This interview took place in September 2022, at the latest AMTSO member meeting.
Alexander, thank you for making time today for this conversation. When Russia started its large-scale attack on Ukraine in February 2022, you told us that you had to leave your laboratory, which was located in Kharkiv, and literally had to run away from bombs. Where did you go, where are you now, and where did this situation take you at this point?
Like lots of people in Ukraine, we didn’t believe that Russia was going to manage to attack because it was completely pointless. But we were really surprised that it happened even though many intelligence agencies from the United States and the United Kingdom had this prediction.
We woke up on February 24th in the morning at around 5 AM from explosions and we saw explosions in the city skyline, so we figured out that the invasion had started. Then we stayed for some time in Kharkiv, and we saw buildings and objects being shelled in the city center by the Russian army. In particular, they used MLRS, or Multiple Launch Rocket Systems, which are quite dangerous. They are typically used to attack major collections of troops, artillery, military headquarters, or camps, but instead they were used against city objects. And it was quite dangerous because some rockets were unguided and they hit not only military objects or administrative buildings, but residential areas, just regular houses.
I feel like every Ukrainian has a lot of stories about how we’ve seen rockets hit buildings, or have friends or relatives that have gotten into danger from these attacks.
After this, we decided to leave, and unfortunately not all employees from my laboratory managed to leave to a safe place. One of my engineers was located in the Luhansk region at the front, and it turned out to be a frontline for a long time, and he was living in the basement with his family in their private house. They stayed in the basement for a long time, like several weeks. They had no electricity, no water supply, and very bad communication, because the only way you could use the phone was when you went outside to an open space like a hill, just to try and catch the base station signal – all to send a message. Fortunately, he managed to escape using one of the humanitarian corridors, so none of my employees got injured.
We continued operations, and one of my primary focuses nowadays is the analysis of Russian cyber weapons because as you’ve probably heard, the operations on land are what we call “kinetic war” accompanied by cyber operations.
There’s a really good report I would recommend reading by Microsoft where they draw the connection between cyber operations and the military’s operations on land. One type of cyber operations used by the Russians is cyber espionage, like getting access to surveillance cameras – because when they choose which city they’re going to enter, they want to get eyes on the street and see what’s going on. That’s why Russian hackers started getting access to all these web cameras, and of course they’re not well protected, sometimes without any access control.
Are these public cameras that are placed around the city that would normally be used to observe crimes?
Not exactly, these are cameras that are usually set up by private persons or by shops, like CCTVs. They are not set up by the police, so that’s why there’s little security attached to them.
Also, there were operations where the Russian intelligence services hacked into government institutions just to collect data about government officials, police officers, and military personnel. This way, when they occupy a territory, they can start checking people to see if they’re supporting the Ukrainian army or if they had served in a government institution or the police. Then they would call these people into a basement and start torturing them to get information about where the militaries are or ask if they know other people who support the Ukrainian army.
Because of this, what we call the “partisans’ movement” became very strong, because of course nobody in Ukraine wanted to be occupied by Russia. The Russians tried to suppress the Ukrainian citizens, so one by one they caught people who were then tortured and killed. You’ve probably heard about the Bucha massacre.
Have you changed your focus of work because of the war? NioGuard is active in malware research, cybersecurity research, and also testing. Have you started to refocus more on investigating threats related to the war, like activities of the Russian side?
I started doing that in 2014. I even managed to give a talk about the NotPetya attack by Sandworm, a military unit of the GRU, which is the military intelligence service of Russia. It was at VB2017 in Madrid, and at the same time there was a report from ESET where researchers Robert Lipovský and Anton Cherepanov presented a talk about Industroyer, a malware that was used to attack the Ukrainian power grid. Earlier this year (2022), there was an Industroyer2 attack that was recently reported at Black Hat in August 2022. The war has been ongoing since 2014 and the occupation of Crimea.
Russian military units, in particular Sandworm, mostly specialize in attacks against critical infrastructure, and Ukrainian defense agencies, such as CERT-UA, are trying to counteract this threat. But the good thing is that even though these attacks happened, the Ukrainian cyber defense organizations gained valuable experience and partnerships from them. A lot of partnerships were created between the government and antivirus vendors to counteract future attacks, and since then, not all attacks planned by Russian intelligence services have been successful.
So, do you help with mitigation of threats or do you instead focus on investigation?
Just investigation, because for mitigation you need to be on-site, and it’s restricted access to information and the security operations center. There is not only one center, but several, because security was one of the primary concerns since 2014. Even though there were no operations on land in terms of a kinetic war, during this time government organizations and website services have still experienced attacks by Russia.
From my personal experience I’ve seen a lot of spearphishing attacks and they were reported by CERT-UA. They have reported a lot of spearphishing attacks from FSB units, and they were uncovered by our SBU (the Security Service of Ukraine).
These spearphishing attacks originated from a Russian FSB hacking group in Crimea called Gamaredon. You might ask, why Crimea? Probably because they know the Ukrainian language, because in many attacks we have noticed that when they write a message in Ukrainian, it contains language mistakes. For example, in 2017, in many of these ransomware and wiper attacks, they were sending some messages in Ukrainian, but these messages contained mistakes, so we knew it was just people trying to pretend to be Ukrainian. By using Crimean officers, the spearphishing emails appear more authentic.
After the 24th of February, one could also see specific groups forming in Ukraine driving and promoting DDoS attacks. What’s your opinion about these attacks against Russia? Is this their right to shoot back?
In Ukraine, some groups have formed, for example, what we call the “IT Army”: a voluntary community of Ukrainian IT specialists created by the Ministry of Digital Transformation of Ukraine. So, I think their attacks against Russia are ok. In the cybersecurity community we do question the efficiency and quality of those attacks, but in general I would say that it’s a positive. It is a positive because this helped to unite many IT professionals even though they only perform basic DDoS attacks against Russian services, but this can be seen as quite powerful in terms of informational and psychological operations.
And so when, for example, some financial services break down in Russia, people start panicking or withdrawing money from their bank accounts. These attacks are trying to make Russian citizens worry about the war, because we know that Russian propaganda makes a tremendous effort to control what their people know about the war. A lot of people there just think “Oh, it’s a foreign conflict and we’re just liberating the people over there in Ukraine, so everything is fine.” So, when they see or have problems accessing online services in Russia, they start thinking “OK, what is going on? Is this happening because of what’s going on in Ukraine?” This might help to wake them up and see that all of this is just about one person: Putin.
So where are you and your laboratory now located?
So, my engineers are still in Ukraine, they’ve just moved to safer places. My home university (Kharkiv National University of Radio Electronics) in Ukraine was evacuated because it is located in Kharkiv, close to the frontline. The rector of the university signed a directive that all employees should evacuate because schools, kindergartens, universities, and sports facilities are primary targets for the Russian bombs.
Some of my colleagues have moved to other parts of Ukraine, but I decided to move to the partner university (BTH) located in Sweden. I’ve been working for more than 10 years with this university and we’ve had a lot of joint projects financed by the EU, like Erasmus+. We started our collaboration around 2011 and we have educational projects like this continuously going.
The primary focus of these projects is to further develop the Cybersecurity Master’s program. We participate in consortiums with other European and Ukrainian universities. It’s a massive cybersecurity program that includes many cybersecurity courses, such as Malware Analysis, Digital Forensics, Web Security, Security for Critical Infrastructure, and many others. Now I’m mostly focused on analysis of cyber weapons because it can be used not only against Ukraine, but it’s a threat for all other countries as well.
How does the decentralized work structure for NioGuard work?
You know, we had this experience with Covid-19. It was positive in a way because it gave us preparation. All education institutions in Ukraine have now moved to distance-learning mode. I still continue giving lectures remotely in my home university, Kharkiv National University of Radio Electronics. Even my son continues studying in his home Ukrainian school, it’s just gone online. I think it’s really great that even when we have this catastrophe we can just switch to online and that’s really cool.
I find the distance-learning mode to be a very useful and very convenient way to share information, for example, I started recording videos, not only academic courses, but more like public videos on YouTube. The videos on my channel are available in English and Ukrainian. Currently, I’m a bit ahead in my Ukrainian videos, but recently I started a video on cyber weapons in English. It’s public for everyone and I think it’s a great way to share information about threats, how to discover them, how to mitigate, and how to build defensive solutions.
So now let’s talk about anti-malware testing and AMTSO. Do you still do anti-malware testing, is it still part of NioGuard’s mission?
Yeah, we do it, but we’re not doing public testing with many vendors, because we tried doing a couple of these tests and it turned out to be not very welcome from the vendors’ side, so we just do it on vendors’ demand.
For example, we’ve had a vendor reach out to us who just wanted to have a comparison with another anti-malware solution. The problem we encountered was that when you do simple tests, like file detection tests, and all participants get a 99% score and everything’s perfect, then they are willing to pay and agree to be part of the test. But if you create something advanced, like a behavior-based detection test or complex attack scenarios (like a MITRE evaluation project), the vendors don’t always get an A mark in scoring. When the vendor sees that their product got something like 50% detection, which I think is rather OK for complex tests, they say “No, we don’t want to be involved or included in this test because it’s going to affect our sales.”
So, the next time they would even say “I’m not interested, I’m not participating”?
Yes, exactly, that’s why we moved to private testing. We don’t do comparative testing anymore, at least at this moment. We focus on a specific product for a specific vendor and then they ask us to test it. We know that the technology we’ve designed is quite sophisticated for test scenarios. We can uncover weaknesses in their products, and then vendors can have a better picture about where the weak points in their products are. It works better in the private area rather than the public area and comparative testing.
Who is your primary target audience for tests?
Because we don’t do public tests, our focus and primary audience is on development teams. We get their product, then we test it and deliver results, and then we say to them, “OK you need to develop and improve your algorithm here because it misses a threat here.”
What value does AMTSO bring to you?
It’s a really great community that engages almost all security vendors. I think it’s a good place for discussion, knowledge exchange, and for potential collaboration. I find it valuable as a community where you can get new ideas for tests and I’m currently following the Testing Town Hall talks by my colleagues. For example, Simon Edwards from SE Labs is doing quite interesting tests. We also have regular meetings and workshops where members do presentations and it’s really interesting and you can see new technologies in anti-malware defense and testing approaches. When you see new published tests, sometimes it’s hard to see behind the scenes of that particular test, but when it’s presented at AMTSO, it’s given more clarity and insight.
What is the future for you and NioGuard? Any new projects on the horizon?
There are always new projects, but for now we are focusing on R&D, because I’m teaching at the university and am involved in scientific activities and research. So, we try to conduct research using artificial intelligence to test and create POCs (proofs of concept) for defense solutions.
Also, a big part of my personal work is creating additional content and programs in cybersecurity. Now I’m living in Sweden and working on a project called PROMIS, which is funded by the Swedish government. It’s interesting because there is a challenge in the professional area and requests from the industry to share knowledge not only with master students, but engineers who are already employed. Even though they graduated, there are still knowledge gaps because their program might have only specified in one track, like software development, so they might not have as much experience with cybersecurity.
We have software developers in the industry who have a lack of knowledge in cybersecurity, and that’s what we’re trying to address. We created these courses for master’s students but also professionals so we give an advanced level of information. I just completed a new version of the Malware Analysis course, a long-term project which started in 2019, and this year we started teaching this course under the name Security of Critical Infrastructure.
In light of this course, I’ve obtained very valuable experience and knowledge from the analysis of Russian cyber weapons. Now, even outside of the war, I can give several examples of when Russian hacking groups were involved with attacking critical infrastructure, like the ransomware groups who attacked the Colonial Pipeline or Garmin. Those were all attributed to Russian hacking groups like DarkSide and REvil.
Even though it’s driven by financial motives, these attacks are still a threat for any critical infrastructure. You might have noticed that when the Colonial Pipeline was attacked, although the company was able to shut down its computers and the hackers couldn’t proliferate their malware, it still started a fuel crisis in America. Even though the result was just long queues to fill up on gas, in the light of war, these consequences can be even more harsh.
These attacks are financially motivated, but maybe it’s a little bit of practice for these groups to see what can happen and see how much impact they can have. Then they can use this experience to attack again during wartime?
This is what happened in 2017 when NotPetya was delivered and some victims even gave money to the hackers.
Regarding NotPetya, back then it was first targeting Ukrainian targets but then it spread quickly to other targets in Europe, do you think that was or wasn’t intended?
I would say that this is one of the statements I’ll be making in my VB presentation in several days. But I would say that the hackers didn’t care about their European targets, only Ukrainian. If you compare NotPetya and Stuxnet, Stuxnet was very targeted and since the “Olympic Games” project was started in 2005, it took at least three years to develop this malware. They created a functionality that allowed Stuxnet to recognize what kind of operating system the target runs when they infected it, and it was able to propagate without any restrictions, so that’s why it escaped from one of the suppliers and proliferated through the internet.
Stuxnet first detected if the computer’s Windows Server had Persian localization and, second, recognized if the target had a specific version of a SCADA server from Siemens, and only then did Stuxnet activate the payload. Then, it connected to PLCs, reprogrammed them, and increased the rotation frequency for gas centrifuges, so it was pretty targeted.
The interesting thing was that if you were a regular user but not in Iran, even if you got infected with Stuxnet, it did no harm to your computer. It specifically targeted SCADA servers in Iran.
I would say that’s also one of the characteristics of Russian cyber weapons: they’re not well developed, which may lead to uncontrolled distribution. Even though some attacks are targeted, for example, NotPetya or AcidRain (again created by Sandworm to break satellites) are not controlled in where they go and, as a result, they infect IT/OT systems in the rest of Europe as well. And that’s why I think it’s important to analyze and share information about these kinds of threats and think about defense against such types of cyber weapons.
All of this shows that we are one world, right? Because this is affecting all of us potentially.
That’s correct. In Ukraine, we have six power plants, and currently one is under physical control of the Russians and so my major concern is if they create some kind of NotPetya that’s going to affect security servers of nuclear power plants, it’s going to lead to some kind of thing similar to Chernobyl.
Fortunately, it hasn’t happened so far, because everyone understands how dangerous it can be, but it could be done by mistake because they could run a wiper that’s out of control and could spread, and this type of attack is especially dangerous.
That’s why we need to study, report, and talk about cyber defense.
Thank you Alex, for all the work you do!