of the conclusions underscore international practices, while others suggest cyber warfare needs further development.

Shifting digital assets to the cloud could be time-consuming. This was a concern as Russian troops were closing in on Kyiv, where most relevant servers were physically located. But this procedure highlighted the importance of having more than one version of the functioning system to allow movement, “so you can easily switch off one and then move it to a new location while the second is working,” Zhora said.

Engineers from Ukraine and cloud suppliers had no sleep for almost two weeks, according to Zhora. “You have no idea how many terabytes that was, but it was a lot of data,” Murray said.

These systems proved key to preventing a greater humanitarian crisis. Most refugees went to Poland, where virtual identification cards were accepted. Thus, most people leaving the country could prove their identity using their cellphones.

“The different [registries] where people could get information, especially for those people who had no documents, they could restore these documents from electronic forms, from [registries] and use all these services, including governmental services,” Zhora explained.

International banking systems were also kept up, to guarantee that those who had left could use their savings to support themselves and their families.

It is hard to calculate how much larger the humanitarian crisis would have been had these two services been offline. But not all data could stay up. There were reasons to fear the Russians had done a reasonable job infiltrating systems and were ready to attack at will.

Government systems were so intimately linked to their servers that they could not be moved into the cloud, and these computers could not be taken from their buildings. Defending them posed a challenge that had not been predicted. These had to be switched off, waiting for better times to put them back online, Zhora explained. Many were offline for months.

The fear that Russia would have a “red button” to close off all digital activity in the country, according to Zhora, was real. But once Kyiv was no longer under imminent threat, and physical as well as cybersecurity could be guaranteed, more systems were restored.

Zhora was expecting a refined attack from within the networks. As the battle raged on all fronts, cyber warriors were preparing for an onslaught that never came.

“The expectations of Russian cyber power were overstated,” Zhora said.