BOSTON (AP) – Russia’s relentless digital attacks on Ukraine may have done less damage than many anticipated. But most of the hacking is focused on another goal that receives less attention but has terrifying potential consequences: data collection.
Among the Ukrainian agencies breached on the eve of the February 24 invasion is the Interior Ministry, which oversees the police, national guard and border patrol. A month earlier, a national database of auto insurance policies was raided during a diversionary cyberattack that defaced Ukrainian websites.
The hacks, coupled with pre-war data theft, likely armed Russia with extensive details about much of Ukraine’s population, cybersecurity and military intelligence analysts say. It’s information Russia can use to identify and locate Ukrainians most likely to resist occupation, potentially targeting them for internment or worse.
“Fantastically useful information if you’re planning employment,” said Jack Watling, a military analyst at Britain’s Royal United Services Institute think tank, of the auto insurance data, “to know exactly what car everyone drives and where they live and so on.”
As the digital age advances, information dominance is increasingly being used for social control, as China has demonstrated in the oppression of the Uyghur minority. It came as no surprise to Ukrainian officials that a pre-war priority for Russia was compiling information on the citizenry.
“The idea was to kill or imprison these people in the early stages of the occupation,” claimed Victor Zhora, a senior Ukraine cyber-defense official.
Aggressive data gathering accelerated just before the invasion, with hackers serving the Russian military increasingly targeting individual Ukrainians, according to Zhora’s agency, the state Service for Special Communications and Information Protection.
Serhii Demediuk, deputy secretary of Ukraine’s National Security and Defense Council, said by email that personal data remains a priority for Russian hackers as they attempt more attacks on government networks: “Cyberwarfare is really in the heat these days.”
There is little doubt that political targeting is a goal. Ukraine says Russian forces have killed and kidnapped local leaders where they are grabbing territory.
Demediuk was short on details, but said Russian cyberattacks in mid-January and early in the invasion were primarily aimed at “destroying government agencies’ information systems and critical infrastructure,” including data theft.
The Ukrainian government says the Jan. 14 auto insurance hack led to the theft of up to 80% of Ukrainian policies registered with the Motor Transport Bureau.
Demediuk acknowledged that the Interior Ministry was among the government agencies breached on February 23. He said data was stolen, but wouldn’t say from which agencies, only that it “didn’t have any significant consequences, especially when it came to data on soldiers or volunteers.” Security researchers from ESET and other cybersecurity firms working with Ukraine said the networks were compromised months earlier, leaving ample time for clandestine theft.
Data collection through hacking has been going on for a long time.
A unit of Russia’s FSB secret service, dubbed Armageddon by researchers, has been doing this for years from Crimea, which Russia seized in 2014. Ukraine says the unit tried to infect more than 1,500 Ukrainian government computer systems.
Since October, it has attempted to breach and maintain access to government, military, judicial and law enforcement agencies, and nonprofit organizations, with the primary goal of “filtering out sensitive information,” Microsoft said in a Feb. 4 blog post. These included unnamed organizations “vital to the emergency response and ensuring the security of Ukrainian territory,” as well as the distribution of humanitarian aid.
After the invasion, hackers targeted European organizations helping Ukrainian refugees, according to Zhora and cybersecurity firm Proofpoint. Authorities have not specified which organizations or what may have been stolen.
Another attack, on April 1, paralyzed Ukraine’s National Call Center, which operates a hotline for complaints and inquiries on a variety of issues: corruption, domestic violence, people displaced by the invasion, benefits for war veterans. Used by hundreds of thousands of Ukrainians, it issues COVID-19 vaccine certificates and collects callers’ personal information, including emails, addresses, and phone numbers.
Adam Meyers, senior vice president of intelligence at cybersecurity firm CrowdStrike, believes the attack, like many others, could have psychological rather than intelligence implications — with the goal of eroding Ukrainians’ trust in their institutions.
“Frighten them that if the Russians take over, if they don’t cooperate, the Russians will know who they are, where they are and will come after them,” Meyers said.
The attack paralyzed the center for at least three days, said center director Marianna Vilshinska: “We couldn’t work. Neither phones nor chatbots worked. They broke the whole system down.”
Hackers calling themselves Cyber Army of Russia claimed to have stolen personal data of 7 million people in the attack. However, Vilshinska denied that they had breached the database of users’ personal information, while confirming that a contact list of more than 300 people working at the center, posted online by the hackers, was genuine.
Spear phishing attacks in recent weeks have focused on military, national and local officials with the goal of stealing credentials to open government files. Such activities depend heavily on Ukraine’s mobile networks, which, according to CrowdStrike’s Meyers, were far too information-rich for Russia to want to shut down.
On March 31, Ukraine’s SBU intelligence agency said it had seized a Russian-controlled “bot farm” in the eastern Dnipropetrovsk region that had sent text messages to 5,000 Ukrainian soldiers, police officers and SBU members urging them to surrender or to sabotage their units. Agency spokesman Artem Dekhtiarenko said authorities are investigating how the phone numbers were obtained.
Gene Yoo, CEO of cybersecurity firm ReSecurity, said it probably wouldn’t be difficult: Subscriber databases of major Ukrainian cellphone companies have been put up for sale by cybercriminals on the dark web for some time – as in many countries.
If Russia manages to take control of a larger part of eastern Ukraine, stolen personal data will be an asset. Russian occupiers have already collected passport information, a senior adviser to Ukraine’s president recently tweeted, that could help organize separatist referendums.
For its part, Ukraine – tacitly supported by the US, UK and other partners – appears to have conducted extensive data collection against Russian soldiers, spies and police officers, including extensive geolocation data.
Demediuk, the top security official, said the country knows “exactly where and when a particular soldier crossed the border into Ukraine, in which occupied settlement he stopped, in which building he spent the night, stole and committed crimes against our country.”
“We know their cell phone numbers, the names of their parents, wives, children, their home addresses,” who their neighbors are, where they went to school and the names of their teachers, he said.
Analysts warn that some claims about data collection from both sides of the conflict may be exaggerated.
But in recordings posted online by Ukraine’s digital transformation minister, Mikhailo Fedorov, callers can be heard phoning the faraway wives of Russian soldiers and posing as Russian state security officers to say that packages sent to them from Belarus were looted from Ukrainian homes.
In one, a nervous-sounding woman admits she’s received what she calls souvenirs—a woman’s bag, a bunch of keys.
The caller tells her that she shares criminal responsibility for her husband “killing people in Ukraine and stealing their belongings.”
She hangs up.
___
AP data journalist Larry Fenn in New York and Inna Verenytsia in Kyiv, Ukraine contributed to this report.