Ukraine claims Russia uses its cooperation with China to carry out cyberattacks

The U.S. government affirms that Beijing and Moscow are collaborating in the digital war. Ukraine’s secret services say they have dealt with 10,000 major cyberattacks since the start of the invasion

Participants address the public at the Kyiv International Cyber Resilience Forum on February 7. STR (NurPhoto/Getty Images)
Cristian Segura

The Russian invasion of Ukraine has also developed into the first cyberwar in history. That was one of the main conclusions of the Kyiv International Cyber Resilience Forum, held February 7-8 in the Ukrainian capital, where representatives of cybersecurity agencies from Ukraine, the United States, NATO, and the European Union discussed collaboration on defense systems for their digital networks. The meetings yielded one relevant conclusion: that the Kremlin is using its cooperation with China to carry out cyberattacks against Ukraine.

Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), said that her government’s priority is to deal with Beijing’s interference in her country. “China is the big threat in the long term, although our focus is still on Russia,” Easterly explained. “When the invasion started, we increased our measures in case of retaliation. And what we’ve seen is that Russia and China are cooperating.”

Serhii Demediuk, deputy secretary of the National Security and Defense Council of Ukraine, confirmed to EL PAÍS that Kyiv has detected the consequences of this cooperation between Moscow and Beijing in its cyberspace: “We are aware of the knowledge provided by China [to Russia], although it is impossible to know precisely how it is being used.” Demediuk did confirm that Chinese spyware has been used “for attacks with a destructive purpose in Ukraine.” China-developed data-hijacking programs have also been deployed in attacks on Ukrainian institutions.

In March 2022, a month after the invasion began, an attack was detected in Ukraine that leading cybersecurity analysis centers such as SentinelOne confirmed used malware developed by Scarab, a hacker group linked to the Chinese government. The UK’s National Cyber Security Centre announced in April 2022 that it was investigating an alleged massive Chinese attack on 600 Ukrainian websites in the days leading up to the invasion, including that of the Ministry of Defense.

European Commission Vice-President Vera Jourová warned Chinese authorities in September 2023 in a statement to Politico that they should not support Russia in the invasion: “I have stated that we consider how China interacts with Russia’s war against Ukraine to be a determining factor for EU-China relations going forward. This includes of course aspects relating to cybersecurity, and disinformation.”

Demediuk stated during one of his speeches that Moscow has mimicked Chinese Internet censorship systems: “Now they are testing it in their own countries, the weaknesses of DNS protocols [the domains used by applications and websites], while we are concerned with the defense of our own countries, that’s why we have to strengthen international alliances.”

“This morning, while we were being bombed in Kyiv, we were also suffering cyber-attacks,” the deputy secretary said Wednesday. “They work with hackers from China, Iran, Belarus, and North Korea. It is being proved every day.”

“There is no gray area”

“There is no gray area anymore, now the world is black and white; you are in one block or the other,” says Yegor Aushev, a cybersecurity expert and one of those responsible for organizing the Kyiv Forum. “Any technology that China brings to Russia will be used to attack.” Aushev notes that a key difference is that NATO partners’ contributions to Ukraine are for defense, not attack.

Juhan Lepassaar, director of the EU Agency for Cybersecurity, indicated that the new €50 billion financial assistance plan for the Ukrainian government includes a provision for cybersecurity programs. Meanwhile, the U.S. Congress and Senate are blocking a $61 billion package that President Joe Biden’s government wants to allocate in mostly military assistance to Kyiv. Nathaniel Fick, the Biden administration’s ambassador for Cyberspace and Digital Policy, told EL PAÍS that there are other ways to circumvent the legislative blockade and provide U.S. cybersecurity assistance.

Fick pointed to the so-called Tallinn Mechanism, an alliance that came into force last December and is formed by the U.S. and nine other countries to quickly provide cybersecurity resources to protect civilian infrastructure. “Ukraine sets the priorities and the members of the group coordinate to respond as quickly as possible,” explains Fick: if Ukraine needs, for example, priority assistance to protect satellite connections, the Tallinn Mechanism will address it in the first instance, says the senior U.S. official.

Demediuk and Illia Vitiuk, head of the cybersecurity department of the Ukrainian secret services (SSU), welcomed the fact that the U.S. is accepting that what Ukraine is suffering from is not cybercrime, but acts of war via the Internet and telecommunications networks. This is critical, they said, for pursuing future court cases to prosecute them as war crimes. “The Russian invasion of Ukraine is the first modern war to feature a major cyber warfare component,” wrote researcher Vera Mironova in 2023 for the Atlantic Council, a U.S.-based geopolitical think tank.

Vitiuk pointed out to this newspaper that Russian missile attacks have been accompanied by simultaneous attacks against the servers of targeted Ukrainian agencies. This was the case in the bombing campaign of autumn 2022 and winter 2023 against the Ukrainian energy network, says the senior SSU employee. Andy Greenberg, one of the most renowned journalists in the investigation of Russian hacking, asserted in November 2023 that what happened during the bombings against the Ukrainian power grid was a first in the history of cyberwar. According to Greenberg, a Russian military intelligence agency unit known as Sandworm had hacked the Ukrainian power grid twice in the past decade, but did so again to “target civilians with a blackout attack at the same time missile strikes hit their city, an unprecedented and brutal combination of digital and physical warfare.” The same occurred in the 2022 missile attack on Kyiv’s main television broadcasting tower, according to Vitiuk.

Ukraine’s National Security Council defines a cyberattack as an act of war when it has a destructive purpose, is carried out by military units, or financed by a state. Vitiuk completed the description by indicating that acts of cyberwar are committed if a state trains the experts who carry them out. He conceded that attacks against military targets are legitimate, but Russia mostly focuses its aggression against civilian infrastructure.

Aushev argued, citing Vitiuk, that Ukraine is hitting military data and telecommunications systems in Russia, which would be a legitimate target in war. But leading international organizations state otherwise. The Swiss-based CyberPeace Institute, in a report published last December, concluded that it had recorded at least 300 cyberattacks against Russian civilian agencies from the beginning of the invasion until September 2023, and that the main attacker is the so-called IT Army of Ukraine, a large network of hackers supported by the Kyiv government, according to the institute. The institute confirmed 574 attacks against Ukrainian civilian agencies in the same period. The SSU claims that in nearly two years of war it has dealt with 10,000 major cyberattacks, with a daily average of 13.
