War is raging in cyberspace: the Ukraine conflict is also taking place here, in digital space. Recently, a large part of the IT landscape of a Ukrainian telephone company was hit. But other KRITIS systems and even IoT components are also being targeted.
It will soon be the second anniversary of the start of the Russian attack on Ukraine. In addition to the physical conflict, the war is also reaching new heights in cyberspace. For attackers acting on behalf of Russian interests, everything that belongs to critical infrastructure is of particular interest. But even outside the theatres of war, KRITIS operators are called upon to exercise the utmost caution.
The attackers had been preparing the Russian aggression in cyberspace long before the open military conflict began. Systems were infiltrated so that, for example, critical Ukrainian communication infrastructure could be switched off. Among other things, this led to the failure of the KA-Sat satellite network, which was also used by the Ukrainian military, just a few minutes after the attack on Ukraine. There have been repeated spillover effects, including the attack on the KA-Sat satellite network, which even affected wind turbines in Germany. The German BSI has long warned of the impact on German KRITIS systems.
Millions of Ukrainians without internet and telephone
New spectacular Russian attacks are currently attracting attention. Last month, for example, it became known that suspected Russian attackers had infiltrated the systems of Ukraine's largest mobile phone provider Kyivstar. They paralysed numerous central IT systems and caused a prolonged outage of the communications infrastructure. But that was just the tip of the iceberg.
It has since become known that the attackers had broken into the mobile phone provider's systems many months earlier. They had already taken control of the first important systems in May 2023. The Ukrainian secret service SBU attributes the attacks to the Russian hacker group Sandworm, which is considered an offshoot of the Russian secret service GRU. However, according to the news agency Reuters, the Killnet group has claimed responsibility online for the intrusion. For months, attackers had full control over Kyivstar's systems. The intruders also had extensive access to communication data, including personal information, text messages and contact details from messengers. This also included location information from mobile phones. However, the attackers were not only interested in data theft and espionage: they paralysed a large part of the Ukrainian telephone company's IT landscape, causing the mobile phone provider's telephone and internet connections to fail throughout the country. Millions of customers were affected.
Ukraine strikes back: telecommunications and airports shut down
A response to the Kyivstar attack was not long in coming. Ukrainian cyber activists, who are said to be linked to the Ukrainian secret service, targeted Russian telephone companies. They were successful with the Moscow provider M9 Telecom. According to Ukrainian information, they gained control of important IT systems there and captured 20 TByte of communication data. In addition, the internet connections of part of the Moscow population were paralysed.
Ukrainian hackers have already reported successes: cyber specialists from the ranks of the Ukrainian military are said to have paralysed the Russian ERP system 1C-Rarus. As a result, various Russian companies were unable to fully maintain their operations. The economic damage is said to be in the high millions. The same group had already hacked the Russian flight booking system in autumn. As a result, flight operations at several Russian airports are said to have come to a complete standstill. Ukrainian Digital Minister Mykhailo Fedorov commented on this with the words: "If Ukrainian airports cannot function due to the war, why should Russian airports?"