When the emails of Vladimir Putin’s top advisor Vladislav Surkov were leaked on the internet in 2016, some journalists supposed this was a CIA retaliation for the hack of the Democratic Party servers, so big was the scope of the event. The contents of the leaks revealed fascinating details of Russia’s hybrid war against Ukraine and were at the basis of an eponymous report published at the RUSI Institute. However, it was no CIA but a coalition of Ukrainian hackers – the Ukrainian Cyber Alliance – that was behind the leak.
At the time, Euromaidan Press made an interview with two hackers from the Alliance. Wearing masks and requesting a voice alteration, they were very careful to conceal their identities and stated that they are “hacktivists” working in the interest of Ukraine:
“Our interests are written in the Constitution: each citizen of Ukraine must defend its independence and territorial integrity at all costs.”
Accusations of displaying Greta at the Odesa airport
Fast forward three and a half years and the masks are lifted. But the occasion isn’t a happy one. At a press conference on 26 February 2020, four unmasked members of the hacker coalition announced they were ceasing collaboration with the Ukrainian government. A police raid of the homes of three cyber activists on 25 February is the reason.
Andriy Baranovych (commonly known as Sean Townsend), Oleksandr Halushchenko, and Andriy Pereveziy were accused of participating in interfering with the information board of Odesa international airport. It was hacked on 16 October 2019, and a photo of environmental activist Greta Thunberg with the words “Fuck you, Greta” appeared in place of the arrivals.
It is unclear what made the Ukrainian police and Security Service (SBU) suspect the cyber activists as being implicated, but no less than a SWAT team, along with police investigators of Odesa along, the SBU and cyber police officers from Odesa and Kyiv, searched the Kyiv residences of the three Ukrainian Cyber Alliance (UCA) members and seized their equipment.
At the press conference, the UCA members stated that the search was held with multiple violations. According to the law, the police officers had to copy the information that they were interested in, but instead, they confiscated a part of their equipment, including a non-operational laptop and a child’s telephone. One of the members even had his internet router confiscated and internet cable severed, and his entrance door was broken.
Vadym Kolokolnykov, the lawyer of the UCA activists, said that it appeared as if the SBU was attempting to compromise the members of the organization. He also informed that the UCA would complain to the State Bureau of Investigation about the excess of powers of the National Police officers and to the court with a request to return the seized property.
As a result of the raid, the activists announced they would no longer help the Ukrainian government tighten up its cybersecurity.
“We are stopping all of our activities in this country until justice is served, the absurd accusations are lifted off our members and we receive an apology. We demand satisfaction from the law enforcement and government representatives,” UCA co-founder Tim Karpynskyi said at the press conference.
“There will be no publications now, no night calls, we won’t be helping the state authorities, everything has stopped,” cyber expert Oleksandr Halushchenko added.
Andriy Pereverziy explained that UCA members were indeed involved with the Odesa airport – in 2018, they helped reveal a critical safety vulnerability in the airport and passed on this information to the airport and SBU. One week before the information board was hacked, Andriy Perverziy discovered that a batch of internal airport documents was freely accessible on the internet. Again, the airport and SBU were informed of this cyber vulnerability. Apparently, nothing was done to fix the vulnerability; a week later, the UCA was blamed for the hack.
UCA denies any guilt and claims that they always act within the law.
“The Cyber Alliance’s goal is to help the government, to revive and create cybersecurity at the level of the state,” Perverziy stated at the press-conference.
Tim Karpynskyi stressed that for the third year in a row, the Cyber Alliance members volunteered their knowledge and time to locate vulnerabilities in Ukraine’s critical infrastructure that could be a target for cyberattacks and notify the SBU, NSDC, or cyber police. This is the first time that any kind of accusation is levied against them, he said, adding that the mere thought of top-level cybersecurity experts wasting their time to display an obscene phrase over a teenager on a screen is preposterous.
Andriy Baranovych aka Sean Townsend said that the police searching his house were not interested in the Odesa incident as much as his private correspondence.
Making Ukraine’s government care about cybersecurity
UCA’s announcement of ceasing to help the government with revealing cybersecurity holes may have serious consequences. The hacktivist group is best known for its hacks of Russian figures involved in the war against Ukraine (apart from the Surkov Leaks, there were the Frolov Leaks exposing the Russian Orthodox Church’s role in Russia’s hybrid war, leaks of the Russian defense ministry, banking information of the “Donetsk People’s Republic,” Russian MP Konstantin Zatulin, etc). But their activities directed at Ukraine are no less important. For the last three years, they have been leading a campaign titled #FuckResponsibleDisclosure to point out Ukraine’s cyber vulnerabilities to the state organs.
The campaign included identifying a leakage of personal data of all candidates for state positions, the database of the website of the Academy of the Ministry of Internal Affairs, as well as emails of the Academy’s officers being available in open access, leakages in Ukrainian army documents, bad cyber hygiene of Ukraine’s state-owned nuclear power operator EnergoAtom, etc. (read more about these and other incidents here and here).
The activists maintain that the Ukrainian government is slacking when it comes to cybersecurity, which leaves the country open to Russian attacks. One of the most famous examples is the devastating NotPetya attack of 2017, which affected Ukraine’s Boryspil airport, the state post and telephone operators, the Ministry of Infrastructure and several banks. In the campaign, the cyberactivists identify vulnerabilities, report them to the relevant authorities, and post information about them online after obscuring the critical details which could allow malevolent hackers to penetrate the objects.
This publicity aspect of the campaign has been criticized for “inviting the real wrongdoers to exploit the weaknesses,” but UCA hacktivists claim that without it, state officials would fix them slower, if at all. “And it’s not even about vulnerabilities, we’re talking about information that’s available in open access,” UCA member Sean Townsend explained. “You just open your computer, open google, enter a search query, and find this information because it’s just lying there, without any passwords or registration.”
Government collaboration stops but not UCA activities
In an interview with RFE/RL, Sean Townsend told that the hacktivists had always tried to establish a dialogue with the Ukrainian authorities:
“Because we have a common interest: national security. The war with Russia is ongoing for the sixth year and we try to do what we can to help secure our country. We understand cyber defense and always try to establish a dialogue. But very often, instead of dialogue, representatives of the authorities simply go into denial: it’s not ours, it’s old, it doesn’t matter, it’s not interesting. But for some reason [the Odesa airport] informed the police and SBU that [they] were hacked. How they manage to say that it doesn’t matter and complain to the police at the same time is beyond me. We did manage to establish communication with some state representatives, and they are slowly starting to clarify the state of the country’s cyber defense for themselves, especially after the devastating Russian attack by the NotPetya virus. But all this happens slowly, and now with such excesses, when instead of gratitude, special forces break into your home.”
The cyber activist group had made progress in enhancing Ukraine’s state cybersecurity: it was invited to join a working group of the NSDC and is in touch with the Computer Emergency Response Team of Ukraine, which, Townsend claims, had started reacting to the exposed vulnerabilities.
Townsend can’t understand why the goverment turned on them and thinks that the SBU and police used the Odesa aiport incident as a pretext to search their homes, seize their equipment, and try to find something there.
“One year ago, we warned the airport management and corresponding services that the enterprise’s network is not protected, which may cause big problems. But instead of fixing the vulnerabilities, they decided to punish the messenger.”
Nevertheless, the UCA is not going to stop its activities – it will continue to search for Russian cyber vulnerabilities:
“Essentially, we have no choice, because I am deeply convinced that it is simply impossible to reach an agreement with the Russian Federation, regardless of the position taken by our president or other government agencies. The war is ongoing. Since we are serious about the Constitution of Ukraine, which says that protecting the country is the responsibility of every citizen, naturally we will continue to follow up on the sources of information that we have, and maybe even publish something in urgent cases. But after what happened the day before yesterday, I just don’t understand how to communicate with the state structures. They believe that they don’t need all this, that somehow it will settle down all by itself, and I believe that this is a tremendous mistake.”
