KYIV (BLOOMBERG) – With air raid sirens, bombings and occasional dislocations disrupting their lives, the stressed-out Ukrainians keeping the country’s critical infrastructure running are dealing with yet another hazard: a sharp rise in cyberattacks.
To deal with the threat, Ukrainian authorities on April 5 certified government use of physical security keys, which are small portable devices that give an additional layer of security. Ukraine is now issuing the keys to as many government agencies as possible, said Mr Oleksandr Potii, deputy chief of the State Service of Special Communication and Information Protection.
The government wants to “to push phishing proof, password-less authentication solutions in Ukraine”, he said. They have received some help from Yubico, a Palo Alto, California-based company that said it has donated 20,000 Yubikeys, and Hideez Group, a Herndon, Virginia-based cyber-security company that operates in Ukraine and is aiding with the logistics.
The assistance has come none too soon. Ukrainian workers at one state-owned company in the critical infrastructure sector are so stressed by war that many are forgetting their passwords and changing them to weak, easy-to-remember, versions, according to the company’s head of cyber security.
Attackers are also automating password attempts twice an hour to avoid triggering security shutdowns, and using old lists of leaked passwords and other techniques to harangue staff, the official said.
A western intelligence official told Bloomberg News it was much easier for hackers to go after people who run essential services than the equipment that underpins it such as substations, telecommunication switches and others.
Engendering a stress response from their human targets is essential to the hackers’ to success, the official added, describing phishing as a personal attack rather than a technical one.
“It’s about putting somebody into a heightened psychological state, so that they don’t think rationally,” said the official, explaining that even those trained not to click suspicious links that characterise phishing e-mails can make mistakes under duress.
Security keys are a method of additional authentication that rely on public-key cryptography, verifying a user’s identity by checking information stored on a chip against online servers. They are less susceptible to compromise than usernames and passwords, which can be guessed by bots or stolen and sold on Dark Web forums.
Google, which also offers its own security keys, encourages their use for individuals and organisations at higher risk of targeted online attacks, such as elected officials, political campaigns, activists and journalists.
The keys are not without drawbacks, which include cost and the risk of losing them, cyber-security experts said. Yubico’s donation of 20,000 keys has a retail value of US$1 million (S$1.4 million), as YubiKey devices cost roughly US$50 apiece. Other technology companies, including Microsoft and Alphabet’s Google, have provided services to help with Ukraine’s cyber defence.
In order to get security keys into the hands of employees, the Ukrainian government sped up what is normally a six-month certification process for the introduction of new government-wide cyber tools to just a few weeks.
Ukraine’s government said last week that the country has suffered three times as many cyberattacks in the first month and a half of the war than during the same period last year. There have been 786,000 attempted hacks against the state-owned company since the start of the war, compared to 22,000 in all of 2021, according to the company’s cyber-security head, who requested anonymity due to security concerns.
Ukrainian state-owned companies, military and intelligence services are among the beneficiaries of the effort, with about 10,000 keys distributed so far, said Mr Oleg Naumenko, chief executive officer and founder of Hideez.