Exclusive: Rounding up a cyberposse for Ukraine

The World

Just weeks after Russian tanks began rolling into Ukraine, a representative from the cybersecurity firm Mandiant phoned executives at Naftogaz, Ukraine’s largest state-owned oil and natural gas company, with an unusual offer: Would Naftogaz be open to having Mandiant check their network for bad guys?

Russian hackers have been trying to break into Naftogaz systems for years, so when Mandiant offered to deploy hunt teams for free to see if anything was lurking in their networks, the company executives couldn’t believe their luck.

The thing is, it wasn’t really luck. The offer was part of a broad effort by Western tech companies to help Ukraine protect itself against Russian cyberattacks in a time of war. Dozens of companies from the US cybersecurity, threat intelligence and tech world — from Mandiant to Microsoft — have banded together in a kind of volunteer cyberposse, wading into the middle of the conflict without a pretense of neutrality.

They call themselves the Cyber Defense Assistance Collaboration (CDAC), and it is the brainchild of Greg Rattray, a former chief information security officer at JP Morgan Chase. For months, he has been helping build a kind of public-private partnership to combat destructive cyberattacks. This is the first time he’s speaking in depth about the initiative publicly.

US officials have been talking about public-private partnerships to fight destructive cyberattacks for years. The animating logic is that the National Security Agency and the military’s cyberarm, Cyber Command, often have intelligence about cyberattacks before or while they are happening. US cybersecurity companies have the expertise to block them. So, it would make sense that they should join forces to stop them. 

What makes this particular CDAC effort different is that the partner in this case isn’t Washington. It’s Kyiv, and it has become a test case for how such a joining of forces might eventually work in the US. 

“I think the war started on a Thursday and I started making calls on the Monday,” Rattray told the "Click Here" podcast, adding that some two dozen US companies quickly signed on offering to provide licenses, personnel, and expertise to help Ukraine defend its networks. "Click Here" and The Record are editorially independent units of Recorded Future, which has been involved in the effort as well. 

“I think it was easier to get companies to sign on because of the clear transgressions of the Russians,” Rattray said. “Ukraine was a place where people were willing to volunteer quickly to try to figure out what could be done.” 

A natural target for hackers

Naftogaz is a natural target for Russian hackers with its vast network of suppliers, subsidiaries, and online billing systems — any and all of which could be open to cyberattacks. A determined adversary could then use that access to monkey-bar over to Naftogaz and potentially hobble the nation’s gas delivery systems or even turn out the lights. 

Russia had already done something similar back in 2015, when it cracked into Ukraine’s electrical grid and flipped the switch on power to nearly a quarter of a million people in Kyiv for as many as six hours. The feeling was if Russia was willing to do that back then, it would be willing to do so again, during a war, when the gloves are off.

That’s what prompted Ron Bushar, a chief technology officer at Mandiant, to initiate the call to Naftogaz and ask if they wanted Mandiant’s special software programs to sweep their networks. Bushar said there was a general sense that Russian actors were probably lurking in Naftogaz networks and the sweeps, or hunts, were meant to find them.

A hunt team or sweep is the cyber equivalent of a swarm of cops looking for signs of a break-in: a kind of high-tech dusting for prints, checking for theft, and searching for anything, like malicious code, that whoever broke in might have left behind.

“We do that across thousands and thousands of systems very, very rapidly,” Bushar said. “And if we see something from that sweep, then we’ll pivot to that system and do a deeper dive of that system.” 

The thing was, they didn’t find much: Malicious code that could wipe information from hard drives, prepositioned malware that hackers could activate later, but no wholesale douse-the-lights badness. 

“There was no overt detection of aggressive activity,” Bushar said. “But we did find evidence that these attackers had gained access and were moving throughout the environment.”

So, they found where the attackers had slipped in and shut them out.

In the early days of the war, Russian hacking teams had put a number of slow-burn, low-grade attacks in motion all over the country, not just targeting Naftogaz. They erased hard drives and hobbled authentication systems so employees couldn’t log in. 

But once Naftogaz secured and fortified its network perimeter — the walls around their computer systems — wiper malware somehow kept reappearing in their systems. Passwords and logins continued to be stolen. They could see it happening but couldn’t explain why. And then, Bushar said, it dawned on them: they “had to adopt a military mindset.”

Insider threat

It turns out what is different about defending computer networks during a war, Bushar and his team realized, is that the perimeter you think you secured is always changing. What they hadn’t accounted for was that the Russian troops now occupying pockets of Ukraine had started entering gas installations and trying to crack into their operating systems.

“In eastern parts of the country, as Russia was taking territory, they were obviously occupying critical facilities,” Bushar said.

Those included Naftogaz data centers and local telecoms and ministry offices.

“So, we were able to definitively point to systems and IP addresses that were physically located in captured territory and that’s where we were seeing these attacks coming from.”

In fact, sometimes the attacks looked like they were coming from inside Naftogaz itself. They came to find that it was not because they had breached the perimeter but because, Bushar said, “Russia was coming from inside the building or inside the network. They had physically captured that data center or that system so they could plug in their own systems and continue to attack other parts of the infrastructure. ... It’s almost like you’re dealing with an insider threat.”

So, they adjusted. They began cutting off systems in areas that were about to fall to Russian forces.

“We were starting to recommend that if people were retreating from a certain province, Naftogaz should start segmenting those systems off the network before they fell into enemy hands.”

And that’s what they did. Naftogaz ended up instructing their employees to contact supervisors if their towns were overrun by Russian soldiers, so their network access could be cut. They would literally call Naftogaz as they were fleeing overrun cities. Once that kind of reporting started, Naftogaz could adjust perimeter security to reflect events on the ground. Bushar said after that, the mysterious insider threats went away.

Technical capability

When CDAC founder Rattray began looking for volunteers for the collaborative, he said his first phone call was to Art Coviello, the former CEO of RSA Security, one of the early entrants into the world of cybersecurity and encryption. Now, Coviello runs a venture capital fund that invests exclusively in cybersecurity companies.

“Ukrainians had a capability,” he said. “The fact that a lot of companies had [software] development sites in Ukraine speaks to the technical capability and the education that was available there. They just had never had the opportunity or perhaps the financial resources to invest in their own defenses as we have here in the US.” 

So, he said, CDAC came in to supplement that.

Coviello said the effort isn’t entirely driven by the war. People outside Ukraine should take note because the cyberweapons Russia wields against Ukraine are unlikely to remain there.

“I wouldn’t underestimate the Russians’ capability,” he said.

“What people fail to realize is that the US lives in the biggest digital glass house” in the world, Coviello said. “We have more to lose than anybody else because we are so interconnected and we are so dependent on technology. All of our critical infrastructures, all of our businesses have been transformed.”

Rattray said Ukraine has surprised everyone, not just on the ground but in cyberspace, too. It has proven to be very agile, quickly moving systems into the cloud where data is out of reach of bombings and basic hacks. Their technical expertise has allowed them to pivot quickly when under assault and now they have found themselves on the receiving end of tremendous assistance from the tech world.

“Russians have not been as operationally proficient as we’ve thought they would be,” Rattray said. “They’re doing things we would expect in the digital space, things like information competition, monitoring things in a classic way to gather intelligence through cyberspace. We certainly haven’t seen the type of disruption that we might have expected.”

An earlier version of this story originally appeared in The Record.Media. There was additional reporting by Sean Powers and Will Jarvis.
