Ukrainian hackers turn on own government to make it care about cybersecurity

Photo: Katy Levinson 


Article by: Mykhailo Shtekel
Translated by: Peter Koropey

“The Ukrainian Cyber-Alliance”, the group of hackers which last summer published the contents of emails belonging to Vladislav Surkov, an advisor to Vladimir Putin, has organized a flashmob against what it calls the irresponsible cyber-security policies of Ukrainian state agencies. As part of this flashmob, activists used nothing more than openly accessible resources to uncover documents from computers belonging to law-enforcement, state energy-industry, and military officials, and exposed them on social networks. Among the most recent “victims” of the flashmob were the Ministry of Defense and the state-owned business EnergoAtom; in both, an official investigation is currently underway. The hackers say that thanks to their “flashmob” other state agencies have closed several important vulnerabilities.

The protection of data in cyber-space has become, in the last several years, one of the most important themes of journalism across the globe. NATO has created a separate division for the fight against cyber-threats, and the Pentagon has spoken about defense against Russian and Chinese hackers. Ukraine itself has been the victim of hacking more than once. In the winter of 2015-2016 three Ukrainian regional power distribution companies suffered cyber-attacks, leading to temporary power outages in nearly 400 municipalities; FireEye, an international cyber-security company, analyzed this incident in one of its reports. The last major cyber-attack occurred in the summer of 2017, when a virus struck several state agencies, including the management of Boryspil Airport, as well as many private companies. Experts are already warning of the possibility of new cyber-attacks.

Activists of the “Ukrainian Cyber-Alliance” (UCA) decided to examine the security of Ukrainian state agencies. UCA is the same group of activists who last year published emails belonging to Vladislav Surkov, an advisor to the Russian President. Surkov’s emails referred specifically to the organization of the so-called “Russian Spring” in Ukraine’s east and to methods of destabilizing the situation in Ukraine.

Nearly two months ago these activists began a flashmob called #FuckResponsibleDisclosure and since then they “reviewed” the workings of the websites and databases of the Ministry of Defense, the National Police, the Ministry of Internal Affairs, several Oblast administrations, the Constitutional Commission, the National Security and Defense Council, the State Service of Special Communication and Information Protection, as well as other state services and agencies.

The core effort of the flashmob consists in publicizing on social networks non-secret documents from official computers, demonstrating the unreliability of the websites of individual ministries and of the official databases of state-owned businesses and critical infrastructure objects. The activists do not use typical hackers’ methods: usually they simply run searches on Google, according to Sean Brian Townsend, the pseudonym of UCA’s spokesperson, in his column on InformNapalm summarizing the flashmob’s results.
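Documents that turn up in a Google search were fetched from the owner’s own web server by a search-engine crawler first, so the owner’s access log already holds the evidence. The following script is an added illustration of that check, not code from UCA or from the article: it walks a web server access log in the Apache/nginx “combined” format (an assumption), flags office documents, database dumps and backups that a known crawler fetched with a 2xx status, and also counts visitors who arrived at such a file from a search-engine results page, which means the file is already indexed. The log lines, paths and addresses below are constructed for the example.

```python
"""Find documents on a web site that search engines have already fetched or indexed.

Added example, not part of the original article or of UCA's tooling. Assumes
the Apache/nginx "combined" access-log format; crawler and search-engine
markers are a small illustrative list, not an exhaustive one.
"""
import os
import re
from urllib.parse import urlparse

# Combined log format: ip ident user [time] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# File types that should never be reachable by an anonymous crawler (assumption).
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
            ".sql", ".bak", ".zip", ".rar", ".7z"}

# Substrings identifying major crawlers and search-engine referrer hosts (assumption).
CRAWLER_MARKERS = ("googlebot", "bingbot", "yandexbot", "duckduckbot", "baiduspider")
SEARCH_HOSTS = ("google.", "bing.com", "yandex.", "duckduckgo.com")

# Constructed sample log; none of these hosts, paths or addresses are real.
SAMPLE_LOG = """
203.0.113.10 - - [20/Dec/2017:10:15:32 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.10 - - [20/Dec/2017:10:15:40 +0200] "GET /uploads/inventory_report_2017.xlsx HTTP/1.1" 200 88214 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.10 - - [20/Dec/2017:10:16:02 +0200] "GET /backup/site.sql HTTP/1.1" 404 198 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [20/Dec/2017:10:17:11 +0200] "GET /uploads/inventory_report_2017.xlsx HTTP/1.1" 200 88214 "https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
203.0.113.22 - - [20/Dec/2017:10:18:00 +0200] "GET /docs/minutes_2017.pdf?download=1 HTTP/1.1" 200 3402111 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
198.51.100.9 - - [20/Dec/2017:10:19:45 +0200] "GET /docs/minutes_2017.pdf HTTP/1.1" 200 3402111 "https://example.org/intranet" "Mozilla/5.0 (X11; Linux x86_64)"
""".strip().splitlines()


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalized_path(path):
    """Strip the query string so '/a.pdf?download=1' and '/a.pdf' count as one file."""
    return urlparse(path).path


def is_document(path):
    """True when the requested file has one of the sensitive extensions (case-insensitive)."""
    return os.path.splitext(normalized_path(path))[1].lower() in DOC_EXTS


def crawler_name(user_agent):
    """Return the matching crawler marker, or None for an ordinary browser."""
    ua = user_agent.lower()
    return next((name for name in CRAWLER_MARKERS if name in ua), None)


def is_search_referer(referer):
    """True when the Referer header points at a search-engine host."""
    host = urlparse(referer).hostname or ""
    return any(marker in host for marker in SEARCH_HOSTS)


def analyze(lines):
    """Map each exposed document path to the crawlers that fetched it and
    the number of visitors who reached it from a search results page.
    Only successful (2xx) responses count: a 403 or 404 served nothing."""
    findings = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_document(rec["path"]):
            continue
        if not rec["status"].startswith("2"):
            continue
        entry = findings.setdefault(normalized_path(rec["path"]),
                                    {"crawlers": set(), "search_referrals": 0})
        bot = crawler_name(rec["ua"])
        if bot:
            entry["crawlers"].add(bot)
        elif is_search_referer(rec["referer"]):
            entry["search_referrals"] += 1
    # Drop documents no crawler or search visitor ever touched.
    return {p: e for p, e in findings.items()
            if e["crawlers"] or e["search_referrals"]}


if __name__ == "__main__":
    for path, evidence in sorted(analyze(SAMPLE_LOG).items()):
        bots = ", ".join(sorted(evidence["crawlers"])) or "none"
        print(f"{path}: fetched by {bots}; {evidence['search_referrals']} search referral(s)")
```

Run it against a real log with `analyze(open("access.log").readlines())`; every path it reports has, at minimum, been handed to a search engine, and anything with search referrals is already findable by the “simple Google search” the article describes. Removing the file is not enough at that point: the copy in the search engine’s cache and index has to be requested for removal as well.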

Sean Townsend (left) and colleague Dahmer (right) told Euromaidan Press why they hacked Surkov’s mailbox in 2016. Photo: Alya Shandra

In an interview with Radio Svoboda, Townsend related which agencies quickly close their own vulnerabilities, and which ignore the hackers’ discoveries. After the hackers’ “examinations,” law-enforcement officials opened at least two criminal investigations, one of which relates to Russian hackers who were able to break into the email server of the Ministry of Internal Affairs (MVS).

“The National Police’s Kyiv Oblast press-service lost a hard disk with passwords for general access. The spokesman later announced that they had received no complaints before ours, but the Cyberpolice helped them newly rebuild their computer system. Employees from the Forensic Investigation Expert Criminology Center of the MVS cleaned up their computers and thanked us after television reports,” Townsend said.

The database of the MVS Academy’s website, as well as emails of the Academy’s officers, were previously openly accessible. This data is now secured. The Academy commandant reacted quickly, while the State Special Communication Service needed five days to respond to the report, after which the vulnerabilities were closed, UCA’s spokesman related.

The National Security and Defense Council also reacted quickly to the hole in its website’s security, Townsend said, as did the Constitutional Commission. Dmytro Shymkiv, deputy head of the Presidential Administration, took part in the latter case.

Several state websites stopped working

Until only recently (20 December 2017) the website of the Ministry of Education and Science did not work. According to the hackers, this was because of their flashmob, which had found openly accessible holes in the Ministry’s database. Now (since 26 December 2017) the website functions, but the Ministry’s press service has not responded to questions regarding its cyber-security measures.

In December, the hackers published documents from computers belonging to officers of the Ukrainian Armed Forces. One document pertains to land mine clearance, and others pertain to armored fighting vehicles. The Ministry told Radio Svoboda that it is conducting an official investigation into what was actually accessed. The hackers say that one of three officers responsible for the error has already been identified, but no official confirmation has been given. The Ministry of Defense insists that the published documents contained no secrets.

Snapshots of documents published by the hackers

According to Townsend, this is not what matters. What does matter is that cyber-security vulnerabilities which Russian hackers could exploit existed within the Ukrainian military, and that not all critical information is stamped “Secret” or “For Official Use.” Furthermore, UCA has not published all of the information it was able to find.

“In each situation which we report, what is important is not the data, but the ability to access internal networks. I love to explain how we hacked the Data Processing Center of Orenburg Oblast (Russia) – we started at a veterinary clinic in one district and ended up at the governor’s system for connecting different government agencies and computers belonging to FSB agents. In the Ukrainian case, our starting position was much higher – having gained access to the network of the military or to a ministry, we could have gone much further,” Townsend said.

EnergoAtom Admits it was Hacked, but says that this was Not Critical

The last “victim” of the flashmob of Ukrainian hackers was the state-owned business EnergoAtom, which operates all four nuclear power stations in Ukraine. The basis for UCA’s review of EnergoAtom’s security was an October publication by CyberBerkut, a group of Russian hackers, of several documents regarding “a new Chornobyl” and a future cyber-attack on EnergoAtom. Later, a representative of EnergoAtom announced on Facebook that Russian hackers had attacked the Ministry of Ecology, but not their business.

“From the beginning we publicized non-harmful documents from their contractor ‘Tonelspetsstroy’, in order to demonstrate their vulnerability. After that, while the company announced that we had not published anything and nothing had happened, activists uncovered yet two more EnergoAtom computers with reports from the Inventory Commission on the State of Nuclear Facilities. After this, the press-service changed their story, even if they still disputed the evidence of the problems with their cyber-security. And here we found four more unsecured EnergoAtom computers at the Zaporizhzhia Nuclear Power Plant. This is an open-network hard drive with countless gigabytes-worth of documents for official use, including documents dating back to 1984 with plans of the nuclear reactor,” Townsend explained.

Snapshots of documents from EnergoAtom

As a result of the flashmob, the state-owned business EnergoAtom is carrying out an internal investigation. According to Oleksandr Lisovyi, EnergoAtom’s Director of Information Technology, it must first be said that while the activists succeeded in accessing official information, none of that information was confidential.

“In any situation there is a presence of a human factor in so-called cyber-hygiene. The data recently exposed due to the efforts of this flashmob was connected to concrete persons in concrete positions who did not practice cyber-hygiene. Fortunately, there was no general access to the critical segment of our local network. I am not speaking about the access to our technological system, which truly does influence the defense and state of security of critical infrastructure,” Lisovyi explained.

The business promises to improve its security measures, monitoring, and prevention, but a definitive decision awaits the conclusion of the official investigation. The individual responsibility of those who, through their own incompetence or over-estimation of their own capabilities, caused harm to a state business will also be determined.

“EnergoAtom is gradually introducing a generally acceptable approach of so-called ‘no punishment’ to receive information about possible incidents. We plan to carry out additional clarification work with these people,” Lisovyi said.

The flashmob “#FuckResponsibleDisclosure” helped expose problems, he admits, but the publications of data had negative effects.

“If someone wants to improve the situation with cyber-defense and exposes a problem, he should first of all contact the owner of the information system and try to solve the problem without inviting the real wrongdoers to exploit the weaknesses,” the IT director said.

He also recalled that EnergoAtom’s assets did not suffer from the virus attack of the past summer, in contrast to many other state structures.

According to a specialist from Comodo Group, an American cyber-security company, who earlier worked in several divisions of computer security for state agencies, problems with cyber-security of state structures are linked not only to a poor computer culture, but also to low salaries.

“Today the minimum salary for a specialist in cyber-security is nearly $1000. On the ‘Hacker market,’ one system vulnerability, such as a small password database, can cost $3500-$4000. If we’re talking about a ‘pre-ordered’ information dump, it’s not much more expensive. They can also offer a bribe of a few thousand dollars to open up an information port or to buy a hard disk with data on it,” the expert said.

Any official data which can be accessed publicly is critical

Dmytro Snopchenko, an expert on information security, told Radio Svoboda that any data which hackers publish on social networks can be called critical. The information may not be confidential, but the very fact that it can be found through open access should raise alarm.

“The information which UCA published was gathered hastily. It still needs to be clarified whether there are still vulnerabilities or if they received some other documents. Even if they did not find confidential information, one can still use that data and those documents to put together a very interesting picture of those who work at one or another state agency,” Snopchenko said.

A few years ago, Snopchenko completed an order for several state structures: he repaired a network, performed an audit, and looked for and found vulnerabilities in security software, in the network setup, and in the policy parameters for user access.

Snopchenko explained that the absolute majority of hacks occur through individual users: instead of buying an expensive vulnerability from a hacker for a few thousand dollars, one can install a virus for five dollars on a computer belonging to an assistant or a secretary. By this method, the expert believes, Surkov’s emails were hacked: someone found his secretary, who did not care much for her own cyber-security.

Snopchenko feels ambivalent about the flashmob. On the one hand, this public criticism may draw the attention of real hackers, who will now search more actively for vulnerabilities in state services. On the other hand, the flashmob helped expose cyber-security flaws, and after cyber-attacks, cyber-security measures are usually strengthened.

Hackers call their flashmob a democratic method

In last year’s interview with Radio Svoboda, Sean Brian Townsend said that UCA fights against Russia. In response to a question on whether UCA was ready to hack Ukrainian politicians, he said that internal Ukrainian problems can be resolved through democratic means. He has not renounced those words today.

“The so-called Full Disclosure which we are doing is a sufficiently democratic method which resolves the majority of technical problems. But the inadequate responses to it are sometimes astonishing,” Townsend argued.

Apart from the already mentioned state agencies, the hackers say they “stumbled upon” many others: websites for canals, the employment center in Kropyvnytskyi [formerly called Kirovohrad – Ed], the mobile operators Kyivstar and Vodafone (these private companies, however, closed their vulnerabilities in literally two minutes), two communal businesses in Kyiv, the Kherson Oblast council, the websites of the Chernihiv and Donetsk Oblast governments, the National Agency for the Prevention of Corruption (NAZK), the website of the Ministry of Health, and others.
