Ukraine Cybersecurity Leader Shares Defense Insights From Cyber and Physical Front Lines
What is it like defending Ukraine in cyberspace at the same time the country fights a war on the physical battlefield? And what are the cyber lessons learned by Ukraine’s cyber defenders that every organization and every government can learn from?
Attendees at the ninth annual BlackBerry Security Summit — held Oct. 26 at the New York Stock Exchange — heard the answers firsthand. BlackBerry CEO John Chen interviewed one of Ukraine’s cybersecurity leaders, who joined the audience remotely from Kyiv.
During the BlackBerry Security Summit at the NYSE, BlackBerry CEO John Chen converses with Victor Zhora, based in Ukraine.
Victor Zhora is deputy head of the State Service of Special Communications and Information Protection of Ukraine, which he says is similar to the Cybersecurity and Infrastructure Security Agency (CISA) in the United States.
The following is a partial transcript of the discussion, edited for brevity, between John Chen and Victor Zhora.
John Chen: As I speak for the audience here, thank you very much for doing this. All of us represent various enterprises. We all believe that we are ready for a cyberattack. And we do a lot of tabletop exercises, I'm sure you guys do that, too.
The question I have is — now that you have had to deal with it in reality, in the last year and a half to two years or maybe even longer, will you share your experience? Did the design work as you planned it or are there a lot of things you learned by being attacked on a continuous basis?
Victor Zhora: Thank you very much for inviting me to speak. We have electricity and it is calm right now, we have no air raid sirens. But as you can understand we are facing them day-to-day. And unfortunately, cyber challenges are not the only ones in our everyday life when we continue struggling for the right to exist.
I'm just one of many, many volunteers, cyber defenders, cyber professionals and experts which defend our country — defend our digital infrastructures. There are many cyber security agencies, but our service deals with cyber protection. I supervise CERT-UA (Computer Emergency Response Team of Ukraine), an incident response team. I supervise the state cyber protection center and we have a lot of facilities that we were able to strengthen a lot, together with the help of our partners through all these years, because the aggression started 18 years ago, both on the land and in cyberspace.
It started from the attack on the Central Election Commission during presidential elections in 2014. And then it was followed by a number of severe cyberattacks on the Ukrainian power grid in 2015 and 2016, and on Ukrainian media and government entities. [That was] followed with the most disruptive cyberattack in history, NotPetya. So with regards to cyber exercises that were real cyber exercises, we took a lot of lessons from all of these incidents, and after NotPetya — our country, our government, put a lot of attention to cybersecurity, and we were able to build a robust cybersecurity system, which consists of nine agencies with different areas of responsibility.
We were able to build capacities to prepare the workforce to improve coordination and cooperation between agencies — and what is more important — with our international partners. And we did this together and got prepared for this cyber aggression and the war.
One of the key elements of this preparation was training: training of professionals in our task forces in cybersecurity. We needed to do cyber exercises, hackathons and many other [activities]. And this is perhaps one of the key factors that helps us to ensure the cyber resilience of our country in these challenging times. But during the last eight months of war, we are facing cyber incidents and cyberattacks each day, and this is much more serious. We are concerned with life [while facing] very severe cyber aggression.
Of course, we learned a lot from this. There are many factors [affecting] why Russians haven't reached their strategic goals in attacking Ukraine in [the] cyber sphere. But hopefully one of the factors is our preparedness, and our level of expertise, and all the power of the community force together with our partners — that we could offer to counter this aggression.
John Chen: Do you believe that Ukraine is gaining an upper hand or controlling the situation in this cyberattack?
Victor Zhora: Well, of course, we expected — and our friends expected — very active aggression and display of all the potential of the Russian “military hacking machine,” and there are many reasons…why it didn't happen in that way. But we expected attacks to our energy sector, to government entities, to media, to the telecom sector, to financial sector, to all critical infrastructures. And we were focusing on defending them.
There was a huge growth of cyber incidents within the first month of war and a lot of highly sophisticated cyberattacks in the end of March and the beginning of April, which were widely described in the media. But up to this moment, we see no particular strategy from our adversary. We see, rather, opportunistic behavior: The continuous seeking for vulnerabilities, trying to exploit these vulnerabilities, to obtain persistence, and then decide how they will use these systems.
The absence of a strategy gives us the opportunity to just fix vulnerabilities, counteract and provide incident response, and defend our digital borders. This is the result of the systematic approach that we prepared to constrain this aggression. But at the same time, the adversary continues to be very dangerous. And even without serious cyber incidents [and] highly critical impacts, I think they can use this time to develop new tools, new technologies, or plan new cyber offensive operations against our country — and against other countries as well.
John Chen: How scary is the Russian state effort in cyberattacks? Is it as scary as most people think — or the media thinks — in the United States? Do we have enough tools — do you have enough tools to address the situation?
Victor Zhora: I think the Russian military offensive potential was quite scary in previous periods. Because, for instance, the NotPetya attack was really huge. It affected not only Ukrainian targets, but global companies — global giants like Merck, Mondelez, FedEx and many others.
And tools they used to hack the power grid were powerful, especially when we're talking about attacks on ICS SCADA in the power grid. For instance, with malware called Industroyer in 2016. And in April 2022, they used the modified code in Industroyer in the same kind of attack. So, we don't have time even to think about how scary attacks can be. We're just simply doing our best job to protect our country and hopefully we will be more successful than the attackers — as well, our armed forces will be [successful], and shall prevail.
John Chen: Victor, do you have any words of wisdom and advice to share?
Victor Zhora: There is one thought I would like to share as the former CEO of a private company. We've worked a lot with businesses here in Ukraine. And from being a part of a regulator, I understand how important it is to follow recommendations and to invest in cybersecurity.
Because if a major cyber incident happens, like it happened with NotPetya in 2017, it's difficult for the government cybersecurity agencies to help everybody simultaneously. And that means that investing and building a cybersecurity system in your own company is the best investment to help contribute to cyber resilience of the state. This is from a business perspective.
Ukraine is facing a lot of attacks and the wide use of wipers, because this is the most efficient scenario to bring impact to data, to infrastructures, to services. But in other countries, the biggest challenge is ransomware. And we know why: Because the adversary is seeking funding of offensive operations, and ransomware is one way to get this funding, from ransoms.
So every country and every company can become a target of ransomware actors. We all need to be protected. And we all need to be united, because there is no country that can be protected by itself.
We have four pillars in cybersecurity: People, processes, technology, and cooperation. And in a contemporary interconnected world, there's no chance to be isolated. [A] cyber coalition that can be created from countries with responsible behavior in cyberspace, exchanging information on threats, can be a most efficient scenario for building a robust cybersecurity ecosystem — which can counter these threats that Ukraine is facing, and which can appear in the future.
To watch the full conversation and listen to other government and industry experts sharing their insights, watch the 2022 BlackBerry Security Summit on demand.
About Bruce Sussman
Bruce Sussman is Senior Managing Editor at BlackBerry.
About Peggy Kelly
Peggy Kelly is the Blog Editor at BlackBerry.