How Ukraine holds the front line in cyberspace

NATO 2016 summit recognized cyberspace as an area of military operations on par with land, sea, air, and outer space. We spoke with Yuriy Vyhodets, head of the Cyber Police Department of the National Police of Ukraine (NPU), about Ukraine's cyberspace defense before and since russia's full-scale invasion, whether we have time to "repel electronically" now, and whether we have enough strength to counter cybercrimes.

Cyber offensive before the full-scale war

russia's hybrid war against Ukraine began long before a full-scale military invasion. And it was especially noticeable in cyberspace. The enemy actively spread disinformation in the mass media and social networks, promoted its narratives through propaganda, conducted information and psychological operations (IPSO), and cyber attacks on critical infrastructure facilities and government bodies. However, until now, it happened on a somewhat smaller scale.

"Before the introduction of martial law, the cyber police focused more on countering crimes in the illegal content circulation and telecommunications sphere. It also detected criminality in the banking industry and the computer systems field and exposed various online frauds. Personnel was trained for these tasks, in particular with the participation of international partners. The team was strengthened by experienced IT specialists trained by British experts. And in 2019, conceptually new units of highly specialized combat against cybercrime appeared," Yuriy Vykhodets says.

But with the beginning of the large-scale offensive of the russian federation, the department's work was restructured. In particular, new special functions were added so that the country could successfully counter russia's aggression. Already in March 2022, the directive of the commander-in-chief of the Armed Forces of Ukraine involved the Cyber Police Department in providing cyber defense and performing tasks related to cyber combat against russia's armed aggression. Yuriy Vykhodets explains:

"Having a significant potential in countering cybercrime, the unit has switched from documenting and uncovering this type of crime to active action in the web space against the occupier.

"New challenges include combating pro-russian hacker groups and detecting and responding to anti-Ukrainian propaganda on the Internet. Also — the identification of collaborators and development of systems and mechanisms for a quick and complete collection of information from open sources about military personnel and mercenaries from illegal armed formations of the russian federation. Cooperation has been established with the General Staff of the Armed Forces of Ukraine, the Ministry of Defense, the Main Directorate of Intelligence, and other specialized structures."

Last year alone, the Cyber Police Department resolved more than 530 cyber incidents, most of which were stopped at the preparation stage. However, the head of the Cyber Police Department of the NPU emphasizes that protection on the information and cyber front still needs to be strengthened.

How do cyber police officers work?

Cyber police face many challenges in their daily work. To effectively combat cyber threats, they need considerable motivation, proper training, and technical support in order to stay one step ahead of nefarious actors.

"Technologies are constantly being upgraded, but criminals are improving at the same time." 

"The most difficult thing in this work is to stay ahead of criminals who use advanced means of conspiracy. It is a personal challenge for each of us to keep our competence in good shape. On the other hand, the significant demand for IT specialists in the non-state sector and the high level of wages in the industry add to the difficulties in recruiting qualified personnel.

"However, international partners, trainings, studies abroad, in particular with OSCE funding, and acquisition of best practices help maintain the competence level. By the way, our Western allies do not skimp on the latest software and technical solutions and recommendations," Yuriy Vykhodets explains. 

Ukraine's cyber police are actively supported by international partners — the EU Advisory Mission Ukraine (EUAM Ukraine), the Organization for Security and Co-operation in Europe (OSCE), the European Union, and the law enforcement officers of the USA, Great Britain, and Germany have repeatedly provided material and technical assistance. With the help of the Estonian Academy of e-Government and the EU, the department received a $2 million software license from the USA, which provides a faster and better search for information on cyber criminals and allows to conduct analyses of their crimes. 

We also cooperate with the Global Cyber Cooperative Center. This is an example of an effective private-public partnership, thanks to which software worth more than 60 million hryvnias and equipment worth 5 million hryvnias were transferred to Ukraine. Such support makes it possible to effectively counter cybercrime and aggression of the russian federation in cyberspace, adds Mr. Vykhodets.

The results of the last National Defense Hackathon among relevant bodies and IT experts confirm that the cyber police team has excellent specialists. It took place within the framework of the knowledge exchange project of the "NATO-Ukraine" Trust Fund. At the hackathon, Experts in cyber security and combating disinformation, software engineers, and designers competed in developing innovations that would help Ukraine defeat russia in cyber warfare. The Ukrainian cyber police won two nominations. The team received a certificate for participation in the NATO TIDE Hackathon 2023, which will take place on February 20-24 in Poland.

It is interesting that ours were the first in the field of IPSO. A great result of our boys and girls, which was highly appreciated by the National Police and the Ministry of Internal Affairs leadership, Vykhodets adds.

Volunteers join Ukraine's cyber army

After February 24, 2022, many IT specialists united around the idea of protecting Ukraine in cyberspace. Cyber volunteers came to save the state while refusing high salaries in the private sector.

Two of the main projects cyber volunteers played a role in, according to Yuriy Vykhodets, are the Telegram channel "Mriya," created at the beginning of the full-scale aggression, and the Telegram bot "Narodnyi Mesnyk," where users can send reports if they witness enemy troop movements, collaborators, and providers that distribute russian propaganda content. More than 350,000 cyber volunteers joined the work of "Mriya" alone.

"Each of them can be called a hero. We pass the received information to the Armed Forces of Ukraine and other relevant departments, and everyone was able to see the initiative's first "hot" results during the defense of Kyiv," concludes Yuriy Vykhodets. Even before full-scale aggression, in January 2022, active cyber attacks began on critical infrastructure and authorities. At the same time, the national police created a unit that protects the relevant infrastructure of the department and the entire National Police.

Shadow economy, cryptocurrency, and cybercrime 

Thanks to the public-private partnership, Ukraine's cyber police have managed to solve more than 50% of all detected criminal offenses in 2022, the object or means of which was cryptocurrency. This result was made possible by the cooperation of the cyber police with Crystal Blockchain — a global blockchain analytics company; the department cooperates with it within the framework of a separate memorandum. For example, blockchain analytics helped trace the movement of virtual assets associated with illegal activities.

Cryptocurrency is now key in the shadow economy. Before the full-scale war, about 13% of Ukrainians owned cryptocurrency – ranking first in the world, according to the Global Crypto Adoption Index.

Yuriy Vykhodets explains that this shows that Ukraine has gone far ahead in understanding the cryptosystem, cryptocurrency. People are very interested in it. Because of the war, many Ukrainians were left without work and a stable and sufficient income. Therefore, cryptocurrency is attractive as an economic stabilizer. Criminals also understand this — they seek to use hyped demand in their schemes. This became the reason for creating a department to combat crimes related to virtual assets, as the number of claims about fraudulent actions with crypto assets has increased.

Combating fakes and bot farms

russia is still active in Ukraine's media space. Ukraine's cyber police recently exposed several bot farms working to promote russia's propaganda narrative  in the media space and social networks.

"Combating fakes, propaganda, and kremlin narratives are among the main aspects of our work. The enemy regularly tries to sow "betrayal" and discord in our society. The main task here is to prevent the enemy from doing this. Bot accounts are used to discredit the Ukrainian Armed Forces, our government, to justify russia's aggression, to spread illegal content, to conduct IPSO to manipulate public opinion," Yuriy Vykhodets says.

Enemy bot farms were active long before the invasion of the russian federation, but previously their activities were sometimes "covertly" aggressive in nature, and this made their detection and neutralization much more difficult.

"During the last operation, which ended more than a month ago, we conducted 25 searches at the bot farms locations and seized more than 300 GSM gateways and about 150,000 SIM cards used to register bot accounts. This is a good indicator. Implementing such preventive measures is included in the further Cyber security strategy at the system level.

"Together with the Internet community and volunteers, we worked out the mechanism of destroying enemy propaganda Telegram channels and resources, blocking the kremlin's zombie content.

"Every day it becomes more and more difficult for the kremlin's curators to conduct information operations among Ukrainians. Preventive work with our citizens and their observance of cyber hygiene (practices for ensuring the safe handling of critical data and for securing networks — ed.) also plays an important role," Vykhodets explains.

Internet fraud during wartime

Bot farms are not the only danger from the russian federation in Ukrainian cyberspace. The fight against phishing and online fraud is more relevant than ever because, with the appearance of millions of refugees, IDPs, wounded, volunteers who help the front, and various social benefits, scammers have appeared who seek to defraud such citizens and take advantage of their vulnerable situation.  Just last month, cyber police officers, in cooperation with the State Special Communications Service, discovered and blocked more than 100 phishing web resources:

"As part of the "Botoferma" operation, 28 web resources were blocked in the country, which functioned to register accounts that could be used in the process of anti-state activities.

"An algorithm for round-the-clock documentation of illegal actions by providers and telecommunication service operators has already been developed. Despite state bans and restrictions, they do not block the broadcast of russian content. Moreover, they configure the equipment so that users can freely access information products of the russian federation or pseudo-republics," the head of the Cyber Police Department says.

Vykhodets confirms that new types of internet fraud have appeared since the beginning of the full-scale war. These are attempts to capitalize on the desire of thousands of people to flee from dangerous or occupied territories. The head of the Cyber Police Department recalls a story when the whole family died under shelling in Mariupol. They expected that the people who promised to take them out for the already paid money would come to the rescue. This swindler, who can be called a murderer, never showed up. He did not even plan to do this — he had already received money for transportation. Cyber police and investigators worked with the suspect, and he was brought to justice, but the people could not be brought back.

Another type of military fraud can occur when criminals posing as volunteers claim to be collecting funds to help the Armed Forces, wounded defenders, or their families. Phishing is one of the most common scams. Since the beginning of the invasion of the russian federation, the villains have mainly used phishing links in schemes with payments that are somehow war-related.

"We know all the methods used here. And we can counter them even at the planning stage. The more citizens must observe cyber hygiene rules, the less fraudsters can earn. The same applies to resistance to enemy propaganda," Yuriy Vykhodets concludes.

How to prove cybercrimes?

Modern criminologists need to consider both physical and digital evidence to investigate crimes. Yuriy Vykhodets explains:

"Compared with previous years, our criminologists increasingly participate in the work of international investigative groups, interstate police operations, and adopting best practices. This also applies to modern means of overcoming the encryption of information carriers and user messages. For comparison, until now, such encryption has prevented law enforcement officers from accessing data on smartphones.

"At the same time, digital evidence creates difficulties in authentication due to the volume of available data, the speed of its creation and transmission, instability, and vulnerability to unauthorized interference. And this causes certain difficulties during forensic examination. Unfortunately, the issue of using digital evidence and its admissibility is still open in the context of Ukrainian legislation."

It's about the identification signs sufficient for the court: this particular person has this particular device and, at that time, used it in the illegal activity of which they are accused. With the participation of Ukrainian criminologists, the creation and implementation of the procedure for the collection, verification, storage, and use of digital evidence, as well as the consolidation of concepts in legislative acts, is ongoing. It is also logical to increase the competence of prosecutors and judges in this area. For this purpose, international and national programs are implemented in Ukraine.

CPD's head shares that there is a department that specifically deals with the review of digital evidence, computer equipment, and Internet resources. Currently, CPD is involved in developing changes to the legislation in the digital forensics area.

The cyber police have a lot of work ahead. But Ukrainians are holding their ground and doing everything to make life in Ukraine safer, including in cyberspace.