[Column] Learning from Ukraine’s cyber defense

Kim Min-seok

The author is an editorial writer and senior researcher at the Institute for Military and Security Affairs at the JoongAng Ilbo.

“Be afraid and wait for the worst!” a text read when Ukrainian government websites and those of other institutions were hacked before Russia attacked the neighbor on Feb. 24. The warning was posted on Jan. 14. The digital offensive stoked terror across Ukraine before Russia carried out the invasion. It was a type of psychological warfare designed to unsettle and demoralize Ukrainians going into a war with a global power like Russia.

Russia stole personal information of Ukrainian government officials through hacking to threaten them with e-mails. The hackers then brought down the websites of government offices and institutions to prevent them from warning the people about an imminent invasion.

Ten months into the war, Ukraine has been holding up with arms and defense resource assistance from the United States and other members of the North Atlantic Treaty Organization (NATO). In the meantime, Russia under West-led sanctions has been struggling amid shortages, such as artillery. Russia is currently bombarding energy infrastructure in Ukraine to cause greater pain for civilians in winter.

Cyber warfare has become a crucial component in the Russia-Ukraine war. We have never seen such a methodical application of cyber warfare.

The war on cyberspace puts South Korea on alert in its confrontation with North Korea, a country with the world’s second or third best cyber war capabilities. As South Korea is arguably the world’s most connected society, heavily relying on internet and IT infrastructure, the country could suffer colossal damage if it does not fully ready itself against cyberattacks from North Korea.

Russia planned a three-staged hybrid war with Ukraine, starting with cyberattacks and a propaganda campaign before commencing full-scale combat operations. In the first stage, it destabilizes the administrative network through electronic intrusion and hacking. In the second stage, it spreads disinformation through manipulation of the IT network in Ukraine to demoralize the Ukrainian people. It then deploys troops and finishes the war as quickly as possible.

The cyberattack had three missions: first, disconnecting and crashing Ukraine’s power and telecommunications networks within 24 hours; second, making Ukraine’s judicial system dysfunctional to prevent law enforcement from arresting pro-Russian citizens or agents; third, disabling websites of the presidential office, the Joint Chiefs of Staff, the legislature and the cabinet to interfere with war operations. If North Korea invades South Korea, it can use such tactics nearly in the same way.

Russia planned the cyber operation meticulously. According to AO Kaspersky Lab, Russia planted a destructive malware called WhisperGate from Dec. 21 to 23 in 2021. Five days later, a similar data-wiping malware, called Hermetic Wiper, broke into systems in Ukraine.

On Jan. 13 this year, Russia spread WhisperGate to some networks of government offices in Ukraine. The attack spilled over from the following day. Government websites were manipulated. Mobile apps and bank ATM system crashed.

Russia’s advanced persistent threat (APT) even attacked foreign missions in Ukraine. By mid-February, Ukrainian bank and military websites came down from Russia’s denial-of-service (DDoS) bombardment. Russia has denied any involvement.

On Feb. 23 — a day before the war — a swarm of malware was unleashed to invade government, military, financial institution, airline and IT service networks. Texts with fake news were sent out to Ukrainian citizens. On the invasion day of Feb. 24, most websites of Ukrainian government networks came under ruthless hacking. Local media organizations and European government officials fell victims to DDos attacks and phishing campaign.

In mid-March, Russia hacked into a Ukraine TV channel to broadcast a statement claiming to be from Ukraine President Volodymyr Zelensky calling on the people to surrender and put down their arms. Chinese state media reported the news and came under suspicion of helping Moscow’s propaganda campaign.

But Ukraine did not easily give into the broad-scale cyberattack. The country learned lessons from Russia’s cyberattack in 2014, when it invaded Crimea. The Ukrainian government has since moved all sensitive data and servers to safe places.

The Ukrainian government also rounded up a voluntary digital army. Its hacktivists moved to attack the Russian government and institutions. They hacked the railway network system of Belarus, an ally of Russia, to impede the movement of Russian ground forces. The hackers went so far as to disrupt the telecommunications service of Russia’s Black Sea fleet and obtained sensitive files from Russia’s FSB security agency.

The U.S. and NATO backed Ukraine’s defense on the cyber front. The U.S. government offered a “cyber shelter” to protect Ukrainian websites facing DDoS attacks. The U.S. Defense Department responded to the request in just 15 minutes and installed defense software onto the Ukrainian police server within eight hours. Such quick assistance would not have been offered if Ukraine had not been thoroughly prepared.

Microsoft has been running an intelligence center for months to keep watch on contamination in Ukraine’s IT system. Poland, Estonia, the Netherlands among others dispatched rapid cyber response teams under NATO guidelines. SpaceX has been providing Starlink terminals to Ukraine to help normalize social media services based on the satellite network.

Global hacktivists like Anonymous also joined the cyberwar. After forming an alliance against Russia, they broke into 90 out of Russia’s 100 key databases to degrade Russia’s IT systems. The Russian cyberattack that seemed to be successful from the outset was not so successful. Moscow only invited a slew of counterattacks from Ukraine.

As its intelligence warfare flopped, Russia’s military operation also faced setbacks. Morale of Ukrainian military and civilians was uplifted. Russian tanks and armed vehicles were stopped in the face of strong resistance from Ukrainians in many part of the country.

What if South Korea comes under a full-scale cyberattack from North Korea? Kim Jong-un has likened cyber capabilities to an “all-purpose sword as effective as nuclear weapons.” His declaration means Pyongyang could deploy cyber artillery along with weapons of mass destruction like nuclear missiles against South Korea.

Pyongyang has actually attempted multiple hacking campaigns on the South Korean government, military, financial institutions, media organizations, defense firms and individuals since 2009. It is suspected of stealing cryptocurrencies to finance its weapons development. The country has been accused of theft of more than $600 million in digital assets this year alone.

The Yoon Suk-yeol administration and military authorities must strengthen national-level readiness against cyberwarfare. They must draw up detailed guidelines on dealing with mass-scale cyber provocations from North Korea. Cyber resilience should be enhanced to minimize damage. By learning from the Ukrainian experience, we must seek a closer alliance with the United States, Japan and others, not to mention forming a civilian cyber IT army.

Legal grounds must be set for national cybersecurity. Since the related decrees are presidential level, there is a limit to their execution. A private-public intelligence sharing system must be established to defend civilians effectively against cyber threats from North Korea. The commander of the Cyber Command in our military also must be elevated to three-star general level to enhance operational capabilities.