Nolan Peterson: Whose Cyberattack Brought Ukraine to a Shuddering Halt?

This article first appeared on The Daily Signal.

Kiev, Ukraine—Combat modestly abated along the front lines in eastern Ukraine this week as part of a "harvest truce" so farmers near the front lines could safely tend to their crops.

Meanwhile, Ukraine's hybrid warfare battlefield was in flames.

On Tuesday, a car bomb killed a top Ukrainian military intelligence officer in Kiev in what Ukrainian authorities immediately called an act of terrorism.

While the car of Col. Maksym Shapoval, a special operations commander, was still smoldering, unknown handlers unleashed a computer virus that had been incubating for months in the network of a Kiev-based tax software company.

Within hours, the cyberattack, which security experts call Petya, had paralyzed Ukrainian banks, communications, media sites, government networks, and mass transit systems.


The flight schedule billboard at Kiev's Boryspil International Airport, the country's main air travel hub, temporarily went blank. Commuters on Kiev's metro couldn't use their electronic PayPass cards, and had to purchase single ride tokens to get home. Banks across the country were also affected by the attack, putting many ATMs out of service.

"As a result of these cyberattacks, banks experience difficulty in servicing customers and performing banking operations," the National Bank of Ukraine said in a statement.

As of Thursday, Ukrainian authorities had not yet identified suspects in either Shapoval's murder or the Petya cyberattack. Yet, Ukrainian officials did not shy away from suggesting both attacks bore the hallmarks of Russia's ongoing hybrid warfare campaign against Ukraine.

"It's no accident that the terrorist act coincided with a massive cyberattack, which also has a Russian trace," Oleksandr Turchynov, secretary of the National Security and Defense Council of Ukraine, said Wednesday, according to Ukrainian news reports.

Russia denies state hacking, or sponsoring a recent string of assassinations across Ukraine, which have targeted high-profile military, intelligence, media, and political figures.

Shapoval was an officer of the Ukrainian Defense Ministry's Main Intelligence Directorate. He commanded a covert reconnaissance division that collected evidence of Russia's military operations against Ukraine, and conducted daring covert raids in territory held by Russian-led separatists.

The Ukrainian Ministry of Internal Affairs called Shapoval's murder an act of terrorism—the latest in a string of assassinations ordered by Moscow.

"There is every reason to think that these assassinations were masterminded and staged with the direct participation of the Russian special services," Turchynov said Wednesday.

Invisible Battlefields

Tuesday's cyberattack affected more than a dozen countries and at least 80 companies, including Russian steel, mining, and oil firms.

Yet, Ukraine was hit hardest. Across all strata of Ukrainian society—from government officials to university students—suspicions immediately shifted to Russia as the likely culprit.

"Already on first analysis of the virus it is possible to talk of Russian fingerprints," Turchynov, the Ukrainian security official, said, according to news reports.

As of Wednesday, the Petya ransomware virus was still spreading around the world and appeared to be more sophisticated than cybersecurity experts originally thought.

The virus's patient zero was a Ukrainian tax software product called Intellekt Servis, which, according to early reports, spread the virus through automatic updates to its clients around the world.

Information Systems Security Partners, or ISSP, a Ukrainian cybersecurity firm, said the virus was likely planted in March or April this year.

ISSP called the attack an advanced persistent threat, or APT. In this type of cyberattack, hackers intrude into a network and stay within it long enough to install additional backdoors and sleeper agents in preparation for a final attack at a later date.

"There is no magic pill" to such a sophisticated type of attack, Oleg Derevianko, head of ISSP's board of directors, said in an emailed statement to The Daily Signal.

"Today we are witnessing a new powerful wake-up call on the commercial and government level," Derevianko said.

Mykhailo Vasyanovich, head of the Public Council for the Ministry of Information Policy of Ukraine, said Ukrainian cybersecurity officials were caught off guard by Tuesday's attack.

"In general, Tuesday's cyberattack unfortunately showed the unwillingness of [information technology] departments at large Ukrainian companies to counter the virus threats," Vasyanovich told The Daily Signal.

Coincidental Timing

Wednesday was Ukraine's Constitution Day, a national holiday celebrating the 21st anniversary of Ukraine's current democratic constitution.

"We defend not only our land and territorial integrity, but also democracy, freedom, will, and our European choice," Ukrainian President Petro Poroshenko said during a Wednesday speech commemorating the holiday.

The concurrence of Tuesday's cyberattack with Shapoval's murder and Constitution Day, all on the heels of Poroshenko's visit to Washington last week to meet with President Donald Trump, suggests Russian involvement, Ukrainian officials and other experts said.

"Cyberattacks are a pressure point of aggression, which Russia continues to employ against Ukraine," Daniel Kochis, a policy analyst for European affairs at The Heritage Foundation's Margaret Thatcher Center for Freedom, wrote Wednesday for The Daily Signal.

"The timing of the cyberattacks may also have been coordinated to send a political message," Kochis wrote.

However, the holiday mood remained undimmed in Kiev on Wednesday.

Crowds packed Khreshchatyk, Kiev's main boulevard, until late at night.

Break dancers, guitar players, karaoke singers, fire jugglers—it felt like a festival on the Maidan, Kiev's central square and ground zero of the 2014 Revolution of Dignity, which ousted Viktor Yanukovych, Ukraine's pro-Russian former president.

Here, in 2014, Berkut special police banged nightsticks against their shields like advancing lines of Greek hoplites before they beat protesters. Now, children in bathing suits play in fountains to escape the summer heat.

A drummer performed for passing crowds. He was seated near scars on the stone floor of the square where protesters burned tires in 2014, sending up a billowing black smoke screen against the snipers.

On a sidewalk at the top of Heroes of the Heavenly Hundred Street, the light poles still bear bullet holes from when snipers gunned down protesters in the closing days of the revolution. Flowers always cover the memorials of the revolution's dead, the Heavenly Hundred, as they are called.

In nearby Mariyinsky Park, university students on summer break sat on park benches playing guitar. People zipped by on rollerblades, or bikes. Children, under the watchful eye of a parent, took turns riding ponies.

Yet, intermingled in the crowds were patrols of police clad in their all-black uniforms, baseball caps, and holstered sidearms. Near important landmarks like the Bankova, Ukraine's presidential administration building, or the Verkhovna Rada, Ukraine's parliament, National Guard troops in their all-green uniforms stood watch with gas masks attached to their belts.

Such visible displays of security personnel are not unusual in Ukraine's capital city, especially around big holidays or key anniversaries related to anything political.

But Turchynov announced stepped-up counterterrorism measures in Kiev on Wednesday, due to the combination of Shapoval's assassination and the cyberattack, which had security officials on edge.

"This terrorist act is aimed at intimidation and destabilization of the situation in the state," Turchynov said, referring to Shapoval's murder.

Out of Sight

Russia's 2014 invasion of Crimea and ongoing proxy war in the Donbas have paralleled a hybrid war against Ukraine, comprising cyberattacks and propaganda.

"If Russia or Russian hackers were behind Tuesday's cyberattacks, it would be the latest in a long list of cyber aggressions against Ukraine, and the most widespread," Kochis wrote.

The war in Ukraine's southeastern Donbas region continues after more than three years, and multiple failed cease-fires.

The war has killed nearly 11,000 Ukrainians, and displaced about 1.7 million people.

Russia continues to feed the conflict with weapons and its own troops, according to U.S. and Ukrainian officials as well as three years of independent news reports.

The Kremlin denies it is involved in the conflict.

The war in eastern Ukraine is now a static conflict, fought from trenches and fortified positions using, for the most part, long-range weapons like artillery, rockets, and snipers.

Outside of the war zone, life goes on. Yet, the war—both in the trenches as well as on the hybrid battlefield—is not over.

The Ukrainian military and its foes, a combined force of pro-Russian separatists and Russian regulars, agreed to a month-long cease-fire so that farmers living near the roughly 250-mile-long contact line in eastern Ukraine could harvest their crops.

The "harvest truce" was set to last from June 24 to Aug. 31.

The pace of fighting dipped on June 24, the first day of the truce, but it never totally stopped. That day, two Ukrainian soldiers died after they set off a trip wire connected to a land mine.

The fighting has cooled, but combined Russian-separatist forces are still firing on Ukrainian positions every day with artillery, mortars, and small arms, according to Ukrainian military reports. The Ukrainian military reported 48 cease-fire violations on June 23, the day before the truce went into effect, and 23 on June 25.

"Regardless of the recent agreements on maintaining the cease-fire from June 24 for the period of active farm operations, militants continue actively using heavy weaponry to shell Ukrainian troops' positions," Ukrainian Ministry of Defense spokesman Col. Andriy Lysenko told reporters in Kiev on Sunday.

Some experts say the war has devolved into a frozen conflict, through which Russia can periodically exert political pressure on Ukraine.

One common line of thinking among Ukrainian security officials is that, with the shooting war at a stalemate, Russia has turned to cyberattacks and assassinations to disrupt Ukrainian society as the country enacts tough anti-corruption reforms and fosters deeper ties with the West.

NATO, for its part, has taken notice of Russia's hybrid warfare playbook in Ukraine, treating the war as a case study in modern Russian military doctrine.

"There are elements that have to worry us and we have to stay ready," Gen. Petr Pavel, chairman of the NATO Military Committee, said at a Politico Brussels Playbook breakfast on Monday.

"So we take this even potential threat very seriously," Pavel said. "We do everything possible to be ready both in terms of capabilities and readiness, to face any potential threat that would mirror the situation we know from Crimea, from eastern Ukraine, not to be repeated against any NATO ally."

Nolan Peterson, a former special operations pilot and a combat veteran of Iraq and Afghanistan, is The Daily Signal's foreign correspondent based in Ukraine.