Cybersecurity in wartime: how Ukraine’s infosec community is coping

Whenever shells rain down on Ukraine, Yuriy Gatupov’s colleagues put a ‘+’ sign in a chat room. Then, the pluses are counted. “We check if everybody is alive,” he says.

Gatupov, the owner of two cybersecurity companies, says it is vital to stay connected during a time of war. With Russia now controlling around 18% of Ukraine’s territory including Donbas and Crimea, tech workers face formidable challenges. Air raid sirens blast all the time. Explosions are heard in the distance. Power and internet outages are common. Sometimes, code is written in a basement.

“You can’t be prepared for such kind of situation,” Gatupov said. “We stopped working as a business and started to work as a family.”

On the morning of February 24, 2022, when Russia launched its full-scale invasion, he was at home, in the capital of Kyiv. The loud sounds woke him at dawn. He went to the balcony and saw that people on the street were in panic mode. That morning, explosions were heard in Kyiv, Kharkiv, Odesa, Lviv, and other cities.

Gatupov and his colleagues had a plan for a potential war with Russia but could not imagine that scale or intensity. He couldn’t imagine Kyiv being hit by missiles. “The first priority was protecting my family,” he says. He put everyone into the car and drove them to the western part of the country, which was thought to be safer. Once there, he spent a few days with them, making sure they had what they needed.

“The second priority was to defend my city, my country, so I went back to Kyiv,” he says. By the time he arrived, the capital’s suburbs were devastated by the bombings. In Bucha, Irpin, and Hostomel, Russian shells wrecked apartment blocks and cars and killed civilians.

With these images in mind, Gatupov went straight to the Military Office and enlisted. Since then, he has fought both the traditional and the cyberwar.

Compliance-ready vs. combat-ready

Gatupov is now in the eastern Donbas region, one of Ukraine’s most dangerous war zones. He wears his khaki uniform during the day, helping defend his country. When he’s not on duty, he’s in contact with his colleagues who work for the companies he owns.

One of his businesses, iIT Distribution, sells security solutions from vendors like CrowdStrike, GTB Technologies, and Automox, while Labyrinth Development offers deception-based threat detection products. He knew from the very beginning that he and his colleagues had to step up and put their cybersecurity skills into service for their country. “We started to help, to protect Ukraine’s critical infrastructure,” he says.

His companies offered products free of charge to anyone in Ukraine who needed them, securing hundreds of organizations from both the public and the private sectors. Their partners also agreed to lend a hand and provided their software for free. “Everybody who needs [security products] can have them,” he says.

Although these solutions came at no cost, many were reluctant to use them. “There was a lot of bureaucracy around,” he says. “Some thought that the war is going to be over in two, three, or four weeks, and afterward they [might] have to explain why they used that software, which was maybe not in compliance with the regulations.”

Still, most organizations welcomed this help and realized it was “not the time to think about compliance,” as Gatupov put it. They feared Russia’s tremendous cyber capabilities, which were obvious from the beginning. On the first day of the invasion, one of the largest commercial satellite companies, Viasat, was hit by Moscow-backed hackers. Wiper attacks were also common.

During the first year of the war, “Russia increased targeting of users in Ukraine by 250% compared to 2020,” according to a recent report by Google. The Ukrainian Ministry of Defense, the Ministry of Foreign Affairs, and the National Agency for Civil Service were among the hardest hit. Russian-backed hacking groups aimed to gather intelligence, disturb public services, and crush critical infrastructure.

Securing every Ukrainian citizen’s devices

Against such threats, many tech workers like Gatupov felt they had no choice but to intervene. Sergii Kryvoblotskyi, technology R&D lead at app developer startup MacPaw, thought about building a tool to be installed on citizens’ devices. The app, created by him and his team, analyzes the traffic and alerts users if the websites they browse or the apps they have installed send data to Russian or Belarussian servers.

“I started this project from the improvised bomb shelter in the basement of my house,” Kryvoblotskyi says. “It’s hard to be creative when you are under stress, but that was the least we could do, so we agreed that we must complete and share this project with the community to protect our computers from the aggressors’ impact.”

The tool, dubbed SpyBuster, is offered to Ukrainians free of charge. It works on iOS and MacOS devices and has a Google Chrome extension. When it is installed, people can immediately see and block applications, services, and websites that are connected to the invaders.

SpyBuster gained international recognition and received the Golden Kitty Awards 2022 by Product Hunt in the Privacy focused category. “For MacPaw, it was a matter of honor to protect Ukrainians from Russian propaganda and keep their data safe,” says Mykola Srebniuk, CISO of MacPaw.

Balancing security and usability

Honor is a word often heard within Ukraine’s tech community, as professionals recognize the role they can play in times like these. “Our defensive work allows more of my Ukrainian colleagues to come back home alive,” says Eugene Pilyankevich, founder and CTO of British-Ukrainian security company Cossack Labs.

He and his colleagues have been in the digital trenches since the beginning of the war. Just like Gatupov, they helped protect Ukraine’s infrastructure. They’ve improved the security of existing government and military systems and have researched the novel attack vectors and techniques Russian hackers employed.

Defending organizations during an ongoing war put Cossack Labs’ cybersecurity experts on an accelerated learning path, says Pilyankevich’s colleague Anastasiia Voitova, head of customer solutions. “What I learned is that the priorities are very different from peacetime,” she says. “The risks are different; the threats are very different. We have this real enemy. It’s not textbook security. No. These are real issues, and we need to build real mitigation to these real issues.”

One could easily fall into the trap of creating systems that use the highest possible level of security, but Voitova believes this can be a mistake because a system that’s too paranoid won’t be usable. “This trade-off drama of how to balance security and usability, right now, can cost you even more because if you create a super secure system, but no one will use it, it will lead people to adopt insecure methods,” she says. “And if insecure messages are intercepted, people might be injured.”

Such mistakes are more likely to occur as the war continues and users face prolonged stress and tiredness. Some live in areas with intense fighting or frequent power outages or have family members on the front. Others simply feel exhausted.

Voitova is exhausted, too. For a year now, she has been working non-stop. There was always a crisis, there was always someone who needed help. Now, she must force herself to eat and sleep. “Unfortunately, I still have a body that requires food, and requires sleep, so I push myself to do all these things, so I am capable of continuing working and continuing thinking clearly,” she says.

As a manager, Pilyankevich tells her and his other colleagues to schedule a time to rest, never complaining when tasks take longer to complete. “When a person commits to doing something in three days, and you don’t get it for two weeks, it’s not that that person is bad. It’s just that everybody’s very tired, exhausted, and burned out,” he says. “And maybe a rocket has hit that building next to the person’s grandma’s apartment. This has become the day-to-day environment in which all of my colleagues [operate].”

Ukrainian cybersecurity experts face difficulties working for foreign companies

Although security experts work diligently, the companies employing them struggle to make ends meet. Working for free to secure government organizations is not a lucrative endeavor. Charging local companies is also hard because the war has impacted everyone. Ukraine lost at least one-third of its GDP last year, according to the International Monetary Fund.

The only option to keep security companies running is to try to sell services abroad. That’s also challenging, because who wants to do business with a country at war?, says Sergey Avetisyan, CEO at RMRF Technology. His company provides a wide range of services, including penetration testing, identity and access management, digital forensics, and incident response.

Retaining foreign customers was difficult, Avetisyan adds. One thing they did was to exclude from their contracts the paragraph about the force majeure. “I absolutely understand the customers [asking that] because they have compliance obligations,” he says.

On several occasions, his engineers reached out and asked him if they still had a job the next month. “And to be honest, I don’t have answers,” Avetisyan says. “But of course, I said everything will be great. If you try to be a leader, you must support them, and motivate them even when you are frightened and uncertain.” His main goal now is to keep the company afloat, prevent layoffs, and maybe find a few more customers abroad. For the time being, more ambitious plans must be put on hold.

It’s been a year since Russia started this phase of the invasion, and nobody knows when the war will end. Avetisyan, Gatupov, Voitova, and everybody else say they are ready to keep fighting for as long as needed.

“The things we do now, as cybersecurity experts, have real impact,” Voitova says. “We’re a small piece in a large, large puzzle, but what we do affects everything that is happening here.”