Tuesday, November 25, 2014

13 strategies Ukrainian hacktivists use in their cyber war. Legal or tolerated.

Several Ukrainian hacktivist groups were (are) active on the Ukrainian side of the battle this year in their ongoing conflict with Russia. As Eugene Dokukin and his "Ukrainian Cyber Forces" are pretty open about what they are doing, let's look at their 13 strategies, as there appear to be striking similarities to what CyberBerkut is doing on the Russian side. Also interesting to consider is how these groups manage to keep doing things that are more than likely illegal in their countries, and how the military can use them when needed.

Background: “Ukrainian cyber forces and individual pro-Ukrainian hackers have maintained online attacks on all Internet resources linked to insurgents in the eastern part of the country, whom the Kyiv (Kiev) government deems as terrorists. As of early November, the cyber forces claimed to have downed 46 sites belonging to the breakaway pro-Russian states of the Lugansk People’s Republic (LNR) and the Donetsk People’s Republic (DNR) via multiple denial-of-service (DDoS) attacks. The cyber warfare operation, titled “Retribution,” has been ongoing since mid-2014. Last month, pro-Ukrainian hackers leaked secret documents from the DNR, representatives of Russian nationalist organizations in Crimea, and representatives of government agencies from the Russian Federation.” http://uadn.net/2014/11/17/pro-ukrainian-cyber-forces-take-down-46-separatist-sites-and-target-online-money-accounts/

Pro-Ukraine hackers target e-currency accounts. The anti-insurgency cyber campaign has also moved beyond site attacks, with hackers targeting the financial networks of the DNR and LNR. A hacker at the forefront of pro-Ukraine cyber warfare efforts, Yevgeny Dokukin, has announced on his Facebook page that he managed to convince Russian online payment service Yandex Money to block the e-wallet of a notable group of DNR and LNR supporters last month. “Via my actions, I managed to stop the financing of terrorism through the Yandex Money system,” noted Dokukin via social media. However, fellow Russian electronic currency service WebMoney refused to cooperate with his blocking request. http://uadn.net/2014/11/17/pro-ukrainian-cyber-forces-take-down-46-separatist-sites-and-target-online-money-accounts/
- screenshot with Ukrainian Cyber Forces logo from their Youtube channel.

In the article at uapress[.]info/ru/news/show/48475, Ukrainian Cyber Forces leader Eugene Dokukin posted the 13 strategies his group had been using in this cyber war during the last 6 months.
  1. Hacking separatists and terrorists sites.
  2. Operation Retribution - blocking terrorists sites with DDoS attacks.
  3. Locking the accounts of terrorists in electronic payment systems.
  4. Operation CyberStorm – locking phones with short messages flood.
  5. Operation CyberHurricane - locking phones with calls flood.
  6. Operation “Restore the Truth” - editing Wikipedia to counter Russian propaganda.
  7. Operation “Blocked Freaks” - blocking blogs (particularly in livejournal) and sites of terrorists through support requests to livejournal and hosters.
  8. Operation Bender - calling terrorists with threats and misinformation.
  9. Operation “CyberStorm 2” - sending short messages with threats, disinformation and propaganda.
  10. Operation “Bond, James Bond” - espionage operation, which involves listening to and recording audio and video information from the various headquarters of terrorists and webcams in Donbass and Crimea.
  11. Operation “Turn off the Propaganda” - opposition to videos from terrorists on YouTube and other video hosting sites.
  12. Operation “Crimea is Ukraine” - the return of control over all the Crimean government sites (preferably all Crimean sites in the domain zone ua). And spreading propaganda in Crimea through these sites.
  13. Operation “Hunting for Trolls” - blocking accounts, pages and groups of terrorists and trolls in social networks.

As we can see, some of these methods are copied from what (pro)Russian cyber forces were using earlier this year against Ukrainians. CyberStorm, CyberStorm 2 and CyberHurricane, for example, are similar in effect to the Telephony Denial of Service (TDoS) attacks that we reported earlier... Only this time it's the Ukrainian side which is using them.

Eugene Dokukin is now open about his identity and gives interviews. When asked how they do things which are illegal according to Ukrainian law, he smiles: “Most of our work is legal. Closing accounts, websites and other resources of terrorists through complaints to electronic payment systems, domain and hosting providers, etc. - it's all legal. The only question may arise about hacking: hacking sites, email and social network accounts, as well as DDoS attacks on terrorist websites. But officially, I don't know who of all of the fighters does it.” (http://uapress.info/ru/news/show/48475 - in Russian)

In general, Eugene Dokukin says that there are three levels in his forces: volunteers who do legal things like Wikipedia editing and writing complaints to providers; those who do illegal but simple things like DDoS attacks and other flooding; and, at the highest level of his group, people who do real hacking.

Speaking about his enemies, Eugene Dokukin cites information from SBU head Valentin Nalivaychenko that in the Russian FSP 18th Special Center there are 1500 personnel working full days, using automated systems for social networks to send messages and texts that spread panic. (http://uapress.info/ru/news/show/48475 - in Russian)

Eugene Dokukin (Yevgeny Dokukin, Rus. Евгений Докукин) aka MastLive

He has a “white hacker” background (http://www.interpretermag.com/hackers-join-in-the-struggle-for-crimea/). Before creating the Ukrainian Cyber Forces, Eugene Dokukin was active in March fighting the Russian invasion. He hacked the Crimean Parliament site and posted "The referendum is canceled. Crimea continues to be a part of Ukraine. Everyone can go home, and Russian troops can return to their country." A few days later Dokukin also “dismissed” pro-Russian Crimean leaders Aksenov (prime minister) and Konstantinov (speaker). In their recent efforts to block pro-Russian financing, the Ukrainian Cyber Forces claim to have closed 128 terrorist accounts with over $1 million. (http://uapress.info/ru/news/show/48475 - in Russian)

Ukrainian law enforcers know Eugene Dokukin and his group. They don't give him any visible trouble for those of his activities that are not in accordance with the law. Nor do they confirm that he is working for the government. But, speaking anonymously, one of the law enforcers said to Focus.UA: “Intelligence agencies often use the services of hackers in exchange for a guarantee of immunity. This does not mean that it's how things are in Dokukin's case. But one can easily frame him: the bank will order a security audit - "network vulnerability pentesting" and the contract is made. But one security officer in the bank is told about it, others - no. The latter, seeing the external interference, scanning and active attempts to crack, report to authorities about unauthorized access to the system. And then the hacker will be "proving long and tedious that he is white and innocent."” (http://focus.ua/country/319358/ - in Russian)

Posted by Wapack Labs EURASIA desk

Nov 25, 2014 9:35:58 PM

Monday, November 24, 2014

NATO cyber exercises & regional tensions

Wapack Labs tracks cyber activities between Ukraine and Russia with the idea that there will be lessons that we can all learn from and take to our defenses. This piece was published by an analyst in Wapack Labs' EURASIA analysis effort. The analyst, a non-English speaker, has a rough writing style, but the content always offers amazing insights.



Published 11/24/14

Annual NATO cyber exercises "Cyber Coalition 2014" attracted a lot of attention: NATO estimates global cyber crime makes a profit of $1 TRN a year - equivalent to the narcotics trade. NATO's computer servers are detecting 200 million suspicious cyber events every single day, the alliance has revealed. On average the military organisation is the victim of five major cyber attacks each week and that has increased "significantly" since Russian aggression in Ukraine started. https://uk.news.yahoo.com/natos-cyber-war-games-amid-surge-attacks-020403587.html

NATO carried out its biggest ever cyber security exercise involving hundreds of computer analysts. The three-day event, taking in 28 nations, was held on a former Soviet base in the city of Tartu, close to the Russian border. Estonia, the host nation, was attacked by Russian hackers in 2007. Banking systems, newspaper production and national websites were all affected. Since then the country has invested heavily in cyber capability and is now one of the leading nations in NATO. Estonia's president Toomas Hendrik told Sky News his country had noticed a surge in attacks since Russian aggression increased in Ukraine. He also revealed there had been a recent major attack on the country, but declined to reveal specifics. https://uk.news.yahoo.com/natos-cyber-war-games-amid-surge-attacks-020403587.html

The three-day cyber defence exercise Cyber Coalition 2014 tested the Alliance’s ability to defend its networks from the various challenges. It involved over 670 technical, government and cyber experts operating from dozens of locations from across the Alliance and partner nations. For the first time, representatives from academia and industry had been invited as observers. https://ccdcoe.org/centre-contributes-natos-largest-ever-multinational-cyber-defence-exercise.html

The Financial Times, in the article “Nato holds largest cyber war games”, gives an idea of the exercises and their connection to the Russian-Ukrainian military conflict:

From barracks in Tartu, a team of around 100 soldiers and intelligence officials on Monday began throwing sophisticated technical attacks at NATO teams across Europe and North America: Troops’ android phones were hacked after a downloadable app turned out to be hiding sophisticated malware; an imaginary supplier of military equipment was found to have had its own manufacturing process compromised, with security loopholes built into its computer chips; a Nato emergency response team was flown to Greece after one scenario in which the attackers succeeded in seizing control of the systems running Nato’s Awacs surveillance aircraft – one of the alliance’s most prized possessions.

In a particularly lurid cyber storyline, a senior NATO officer had his family kidnapped and was then blackmailed into stealing huge amounts of classified data from the alliance’s secure military networks.

“Eventually,” said Luc Dandurand, deputy director of the exercise, “[the participants] work out that all these attacks are coming from a single entity – it’s all from one nation state.”  Officially, the attacker was meant to be disrupting a Nato mission in a fictitious, war-torn state in the Horn of Africa. In reality, the scenario was a thinly disguised version of the threats confronting the alliance as a result of the crisis in Ukraine. Russia, though never mentioned, loomed large.  In one simulated attack, for example, the classified communications of the general in charge of the fictitious Nato deployment were hacked. The hackers then leaked the information to a global newspaper, which promptly published the Nato military chief’s private declaration that the war was unwinnable.

That was eerily reminiscent of an episode in Kiev in February when a candid conversation between US assistant secretary of state Victoria Nuland and Washington’s ambassador to Ukraine, Geoffrey Pyatt, was secretly recorded and leaked to the press.