2 April 2016

The Activists on the Forefront of Ukraine's Cyberwar


March 29, 2016 

In June of 2015, a small software and security programming outfit called eQualit.ie received $473,738 in funding from the Canadian government "to deliver digital security training and software to human rights defenders and activists in Ukraine."

Last month, the fruits of its labor — a program called Deflect DDoS mitigation — was put to the test, right in the thick of the tense situation still unfolding in Eastern Ukraine.

The Canadian-funded software successfully defended a Ukrainian news site from outside attackers, serving as a proof of concept that the small-scale, open-source, community-based can ward off clouds of malicious machines.

Cyber-defense in Ukraine has become especially relevant, as hackers target critical infrastructure and independent news media. Last December, hackers successfully took down a Ukrainian power plant, knocking out electricity in parts of the country.

"It also feels to us that the many internal Ukrainian conflicts — fighting corruption a telling example — often result in aggression against the website."

eQualit.ie hopes that Deflect can work as a shield against those sorts of attacks, which range from small, cheap, and unsophisticated efforts to knock out websites to large, expensive, and incredibly complicated plans to take out important state assets.

"Ukraine is often in the headlines as the origin or the target of many cyber attacks on the Internet today," Dimitri Vitaliev, a founder of eQualit.ie, told VICE News via email. "The Russian-Ukrainian conflict was also fiercely fought online, with waves of retaliatory attacks hitting news and government sites."

The basic idea behind Deflect is to offer infrastructure for the websites under its protection. It intakes traffic — both that of regular users, and of botnets that are carrying out Directed Denial of Service (DDoS) attacks — and spreads the traffic across a myriad of servers. The software also detects botnets, and works to ban them from the network altogether.

Since 2014, the service has protected sites across Ukraine, Russia, and the United States. Vitaliev says the targets are not random.

"It also feels to us that the many internal Ukrainian conflicts — fighting corruption a telling example — often result in aggression against the website first and foremost," he said.

On Tuesday, eQualit.ie released its first full report into a full-scale botnet attack on one of its protected websites.

The target was Kotsubynske, an independent Ukrainian-language website that covers politics and issues inside Ukraine. On February 1, the Deflect report notes, the website saw a spike in hits from Vietnamese IP addresses. A week later, a second, massive spike hit the site.

"Our botnet defence system bans several botnets, the largest of which comprises just over 500 unique participants," the report notes.


A botnet is a network of interlinked computers, all controlled from a central point, that can be used to orchestrate cyber attacks. Bots, or 'zombies,' inside the net are often infected through malware and are used without their owner being any the wiser.

The whole attack on Kotsubynske lasted just over an hour, and flooded the site with over 1.6 million hits — the site, on average, can expect 80,000 to 120,000 hits — spread across Vietnam, Ukraine, India, Romania, and Pakistan.

After the attack in February, the security analysts behind Deflect checked the site's traffic history and found five similar attacks on the news site's system. After analyzing the metrics of each attack, Deflect found similarities in all of them.

"Considering the scale of attacks often witnessed on the Deflect network, this was neither strong nor sophisticated. Our assumption is that the botnet controller was simply cycling through the various bots (IPs) available to them so as to avoid our detection and banning mechanisms," they conclude in their report. "The identical user agent and attack pattern used throughout the five attacks is an indication to us that a single entity was orchestrating them."

So who was behind it?

Deflect doesn't say for sure, but it thinks it knows why the site was attacked.

"On the 2nd of February, the Kotsubynske website published an article from a meeting of the regional administrative council where it stated that members of the political party 'New Faces' were interfering with and trying to sabotage the council's work on stopping deforestation," the report concludes. "The party is headed by the mayor of the nearby town Irpin. Attacks against the website begin thereafter."

Whoever is behind it, Deflect says they hope to "strip away the impunity currently enjoyed by botnet operators" by calling-out their tactics.

"DDoS is an all too common tool on the Wild East of the Internet," said Vitaliev.

The Canadian money is a small piece of a larger overall pot of cash, dedicated by the previous Conservative government, designed to support digital civil society — a spokesperson for new Foreign Affairs Minister Stephane Dion declined to comment on this story. In addition, a $9 million grant was given to the University of Toronto to fund projects aimed at circumventing government-backed firewalls and internet filtering in states like Iran.

Another $50,000 is going directly to online news outlet EspressoTV, which originally hosted livestreams of the Euromaidan protests that ultimately ousted the Yanukovich regime.

No comments: