The same countries are regularly ranked as having the greatest offensive cyber capabilities: Russia, the United States, Israel, China. But when it comes to the nations with the greatest ability to absorb, withstand, and recover from cybersecurity incidents, there’s a strong case to be made that we all have something to learn from Eastern Europe. The classic case is Estonia, which bounced back from aggressive denial-of-service attacks in 2007 to become a world leader in promoting international efforts for computer security. But this week’s reports of malware directed at Ukraine’s state power distributor and banks appear to offer another model for how to respond to a cybersecurity breach.
Ukraine is no stranger to seeing its computer systems targeted—earlier this month, Wired’s Andy Greenberg described in incredible detail Russia’s ongoing efforts to compromise Ukraine’s cyber infrastructure over and over and over again. This most recent strain of malware may or may not come from Russia. In one of the most understated accusations ever made in the immediate aftermath of a cybersecurity incident, Ukraine’s security council secretary reportedly said of the breach, “it is possible to talk of Russian fingerprints.”
Ukraine seems to be rallying surprisingly well in the wake of the intrusions. Reuters reported that Ukrainian lender Oschadbank had not lost any customer data to the still-unidentified virus, while power distributor Ukrenergo said the malware had not affected its power supplies. Meanwhile, Deputy Prime Minister Pavlo Rozenko tweeted a photo of his computer screen showing a suspicious error message, and the country’s main Twitter account tweeted a surprisingly humorous announcement reassuring people:
Some of our gov agencies, private firms were hit by a virus. No need to panic, we’re putting utmost efforts to tackle the issue 👌 pic.twitter.com/RsDnwZD5Oj — Ukraine / Україна (@Ukraine) June 27, 2017
Certainly, the attacks were disruptive. There were reports of ATMs not working and of subway passengers who were unable to enter the metro using their bank cards. The boards listing flight schedules at Boryspil International Airport in Kiev, as well as the airport’s website, were malfunctioning. Ukrainian officials have not said what type of malware they’re seeing, referring to it only as an “unknown virus,” and the screenshot that Rozenko tweeted doesn’t show any ransom demand. But Christiaan Beek, a lead scientist at McAfee, told Wired that it appeared to be a strain of the ransomware family dubbed Petya or Petrwrap, itself a relative of the WannaCry ransomware that affected systems worldwide earlier this year.
But where WannaCry was disastrous—crippling the U.K.’s National Health Service and leaving hospitals unable to treat patients—in Ukraine at least, this latest incident seems ultimately to have been only disruptive, not destructive. Ukrainians were clearly inconvenienced, but nearly every piece of targeted infrastructure there was able to limit the damage. Though banks were unable to perform some services, they reported that customers’ money and data were secure. The power distributor saw some of its computers infected but did not suffer another blackout as a result, as it did late last year. People couldn’t use their bank cards to enter the subway, but the trains were still running. The airport’s website and flight boards were affected, but flights continued to arrive and take off, though airport director Pavlo Ryabikin warned that there might be some delays. At the Chernobyl nuclear plant, computers were down, but workers continued to monitor radiation manually.
It’s possible that this incident was never meant to be anything more than an inconvenience—that whoever launched it only wanted to cause minimal damage and disruption rather than all-out catastrophe. But it’s also possible that it was in fact meant to cause damage of a scale and scope comparable to WannaCry and to previous cyberattacks directed at Ukraine—that it was intended to shut down businesses, black out cities, and stop trains and flights. If that’s the case, then Ukraine did a remarkable job of containing the damage and defending the most essential elements and functions of its critical infrastructure.
In the United States, it was not clear that things were going as smoothly. Pharmaceutical company Merck, which is based in New Jersey but also has an office in Ukraine, had to shut down computer systems and the Washington Post reported that “critical information tied to Merck drug research could be lost.” Meanwhile, the New York Times reported hospitals being forced to cancel operations in Pennsylvania.
Like Estonia, Ukraine seems to have learned from past cyberconflicts how to do a better job of protecting computer systems and ensuring that daily life can continue largely unhindered even in the face of serious compromises. Of course, both Eastern European nations have much smaller populations than the United States, and it would be difficult to scale some of their solutions to a country so much larger and more decentralized. But Estonia and Ukraine also have fairly advanced, online infrastructure, suggesting that they may well have defensive lessons to offer even to countries with relatively sophisticated technology, which may have spent more time and energy thinking about how to use computers to attack others than about how to protect themselves.