Cyber ​​frontline in the Ukraine conflict

In the early days after Russia launched its campaign in Ukraine, Illia Vitiuk and her colleagues feared the worst: the collapse of Kyiv.

Vitiuk, head of the cyber division of the Ukrainian Security Service (SBU), the country's top counterintelligence force, said that they had been fighting Russian hackers and spies for years. But on February 24, 2022, the SBU was given a different task. They had to move servers and critical technical infrastructure out of Kyiv to protect them from attacks from Russia.

"The missiles hit Kyiv and people rushed to evacuate the city. We tried to contact several agencies and managers of critical infrastructure but sometimes received answers like 'the system administrator is away because his family is in Bucha and he needs to get them out of Bucha'," Vitiuk recalled.

"Kyiv was then in danger of being surrounded," he continued. "Therefore, we needed to move the most critical databases and hardware out of Kyiv."

Ultimately, thanks to Vitiuk and his "cyber warfare" experts, Russian hackers were unable to destroy Ukraine's digital infrastructure in the early days of the conflict.

However, Ukraine has suffered a series of cyberattacks, totaling nearly 3,000 this year, according to Vitiuk.

Along with missile and drone attacks, cyberattacks conducted by Russian hackers have significantly weakened Ukraine's infrastructure, particularly its power grid. Russian hackers have also obtained sensitive information to support Moscow's campaign.

Starting around December 2021, cyberattacks from Russia increased dramatically, causing many in the private sector to fear the worst-case scenario was imminent.

Around the same time, representatives from the US Cyber ​​Command arrived in Kyiv to help inspect critical components of Ukraine's cyber infrastructure that they believed would be "targets of attacks," Vitiuk said.

"And that's exactly what happened," he said, adding that the US also provided hardware and software that the Ukrainian government still uses today to protect its network infrastructure.

Russia subsequently deployed a number of cyberattack tools targeting around 70 Ukrainian state facilities and shutting down dozens of government websites. They claimed to have infiltrated Diia, a digital application used by Ukrainians to store documents, as well as interfering with a range of other online services. In February 2022, Russian hackers attacked financial services to make Ukrainians believe they would be unable to access their money in an emergency.

Vitiuk said it appeared that the Russian hackers were at the time "experimenting and preparing for something big."

Things became more tense than ever on the night of February 23, 2022, just before the conflict broke out. "We started experiencing a series of cyberattacks," Vitiuk recounted. "We had to fend off a psychological campaign they launched."

Several attacks brought down ViaSat, the satellite communications system used by the Ukrainian military at the time. Unable to prevent the Ukrainian armed forces from communicating with each other, Vitiuk said Russia appeared to have mobilized all its cyber forces to attack, targeting media outlets, communication service providers, local government websites, and ministries.

"From the very beginning, we clearly saw that they were trying to use all the cards they had in their hand," he said.

For Ukraine, the main challenge during that period was coordinating with cybersecurity experts at government agencies and other critical organizations, many of whom were facing life-threatening situations due to artillery fire. This is when the SBU began moving its servers out of Kyiv.

When asked whether the initial attacks would have a long-term impact, Vitiuk said that only some systems were damaged and a small amount of data was stolen.

"No key systems were damaged," he said. "We work 24/7. We resolved the issue fairly quickly."

Following the failure of the quick-strike campaign, Vitiuk said the SBU had observed Russian hackers shifting tactics, primarily focusing on intelligence gathering and disrupting the power grid.

"Since the summer, they've understood that this conflict will last longer and they need to move on to something more serious," he said.

According to Vitiuk, Russia also attempted to infiltrate Ukraine's military operational planning systems, including the Delta platform. The SBU recently released a detailed report on Russian military intelligence officers on the front lines attempting to obtain Android tablets used by Ukrainian officers in order to hack into Delta and gather intelligence, as well as the Ukrainian military's use of Starlink mobile communication equipment from Elon Musk's SpaceX company.

In this way, Russia can pinpoint the location of certain devices linked to Starlink and better target them for missile attacks.

The SBU claims it has successfully prevented Russia from accessing Delta and similar programs, but Vitiuk admits it has still lost some information.

When conflict broke out, almost all Ukrainian citizens volunteered, donated money, or worked directly with the government to support the fighting effort. Among them was the information technology (IT) community.

Many are working part-time as consultants for government agencies, while others are involved in more active roles. Most notably, the IT Army, supported by the Ukrainian Ministry of Digital Transformation from the very beginning of the conflict, focuses primarily on developing software and tools for citizens to carry out denial-of-service (DoS) attacks against Russian targets, and developing automated software to assist the government in intelligence gathering.

Joining this effort are groups such as the Ukrainian Cyber ​​Alliance, Hackyourmom, a project initiated by Ukrainian cybersecurity entrepreneur Nykyta Kynsh, and Inform Napalm, a website specializing in investigating leaked data and identifying Russian hackers.

Many groups publicize their activities, but others operate more secretly.

However, cybersecurity experts warn that attacks carried out by volunteers, sometimes random and often lacking lasting effectiveness, may do more harm than good to covert operations.

Despite the concerns, Vitiuk argued that every skill of the volunteers is valuable to a certain extent. "This is like defending our territory online," he said. "Our job is to monitor and learn about the volunteers, guide them, or give them advice on how to work more effectively."

When asked about future cyber threats from Russia, Vitiuk predicted that attacks would continue with the same intensity as the previous year, especially as winter approaches.

The attacks could become more sophisticated, but increasing the intensity would be challenging for Russia given its limited current number of skilled specialists. "They need more people," Vitiuk said.

Vitiuk said the SBU is focusing on winter preparations, working with the Ministry of Energy and other experts to protect the grid based on lessons learned from last year.

He acknowledged that despite all their successes, they still needed help to continue strengthening their critical infrastructure. This need was particularly urgent at the local level, where resources were fewer.

At a recent conference in Estonia, Vitiuk urged cybersecurity companies to come to Ukraine to help assess the country's needs, from technical infrastructure to hardware and software, and to directly send equipment instead of transferring money.

He expressed concern about corruption in the country. "We don't need money. We need a system that is as transparent as possible," he emphasized.

Vitiuk believes that even after the conflict ends, cybersecurity will remain a top priority. "New doctrines will be written and applied based on what happened in Ukraine, based on our experience," he said.

Vu Hoang (According to NPR )