TRYZUB is a new training platform based on real-world, front-line cyber warfare experiences – here’s how it works and why it could matter for Australia.
As the saying goes, “When life gives you lemons, make lemonade.” In this instance, however, it’s more a case of, “When life gives you harsh lessons in cyber warfare, you should turn them into real-world training exercises.”
That’s pretty much the backstory of a new training service recently announced by cyber security firm CYBER RANGES, which is based on the lived experience of Ukraine’s Computer Emergency Response Team, CERT-UA.
Russia’s build-up and execution of its so-called Special Military Operation – largely “special” these days for being the most costly and destructive conflict on European soil since the Second World War – saw a wave of cyber attacks unleashed across NATO countries and allies, but no nation has borne the brunt of those attacks like Ukraine has.
Just months after the Russian invasion, Ukraine was already facing unprecedented malicious cyber activity both in terms of its scope and sophistication, and it had already been engaged in defensive cyber operations since as early as 2013. This ongoing activity has the goal of degrading and disrupting both domestic and military targets, while also discrediting the Ukrainian government.
Even as early as June 2022, there were at least eight families of malware being used against Ukrainian networks, deployed via a range of methods and often in tandem with traditional military operations.
As well as state-backed actors, often with close links to Russia’s Federal Security Service and other agencies, Ukraine has also been the target of various pro-Russian hacktivist groups with varying degrees of sophistication in their operations.
Basically, long story short, Ukraine’s network defenders are probably some of the most experienced cyber security specialists on the planet right now, particularly when it comes to cyber warfare at scale.
Trident true tactics
That’s the expertise that TRYZUB – the Ukrainian word for trident, which is the country’s national symbol – draws upon for its training exercises, which are based on the activities of real Russian threat actors.
For instance, one of the exercises is based upon the activity of a hacking group known as Sandworm, which operates under the auspices of Military Unit 74455, itself part of the GRU, Russia’s military intelligence service. This particular drill focuses on a Sandworm attack against a Ukrainian internet service provider, which has the aim of both destroying and exfiltrating data using a range of malicious tools.
The aim of the exercise is to detect the intrusion, expel the attackers from the network and protect the data.
According to CYBER RANGES’ CEO, Doctor Al Graziano, it’s the real-world nature of these exercises, based on actual Ukrainian experiences, that makes them so valuable to military units, law enforcement agencies, governments, and critical infrastructure operators.
“What if we could safely put our organisation through a real cyber attack, with real malware and artifacts and have that attack unfold in a high-fidelity sandbox environment where we can observe our teams respond to it?” Graziano said of the launch of TRYZUB.
“What if we could experience the attack without the negative impact and play and replay it at will until our team has developed the necessary muscle memory to deal with it in the field? What if, besides the [indicators of compromise] and threat information, we could share the experience of dealing with the actual attack among our allies? Well, we have done it!”
Brigadier General Oleksandr Potii, head of Ukraine’s State Service of Special Communications and Information Protection, which manages CERT-UA and partners with CYBER RANGES on the exercises, calls TRYZUB a “shining example of a public-private partnership at the international level and a well-implemented win-win strategy”.
“The synergy of Ukrainian experience and American technologies makes it possible to make our common cyber space safer. The use of new scenarios will undoubtedly help train security officers in the most modern methods of countering cyber attacks.”
Mykhailo Fedorov, Ukraine’s Minister for Digital Transformation and Deputy Prime Minister for Innovation, Education, Science and Technology, said that what Ukraine is learning right now can inform and help to protect other countries.
“Governments, security and military organisations from other countries will learn how to counter cyber attacks based on Ukraine's experience,” Fedorov said.
“For the first time, the war in Ukraine is also taking place in cyber space, so our experience in this track can become the foundation for global cyber security.”
Far away lessons, local implications
Countries around the world, even those that are not directly involved in a current kinetic conflict, are already facing increasing cyber attacks, and a state of near-continuous grey zone warfare seems to be the new normal, with cyber operations a key part of that competition.
For instance, Chinese President Xi Jinping can talk about how relations with Australia have experienced a “turnaround” for the better in recent years, but it must be said that China is far from Australia’s best friend. Just this last September, cyber security agencies from the Five Eyes alliance dismantled a botnet – a group of internet-connected devices commonly used to spread malware or launch DDoS attacks – consisting of more than 260,000 infected devices, including 2,400 in Australia.
More recently, US authorities admitted they were unsure when America’s telecommunications networks would be free from Chinese cyber espionage operations. And China is just one nation engaging in such activity. North Korea and Iran are highly active when it comes to cyber crime, espionage, and influence operations, while conflicts in the Middle East have seen hacktivists going after any low-hanging fruit they can find to further their ideologies, and Australian companies and organisations consistently find themselves in the firing line.
The point is that even in a time of peace in the region, Australia is facing a range of state-based cyber threats. If we get involved in any kinetic conflict – say, if China makes a grab for Taiwan and the US and its allies decide to make a fight of it – you can be sure that we will face a similar level of cyber activity as Ukraine is seeing now from Russia and its allies.