Whodunnit? The Case of the Ukraine Cyberattacks

As the festive season approached in Ukraine last year, a time of peace, warmth, and friendship seemed a powerful respite for the conflict-ravaged state. However, as Christmas rounded the corner, Ukraine was hit by a new attack— this one hidden and ambiguous, yet just as powerful.

Image courtesy of Wil C. Fry © 2014, some rights reserved.


The electricity grid that serves a large portion of Western Ukraine’s population mysteriously dropped out on 23 December, cutting power to over 80,000 households across a vast area of the country. Baffled by the sudden shutdown, the grid managers grappled with the fact that the computer system set to regulate the electricity infrastructure was acting of its own accord, seemingly possessed and unstoppable. After six hours without power, the grid companies managed to manually gain control of the systems and reinstate power— solving the short-term problem, but leaving many with questions about what had happened, and why.

As the utility companies struggled with these very questions, it became clear that an unknown ‘third party’, as they put it, was involved. Computer analysts dived into the issue, finding a complex and sophisticated web of software facilitating the attack on the grid. An unknown and undetected user had hacked into the central computer system of the regional electricity provider, achieved access to the grid circuit breakers, and flicked the master switch. Adding to the impact of the attack, and the confusion of the engineers, was the fact that the hackers had installed malware to mask what they were doing— obscuring the hack from even the most technically-minded controller.

Undoubtedly, this was a sophisticated and complex event. However, it is one that we know very little about. In the tradition of many ‘attacks’ in cyberspace, working out what actually happened, let alone hazarding a guess as to the culprits of the incursion, is a complex guessing game. Cyber-threats are new, and events like this are still dealt with in an unstructured— perhaps even erratic— manner. Outlining the scramble to define what happened in Western Ukraine, technology security consultancy SANS ICS claimed: ‘We assess with high confidence based on company statements, media reports, and first-hand analysis that the incident was due to a coordinated intentional attack’.

Making claims of intentionality is dangerous. We do not have the understanding, nor vocabulary, to conceptualise cyber-threats outside of traditional conflict narratives— meaning the language we do use has real repercussions. Following the thought process we have evolved for physical threats, we instantly ask ‘who’ perpetrated the attack and why? This is a difficult thing to answer in cyberspace, where there is often very little evidence of what was carried out, let alone by whom. With technology to mask computer identity or location, and a lack of digital fingerprint to attribute activities, we can’t really tell if an attack is the work of a state military, non-state cyber-militia or even a vitamin-D deficient teenager eager to disrupt. With this, analysis often becomes no more than forceful finger pointing.

As part of an ongoing conflict involving complex ethnic cleavages stoked by national and regional interests, this loss of power in Ukraine was instantly thrown into a well-trodden narrative of Russia, NATO and Cold War revision. The cybersecurity firm iSight, who analysed the data from the attack, professed that— although ‘many details of the event remain unknown… [due to] the use of destructive malware’— the software used bore strong resemblance to the tactics of Russian-based hacker group ‘Sandworm’. This is one hypothesis, but we do not yet know its validity. Despite this, it was a guess picked up on by the mainstream press: Foreign Policy magazine’s report was headlined ‘Did Russia Knock Out Ukraine’s Power Grid?’ and Reuters’ ‘Ukraine sees Russian hand in cyber attacks on power grid’. With very little evidence as to which group perpetrated the attack, and even less tangible a link between the hackers and the Kremlin, hypotheses take the helm, and fuel a fear about the potential of a cyber-enhanced reiteration of the Cold War.

Despite this, some analysts preach caution going forward. Ralph Langner, an expert who uncovered the work of the Stuxnet virus in Iran, notes that nothing which has been salvaged from the data proves there was cyber-weaponry used in Ukraine, let alone that the Sandworm group was involved. The link between Sandworm and Russia is also tangential at best, with merely the use of Russian language being the key evidence behind the headlines. It is this which has caused U.S. Intelligence and Security officials to stop short of attributing blame to Russia or the Russian government. However, this hasn’t stopped reporting and pontification in many directions— many of them towards a narrative of Cold War sabotage.

Attacks and incursions in cyberspace are complex, dangerous and invisible. Undoubtedly this breeds fear, but we must be wary of how far we run with a thesis. If it turns out that pulling the plug on Western Ukraine was, indeed, the outcome of malicious attacks perpetrated through cyberspace, it will form a seminal moment in the progression of cyberattacks. However, our caveats must be strong: We can’t see who pulls the trigger in cyberspace. Attributing blame can be irresponsible and end up being severely dangerous. Discussion should be measured and facts put in context, helping us tread carefully and understand the complexity of cyberspace in a fruitful and even-handed way.