KIEV, Ukraine — Michail Fiodorov thought he had everything under control. Months before Ukrainians were set to go to the polls to elect their next president, the 28-year-old campaign manager had his staff trained, robust security practices in place, and servers he’d sourced in the U.S. to prevent hackers from taking them down.
But all that preparation was erased within minutes of launching the website for his boss, comedian turned surprise front-runner Volodymyr Zelensky. Before Zelensky could even tweet a link to the site, a cyberattack overwhelmed the website’s servers with 5 million simultaneous requests, knocking all operations offline.
Nearly three months later, and with Sunday’s election looming, Zelensky leads in almost all the polls, despite what Fiodorov says has been a near-constant bombardment of cyberattacks and disinformation.
“From the first day of the campaign, we have been under attack,” Fiodorov told VICE News this week.
The type of attack that knocked Zelensky’s website offline — known as a distributed denial-of-service, or DDoS, attack — is relatively rudimentary, but the scale of this one was so big and would have cost so much that the hackers must have had significant resources. Fiodorov wouldn’t name names, but experts said there was only one credible perpetrator: Moscow.
Since Russia’s annexation of Crimea in 2014, Moscow has used Ukraine as a laboratory for its increasingly aggressive cyber-army, attacking the country’s electrical grids and disrupting its businesses, costing billions of dollars worldwide. And as Ukrainians head to the polls this weekend, their country’s electoral systems are being bombarded at rates not seen elsewhere, officials from Ukraine, Europe and the U.S. told VICE News. More concerning, they said, is that hackers are now trying to penetrate the country’s critical national infrastructure in an effort to sow chaos and confusion around Sunday’s election.
“Some critical infrastructure has been attacked in recent weeks,” said Roman Boyarchuk, the head of Ukraine’s Cyber Protection Centre. He wouldn’t say which systems were under attack, but he offered a cryptic warning ahead of the vote: “The very worst situation is that we don’t know that they have access.”
Ukrainian officials like Boyarchuk aren’t the only ones worried about what happens here over the next few days. European and U.S. officials are also paying close attention, fearing Ukraine may be a prelude to this May’s European Parliament elections and the U.S. presidential election in 2020.
“Everyone sees Ukraine as the testing ground for what is going to hit the West next from Russia,” Laura Galante, a cybersecurity analyst at the Atlantic Council, told VICE News.
HACKING THE RESULTS
Except for the few shivering supporters handing out leaflets for presidential contender and former Prime Minister Yulia Tymoshenko, Kiev on Wednesday bore few visible signs of a pending election. But just outside the city center in Ukraine’s Central Electoral Commission (CEC), a tall, imposing building that looks like a Soviet-era skyscraper turned on its side, hundreds of employees were working around-the-clock to ensure the integrity of the electoral process.
Victor Zhora, who leads a team helping protect the CEC’s network, sat at his desk worrying that hackers will attack the systems that will deliver the early results of Sunday’s vote.
“The threat of cyberattacks is big, and we need only look back to 2014 when Ukraine was the first country to suffer cyberattacks on its election systems,” Zhora, co-founder of cybersecurity firm Infosafe, told VICE News. “Thank God we have an election system which gathers official results with the use of paper ballots.”
He’s right to be worried: Experts began to notice the spike in attacks last December, when waves of phishing emails were sent to employees of government agencies, enticing them to click on Christmas greeting cards, shopping invitations, and software updates — the same method used to trick Hillary Clinton’s campaign manager, John Podesta, into giving up his email credentials. Last week, the Ukrainian cyber police reported that an email designed to look like it was coming from Interior Minister Arsen Avakov in support of a specific candidate was created in Russia on March 21.
It’s unclear how many of these attacks have been successful, but if even a single one succeeded in tricking their victims into downloading malware, it could have huge consequences for the election.
“If someone’s phishing attack was successful in December and they got access to the network, then three and a half months is enough time to be able to get to the point to be able to launch a larger attack or monitor what is going on inside networks,” Oleh Derevianko, a cybersecurity expert whose company is helping defend Ukraine’s election infrastructure, told VICE News.
The election-results systems overseen by the CEC are a particular area of concern. Earlier this month, the Ukrainian cyber police said they had observed attempts by Russian hackers to “test” the CEC website and obtain information about its internal network. In February, incumbent President Petro Poroshenko blamed Russia for a distributed denial-of-service attack on the CEC server, while the Security Service of Ukraine (SBU) reported that Russian hackers were attempting to uncover information about the communications network used for reporting election results, including how long it would take to recover from an attack.
Zhora knows how porous Ukraine’s election systems can be, but he says the CEC has made sure that each stage of this process has been reviewed and hardened to the point where he’s confident that it is close to impossible for hackers to infiltrate. Now, ironically, he fears that shoring up his end of things may ultimately lead hackers to go after bigger targets instead.
“We can predict a situation where an attack could be conducted on the infrastructure of the whole country, instead of attacking this election system, just to bring chaos,” Zhora said.
And that is exactly what appears to be happening. In February, the attack volume rose 30 percent compared to January, Boyarchuk said. Every week since December, up to 8,000 targeted phishing emails have been sent. Last month alone, Boyarchuk’s team faced 25,000 brute force attacks — which bombard systems with username/password combinations to try to guess the right one to gain access to Ukraine’s networks. Another 30,000 attacks sought to harvest potentially valuable information. On top of that, Ukrainian officials have recorded up to 50 high-intensity DDoS attacks — similar to the one that knocked Zelensky’s campaign website offline.
As the election approaches, the volume of attacks has actually started to decrease, he said, which only worried him more.
“The regular, or what I call background-type of attack, are decreasing because they have enough preliminary information to work with, they are now trying some APT-type attacks,” Boyarchuk said. (APT refers to advanced persistent threats, a term used to describe sophisticated nation-state–affiliated hacking groups like Fancy Bear and Sandworm.)
Just the presence of these sophisticated hacking groups will scare Ukrainians who have seen large parts of their country crippled in recent years.
In 2015, and again in 2016, the Russian hacking group known as Sandworm infiltrated electricity companies and caused blackouts that impacted hundreds of thousands of citizens.
In June 2017, the NotPetya attack, which the White House blamed on Moscow, caused widespread damage to businesses across Ukraine — before hitting targets worldwide. And the malware behind the NotPetya attack last year may be lingering in the country’s networks.
“We cannot be sure 100 percent that everything was cleaned up completely. This is one of our worries: that bad actors left some hidden backdoors on systems in order to use it another time,” Boyarchuk said.
“PLAYING WITH THE WEST’S MINDS”
Russia, analysts said, no longer seems to care if people know it is conducting these attacks.
“They are far less concerned about making interventions covert,” Keir Giles, a Russia expert, told VICE News. “They are perfectly content with implausible deniability and doing things which everybody knows is actually coming from Moscow.”
In fact, that devil-may-care attitude is part of the design. The aim may not be to get one candidate or another into power — none of Ukraine’s leading candidates offer an overtly friendly position toward Russia — but to try to undermine the democratic process by sowing chaos.
“The main goal is to destabilize Ukraine, to discredit, to make chaos,” Valentyn Nalyvaichenko, a presidential candidate and a former head of the Security Service of Ukraine (SBU), told VICE News.
The second goal, then, may be to rattle the West ahead of high-stakes elections in Europe and America.
In May, EU elections will take place in at least 27 countries across the continent, and there are already indications that Russia is aiming to interfere in the outcome. Last week FireEye released a report that showed hackers affiliated with Fancy Bear and Sandworm have already tried to hack into systems belonging to governments across Europe.
Merle Maigre, who heads up government relations with Estonian cybersecurity company Cybexer, is paying close attention to Ukraine precisely for that reason.
Working with the EU, Cybexer conducted a three-day training exercise for Ukrainian officials earlier this month to help prepare them for possible attacks from Russia.
“I think Ukraine is a test bed, and it is important therefore to show an awareness of what’s happening in Kiev to be able to prepare ourselves for what could happen in Paris, Brussels, London or Berlin,” Maigre told VICE News.
Maigre’s not alone. Western countries have been pouring resources into Ukraine to help the country protect its elections and gain critical insight. NATO, the U.S., the EU and organizations like the International Foundation for Electoral Systems have all played a vitally important role in bolstering Ukraine’s cyber defenses in recent years. In May 2018, the U.S. State Department pledged $10 million in cybersecurity aid to Ukraine.
A U.S. official based in Kiev said Washington is not just worried about Ukraine’s election running smoothly but also concerned how it will impact its own elections.
“I think we see Ukraine as a front line in active hybrid war, and we are always concerned that anything tested here might be used elsewhere,” the official, who was not authorized to speak publicly, told VICE News. “It is no secret that there are people interested in exploiting cyber vulnerabilities in Ukraine. We prefer they don’t get experience here that they can use on us.”
As the election nears, Boyarchuk said, officials from the U.S. and EU are stationed in Kiev, “actively helping” Ukrainian officials by monitoring attacks, sharing information about new threats and updating databases listing indicators of compromise.
But both the EU and the U.S. have been shy about how actively involved they are in supporting Ukraine’s intelligence agencies ahead of the elections (one source at the U.S. Embassy in Kiev denied that U.S. officials were currently monitoring Ukrainian networks), and organizations like NATO have mostly kept a low profile, wary of giving Russia another excuse to increase its aggression toward Europe.
“NATO doesn’t want to be seen to be meddling with the electoral process in Ukraine, for reasons you can easily understand,” Antonio Missiroli, NATO assistant secretary-general, told VICE News at NATO headquarters in Brussels in February. “[But] of course, we are concerned about the possibility that that could happen on the landscape — especially in Ukraine.”
For all the money and resources poured into Ukraine in the last five years to boost its cyber defenses, officials worry it’s a drop in the bucket compared to an adversary like Russia. The head of the Foreign Intelligence Service of Ukraine (FISU), Yegor Bozhok, recently claimed that the Kremlin has allocated $350 million to its intelligence services to finance interference in Ukraine’s elections.
In his offices in a modern, glass-fronted building in the northwest part of Kiev, Derevianko worried over the things that have been missed.
“There is definitely more attention, but I can’t say there is enough attention,” Derevianko said. “There is certainly more of an understanding of the dangers and the risks, but the state authorities are still quite slow in implementing the protective measures.”