Russia's relentless digital assaults on Ukraine may have caused less damage than many anticipated. But most of its hacking is focused on a different goal that gets less attention but has chilling potential consequences: data collection.
Ukrainian agencies breached on the eve of the February 24 invasion include the Ministry of Internal Affairs, which oversees the police, national guard and border patrol. A month earlier, a national database of automobile insurance policies was raided during a diversionary cyberattack that defaced Ukrainian websites.
The hacks, paired with prewar data theft, likely armed Russia with extensive details on much of Ukraine's population, cybersecurity and military intelligence analysts say. It's information Russia can use to identify and locate Ukrainians most likely to resist an occupation, and potentially target them for internment or worse.
"Fantastically useful information if you're planning an occupation," Jack Watling, a military analyst at the U.K. think tank Royal United Services Institute, said of the auto insurance data, "knowing exactly which car everyone drives and where they live and all that."
Information dominance
As the digital age evolves, information dominance is increasingly wielded for social control, as China has shown in its repression of the Uyghur minority. It was no surprise to Ukrainian officials that a prewar priority for Russia would be compiling information on committed patriots.
"The idea was to kill or imprison these people at the early stages of occupation," Victor Zhora, a senior Ukrainian cyber defense official, alleged.
Aggressive data collection accelerated just ahead of the invasion, with hackers serving Russia's military increasingly targeting individual Ukrainians, according to Zhora's agency, the State Service for Special Communications and Information Protection.
Serhii Demediuk, deputy secretary of Ukraine's National Security and Defense Council, said via email that personal data continues to be a priority for Russian hackers as they attempt more government network breaches: "Cyberwarfare is really in the hot phase nowadays."
There is little doubt political targeting is a goal. Ukraine says Russian forces have killed and kidnapped local leaders where they grab territory.
Demediuk was stingy with specifics but said Russian cyberattacks in mid-January and as the invasion commenced sought primarily to "destroy the information systems of government agencies and critical infrastructure" and included data theft.
The Ukrainian government says the January 14 auto insurance hack resulted in the pilfering of up to 80% of Ukrainian policies registered with the Motor Transport Bureau.
Demediuk acknowledged that the Ministry of Internal Affairs was among the government agencies breached February 23. He said that "a small part" of the ministry's data was stolen "but so far no case of its use has been established." He did not provide specifics. Security researchers from ESET and other cybersecurity firms that work with Ukraine said the networks were compromised months earlier, allowing ample time for stealthy theft.
Years of hacking
The data collection by hacking is a work long in progress.
A unit of Russia's FSB intelligence agency that researchers have dubbed Armageddon has been doing it for years out of Crimea, which Russia seized in 2014. Ukraine says it sought to infect more than 1,500 Ukrainian government computer systems.
Since October it has tried to breach and maintain access to government, military, judiciary and law enforcement agencies as well as nonprofits, with a primary goal of "exfiltrating sensitive information," Microsoft said in a February 4 blog post. That included unnamed organizations "critical to emergency response and ensuring the security of Ukrainian territory," plus humanitarian aid distribution.
Post-invasion, hackers have targeted European organizations that aid Ukrainian refugees, according to Zhora and the cybersecurity firm Proofpoint. Authorities have not specified which organizations or what may have been stolen.
Yet another attack, on April 1, crippled Ukraine's National Call Center, which runs a hotline for complaints and inquiries on a wide array of matters: corruption, domestic abuse, people displaced by the invasion, war veteran benefits. Used by hundreds of thousands of Ukrainians, it issues COVID-19 vaccine certificates and collects callers' personal data including emails, addresses and phone numbers.
Adam Meyers, senior vice president of intelligence at the cybersecurity firm CrowdStrike, believes the attack may, like many others, have a greater psychological than intelligence-gathering impact — aiming to degrade Ukrainians' trust in their institutions.
"Make them scared that when the Russians take over, if they don't cooperate, the Russians are going to know who they are, where they are and come after them," Meyers said.
The attack knocked the center offline for at least three days, center director Marianna Vilshinska said: "We couldn't work. Neither phones nor chatbots worked. They broke down all the system."
Hackers calling themselves the Cyber Army of Russia claimed to steal personal data on 7 million people in the attack. However, Vilshinska denied they breached the database with users' personal information. "They didn't get any valuable information," she said.
She confirmed that a contact list the hackers posted online of more than 300 center employees was genuine as well as a spreadsheet with employee passwords. But she said other files the hackers posted — listing 3 million names and phone numbers and 1 million addresses — were not from the center.
Spear-phishing attacks in recent weeks have focused on military, national and local officials, aimed at stealing credentials to open government data troves. Such activity relies heavily on Ukraine's cellular networks, which Meyers of CrowdStrike said have been far too rich in intelligence for Russia to want to shut down.
On March 31, Ukraine's SBU intelligence agency said it had seized a "bot farm" in the eastern region of Dnipropretrovsk that was controlled remotely from Russia and sent text messages to 5,000 Ukrainian soldiers, police and SBU members urging them to surrender or sabotage their units. Agency spokesman Artem Dekhtiarenko said authorities were investigating how the phone numbers were obtained.
Gene Yoo, CEO of the cybersecurity firm ReSecurity, said it likely was not difficult: Subscriber databases of major Ukrainian wireless companies have been available for sale by cybercriminals on the dark web for some time — as they are for many countries.
If Russia is successful at taking control of more of eastern Ukraine, stolen personal data will be an asset. Russian occupiers have already collected passport information, a top Ukrainian presidential adviser tweeted recently, that could help organize separatist referendums.
Ukraine collects data too
Ukraine, for its part, appears to have done significant data collection — quietly assisted by the U.S., the U.K., and other partners — targeting Russian soldiers, spies and police, including rich geolocation data.
Demediuk, the top security official, said the country knows "exactly where and when a particular serviceman crossed the border with Ukraine, in which occupied settlement he stopped, in which building he spent the night, stole and committed crimes on our land."
"We know their cell phone numbers, the names of their parents, wives, children, their home addresses," who their neighbors are, where they went to school and the names of their teachers, he said.
Analysts caution that some claims about data collection from both sides of the conflict may be exaggerated.