Safeguards against hackers: can new security rules protect government registries from cyberattacks?
When thousands of Ukrainians suddenly lost access to state registries last December, it became clear just how vulnerable the country’s digital infrastructure is—and how catastrophic a large‑scale cyber‑attack could be.
To safeguard it, the People's Deputies set up a working group tasked with analysing the causes of the cyberattack and drafting a regulatory framework that would prevent similar incidents in the future. Yet the very first bill it produced — on restricting access to information in the registries — prompted a negative public reaction, and its consideration has been postponed for now. At the same time, the Verkhovna Rada passed a bill providing for the creation of a national system for responding to cyberattacks, cyber incidents and cyber threats.
Today, Ukraine is, in effect, on the threshold of a fundamental overhaul of its information‑security system. The open question is whether the next steps will shield us from new crises or whether the consequences next time could be even more destructive.
CYBER HYGIENE FOR ALL
The authors of bill No. 11290, which passed its second reading but has not yet been signed by the President, emphasise that threats to national security in cyberspace are steadily increasing. As evidence, they cite data showing that in March 2024 Ukraine’s Computer Emergency Response Team (CERT‑UA) uncovered a plan by the Sandworm group to disrupt the stable operation of the information‑and‑communication systems (ICS) of about twenty enterprises in the energy, water‑supply and heat‑supply sectors, all of them critical‑infrastructure facilities (CIF), across ten regions of Ukraine. CERT‑UA specialists confirmed that at least three "supply chains" had been compromised.
"The malicious activity of groups linked to the aggressor state’s security agencies targets almost every sector of the economy, the media, the judiciary, law‑enforcement bodies, critical infrastructure and the defence forces," the explanatory note says.
You don’t have to be a subject matter expert to see that the enemy’s assaults continue not only at the front but also in cyberspace. One need only recall the recent large‑scale attack on Ukrzaliznytsia. So no one doubts that a protection‑and‑response system is necessary; the real question is what form it must take to prevent attacks or at least to minimise their negative impact.
The adopted bill provides for the creation of a unified system for exchanging information on cyberattacks and responding to them. It will bring together CERT‑UA, sectoral and regional response teams, the National Police and the SSU (Security Service of Ukraine), with coordination handled by a centre within the NSDC (National Security and Defence Council). Private companies will also be involved in responding to cyberattacks.
The document also stipulates that dedicated cybersecurity units must be established within government bodies and at critical infrastructure facilities. Officials will undergo cybersecurity and information‑protection training, as well as cyber‑hygiene briefings. The training system is to be introduced by the State Service of Special Communications and Information Protection of Ukraine (SSSCIP).
Overall, the State Service of Special Communications and Information Protection of Ukraine will receive unprecedented powers. This has drawn criticism from cybersecurity specialists even after the bill’s adoption. "All the functions have been hung on the State Service of Special Communications and Information Protection of Ukraine, from standardisation to oversight — the same Soviet‑style principle again, with neither competition nor counterbalance," notes cybersecurity expert and president of the Adamant IT‑group, Ivan Pietukhov.
According to Kostiantyn Korsun, former deputy head of the Computer Crime Unit at the SSU's Counterintelligence Department, founder and first head of CERT-UA, such broad powers also give this body many opportunities for manipulation. "The main thing that was criticised about draft law 11290 was the classification of information about a cyber incident, that is, the fact of an effective cyber attack by the enemy," he writes in his blog on Censor.NET. "The amended version of this law, which was voted on in the second reading, seems to declare that this is open information. However, the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) is still left with plenty of room for manoeuvre, because information 'on the nature, technical characteristics and other details of a cyber‑incident or cyberattack' is designated FOUO (for official use only). The criteria for placing such information in the FOUO category will, at some undefined point, be set by the Cabinet of Ministers—read: by the SSSCIP itself. This wording leaves ample scope for multiple interpretations of those 'criteria', which will almost certainly be vague and, by definition, incapable of covering every possible situation. Take a simple question: is a DDoS attack part of the 'nature of a cyberattack'? To my mind, yes—so it would be FOUO. In other words, secrecy remains. And, as we know, darkness is a convenient place to hide incompetence and corruption."
The SSSCIP states that the adopted bill will make it possible to confront new challenges and threats in cyberspace and will strengthen the protection of state information resources and critical information infrastructure. It also contains provisions that ensure the implementation of the European cybersecurity directives in national legislation as regards the functions of response teams, cyber incident reporting practices, and risk management.
It is difficult to predict how well all those involved will carry out the next steps and how quickly the system will be built, or whether they will take into account what happened to the state registries last year, when the country seemed to be on the verge of complete digital paralysis: the attackers targeted not just databases but the entire digital infrastructure, seeking to make recovery impossible.
NEW MONITORING SYSTEM
Serhii Lypka, acting director general of the National Information Systems state enterprise, told Censor.NET that all state registers are currently operating normally and that everyone who should have access to them under the law has received it.
"State registrars and notaries had to reconnect additional identification tools using a one-time password. This decision is related to the improvement of the cyber security system of state registers," he said. "I would like to remind you that this was the largest cyber attack in the history of Ukraine, not only on the public sector. Probably, in general. It was aimed at attacking infrastructure and was destructive. In our opinion, the goal was to do as much damage as possible - they wanted to deprive us of the opportunity to restore the registers and continue to provide government functions related to access to them.
"But thanks to the coordinated actions of not only our team, but also the employees of the State Special Communications Service, the Cyber Defence Department of the Security Service of Ukraine, and the Cyber Police Department of the National Police, they did not achieve it. Because there was coordination of actions and the full interest of all services and agencies, we were able to restore the operation of all registers in a very short period of time.
"And we had to restore a lot of data. Since the attack was aimed at infrastructure, we had a zero-trust approach to everything related to infrastructure."
- Has it been established how the attackers operated? Did they have any arrangement with employees of government agencies?
- All of this is to be determined in the course of the pre-trial investigation. It is still ongoing. From our side, we are providing full support to law enforcement agencies, as we are interested in understanding the causes of what happened and in minimizing risks going forward.
- How can they be minimized?
- We are working to ensure that in the future, with the help of law enforcement agencies, we can detect suspicious activity at an early stage. This is due to the introduction of technical means of cyber defence and a monitoring system. We are also doing additional work with people who work with registers. And right now, we probably need to devote more time to educating notaries on the basic principles of cyber hygiene.
In general, we all need to really understand what cybersecurity is. Because if the people who use the registries do not follow simple basic recommendations, we will sooner or later face such problems. Therefore, first of all, we will work with people globally at the state level. To make everyone aware of their role in the overall cybersecurity system. Because it is extremely important. And as each of the attacks shows, it all starts and ends with people. As long as people manage technology, they remain the most vulnerable element in this whole structure.
We are already taking certain measures to strengthen cybersecurity at the enterprise level. Much has already been changed at the level of infrastructure and cyber protection of registries. In the future, we will update the existing cyber incident response plans at the SE NAIS (State Enterprise "National Information Systems") and coordinate them with key partners.
Recently, we held the first forum in Ukraine on the protection and development of state registers, where we discussed current challenges to improving the registry protection system together with experts and representatives of all stakeholders. On the same day as the forum, the Parliament supported bill No. 11290, aimed at strengthening information protection and cyber defence of state information resources and critical information infrastructure. We are grateful to the People's Deputies for their support of this document and to everyone who contributed to its development.
Of course, we will strengthen our cooperation with the State Service for Special Communications and Information Protection of Ukraine and other cybersecurity agencies in terms of sharing cybersecurity indicators that may be of value to us and that we should be aware of.
This is a lot of work that I think needs to be done.
- Was any data lost?
- All data has been restored.
- Nothing has been replaced?
- The registers were restored from the latest online copies of the databases that were up to date at the time of the cyber attack.
The recovery took a long time because the attack was aimed at the infrastructure. And we could not trust any of its components. Therefore, we decided to deploy the entire infrastructure from scratch. It was deployed according to the best practices at the stage of a cyberattack that we could agree on.
The stage of launching the registries was the last one during the infrastructure restoration.
Since the registers have been restored, we have not received any signals that any information in the registers has been deleted or changed.
- After the attack, social media was full of advice on mandatory verification of data relating to real estate rights. They say that real estate can be re-registered to other people. Have you found any such facts?
- We have not seen any such confirmation and have not received any notifications regarding such cases.
In any case, the illegal replacement of the owner in the register is not legally binding. And if the legal owner finds out that something has been changed, he or she can apply to the Anti-Raider Commission at the Ministry of Justice to update the data in the register on the basis of the documents he or she has.
WHEN A PASSWORD ISN’T ENOUGH
As early as last year, in response to the large-scale cyberattack, the Security Service of Ukraine opened criminal proceedings under Article 438 of the Criminal Code of Ukraine (violation of the laws and customs of war). Just recently, during the forum "Justice Ministry State Registers: Strategic Importance, Security and Development," Deputy Prime Minister for European Integration and Minister of Justice Olha Stefanishyna stated that law enforcement had identified those responsible for the attack on the state registers. According to her, there is now a clear understanding of what led to the cyberattack, how it was technically possible, and who exactly on the enemy’s side was behind it.
However, she did not disclose any details—evidently due to the confidentiality of the ongoing pre-trial investigation.
Serhii Barabash, a representative of the Cybersecurity Department of the Security Service of Ukraine, also refrained from disclosing details of the investigation, but noted that this was not just a cyberattack. It was a well-planned and coordinated cyber-operation.
"This was a cyber-operation conducted against civilian infrastructure, which is prohibited even during full-scale warfare by various international conventions. Unfortunately, the enemy disregards such norms," he said.
According to him, in the past year alone, the SSU prevented more than 2,800 cyber-incidents and cyberattacks of varying severity.
These cyberattacks are being documented as crimes involving violations of the laws and customs of war.
Overall, the forum said little about the details of what happened during the largest-scale cyberattack on state registries. Discussion focused mostly on who currently has access to the registries, how cyber incidents are investigated, and whether serious consequences can be prevented if malicious activity is detected at an early stage.
Nataliia Kazaieva, Head of the Notary Chamber of Ukraine's Commission on Informatisation, Digitalisation, Transformation and Prevention of Cybercrime, recalled that notaries gained access to the State Register of Real Property Rights in 2013. A few years later, they saw illegal actions in the state registers that were committed using notaries' access identifiers. "No one believed it. The Ministry of Justice didn't believe it either," she says, "and we worked with our colleagues who were affected. How did it happen? The notary was disconnected from the register until he brought a court ruling to the Ministry of Justice that he was not guilty. In other words, the notary had to prove that he or she had not carried out the registration. And we had colleagues who had to go through this difficult process for a year, sometimes more than a year."
According to her, there was no experience of responding to such incidents at that time, and not everyone understood what to look for on a notary's computer or how to prove that he or she had not committed any illegal acts. After all, at first glance, access to the register was secure: notaries had logins and passwords, and there was also two-factor authentication.
Therefore, in 2015, at the initiative of the President of the Notary Chamber, a separate commission was set up to deal with these cases.
According to her, members of the commission are constantly studying and have diplomas in cyber defence. "Now we have a developed algorithm of actions, our own internal policy on how to respond to an incident, what a notary should do. We have clearly defined that there must be a statement to the cyber police to open criminal proceedings, as well as a statement to the SE NAIS that the key has been compromised and, of course, passwords should be changed. There must also be a statement to the territorial bodies of the Ministry of Justice, to the Office of Countering Raiding - a report of unauthorised access. And the data in the register should be returned to the state in which it was before the incident."
She also added that notaries are no longer disconnected from the registers for a long period of time; in the event of a cyber incident, they can continue their professional activities while the pre-trial investigation is ongoing and examinations are being conducted.
According to her, the enemy's activity has increased during the full-scale war. "It will never end because we live in a time of technological revolution. We are already in this process and cannot get out of it. And now we have artificial intelligence. All these hacks, incidents that took place in registries using registrars and notaries were not done by humans. We have clearly tracked that they were done by a bot. The speed at which the data in the registers changes... We cannot physically repeat it. Although we have been making registrations every day for 10-15 years. We can't make these transitions at that speed. Of course, the bot does not add scans, does not add documents - this is often the case. It uses someone else's solution, someone else's application. It does not identify or sign anything because it uses what has already been signed. This is how it has been and will continue to be even more difficult," she believes. "But I want to stress that we need to work as one team, to understand one another, and to look for ways to counter all of this. If only there were a system deployed to cover all endpoints… We have a very large number of people with access to the registries. There are around 7,000 notaries, more than 2,000 registrars, and as for state and private bailiffs, I don’t even know the number. We also have staff at the civil registry offices. And then there are individuals—ordinary people working in the Ministry of Justice, in local justice departments—who also carry out registration actions. They are also unprotected by the state, even though it is the state that should be thinking about what to do with the endpoints."
As the moderator of the panel explained, in cases where a bot is involved, it can take full control of the workstation of the person who has access to the registry. To the registry system, this appears to be a legitimate user. The bot uses the same login and password, and the same secured token or storage device connected to the computer. At the same time, it can see everything the actual user is doing.
However, according to a representative of the cyber police, there are also notaries who themselves engage in unlawful actions and, when something goes wrong, simply claim they were "hacked."
According to Stanislav Samoilov, head of the third directorate of the National Police's cyber police department, there was a case when the computer used for registration was investigated because the notary claimed it had been "hacked". The computer was indeed found to contain malware that allowed unauthorised remote access. However, there was a two-day difference between the time of making changes to the register and the installation logs of this software. That is, it was installed after the changes were made to the registry.
"Crimes related to attacks on registries are not unique in terms of cybercrime investigations," he said. "We still have a point of compromise. When we talk about state registrars or notaries, we have the workstations of potential victims that were targeted. On the other hand, we have registry logs confirming the changes made—complete with timestamps and user identifiers for those who carried out the actions. In other words, we have full confirmation of the chain of events."
Describing the methodology for investigating cyber-incidents, he explained that the process begins with an analysis and inspection of the workstation in order to document any available digital evidence. "When necessary, we reach out to our international colleagues and partners. And in almost 100% of cases, this necessity arises. Hacker groups—including those from the Russian Federation—rent server infrastructure and build private virtual networks to avoid direct association with the aggressor state. So international cooperation is arguably one of the key tools not only for countering, but also for investigating this type of crime," said Stanislav Samoilov.
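The timestamp comparison described above (registry log entries set against the install time of remote-access software found on the workstation), together with the machine-speed changes the notaries reported, can be sketched as follows. This is an added example, not code from the investigators or the registry operator; the log format, user identifiers, dates and the 20-second threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed registry audit lines: timestamp, user identifier, action, object.
# The format is an assumption for this example, not the real registry's log format.
SAMPLE_REGISTRY_LOG = """\
2024-03-04T10:15:02 notary-0421 change_owner object=7781
2024-03-04T10:15:03 notary-0421 change_owner object=7782
2024-03-04T10:15:04 notary-0421 change_owner object=7790
2024-03-04T14:40:10 notary-0421 view_record object=1200
2024-03-04T14:47:55 notary-0421 change_owner object=1200
2024-03-05T09:05:00 notary-0099 change_owner object=3100
"""

# Constructed workstation finding: install time of the remote-access software.
SAMPLE_INSTALL_TIME = datetime(2024, 3, 6, 15, 0, 0)


def parse_registry_log(text):
    """Turn each log line into a dict with a parsed timestamp, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, obj = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "action": action, "object": obj.split("=", 1)[1]})
    return sorted(events, key=lambda e: e["time"])


def machine_speed_changes(events, min_human_gap=timedelta(seconds=20)):
    """Return changes that follow the same user's previous change faster
    than an operator could plausibly work (the threshold is an assumption)."""
    flagged, last_change = [], {}
    for e in events:
        if e["action"] != "change_owner":
            continue
        prev = last_change.get(e["user"])
        if prev is not None and e["time"] - prev < min_human_gap:
            flagged.append(e)
        last_change[e["user"]] = e["time"]
    return flagged


def compare_with_install(events, user, install_time):
    """Split a user's changes into those made before and after the install
    time recovered from the workstation."""
    changes = [e for e in events
               if e["user"] == user and e["action"] == "change_owner"]
    before = [e for e in changes if e["time"] < install_time]
    after = [e for e in changes if e["time"] >= install_time]
    # Changes made before the install cannot be explained by that software.
    lag = install_time - max(e["time"] for e in before) if before else None
    return {"before_install": before, "after_install": after, "install_lag": lag}


if __name__ == "__main__":
    events = parse_registry_log(SAMPLE_REGISTRY_LOG)
    for e in machine_speed_changes(events):
        print("machine-speed change:", e["time"], e["user"], e["object"])
    result = compare_with_install(events, "notary-0421", SAMPLE_INSTALL_TIME)
    print("changes before install:", len(result["before_install"]),
          "| install lag:", result["install_lag"])
```

On the constructed data, every disputed change predates the install by about two days, so the software found on the workstation cannot account for them.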
The enemy keeps trying to destabilise Ukraine by any means. Therefore, according to Olha Stefanishyna, the Ministry of Justice will soon prepare and submit to the government a number of legislative acts aimed primarily at overcoming the consequences of the cyberattack that took place in December. "We have made a lot of conclusions and understand what we need to strengthen," she said.
The cyberattack on state registers has shown how vulnerable Ukraine's digital infrastructure remains. The creation of a national system for responding to cyber threats and the adoption of new laws are important steps to protect it. However, how effective this system will be depends not only on technological solutions, but also on whether the state can ensure the effectiveness of the new structures and foster a responsible attitude to cybersecurity among all those who have access to the registers. Because even the best technical solutions will not save the system if it remains weak due to the human factor.
Tetiana Bodnia, Censor.NET