April 24, 2014

Nowadays information has a very serious impact on society, especially in extreme situations. One of the best examples is the latest events on the territory of Ukraine. While the war started on the ground, the aggression was also felt on the virtual battlefields. Sure, the digital war is not as devastating as the one going on in the streets, but it also plays a vital role in the war itself. Disinformation, hacker attacks and so-called trolling not only affect servers and sites directly by overloading and disabling them for a certain period of time, but also fire up the aggression between people with different thoughts and political beliefs.

The digital war is not new, but it showed its full force during the events on Maidan and the current situation in Crimea and the Eastern regions. Russian and pro-Russian groups do their best to disable all the information sources that are interested in providing people with adequate and truthful information. Instead, they share false facts about various events, misinform people and involve them in trolling conversations. Not only does this not lead to any solution or cooperation between the two sides, it also increases the trolling impact on the site and people.

Why Russian hackers are better?
During the events on Maidan and the Russian invasion of the territory of Ukraine, the Ukrainian government proved that it was not ready for such a serious flow of cyber attacks. After all, Russian resources, in all senses, are better than Ukrainian ones, and here are a few reasons for that:
- Russia has more human resources than Ukraine. It may sound like a simple reason but it plays a very important role in the digital war. Russian hackers surpass Ukrainian ones in every sense, including quantity and quality. Also, the human resources involved in the digital war do not have to be professional hackers.
Instead, they can be used for trolling purposes to destabilize patriotic feelings, misinform people and load sites with useless, aggressive and offensive content.
- Russian special digital forces are better prepared than Ukrainian ones. Russian special forces, the Main Intelligence Directorate in particular, have been training professionals for years. The Russian government invests billions in the military sphere, and information warfare is a part of the investment program. Russian hackers are trained better, they have better equipment and are supported by the government in all possible ways. And if the Russian special forces are low on hackers, they can always get more by recruiting them with money or by using compromising materials to blackmail them.
- Russia works on all fronts. Together with the Russian hackers, Russian secret services also recruit Ukrainian IT specialists who are motivated by beliefs, money or threats. The trick is that a lot of people in the Eastern and Southern regions hold pro-Russian beliefs and are ready to help. Besides, this opens a breach in the security system when Ukrainian portals block foreign traffic: working from Ukraine allows access to Ukrainian sites without any problems.

Why Russian hackers' attacks succeed.
One of the main reasons why Russian hackers are so successful in their tasks is that the Ukrainian government, as well as the forces responsible for digital protection, are very weak. While Russian digital protection has been evolving since the late 90s of the 20th century, after numerous attacks on Russian banks, the Ukrainian government was not interested in doing the same, mostly because of bad economic conditions but also because back then it did not seem like a real threat. Though, as the recent Russian hacker attacks showed, information protection is vitally important.
One of the best examples was the attack on the official site of the Ministry of Internal Affairs on November 31, 2013, just when Berkut attacked peaceful protesters on Maidan for the first time. It was a quick response from Ukrainian hackers, who attacked the site to show the government that they were ready to resist it on all levels, including the digital one. The Ukrainian hacker community took full responsibility and said that they would not stop at this attack. In the official message they mentioned that “Now it’s time to show your protest on the web. We are talking about things that already have been done by many of us. And yes, I mean DDoS attacks on sites of our enemies from the government.”

If a number of hackers can take down the whole site of the Ministry in less than a day, it means that the system has to be very vulnerable or that the people whose job is to protect the site are not good enough to do that right. Yes, these attacks were performed by Ukrainian hackers, but if Ukrainians managed to do that, we can only imagine how tough it would be if the Russian hackers started attacking administrative sites.

The problem of system vulnerability leads us to the other weak element of the system: the lack of quality specialists. The answer to this problem is really simple: money. The money the Ukrainian government offers for being a computer specialist is simply ridiculous. Working for an international company or as a freelancer, a person has much better chances to earn more and live better. So, only really enthusiastic or really incompetent people can be expected to work for the system. Anyone else would prefer to hack sites for great money than to protect them from hackers’ attacks. Sure, it does not mean that there are no competent people who work for the Ministry of Defense or the Ministry of Internal Affairs, but the problem is that they simply can’t cope with the tasks given, especially when we talk about major attacks from the outside.
The question of money and prospects also creates another hole in the digital defense. If money is the only motivation, a person, be it a Russian or Ukrainian citizen, will more likely start working for the side that pays more. In this case, the Russian FSB.

The chronology of Russian digital war: Maidan period.
Sure, internet trolling has been on the web for years, but it started growing rapidly together with the Maidan events. One of the main aims of digital wars is to disable the enemy and flood the web with misinformation. Independent Ukrainian sites and channels like Hromadske, Espreso TV, 5 Channel or Ukrains’ka Pravda have been known for providing quality content from the Maidan events. Since police forces, including Berkut, were not interested in letting journalists behind their lines to cover the news from both sides, most of the channels were forced to cover the events from the side of the protesters. This argument was used against them, meaning that these are pro-USA channels and that they are not telling the truth.

Together with the heavy trolling activity, Russian hackers started powerful DDoS attacks on Ukrainian information sites, and not only on them. These attacks began days before the first attack on peaceful protesters on Maidan and continue to this day. The first ones to suffer were:
- Ukrains’ka Pravda, November 24-25: DDoS attack;
- Hromadske.tv, November 26: they confirmed information that their site was being stormed by a DDoS attack at 20 Gbit;
- Censor.net, November 26: hackers broke in and wiped all information on the site.

Also, during that period, lots of social network accounts of famous people like Klychko, Sarhan (Lucenko’s spokeswoman) and Soroka (Tymoshenko’s spokeswoman) were hacked. Later on a few more Ukrainian news sites joined the list of portals that were attacked by Russian hackers. In most cases these were DDoS attacks.
- 5 Channel News, December 07: 5 Channel news authorities confirmed that their site had been under hackers’ attacks since December 30 but hackers managed to totally take it down only on January 07. “At first they used bots on infected computers, who physically were located abroad. In order to make the site work, our administrators started blocking foreign traffic. After that hackers started using intellectual resources that changed hacking tactics constantly. Attacks were the worst on December 6,” said 5 Channel.
- Official site of the Greek Catholic Church in Ukraine, January 16: they confirmed that their site was stormed with DDoS attacks. “6 000 simultaneous connections,” said Yaciv. They think it was all because of the service they gave in one of the tents on Euromaidan.
- Maidan.ua.org, January 09: the servers of the site were stormed with DDoS attacks on the night of January 9. Site administrators think that this particular attack was connected with the All-Ukrainian Euromaidan Forum that took place in Kharkiv. All information about the forum was on the servers of the site.
- Espreso.TV, January 28: the site servers were stormed with DDoS attacks. This all started at around 10 AM, when the Verkhovna Rada of Ukraine was supposed to open its session. According to the founder of the site, Kolodko, “this was the first time for 4 years we had such a problem.”

By all means, it does not mean that after these DDoS attacks everything went fine later on. These are just reported to be the most powerful and dangerous DDoS attacks, which almost took down the sites. As you can see, all the sites are somehow connected with pro-Ukrainian beliefs. Most of the channels broadcast live from the Maidan barricades and from the hottest parts of the clashes between police and protesters.

How Ukrainians fight Russian hackers and trolls.
Sometimes it is not easy to survive a DDoS attack, and if the problem requires a rapid solution, site owners move their activity to social networks until the site is revived. This might not be the best idea, but when it is impossible to fight back and you know for sure that the site will be down in a few minutes, moving your activity to social networks can save the situation. Lots of sites, including Maidan.ua.org, did that to be able to provide people with fresh information. Of course, this won’t last forever, but when the choice is between stopping work and continuing to work with some issues, you usually pick the second one.

Unfortunately, moving to social networks alone won’t save the situation, and it is important to be ready for everything. Technically, there are two circles of digital defense in Ukraine. One of them is official and, of course, is interested in protecting official sites only. The other one is a community-based circle and is not only interested in protecting public sites but also has more aggressive intentions. One of the biggest issues is that these two do not work together the way they should.

Circle 1: The Security Service of Ukraine, Cybernetic Protection Department.
Unfortunately, this unit is not effective at all and can only manage minor attacks. As was mentioned before, one of the main reasons is that the IT personnel are not qualified enough to resist heavy hacker attacks, including DDoS ones. Also, the lack of investment did its job, and currently the unit is more nominal than practical. A great example is the attack on the site of the Main Prosecutor’s Office on April 9. It shows that even serious sites like this one are not protected enough.

Circle 2: Community groups and independent hacker organizations.
The biggest difference between the official cybernetic protection unit and community hackers is that the official IT staff is supposed to protect official sites only, while community groups have an opportunity to both protect community sites and fight back. Sometimes Ukrainian hacker communities team up for more productive defense and offense, but usually, when the threat is not that urgent, they work separately. So far there are two Ukrainian hacker groups that show pretty serious activity and continue doing their job even now.

Cyber Hundred. This hackers’ community was registered officially on Facebook on February 14. Their main function is to clear the Ukrainian web of trolls and to protect Ukrainian sites from Russian hackers’ attacks. They also teach people how to fight trolls, how to block bots and inappropriate users, and what to do in case of hacker attacks. At the same time, they claim to work only within the law.

Null Sector is another group of Ukrainian hackers, but unlike Cyber Hundred, they support somewhat more radical ways of fighting enemies. They propose to fight enemies with their own weapon and from time to time respond to Russian attackers with the very same DDoS attacks. Here’s the list of pro-Russian and Russian sites that might be stormed by the Null Sector in the near future: kpu.ua; sevastopol.su; kaskad-ua.ru; dikoepole.net; day.zp.ua; oper.ru; glagol.in.ua; ukraine2014.ru; predatel.net; 3rm.info; www.rada.crimea.ua; novoross.info; e-news.in.ua; vognebroda.net; vybor.ua; kv-journal.info; oplotclub.com; oplotmma.com; politikym.net; rusinform.net; imhoclub.lv; ungu.org; sevastopol.info. Null Sector officially registered their community on March 6, 2014 in response to Russian aggression in Crimea and the increasing number of hacker attacks on Ukrainian sites.

The activity of Ukrainian hackers.
Like all good hackers should do, Ukrainian IT professionals try to stay in the shadows and do not talk about their achievements and successful hacking operations. Though, Ukrainian media services did confirm a number of successful attacks on Russian and pro-Russian sites. Here are the best examples:
- “Ukrainskaya Pravda”, December 04, 2013: Ukrainskaya Pravda is a pro-Russian version of the popular Ukrainian site “Ukrains’ka Pravda”. They sound alike and very often mislead readers when they search for a reliable source of information. That was one of the first recorded attacks on a site of pro-Russian activists. The site itself shared lies about Maidan activists and very often described them in a very bad light. It was taken down with DDoS attacks.
- rg.ru, March 07, 2014: according to Russian sources, Cyber Hundred attacked the official Kremlin site rg.ru and disabled the servers. Hackers also left materials that criticized the Russian government and signed as Cyber Hundred. Though, the Cyber Hundred community itself says that this was not their work: “we are flattered with the words but that was not our work. We do not act outside the frames of law because attacks like these are illegal. Though, we have nothing against this kind of activity.”
- The official site of the Russian President and the Bank of Russia, March 14, 2014: heavy DDoS attacks on the official site of Russian President Putin and the official site of the Bank of Russia; for a few hours both sites were not working.
- Lenta.ru, March 14, 2014: one of the most popular Russian news portals was stormed with a DDoS attack. No one took responsibility for the attacks.
- State Duma, official site, April 10, 2014: the State Duma is the lower house of the Federal Assembly of Russia. Its official site was stormed with a DDoS attack. Ukrainian hackers broke into the site and posted anti-Russian information on the page regarding problems in the North and Far East.
They also signed this information as if it had been written by a member of the communist party, Kharytonov. Here’s a part of the message: “There will be a day when your country will crash down and you will be buried under its fragments. We will start killing you from the bushes, we will shoot you in the back, just the way you deserve it. We want everyone, who works in FSB (former KGB), courts and other gangs alike, to know that nothing will save you. […] the country is in ruins. Society is in ruins. Look around! People drink. The whole country is going down!”
- sevispolkom.info, April 3, 2014: hackers broke into the site of the Coordination Council of Sevastopol and uploaded information on the main page. According to the new message, people interested in getting Russian passports could call the short number 565 and receive information regarding Russian citizenship. However, 565 is the short number that collects 5 UAH from every caller for the needs of the Ukrainian army.

Together with the hacking activity, Ukrainian IT specialists try to involve people in resisting trolls. They encourage them to block trolls on the web, kick them from sites and pro-Ukrainian groups, and so on. Also, hackers do their best to get inside pro-Russian communities in order to get detailed information on people involved in separatist actions and to reveal information on some actions. But so do the Russians.

How Russians Attack Ukrainian Sites.
By all means, Russian professional hackers act discreetly. Their main advantage is in heavy human resources and better equipment. Together with independent and enthusiastic hackers, who form groups or organize solo attacks, there are groups that are supported by the government. The GRU GSH VS RF (General HQ of the Military Forces Main Intelligence Directorate of Russian Federation) and the FSB are responsible for recruiting IT professionals for successful attacks on Ukrainian sites.
They use different methods to make the system work, starting with simple recruiting on the web and going up to blackmailing people. Both methods work perfectly well. Also, disinformation groups are interested in trolls, and in big quantities. Here’s how pro-Russian activists recruit trolls on one of the job-related sites: “A PR agency (Ukraine) is looking for a commentator, blogger, preferably with the experience of writing comment and political articles on popular Ukrainian resources. We are ready to take students. This is a distance job, you will need to write around 20 decent comments a day about a certain political force.”

The pro-Russian propaganda has a very powerful center and it is very strong. Pretty much every pro-Ukrainian site that provides quality information about the situation in Ukraine and criticizes the Russian invasion is or soon will be attacked by Russian hackers. Even our site, ukraininvestigation.com, drew attention: Russian trolls started leaving aggressive comments on our YouTube channels and got us blocked on reddit.com.

Who is responsible for hacker attacks.
By all means, this is not a single group. Moreover, hacker and trolling groups, as well as solo activists, act on the territories of both countries, Russia and Ukraine. Most of them try to stay discreet, but there is a group that has officially acknowledged its activity.

Cyber Berkut. A hackers’ community that concentrates on blocking pro-Ukrainian sites and those sites that share information about Russian activity on the territory of Ukraine. On their official site and Vkontakte group they share misleading information about politicians, people involved in the events on Maidan, and so on. They also share plans about future attacks on sites. Most of the posts are written in an aggressive and threatening manner. Their most astonishing achievement was the attack on the NATO sites.
The activity of Cyber Berkut:
- Attack on NATO sites (http://ccdcoe.org ; http://nato.int ; http://nato-pa.int), March 16, 2014: NATO officials confirmed powerful DDoS attacks on their sites. NATO IT specialists managed to prevent the sites from being taken down and reported that the portals received no damage. Cyber Berkut took full responsibility and claimed that this was only a beginning.
- rtb.rv.ua, March 18, 2014: powerful DDoS attack on the official site of the Regional State TV Station in Rivne. They managed to recover their work only on March 26. According to TV station workers, Cyber Berkut have been pretty active lately.
- Attacks on the official sites of the Ministry of Internal Affairs and the Main Prosecutor’s Office, April 04, 2014: Cyber Berkut confirmed attacks on both sites and warned that this is only a beginning. They also demanded the release of the imprisoned Berkut soldiers.

The chronology of Russian digital war: Russian invasion period.
- ZIK.ua, March 18, 2014: heavy DDoS attack on the Ukrainian site. Beforehand, ZIK authorities received an email that notified them about the hackers’ attack. Some time after, ZIK.ua started receiving 70 000 requests a second. In order to fight the attack, ZIK admins were forced to set traffic limitations.
- RoadNews, April 09, 2014: the site went down completely on April 9, but it had been under attack during the whole time before that. For some reason, RoadNews appeared in the list of extremist sites that spread information about Putin in a “wrong light.”
- Official site of the Main Prosecutor’s Office, April 10, 2014: a powerful DDoS attack on the official site of the Main Prosecutor’s Office. It was down for a couple of hours. The attack was planned well and planned beforehand. Now the Main Prosecutor’s Office is looking for the hackers responsible for the attack.

On top of that, the Russian government pulls all possible strings and does its best to block Ukraine-related communities in social networks.
On March 1, 2014 the Russian Roskomnadzor (Federal Service for Supervision of Communications, Information Technology and Mass Media) forced Durov, now the former head of the Vkontakte social network, to close all Ukrainian groups that are somehow related to Maidan, Euromaidan, Right Sector and so on. Now those groups have migrated to Facebook. Also, on March 31 the Ukrainian internet community was expecting the first truly Ukrainian social network, weua.info, to start rolling, but it was stormed with DDoS attacks and the site administrators were forced to postpone the official launch. weua.info is a Ukrainian alternative to the popular Russian networks Vkontakte and Odnoklassniki. It was created for Ukrainians and is promised to become a decent substitute.

Fighting on Other Informational Fronts.
Together with the internet wars, Russian special forces try to isolate Ukrainians from Ukrainian TV channels and radio stations. They already jam signals in Crimea, and instead of Ukrainian channels the citizens of Crimea are watching Russian television which, by the way, is filled with pro-Russian propaganda and disinformation. The very same situation is found in the Eastern regions of Ukraine. Some of the providers are forced to broadcast Russian channels only by the armed forces of local self-defense and Russian soldiers; others do that voluntarily. No matter the reason, this has a very serious impact on people living in the areas, especially on those who still support Ukrainian unity.

One of the latest examples of media control is the capture of the local TV station in Slovyansk. Not only did separatists take control of the TV station, they also started broadcasting their own TV channel with pro-Russian information. The signal is powerful enough to misinform more than 500 000 people.
Russia won’t stop in Ukraine (Instead of conclusions)
Huntley, an expert in software questions from Google, warned the community about possible upcoming hacker attacks on 21 out of the 25 most popular information agencies in the world. In his message Huntley mentions “a certain country” that is in charge of all the hackers. “These attacks have been organized by hackers who are being supported by the government or act directly from the inside. As a part of hackers’ attacks, journalists received falsified letters,” said Huntley. He also added that the attacks are being performed regardless of the country location. Now Google services warn journalists about the attacks.

Reports claim that it was the Syrian Digital Army who attacked Forbes, the Financial Times and the New York Times journalists. Though, if the attacks are reported to be Syrian, it does not mean that they are really from this country. The attacks were performed by well-trained hackers with a strong coordination center. One of the main reasons for these attacks might be the strict policy against the Russian Federation from the Western side: “One of the most active answers on the latest sanctions coming from Europe and the USA will be cyber attacks. In Kremlin they will deny their connection with these attacks. […] The main aim of these attacks is to destabilize foreign medias and cause physical and financial loses in order to break the communication.”

(Source: UkraineInvestigation): http://tinyurl.com/kxhx44l