Why Ukraine Has Already Lost The Cyberwar, Too

Don’t wait for cyberwar between Ukraine and Russia to break out ahead of the actual shooting. Ukraine already lost that, too. Russia may have unfettered access into the Ukrainian telecommunication systems according to several experts. It’s access that Russia can use to watch Ukrainian opposition leadership, or, in the event of an escalation in the conflict, possibly cut off telecommunications within Ukraine.

The ongoing situation in Ukraine has been marked by bloody protests, sieges of government buildings, ethnic clashes and misinformation campaigns. In cyberspace, relatively low-level exchanges between hacker groups have taken the form of temporary website attacks called displacements and distributed denial of service, or DDOS, which flood sites with phony traffic rendering the site inaccessible. (For a quick timeline of Russian and Ukrainian hactivist cyber-volleying, check out Ukraine Investigation’s coverage here.)

Russia has no need to attack that which it already owns, say several experts. “Russia already had access [to the Ukrainian telecommunications infrastructure] for years. That's true for almost all of the Commonwealth of Independent States. They all rely at some point on Russian technology,” Jeffrey Carr, CEO of the cyber-security firm Taia Global and of the author of Inside Cyber Warfare: Mapping the Cyber Underworld, told Defense One.

Russia’s access stems from two factors. The first: Ukraine’s communications intercept system, which allows the Ukrainian government to tap into civilian electronic communications, very closely resembles the Russian intercept system called SORM. SORM was developed by the Russian KGB as a means to surveil electronic communications within the Soviet Union. Essentially SORM serves as a backdoor for intelligence spooks to listen in on electronic communications. Think of the NSA’s PRISM program, but far more robust in terms of capability and with far fewer legal restrictions on its use. The current iteration, SORM 3, allows the Russian Federal Security Service, or FSB, backdoor access into landline, mobile and email communications.

Ukraine has its own SORM system modeled after Russia’s. But, as Russian journalists Andei Soldatov and Irina Borogan explained in Wired in 2012, Russian companies such as IsKratel manufacture equipment that Ukraine uses to maintain its system. Other manufacturers of SORM equipment include Juniper Networks, Huawei, Cisco and Alcatel-Lucent out of France. The simple fact that SORM equipment manufacturing firms are a matter of public record suggests vulnerability to hacking. The same technology that allows Ukraine’s Intelligence Service to eavesdrop in Ukraine may give Russia the same amount of access into Ukrainian communications.

“With local Ukrainian media sources reporting Ukrtelekom outages, it is unclear what reach Russia has into the Ukraine due to its use of the SORM standard,” Scott Donnelly, open source analyst with Recorded Future, told participants of an online webinar on Thursday. “While multiple additional pieces of information are necessary to definitively conclude Russia has a backdoor into the Ukrainian telecom system, it is clear the telecom equipment and layout are quite familiar to Russian military and intelligence officials operating in the cyber arena.” Ukrtelekom is the primary landline phone operator in Ukraine, servicing 80 percent of the country’s users.

Additionally, Russian telecom firms Vimpelcom and MTS do considerable  mobile business in Ukraine. MTS reportedly has 22.4 million subscribers in the country as of September 2013, making it the second largest mobile player. “It’s Russian companies that are providing the mobile services. That gives the Russians an avenue in,” James Andrew Lewis, director and senior fellow of the Strategic Technologies Program at the Center for Strategic and International Studies, told Defense One. “There’s an advantage to having ownership, having insight, knowing the legacy system and having relationships, and being physically present in adjacent areas. That all makes it easier for them.” Russian dominance into the Ukrainian mobile space was on full display back in January when protestors taking part in street demonstrations against the pro-Russian regime of then-President Viktor Yanukovych received ominous text messages reading, “Dear subscriber, you are registered as a participant in a mass disturbance,” according to the New York Times.

A similar phenomenon occurred in the first week in March, as reported by Reuters, just before the Russian incursion into Crimea, when Ukrainian security chief Valentyn Nalyvaichenko revealed to journalists "I confirm that an.... attack is under way on mobile phones of members of the Ukrainian parliament for the second day in a row."

Private Russian companies colluding with the Russian government to give Vladimir Putin a backdoor into clients’ systems is a practice that falls in line with the way the Putin government exercises influence over sectors of the Russian economy.

“These companies invested in Ukraine to make money. But now, if their friends from the FSB show up, say ‘Can you give us a hand? Tell us about the networks that you invested in. Give us some of the technical details or specifications?’ [The companies are] not well-placed to say no to that request. The companies did this for commercial reasons, but because [the companies] are subject to Russian control, that means that at any moment when its in Russia’s interest to extend that control, they can do so,” said Andrews.

Russia has other levers to pull in exerting control over communications in Ukraine, besides technological, as demonstrated by the strange story of Ukrtelekom, which was purchased in 2013 by Ukraine’s richest man, Rinat Akhmetov. Akhmetov, a coal and mining magnate, is a native of the region of Dombass, which has been a hotbed of separatist protests and police clashes. He was a staunch ally of Yanukovych. But not long after the former President fled the country, Akmetov made a series of public comments stating his intention to use his power and resources to keep “Donbass and Ukraine are together forever.”

He may be earnest in that promise, or simply aligning himself with what he perceives to be the winds of change bellowing through Kiev. But his coal mining operations in the Donbass region, the chief source of his wealth, are extremely vulnerable to Russian meddling. Not long after Akmetov issued his statement, a deputy of the State Duma of the Russian Federation, speaking to a Russian newspaper, said that if Russia were to annex Donbass, most of the Donbass coal mines would be shut down.

Wherever Akmetov’s true loyalties rest, he’s not averse to quickly shifting sides to protect his interests.

On Friday, Feb. 28, armed gunmen broke into the Ukrtelekom’s operation center in Crimea and were able to cause phone and Internet disruptions. Western media treated the incident as unremarkable. But the annexation of Crimea probably improved Russia’s ability to derive signals intelligence from Kiev—exponentially—according to Andrews. “Where they were getting ten messages before, now maybe they’re getting 70,” he said.

Does unfettered Russian access over the communications space in Ukraine necessarily mean that Russia could stage a telecom blackout?  

The company Renesys, which monitors Internet services globally, has called the possibility of a fast Russian takedown of Ukrainian telecommunications and infrastructure unlikely. John Bumgarner, chief technology officer at the U.S. Cyber Consequences Unit agrees. “Ukraine has approximately six [trunk lines] running through the country. Most of the telecommunication points were going through Kiev.”

It’s a subject of continual dispute among experts, (see this article in Newsweek for background,) but history suggests that Russia is holding back considerably. In 2008, pro-Russian forces successfully attacked key web sites of Georgian groups, such as the site for the Ministry of Foreign Affairs as well as several news sites.  Russian groups were able to launch a similar, coordinated cyberwar campaign against Estonia in 2007. When asked if Russia could stage a Ukrainian version of the Georgia cyberattack in 2008, Andrews replied that Russia “could probably do something similar to what they did to Georgia."

Bumgarner disagreed. “In Georgia, there were only two primary access points, one was through Moscow and the other through Turkey.  The Kremlin was able to control data flowing through both of these access points, thus squeezing Georgia's presence on the Internet.  Russia would have a difficult time controlling the full cyber spectrum in Ukraine,” he told Defense One.

Andrews added that he thought that a takedown of Ukraine’s telecommunications infrastructure was unlikely, not because of technological limitations, but because a blackout wasn’t in Russia’s immediate interests. “They already have total intelligence dominance. And they have achieved their political ends, they don’t need to do much more,” he said.

Carr, Taia Global’s chief, was less equivocal. “The bottom line is that if the Russian government wanted to shut down Ukraine's power and telecommunications, they could do so at will. If this becomes a full-scale war, you can expect a definite interruption of services - strategically planned. And there's nothing that Ukraine could do to stop it,” he said in an email. Such an assault would signal a departure from the stealth-invasion tactics Russia has employed to great effect so far.

Recorded Future’s analysis said that heavy DDoS activity around a few upcoming events may signal conflict escalation. On May 1, NATO will expand its air-policing mission in the Baltic. On May 11, the Eastern cities of Donetsk, Luhansk, and Kharkiv face possible referendums. Most importantly, on May 25, the Ukrainian presidential election.