Orlando Sentinel

Chilling Russian invasion aim: cyber dossiers

Hackers reap trove of information for targeting civilians

By Frank Bajak

BOSTON — Russia’s relentless digital assaults on Ukraine may have caused less damage than many anticipated. But most of its hacking is focused on a different goal that gets less attention but has chilling potential consequences: data collection.

Ukrainian agencies breached on the eve of the Feb. 24 invasion include the Ministry of Internal Affairs, which oversees the police, national guard and border patrol. A month earlier, a national database of automobile insurance policies was raided during a diversionary cyberattack that defaced Ukrainian websites.

The hacks, paired with prewar data theft, likely armed Russia with extensive details on much of Ukraine’s population, cybersecurity and military intelligence analysts say. It’s information Russia can use to identify and locate Ukrainians most likely to resist an occupation, and potentially target them for internment or worse.

“Fantastically useful information if you’re planning an occupation,” Jack Watling, a military analyst at the U.K. think tank Royal United Services Institute, said of the insurance data, “knowing exactly which car everyone drives and where they live and all that.”

As the digital age evolves, information dominance is increasingly wielded for social control, as China has shown in its repression of the Uyghur minority. It was no surprise to Ukrainian officials that a prewar priority for Russia would be compiling information on committed patriots.

“The idea was to kill or imprison these people at the early stages of occupation,” Victor Zhora, a senior Ukrainian cyber defense official, alleged.

Aggressive data collection accelerated just ahead of the invasion, with hackers serving Russia’s military increasingly targeting individual Ukrainians, according to Zhora’s agency, the State Service for Special Communications and Information Protection.

Serhii Demediuk, deputy secretary of Ukraine’s National Security and Defense Council, said via email that personal data continues to be a priority for Russian hackers as they attempt more government network breaches: “Cyberwarfare is really in the hot phase nowadays.”

There is little doubt political targeting is a goal. Ukraine says Russian forces have killed or kidnapped local leaders where they grab territory.

Demediuk declined to give specifics but said Russian cyberattacks in mid-January and as the invasion commenced sought primarily to “destroy the information systems of government agencies and critical infrastructure” and included data theft.

The Ukrainian government says the Jan. 14 insurance hack resulted in the pilfering of up to 80% of Ukrainian policies registered with the Motor Transport Bureau.

Demediuk acknowledged that the Ministry of Internal Affairs was among government agencies breached Feb. 23. Security researchers from ESET and other cybersecurity firms that work with Ukraine said the networks were compromised months earlier, allowing ample time for stealthy theft.

The data collection by hacking is a work long in progress.

A unit of Russia’s FSB intelligence agency that researchers have dubbed Armageddon has been doing it for years out of Crimea, which Russia seized in 2014. Ukraine says the unit sought to infect more than 1,500 Ukrainian government computer systems.

Since October it has tried to breach and maintain access to government, military, judiciary and law enforcement agencies as well as nonprofits, with a primary goal of “exfiltrating sensitive information,” Microsoft said in a Feb. 4 blog post. That included unnamed organizations “critical to emergency response and ensuring the security of Ukrainian territory,” plus humanitarian aid distribution.

Post-invasion, hackers have targeted European organizations that aid Ukrainian refugees, according to Zhora and the cybersecurity firm Proofpoint. Authorities have not specified which organizations or what may have been stolen.

Yet another attack, on April 1, crippled Ukraine’s National Call Center, which runs a hotline for complaints and inquiries on a wide array of matters: corruption, domestic abuse, people displaced by the invasion, war veteran benefits. Used by hundreds of thousands of Ukrainians, it issues COVID-19 vaccine certificates and collects callers’ personal data including emails, addresses and phone numbers.

Adam Meyers, senior vice president of intelligence at the cybersecurity firm CrowdStrike, believes the attack may, like many others, have a greater psychological than intelligence-gathering impact — aiming to degrade Ukrainians’ trust in their institutions.

“Make them scared that when the Russians take over, if they don’t cooperate, the Russians are going to know who they are, where they are and come after them,” Meyers said.

Hackers calling themselves the Cyber Army of Russia claimed to steal personal data on 7 million people in the attack. However, center director Marianna Vilshinska denied they breached the database with users’ personal information.

She confirmed that a contact list the hackers posted online of more than 300 center employees was genuine as well as a spreadsheet with employee passwords. But she said other files the hackers posted — listing 3 million names and phone numbers and 1 million addresses — were not from the center.

Spear-phishing attacks in recent weeks, focused on military, national and local officials, have aimed at stealing credentials to open government data troves. Such activity relies heavily on Ukraine’s cellular networks, which Meyers of CrowdStrike said have been far too rich in intelligence for Russia to want to shut down.

Ukraine, for its part, appears to have done significant data collection — quietly assisted by the U.S., the U.K., and other partners — targeting Russian soldiers, spies and police.

Demediuk, the top security official, said the country knows “exactly where and when a particular serviceman crossed the border with Ukraine, in which occupied settlement he stopped, in which building he spent the night, stole and committed crimes on our land.”

“We know their cellphone numbers, the names of their parents, wives, children, their home addresses,” who their neighbors are, where they went to school and the names of their teachers, he said.

Analysts caution that some claims about data collection from both sides of the conflict may be exaggerated.

FELIPE DANA/AP People crowd under a destroyed bridge March 8 on the outskirts of Kyiv, Ukraine. Most of Russia’s relentless digital assaults on Ukraine focus on data collection, a goal with chilling potential consequences.
