On Thursday 24 February 2022, coincidentally the same day as my sister’s birthday, Russia launched a comprehensive invasion of Ukraine. This attack followed weeks of Russian forces building up on the Russian-Ukrainian border amid dismissive rhetoric from Russia’s President, Vladimir Vladimirovich Putin, about a ‘special operations exercise’, and weeks of cyberwar attacks on critical digital infrastructure.
What made this war markedly different from any other war in history was its use of cyberwar as a precursor to the kinetic war that followed some 5 weeks later.
Russia launched a cyberwar offensive against Ukraine. Although the methods and attacks were nothing particularly new in their use and deployment, it was the sheer scale and debilitating nature of the attacks on over 70 Ukraine Government websites and infrastructure that caused chaos across many normal Ukraine Government channels.
Cyber Black Market
Attacks such as Man in the Middle (MiTM) and, no doubt, code injection to gain Domain Admin access and to achieve domain hijacking and takeover were witnessed. Such attacks are nothing particularly new; they closely followed the pattern seen in 2020, when SolarWinds suffered similar digital intrusions using near-identical methods with the same outcomes. It was the scale and audacity that was shocking and crippling.
What is more, it also heralded a major milestone: other Governments’ own basic security negligence left them highly exposed too. That thin red line had undoubtedly been crossed and would threaten every government and country globally. Unlike a warhead with a limited range, cyberattacks have no boundaries or limits, and due to security negligence, even gross negligence, every piece of critical infrastructure globally could be targeted and infiltrated.
The modus operandi had been established over the last two decades or more. However, although growing in frequency and scale, such attacks had, until now, been confined to cybercriminals looking to sell data to anyone willing to pay. This has created an entire black market cyber ecosystem, all the way up to and including zero days, for which no ‘fix’ is yet known or developed.
Just as in the Cold War, Russia had been taught well by their ‘opponents’, namely the United States of America. The US invested $billions of taxpayers’ money in its quest to ensure digital supremacy, knowing full well that whoever could control the digital world would indeed have a major advantage over the rest of the world, not only from a commercial but also from a military perspective. Warfare had now moved on from land, air and sea to include cyberwar; more on that later.
Error After Error
On 17 January 2022, Russia launched a bombardment of cyberattacks upon insecure Ukraine Government websites and infiltrated at least 70 of them. These included the Ukrainian military and even Ukraine’s cyber command centre. But how, and what was their desired outcome? To cause havoc and chaos and destabilize the entire country.
We had already commenced Threat Intelligence gathering on numerous Ukraine Government websites and had tried to inform the various people there, eventually getting to communicate directly with one of their third-party U.S. partners and alerting them to just some of the oversights and errors. On 18 January 2022, we exchanged genuinely concerning information on numerous Ukraine Government websites. One example was www.mfa.gov.ua, which is the Ministry of Defence for Ukraine and connected, as you would expect, to numerous other Government websites.
The MFA (Ministry of Foreign Affairs) Government website was displaying NOT SECURE text in the URL (Uniform Resource Locator) address bar due to a PKI (Public Key Infrastructure) error. This meant it was not only easily identified as being NOT SECURE, but it also confirmed that basic security was lacking and therefore that it could easily be abused, and it also confirmed that data was being sent to and from the server in plain text (unencrypted). I will explain more on this later; suffice it to say, the data was not encrypted due to the PKI issue, an expired and invalid Digital Certificate. We identified dozens of other Ukraine Government websites with the same errors, rendering them also NOT SECURE and exploitable.
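As an added illustration of the certificate error described above (example code written for this edition, not code from the book, from the Ukrainian Government or from its technical partners), the check below takes a certificate in the layout that Python’s `ssl.SSLSocket.getpeercert()` returns and reports why a browser would flag it: expired, not yet valid, or issued for a different hostname. The certificate dictionaries, hostnames and dates are constructed for the example; they are not the real www.mfa.gov.ua certificate.

```python
"""Certificate validity check on a getpeercert()-shaped dictionary.

Added example, not from the book. It answers the question a defender
asks when a site shows NOT SECURE: is the certificate outside its
validity window, or issued for the wrong name? Sample data below is
constructed for illustration only.
"""
import ssl
import time
from typing import Dict, List, Optional

# Constructed sample: a certificate that expired on 1 Jan 2022 (assumed dates).
EXPIRED_CERT: Dict = {
    "subject": ((("commonName", "www.example.gov.test"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Jan  1 00:00:00 2021 GMT",
    "notAfter": "Jan  1 00:00:00 2022 GMT",
    "subjectAltName": (("DNS", "www.example.gov.test"), ("DNS", "*.example.gov.test")),
}

# Constructed sample: the renewed certificate, valid from 16 Mar 2022 for a year.
RENEWED_CERT: Dict = {
    "subject": ((("commonName", "www.example.gov.test"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Mar 16 00:00:00 2022 GMT",
    "notAfter": "Mar 16 00:00:00 2023 GMT",
    "subjectAltName": (("DNS", "www.example.gov.test"),),
}


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS subjectAltName entry against a hostname.

    A leading '*.' wildcard covers exactly one DNS label, as browsers
    require; comparison is case-insensitive.
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".example.gov.test"
        head = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
        return bool(head) and "." not in head
    return pattern == hostname


def check_cert(cert: Dict, hostname: str, now: Optional[float] = None) -> List[str]:
    """Return the list of reasons the certificate is unacceptable for
    `hostname` at time `now` (seconds since the epoch, UTC). An empty
    list means the certificate passes these checks."""
    now = time.time() if now is None else now
    problems: List[str] = []
    # ssl.cert_time_to_seconds parses the "Jan  1 00:00:00 2022 GMT" format
    # used by getpeercert() and returns a UTC epoch timestamp.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("not yet valid")
    if now > not_after:
        days = int((now - not_after) // 86400)
        problems.append(f"expired {days} day(s) ago")
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_name_matches(san, hostname) for san in sans):
        problems.append(f"hostname {hostname!r} not covered by subjectAltName {sans}")
    return problems


def expiry_days_left(cert: Dict, now: Optional[float] = None) -> int:
    """Whole days until notAfter; negative once the certificate has expired.
    Useful as a monitoring threshold so renewal happens before the NOT
    SECURE warning ever appears."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


if __name__ == "__main__":
    # 18 Jan 2022 00:00 UTC (the day the book says the error was reported)
    # and 16 Mar 2022 00:00 UTC (the day it says the certificate was fixed).
    for label, cert, when in (("before fix", EXPIRED_CERT, 1642464000),
                              ("after fix", RENEWED_CERT, 1647388800)):
        issues = check_cert(cert, "www.example.gov.test", now=when)
        status = "OK" if not issues else "NOT SECURE: " + "; ".join(issues)
        print(f"{label}: {status} ({expiry_days_left(cert, when)} days to expiry)")
```

This check is for certificates you already hold or have collected, such as an inventory of your own domains: a default `ssl.create_default_context()` handshake refuses an expired or mismatched certificate before `getpeercert()` ever returns anything, so live monitoring normally catches the failure at the handshake and then inspects the certificate with a function like this to report the cause.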
As we start peeling back the layers, you will hear the term ‘Defence in Depth’ quite a lot, and it means exactly that: you cannot, or certainly should not, rely on a single secure position, but on multiple. In terms of defence, Ukraine’s Government and their technical partners failed at the most basic level of security, that of Perimeter Defence, by making errors that nullify all other levels of security no matter how complex they are or how many $millions or even $billions were spent on them; when these errors are made, that spend is wasted.
Such basic security errors, as happened to SolarWinds in 2020, mean that once infiltrated, nobody can see or notice the intruders, as metaphorically the enemy are now masquerading as one of the internal team by wearing the same uniform. These basic security errors are not confined to the visible PKI errors, invalid Digital Certificates that cause the NOT SECURE text to be displayed on the website, but also extend to the Domain Name System (DNS), which is where the content is handed off to a Content Delivery Network (CDN) to distribute that data, globally if required. It is imperative that this is also SECURE.
In the case of the Ukraine Government websites that were successfully attacked as part of the Russian cyberwar offensive, a precursor to the kinetic war, they were not only NOT SECURE for the world to see, but their SIDE and BACK DOORS were also wide open, enabling and even facilitating infiltration unbeknown to everyone until the attack became known some time later. That is, of course, unless it was planned.
It is not beyond the realms of possibility that this cyberwar was months, even years, in the planning as part of Russia’s overall reconnaissance to identify insecure digital targets. We have identified insecure positions dating from at least August 2019 that would have enabled ‘Sleeper Digital Plants and Cells’ to be implanted, ready for activity. It is also not beyond the realms of possibility that data was being captured, controlled and amended for several years due to these basic security errors.
Exposed In The Shadows
As I write this preface on 23 March 2022, the basic security errors are STILL in place, and the U.S. tech third party insists on going via attorneys instead of engaging directly to address their security oversights and gross negligence. Do they have something to hide? Quite possibly. Are they complicit by being complacent? We cannot speculate at this point; all we can confirm is that the Ukrainian Government and thousands of other organizations are highly exposed due to these basic security errors.
I can confirm that, finally, on 16 March 2022 at 00:00 UTC, Ukraine’s website www.mfa.gov.ua had a valid Digital Certificate placed upon it. This is some 8 weeks after we first informed them of the basic security error. However, the DNS is still completely exposed. This situation, as mentioned, nullifies all other security measures, including this Digital Certificate.
On Wednesday 26 January 2022, The White House released its paper titled ‘Moving the US Government to a Zero Trust Model’. It is an extremely useful and insightful document; it was published only 9 days after the Russian cyberwar attacks upon Ukraine commenced, and it cites DNS no less than 47 times. A coincidence? With years of experience we have become a tad battle hardened, and we rarely subscribe to coincidences in the cybersecurity world.
The ongoing Ukraine cyberwar and war, both currently raging, have seen the exodus of millions of Ukrainian citizens, predominantly women and children, as men under 60 are forced to stay and fight. The war has so far claimed the needless loss of tens of thousands of lives on both the Russian and Ukrainian sides, with predicted losses of as many as 1 million people due to the war and the lack of food and water. No matter how this war started or who is culpable, time will show that basic security measures aided, even facilitated, this war and marked the beginning of what we all hope does not escalate to become a chemical or even nuclear war.
I would personally like to applaud the citizens of Ukraine for their courage and determination. The fact that far too many leaders of the world have allowed such a situation to manifest itself is an utter disgrace, and eventually those responsible MUST be held to account.
Together, We’re Stronger
“Digital Blood On Their Hands” fills in the blanks. It will inform and enlighten everyone on how we got here, where we will hopefully go, and what we need to do to alter the destructive course we are currently on. You will no doubt have heard the phrase ‘I hope it was not all in vain’. I truly hope that, by my bringing the real world of clandestine cyberwar and cyberattacks into the open, it will be discussed and addressed not just by ignorant politicians looking to achieve their next vote, who manipulate their view of the world and vastly increase their personal bank balances, but in a way that serves the citizens of the world congruently and as a collective. Less me, and more of us.
Governments and the Intelligence Community, including the Alphabet Agencies, are at a major crossroads. Do they continue manipulating the cyber realm without any defense, focussing purely on offense, the same offensive capabilities we are witnessing against Ukraine and now Russia, or do we start taking security, and basic security in particular, seriously?
We have frequently been marginalized because of our views, beliefs and knowledge. These are often considered ‘dirty little secrets’ that are best left unsaid for fear of reprisals against politicians or tech giants signing the next multi-$billion deal, which provides no more security and, instead of mitigating, adds to the already woefully exposed positions. Smoke, mirrors and sleight of hand are being used by Wall Street to build security unicorns, not to better protect the citizens of the world, but to line their bulging, dirty pockets further.
Personally, I am sick to my stomach of the tech giant forcing our hand to use attorneys, as literally thousands upon thousands of people are dying, either directly or indirectly, quite possibly due to their errors. The title of this book, “Digital Blood On Their Hands”, could not be more apt.