
Massive Russian hack on government database shows cracks in Ukraine's digitalization drive

A recent Russian hack on Ukrainian government databases containing sensitive personal information, including tax records and biometric data, erodes confidence in the government, experts say.

by Kollen Post January 20, 2025 7:12 PM 7 min read
A collage of binary code and a photo of a Ukrainian flag fluttering over the Verkhovna Rada building in Kyiv, Ukraine on Aug. 23, 2024. (Roman Pilipey / AFP / Getty Images)


At the start of December, Ukrainians suddenly found themselves unable to sell cars, file legal claims, or register marriages through Ukraine’s recently digitized government registries.

Cybersecurity specialist and frequent coordinator of Ukrainian hackers, Karla Wagner, noticed when she went to register an NGO through the Ukrainian Justice Ministry.

“I was getting inconsistent results from the Justice Ministry website; I was able to submit the document, but I was not able to digitally sign it. And at first, I was annoyed because I'm thinking, yeah, this is a crappy system,” says Wagner.

“I was getting different results every time, from timeouts to errors to ‘something didn't seem to work right, please try again later.’”

The Justice Ministry on Dec. 19 formally announced that a Russian hack had taken offline a laundry list of critical government databases that had been put under the Justice Ministry. The databases contain sensitive information ranging from property ownership to biometric data to tax records.

Relevant Ukrainian offices quickly called it an act of war from Russia. “The information space is one of the key directions of the enemy’s attacks,” wrote the State Communications Service, the national cybersecurity agency, in a statement provided to the Kyiv Independent.

“Russian hackers, who have become full-fledged participants in this war, are constantly getting better, improving their toolkits, tactics and strategy of operations.” The statement contained no information on the technical details as to how the systems were compromised.

XakNet, a hacking group previously tied to Russian intelligence, took credit for the attack, posting on Telegram data they claim to have hacked from the Ukrainian civil registry. The hackers claimed to have deleted at least some of the registry data.

The Justice Ministry has since announced that all its state registries were ready to operate but that access to some registers was still limited, as their data still needs to be updated. Access to government services through the Diia app would be available in the near future, the ministry said on Jan. 20.

The hack posed a major informational threat, highlighting how vulnerable government and Ukrainians’ personal data is to cyber attacks. In pushing to digitize its services quickly, the government also may have taken shortcuts that opened the door to digital onslaughts. Attacks of these kinds also erode public trust in the government, experts say.

The core problem, as Wagner diagnoses it, was the pace at which Ukraine rewired systems ranging from passports to tax payments into a single digital portal, all under the auspices of the Justice Ministry, in order to show positive results to foreign observers.

“It was very, very, very, very, very fast progress,” says Wagner. “And any IT project that has the heat on to make fast progress will cut corners where needed and save resources where needed with the best of intentions, which is meeting the deadlines and satisfying the requirements. (That) created not only a long string of vulnerabilities but also over-centralization in tech admin infrastructure.”

A woman uses her laptop as she takes shelter in a metro station during an air strike alarm in Kyiv, Ukraine, on Nov. 20, 2024, amid the Russian invasion. (Roman Pilipey/AFP via Getty Images)

Mykyta Knysh, who formerly worked in cybersecurity for Ukraine’s security services, the SBU, and currently runs the hacking collective “HackYourMama,” says the agencies involved should have known better.

“I understand that the Justice Ministry doesn’t necessarily have to have this kind of expertise, but the State Office of Security and Communications, the Digital Transformation Ministry, the SBU — they should have that expertise,” says Knysh.

What was hacked and what the hackers could do next

Hardly the most eye-catching of Russia’s military operations against Ukraine since the full-scale invasion, the attack nonetheless presents a serious threat to Ukraine’s security.

“If the Russians occupy more territory they can use that information, maybe to threaten or blackmail or defraud people who fall under them,” says Knysh.

Knysh hails from Kupiansk, a town in eastern Kharkiv Oblast that currently lies within five miles of Russian positions.

The registries attacked included information like individuals’ addresses and assets, as well as familial relationships. It is not yet known whether the hackers involved have actually re-written the information for certain civilians. Knysh fears the hackers may have forged digital identities to grant Russian agents access to the front.

The hack “provides opportunities for Russian intelligence to obtain additional information about Ukrainian military and civilian government employees, and identify vulnerable or otherwise suitable people in Ukraine who can be recruited or coerced into conducting espionage activities and sabotage,” analysts at cybersecurity firm Flashpoint wrote in comments to the Kyiv Independent.

“However, more likely uses of such information include conducting future cyberattacks on other organizations in Ukraine using the information from public registries for reconnaissance, identity theft, social engineering, doxxing, harassment, and crafting convincing phishing emails,” Flashpoint wrote.

A Ukrainian soldier works with a computer next to a shelter in his fighting position in the direction of Bakhmut, Donetsk Oblast, Ukraine, Nov. 18, 2023. (Diego Herrera Carcedo/Anadolu via Getty Images)

Oleh Burba, who works as a component leader for EU4DigitalUA and coordinates registry integration, says that while anything is theoretically possible if Russians have the access, there is currently no confirmed information they have changed anything in the registries.

Though any such impacts have yet to materialize, the attack has already proved a major inconvenience to civil society, which Wagner sees as the biggest issue.

“You attack the Justice Ministry and the day-to-day business of government cannot go on,” says Wagner. “Okay, nobody's going to die if I can't register my NGO. But it erodes confidence in the Ukrainian government.”

For Russia, Wagner considers it an extension of a propaganda war, similar to bombardments of Ukrainian national monuments.

“You don't need to hit strategic targets in a country. All you have to do is make it appear to be ungovernable.”

XakNet hackers also claimed to have destroyed backup data in servers in Poland. In its message the hacker group mocks Ukraine’s government, saying: “It’s very telling to store government data on foreign storage — that’s what independence Ukrainian-style looks like, apparently.”

Single point of failure

The systems affected were under the umbrella of the massive digitalization of government services that has taken place under the administration of President Volodymyr Zelensky, particularly his Digital Transformation Minister Mykhailo Fedorov.

This digitalization has been enormously popular, largely seen as reducing opportunities for low-level corruption among a patchwork of regional agencies ruled by unscrupulous bureaucrats.

But cybersecurity experts question the wisdom of the technical centralization of these systems within one office, with Knysh jokingly dubbing Fedorov’s agency the “Digital Degradation Ministry.”

“At the beginning of the full-scale invasion we realized that Ukraine's digital infrastructure was overly centralized, according to the old Soviet model,” says Wagner. “Centralization and single points of failure are a well-known anti-pattern. And it's highly vulnerable.”

“My personal opinion was that (the hack) was through this system, ‘Trembita,’” says Knysh. Trembita is a core data management system that provides the backend for government systems, specifically Diia, an app that has digitized government services like passports and tax paying.

Knysh helped organize a hack on Russia’s government services portal last year that, among other impacts, immobilized digital voting.

Independent hackers have been warning government agencies about the centralization of everyone’s information under Diia since 2021.

Trembita manages the digital communication between different registries. “Trembita is a trip by rail,” wrote Burba in an op-ed for Economic Pravda defending the system in May, describing the registries as cities, their digital links as railroads, and individual identifying codes as tickets.

A mobile phone displays an error message for a marriage online on the 'Diia' mobile app in Kyiv, Ukraine, on Sept. 10, 2024. (Viktor Fridshon / Global Images Ukraine / Getty Images)

“Trembita specifically in this situation was not damaged or broken, it functioned just as it should have functioned and protected the information exchange between these registries,” Burba told the Kyiv Independent.

Knysh is especially concerned that authorities provided no details on the hack, citing “a whole monopoly on what they are saying.” Given that hackers re-use hacking techniques, he was concerned for other nations.

It’s not a problem limited to the Zelensky cyber team and Digital Transformation Ministry. Having worked for the Ukrainian SBU under former president Petro Poroshenko's administration, Knysh says “Poroshenko was almost just the same,” and acknowledged the need for a stronger digitized and federalized system of managing data.

“Before Trembita, there was total chaos,” says Knysh. “But then they said ‘you will have a government of smartphones’ and now we have a government of smartphones open to the SBU and HUR,” he continued, referencing Ukrainian intelligence agencies.

Hackers can find backdoors left open to governments, as laid out, for example, by a series of legal battles to compel Apple to extract data for U.S. intelligence agencies.

Officials are touting an overhaul, with Justice Minister Olha Stefanishyna dubbing a pending rebuild a “Pentagon of registries.”

What exactly a “Pentagon of registries” means is unclear. For Wagner, it’s fairly simple: “Nothing.”

“It’s not an emotionally mature approach,” says Wagner, miming beating her chest.

“I heard this (Pentagon of Registries) and I thought, ‘Go out and say honestly, “we don’t know how to make a safe system.”’”
