Ukraine ramps up cyber defences to slow surge in attacks


KYIV (BLOOMBERG) - With air raid sirens, bombings and occasional dislocations disrupting their lives, the stressed-out Ukrainians keeping the country's critical infrastructure running are dealing with yet another hazard: a sharp rise in cyberattacks.

To deal with the threat, Ukrainian authorities on April 5 certified government use of physical security keys, which are small portable devices that give an additional layer of security. Ukraine is now issuing the keys to as many government agencies as possible, said Mr Oleksandr Potii, deputy chief of the State Service of Special Communication and Information Protection.

The government wants "to push phishing-proof, password-less authentication solutions in Ukraine", he said. They have received some help from Yubico, a Palo Alto, California-based company that said it has donated 20,000 Yubikeys, and Hideez Group, a Herndon, Virginia-based cyber-security company that operates in Ukraine and is aiding with the logistics.

The assistance has come none too soon. Ukrainian workers at one state-owned company in the critical infrastructure sector are so stressed by war that many are forgetting their passwords and changing them to weak, easy-to-remember versions, according to the company's head of cyber security.

Attackers are also automating password attempts twice an hour to avoid triggering security shutdowns, and using old lists of leaked passwords and other techniques to harangue staff, the official said.

A western intelligence official told Bloomberg News it was much easier for hackers to go after people who run essential services than the equipment that underpins them, such as substations, telecommunication switches and others.

Engendering a stress response from their human targets is essential to the hackers' success, the official added, describing phishing as a personal attack rather than a technical one.

"It's about putting somebody into a heightened psychological state, so that they don't think rationally," said the official, explaining that even those trained not to click suspicious links that characterise phishing e-mails can make mistakes under duress.

Security keys are a method of additional authentication that relies on public-key cryptography, verifying a user's identity by checking information stored on a chip against online servers. They are less susceptible to compromise than usernames and passwords, which can be guessed by bots or stolen and sold on Dark Web forums.

Google, which also offers its own security keys, encourages their use for individuals and organisations at higher risk of targeted online attacks, such as elected officials, political campaigns, activists and journalists.

The keys are not without drawbacks, which include cost and the risk of losing them, cyber-security experts said. Yubico's donation of 20,000 keys has a retail value of US$1 million (S$1.4 million), as YubiKey devices cost roughly US$50 apiece. Other technology companies, including Microsoft and Alphabet's Google, have provided services to help with Ukraine's cyber defence.

In order to get security keys into the hands of employees, the Ukrainian government sped up what is normally a six-month certification process for the introduction of new government-wide cyber tools to just a few weeks.

Ukraine's government said last week that the country has suffered three times as many cyberattacks in the first month and a half of the war as during the same period last year. There have been 786,000 attempted hacks against the state-owned company since the start of the war, compared to 22,000 in all of 2021, according to the company's cyber-security head, who requested anonymity due to security concerns.

Ukrainian state-owned companies, military and intelligence services are among the beneficiaries of the effort, with about 10,000 keys distributed so far, said Mr Oleg Naumenko, chief executive officer and founder of Hideez.

Mr Naumenko, who founded Hideez in 2017 after he said his bank account was drained of funds, has previously distributed 10,000 security keys produced by his own company throughout Ukraine. But he said at the time the war started, on Feb 24, he had none left in his warehouse. He fled Kyiv after hiding in underground parking for the first six days of the war with his wife, teenage daughter and cat.

His company turned to Yubico for help. Within hours of receiving the request on March 4, Ms Stina Ehrensvard, chief executive officer and co-founder of Yubico, authorised the donation of 20,000 YubiKeys to the Ukrainian government.

"They are under an attack in both the physical and digital world," said Ms Ehrensvard. "The reality is in a war, you have to log into a lot of stuff."

Still, distributing the keys during a bloody and unpredictable conflict has proven difficult.

Mr Yuriy Ackermann, a Ukrainian who lives abroad and specialises in authentication, joined Hideez as a volunteer after Russia's invasion. He does not get paid but he did get a title: vice-president for war efforts.

He said they are relying on a patchwork of government mail services, private trusted drivers "and even friends just driving around" to distribute the keys.

Mr Naumenko said it was impossible to deliver keys to some regions in Ukraine due to the conflict. "Now the main need is with electricity suppliers and military agencies," he said, adding he assessed Ukraine's need at more than 100,000 keys.
