Cyberwarfare lesson learned in Ukraine

“Wifi or cheese are free only in mouse traps. This is especially true along the front line.”

The Ukrainian territory is one of the most appealing areas in the world from the perspective of cyberattacks and information warfare since the outbreak of the Russian-Ukrainian conflict in 2014. Ukraine has faced unprecedented attacks in the form of disruptions of critical infrastructure (e.g. BlackEnergy) as well as large scale attacks intended to paralyze the economy of the state (e.g. NotPetya). Therefore, the study of the Ukrainian cybersecurity domain is crucial for understanding current cyber threats.

For this reason, experts from CIMIB (Czech Institute of Information Security Managers), together with Visegrad Fund (, are supporting Team4Ukaine (T4U) cyber projects.

Recently, there was detected an organized crime group operating in Central Europe, whose members had no professional knowledge of IT. They bought a hacking tool and using it, they confused the ATM system to give out as much cash as desired. This is the way how old school crime groups are connected with new cybercrime. Cybercrime is an extensively used type of war as well. Information attacks precede old school artillery attacks; i.e. soldiers receive SMS “Give up and avoid death”. Factories and power stations do not necessarily have to be demolished; they just need to be taken out of service by enemy hackers. Team4Ukraine has noticed all the mentioned types of crime in Ukraine in recent years.

Ukraine became one of the most interesting places for experts to study the topic of cybersecurity and cyber warfare. Since the beginning of 2014, Ukraine has been the target of continuous cyberattacks that have brought some unique features recently identified during the attacks on other countries as well. Hence, the cybersecurity landscape of Ukraine is worth to study, especially for experts from the central European region, since the nature of threats is the same across the region. However, this statement is primarily valid for the Eastern regions of Ukraine, where the new and unusual types of cyber-attacks combined with other means of hybrid warfare (such as propaganda, information warfare, psychological operations against soldiers and civilians, and kinetic warfare) are used. Therefore, the findings made by Team4Ukraine (which is active in the region for the past four years) represent a valuable source of expertise for both experts and the public in the V4 countries.

The training lessons lead by T4U in the Donetsk and Luhansk regions of Eastern Ukraine confirmed that users in this area are more sensitive to cyber threats as they face them daily (especially in the case of politically active citizens). Thus, the security training courses provided in the framework of the T4U projects were highly appreciated.

The research conducted by T4U and funded by the Visegrad Fund provided valuable information on the cyber challenges faced not only by Eastern Ukraine but by Central Europe as well.

Cybercrime as an instrument of hybrid war

The Ukrainian cybersecurity landscape is significantly different from the Central European countries. Before 2014, it was closely related to the states of the former USSR, primarily the Russian Federation. One of the main aspects of this relation was the prevalence of cybercrime. Cybercrime in the former USSR countries reaches levels unseen in the West. For example, in 2017, Russian company Kaspersky Lab estimated that 75% of the ransomware (a prevalent type of malware at that time) came from Russian-speaking countries.[1]

This situation is a result of several aspects. Firstly, the societal and economic environment of the former USSR countries contributed to a particular merger between two distinct groups – IT experts and traditional organized crime members. While these two groups mostly remained distinct in the West since people with very different backgrounds make part of these groups, their merger on the territory of the former Soviet Union resulted to the creation of completely new fields of “industry”.

These new fields used both necessary IT expertise for the technical stuff and the techniques of traditional organized crime as well. Organized crime has not been nationalistic and indiscriminately included members from the whole region. The first example that supports this assumption has been the DDoS attack on Estonian infrastructure in 2007. The same means have been used several times since (e.g., Georgia 2008). According to the T4U’s analyses, the biggest outbreak came with the conflict between the Russian Federation and Ukraine in 2014.

Methods of cyber war

The cyberattacks against Ukraine started immediately after the outbreak of conflict with Russia. One of the first identified large-scale attacks was those against the first post-Maidan presidential elections in May 2014. The target of the attack was the server of the Ukrainian Central Election Commission. The aim was to artificially raise the number of votes for the leader of the right-wing organization “Right Sector” Dmitry Yarosh. The attack was detected by the Ukrainian Security Service (SBU), and thus it was not successful. Nevertheless, the main Russian TV “First Channel” presented the rigged results of the presidential elections with Yarosh getting 37% of the votes (in reality, he got less than 1%).[2]

Perhaps the most unprecedented cyber-attacks since 2014 were those focused on the energy distribution system. The first attack came in December 2015 in Ivano-Frankivsk oblast in the west of Ukraine. The attack demonstrated the possible ability to disrupt energy flux using malware named BlackEnergy. The realisation of the attack necessarily required a long-term preparation demanding thorough reconnaissance of the power grid infrastructure and information technology used. The attacker placed malware to the operator consoles and forced software update to the transformer stations across the region. That allowed to shut down the transformer stations simultaneously. At the same time, the hard drives of the operator consoles were wiped out, disabling the possibility of repairing the software of the stations remotely. Manual intervention was necessary to renew the supply of energy to circa 120,000 inhabitants. The cyberattack was followed by a DDoS attack on the call centrum of the distribution company, which was then unable to react to the requests of its customers.[3]

The particularity of this attack consists in the fact that the aim of this attack was probably focused on causing damages to the civilian population. There was no financial gain for the attacker. Almost a year later, in December 2016, a similar attack was repeated in the Kyiv region. Due to the preparedness of the Ukrainian side, the damages were significantly lower this time.[4] Similar attack was noted also in the Czech Republic; i.e. in December 2019 the hospital of Benešov faced the damaging cyberattack attack as well.[5]

Further attacks on Ukrainian critical infrastructure were focusing on the financial sector[6] or transport infrastructure[7]. The most damaging attack came then in June 2017. According to T4U’s findings, the malware called NotPetya was identified as ransomware. Although the attack was intended only to affect Ukrainian companies by using Ukraine-specific software, the spreading quickly went out of control causing damages in billions of dollars to many global companies.[8] According to T4U, the NotPetya attack gives a clear example of the necessity to study methods of cyberwar as the consecutive consequences have international impact.

Apart from the above-mentioned cases, T4U identified also the number of daily attacks on individualsThe users in the East Ukraine are targets of cyberattacks more often than users in the rest of Ukraine. The nature of attacks largely remains the same. An unproportioned number of users were targets of phone scams and social network account hijacking.

T4U detected that also phone frauds are widespread in all Ukraine. Usually, a person receives a phone call from “a friend” (or a relative) who informs a person concerning some troubles of its relative/friend (e.g., imprisonment), and the attacker requires sending money to a specific account. During the research activities, T4U also noted demoralizing and lying SMS sent to the soldiers on the front, and their relatives (e.g., “Your commander surrendered. Come home!”; “Your husband is dead.” or various vulgarisms, etc.) The mentioned findings confirm that this method is one of the usual instruments of information war as well.

Analogous approach has been detected also in connection with Russia aggression in NATO countries. Similar information attacks were carried out against families of pilots of Dutch F-16s participating in the Baltic Air Policing mission (patrolling Baltic air space during 2017). They had been receiving bothering phone calls. According to the damaged ones, the callers had Russian accents, and they were collected personal information about individuals deployed in the Baltic states to disseminate highly personalized disinformation or intimidation.[9]

Generally, the attackers are looking for personal data for using them in calls or SMSs, which adds credibility and looks even more frightening. One of the ways of stealing such information is the creation of controlled wifi in desired areas (e.g. front lines) with free access, no field registration and unlimited data. It shows that free wifi and free cheese are offered only in mouse traps, which is especially true along the front line.

Considering the above-mentioned findings and results of analyses provided by T4U’s cyber experts, training personnel in cybersecurity is essential. The research showed that higher attention should be paid to the problem of IT security closer to the eastern border of Ukraine. This finding contrasts with the attitude in the Central European countries which do not consider the issue of cybersecurity with such a priority. It illustrates that the Eastern Ukrainian situation with continuous cyberattacks and information warfare brings higher security awareness.

However, considering the T4U’s experience, the fact that people give higher importance to cybersecurity does not mean that they understand it correctly, i.e., the usual answer on the question regarding the most important aspect of cybersecurity was the presence of a specialized anti-virus program. The IT expert of T4U confirms that anti-virus is not, by far, the most crucial part of IT security and might be even harmful in some situations. An essential point for a standard user is possession of a system with as few known vulnerabilities as possible. Known vulnerabilities (already fixed by the vendor but not patched by user) are the most common objects of attack.

The second most crucial issue concerning the IT security of a standard user is a backup of data. In the opinion of IT expert of T4U, it helps to resolve attacks by ransomware because a user can recover the data from backup instead of paying the ransom.

The IT expert also underlines, that secure communication including sensitive information is crucial as well for the performance of public work in the contested areas as the use of e-mail encryption is hindered by the user’s un-friendliness of available tools. In this situation, the communicators (instant messengers) present a simple way to communicate safely.

Moreover, there are certain risks associated with the use of social networks, especially in a politically contested environment. The T4U’s expert stresses, that users should know that sharing some information on social media, they quit being owners of this data. The social network is free for use them and/or provide them to other entities or law enforcement. Limiting sharing to a particular group of people (friends) does not have the expected result. Friends can re-share and once shared information is considered public.

Information on social media remains available forever. The function of “delete” often does not have the expected functionality as the user deletes only the information from the original account but not from the other various places in the social network. Neither does it mean that the operator of the social network deletes the information and loses access to it. Moreover, any information considered funny in some situations (or age) may cause embarrassment several years later.

T4U’s IT expert also highlights, that unintentional sharing has to be kept in mind as well. Operators of social services do not collect only information that users decide to share, but a vast trove of other data about users is focused. They comprise location history (collected from mobile devices) or browsing habits (collected using third-party cookies).

In conclusion, it is necessary to stress out that the projects and training focused on education in the field of cybersecurity are important and should be considered with the highest level of priority by national governments in general. That is why the T4U is active in research activities concerning this area in Ukraine. The potential impact on Ukrainian citizens and infrastructure could be far-reaching.

PhDr. Petr Pojman, Ph.D.

and Team4Ukraine

Political scientist, Team Coordinator and Chairman of Team4Ukraine – in 2002 he joined the Institute of International Studies at Charles University in Prague. He has completed several study and research stages in Russia, Belarus, Ukraine, and Great Britain. In 2008-2009 he worked in the humanitarian project of Caritas Czech Republic (Magdala), which helps victims of human trafficking in the Czech Republic. Since 2010, he has been working as an independent consultant for the private, state, and non-governmental sectors. He cooperates with the Organization for Security and Cooperation in Europe on combating trafficking in human beings and election observation. In 2012 he became a founding member of the Czech Criminological Society, and since 2013 he has been a member of its Committee. In 2014 he finished his dissertation, comparing organized crime and its relation to politics in Russia and Ukraine. Petr Pojman has been working in Ukraine since 2014, making part of the projects of the Prague Security Studies Institute. He focuses on security, organized crime, and hybrid warfare methods. In 2015 he founded the non-profit organization Team4Ukraine.



Link2Ukraine is an independent source of analysis, news and expert opinion, written by academics, researchers, experts and journalist, and delivered direct to the public. Independent experts share their knowledge about Ukraine at a time when people need it (as the public space is full of fake news) in a way that all sources of the provided information are clearly specified.

© Všechna práva vyhrazena, Link2Ukraine