Ukraine's Victor Zhora: Russia's cyber 'war crimes' will continue after ground invasion ends
International laws needed 'to bring accountability' govt chief tells The Reg
Black Hat: Ukraine's cybersecurity boss Victor Zhora says he expects Russia's online attacks against his country – including cyber "war crimes" – will continue long after the physical war ends unless increased international pressure is applied.
"Russia will continue to be dangerous in cyberspace for quite a long period, at least until a complete change of the political system and change of power in Russia, converting them from an aggressor to a country that should pay back for all they've done in Ukraine and also in other countries," Zhora told The Register.
"So definitely, even after the war ends on the battlefields and in kinetic aspects, more likely it will continue in cyberspace," he said.
Zhora, deputy chairman and chief digital transformation officer at the State Service of Special Communication and Information Protection (SSSCIP) of Ukraine, today joined US Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly on stage to give a Black Hat conference keynote as the annual hacker summer camp kicked off in Las Vegas.
But before the Black Hat fireside chat, he sat down with The Register to discuss the world's first hybrid online-offline war and what the rest of the world can learn from Ukraine's defenders, who, Zhora said, fend off an average of ten "major" cyber incidents per week.
This led to a record 2,194 such events last year. "And up to this moment, it's up to 11,002 incidents that we have faced since the war began," Zhora said.
Kremlin strategy
Russia has conducted five phases of cyber war, according to Zhora. The first started on January 14, 2022 — a month before the ground invasion — and involved a strain of info-destroying malware called WhisperGate hitting Ukraine's IT infrastructure and government websites defaced to tell Ukrainians to "be afraid and expect the worst."
"This attack was followed by a number of really huge, powerful DDoS attacks in the middle of February, and numerous cyber incidents in the day before the full scale invasion," including the Viasat satellite hack, Zhora said.
The second phase saw the use of more wiper malware and distributed denial of service (DDoS) attacks. Phase two saw the number of detected cyber incidents triple in March 2022 compared to a year prior, Zhora added.
"The third phase can be described as a decrease in the number of cyber incidents, but at the same time, increasing in their sophistication and technical advantage," Zhora told us. He cited Russia's unsuccessful attempt in April 2022 to shut down Ukraine's power grid and disable electricity substations.
During this period, Russian spies also attempted to disrupt Ukraine's telecommunications and other critical infrastructure, and targeted service providers, media, and public-sector orgs.
The fourth phase of cyberattacks began in the latter half of that year, and coincided with Russian cruise missile attacks on Ukraine's power grid and water system. "Numerous attacks, which were combined with kinetic strikes, and there was a very, very active period before New Year's Eve," Zhora said.
"But now, we're observing this shift from disruptive cyber attacks to phishing, data collection and cyber espionage," he said, referring to the fifth phase.
During all five phases, Russian operatives and troll farms have continued to run propaganda and disinformation campaigns to support the illegal invasion.
War-crimes investigation
In addition to fighting on the frontlines of the cyber battlefield, Zhora said Ukraine law enforcement agencies and researchers continue to push for war-crime charges to be brought against Russia for its cyberattacks.
"We continue analyzing evidence and proof of attacks that caused serious disruptions and impact in time of war, which we consider to be cyber war crimes or helped kinetic attacks to be more effective because of intelligence gained, or with the use of cyber weapons," he said. "Or, for instance: psychological impacts of cyber operations, which amplify the overall effects of kinetic strikes."
Prosecution by international courts would serve as an example of "crime and punishment" — and deter Russia or other nations from using cyber weapons during future wars, Zhora said. However, he acknowledged that it won't be easy to bring Kremlin-backed snoops and miscreants to justice if they continue to receive safe harbor in Russia or its territories.
"We understand that Russia violates all international laws, and they will keep their hackers in uniform, in Russia, even on any request to prosecute them in the International Criminal Court," he said.
Because of this, it's imperative that the global community find "new approaches" to prevent cybercrime and cyberwarfare in the future, Zhora added. Measures he believes would be effective include new legislation and efforts to bolster cybersecurity of critical infrastructure and networks, both inside and outside of Ukraine.
"We should improve international cooperation, creating a kind of cyber coalition of states [advocating for] responsible behavior in cyberspace and proposing new approaches and new strategies of countering this aggression," he said. "Together, with changes in international legislation, this will bring accountability to these attacks." ®