How Ukraine’s cyber police fights back against Russia’s hackers

Ukraine’s cyber police talks crypto, ransomware and documenting war crimes after Russia’s invasion

Yevhenii Panchenko, the chief of division of the Cyberpolice Department of the National Police of Ukraine, during a talk on Tuesday in Manhattan, NY.
Image Credits: Kris Tripplaar/Chainalysis

On February 24, 2022, Russian forces invaded Ukraine. Since then, life in the country has changed for everyone.

For the Ukrainian forces who had to defend their country, for the regular citizens who had to withstand invading forces and constant shelling, and for the Cyberpolice of Ukraine, which had to shift its focus and priorities.

“Our responsibility changed after the full scale war started,” said Yevhenii Panchenko, the chief of division of the Cyberpolice Department of the National Police of Ukraine, during a talk on Tuesday in New York City. “New directives were put under our responsibility.”

During the talk at the Chainalysis LINKS conference, Panchenko said that the Cyberpolice comprises around a thousand employees, of which about forty track crypto-related crimes. The Cyberpolice’s responsibility is to combat “all manifestations of cyber crime in cyberspace,” said Panchenko. And after the war started, he said, “we were also responsible for the active struggle against the aggression in cyberspace.”

Panchenko sat down for a wide-ranging interview with TechCrunch on Wednesday, where he spoke about the Cyberpolice’s new responsibilities in wartime Ukraine. That includes tracking what war crimes Russian soldiers are committing in the country, which they sometimes post on social media; monitoring the flow of cryptocurrency funding the war; exposing disinformation campaigns; investigating ransomware attacks; and training citizens on good cybersecurity practices.

The following transcript has been edited for brevity and clarity.

TechCrunch: How did your job and that of the police change after the invasion?

It almost totally changed. Because we still have some regular tasks that we always do, we’re responsible for all the spheres of cyber investigation.

We needed to relocate some of our units in different places, of course, to some difficult organizations because now we need to work separately. And also we added some new tasks and new areas for us of responsibilities when the war started.

From the list of the new tasks that we have, we crave information about Russian soldiers. We never did that. We don’t have any experience before February 2022. And now we try to collect all the evidence that we have because they also adapted and started to hide, like their social media pages that we used for recognizing people who were taking part in the larger invading forces that Russians used to get our cities and kill our people.

Also, we are responsible for identifying and investigating the cases where Russian hackers do attacks against Ukraine. They attack our infrastructure, sometimes DDoS [distributed denial-of-service attacks], sometimes they make defacements, and also try to disrupt our information in general. So, it’s quite a different sphere.

Because we don’t have any cooperation with Russian law enforcement, it’s sometimes not easy to identify or search information about IP addresses or other things. We need to find new ways to cooperate on how to exchange data with our intelligence services.

Some units are also responsible for defending the critical infrastructure in the cyber sphere. It’s also an important task. And today, many attacks also target critical infrastructure. Not only missiles, but hackers also try to get the data and destroy some resources like electricity, and other things.

When we think about soldiers, we think about real world actions. But are there any crimes that Russian soldiers are committing online?

[Russia] uses social media to sometimes take pictures and publish them on the internet, as it was usual in the first stage of the war. When the war first started, probably for three or four months [Russian soldiers] published everything: videos and photos from the cities that were occupied temporarily. That was evidence that we collected.

And sometimes they also make videos when they shoot in a city, or use tanks or other vehicles with really big guns. There’s some evidence that they don’t choose the target, they just randomly shoot around. It’s the video that we also collected and included in investigations that our office is doing against the Russians.

In other words, looking for evidence of war crimes?

Yes.

How has the ransomware landscape in Ukraine changed after the invasion?

It’s changed because Russia is now not only focused on the money side; their main target is to show citizens and probably some public sector that [Russia] is really effective and strong. If they have any access on a first level, they don’t deep dive, they just destroy the resources and try to deface just to show that they are really strong. They have really effective hackers and groups who are responsible for that. Now, we don’t have so many cases related to ransom, we have many cases related to disruption attacks. It has changed in that way.

Has it been more difficult to distinguish between pro-Russian criminals and Russian government hackers?

Really difficult, because they don’t like to look like a government structure or some units in the military. They always find a really fancy name like, I don’t know, ‘Fancy Bear’ again. They try to hide their real nature.

But we see that after the war started, their militaries and intelligence services started to organize groups — maybe they’re not so effective and not so professional as some groups that worked before the war started. But they organize the groups on a massive [scale]. They start from growing new partners, they give them some small tasks, then see if they are effective and truly succeed in a small portion of IT knowledge. Then they move forward and do some new tasks. Now we can see many of the applications they also publish on the internet about the results. Some are not related to what governments or intelligence groups did, but they publish that intelligence. They also use their own media resources to raise the impact of the attack.

What are pro-Russian hacking groups doing these days? What activities are they focused on? You mentioned critical infrastructure defacements; is there anything else that you’re tracking?

It starts from basic attacks like DDoS to destroy communications and try to destroy the channels that we use to communicate. Then, of course, defacements. Also, they collect data. Sometimes they publish that in open sources. And sometimes they probably collect but not use it in disruption, or in a way to show that they already have the access.

Sometimes we know about the situation when we prevent a crime, but also attacks. We have some signs of compromise that were probably used on one government, and then we share with others.

[Russia] also creates many psyops channels. Sometimes the attack did not succeed. And even if they don’t have any evidence, they’ll say “we have access to the system of military structures of Ukraine.”

How are you going after these hackers? Some are not inside the country, and some are inside the country.

That’s the worst thing that we have now, but it’s a situation that could change. We just need to collect all the evidence and also provide investigation as we can. And also, we inform other law enforcement agencies in countries who cooperate with us about the actors who we identify as part of the groups that committed attacks on Ukrainian territory or to our critical infrastructure.

Why is it important? Because if you talk about some regular soldier from the Russian army, he will probably never come to the European Union and other countries. But if we talk about some smart guys who already have a lot of knowledge in offensive hacking, he prefers to move to warmer places and not work from Russia. Because he could be recruited to the army, other things could happen. That’s why it’s so important to collect all evidence and all information about the person, then also prove that he was involved in some attacks and share that with our partners.

Also because you have a long memory, you can wait and maybe identify this hacker, where they are in Russia. You have all the information, and then when they are in Thailand or somewhere, then you can move in on them. You’re not in a rush necessarily?

They attack a lot of our civil infrastructure. That war crime has no time expiration. That’s why it’s so important. We can wait 10 years and then arrest him in Spain or other countries.

Who are the cyber volunteers, and what is their role?

We don’t have many people today who are volunteers. But they are really smart people from around the world — the United States and the European Union. They also have some knowledge in IT, sometimes in blockchain analysis. They help us to provide analysis against the Russians, collect data about the wallets that they use for fundraising campaigns, and sometimes they also inform us about the new form or new group that the Russians create to coordinate their activities.

It’s important because we can’t cover all the things that are happening. Russia is a really big country, they have many groups, they have many people involved in the war. That type of cooperation with volunteers is really important now, especially because they also have a better knowledge of local languages.

Sometimes we have volunteers who are really close to Russian-speaking countries. That helps us understand what exactly they are doing. There is also a community of IT guys that’s also communicating with our volunteers directly. It’s important and we really like to invite other people to that activity. It’s not illegal or something like that. They just provide the information and they can tell us what they can do.

What about pro-Ukrainian hackers like the Ukraine IT Army? Do you just let them do what they want, or are they also potential targets for investigation?

No, we don’t cooperate directly with them.

We have another project that also involves many subscribers. I also talked about it during my presentation: it’s called BRAMA. It’s a gateway and we coordinate and gather people. One thing that we propose is to block and destroy Russian propaganda and psyops on the internet. We have really been effective and have had really big results. We blocked more than 27,000 resources that belong to Russia. They publish their narratives, they publish many psyops materials. And today, we also added some new functions in our community. We not only fight against propaganda, we also fight against fraud, because a lot of fraud today represented in the territory of Ukraine is also created by the Russians.

They also have a lot of impact with that, because if they launder and take money from our citizens, we could help. And that’s why we include those activities, so we proactively react to stories that we received from our citizens, from our partners about new types of fraud that could be happening on the internet.

And also we provide some training for our citizens about cyber hygiene and cybersecurity. It’s also important today because the Russian hackers not only target the critical infrastructure or government structures, they also try to get some data of our people.

For example, Telegram. Now it’s not a big problem but it’s a new challenge for us, because they first send interesting material, and ask people to communicate or interact with bots. On Telegram, you can create bots. And if you just type twice, they get access to your account, and change the number, change two-factor authentication, and you will lose your account.

Is fraud done to raise funds for the war?

Yes.

Can you tell me more about Russian fundraising? Where are they doing it, and who is giving them money? Are they using the blockchain?

There are some benefits and also disadvantages that crypto could give them. First of all, [Russians] use crypto a lot. They create almost all kinds of wallets. It starts from Bitcoin to Monero. Now they understand that some types of crypto are really dangerous for them because many of the exchanges cooperate and also confiscate the funds that they collect to help their military.

How are you going after this type of fundraising?

If they use crypto, we label the addresses, we make some attribution. It’s our main goal. That’s also the type of activities that our volunteers help us to do. We are really effective at that. But if they use some banks, we could only collect the data and understand who exactly is responsible for that campaign. Sanctions are the only good way to do that.

What is cyber resistance?

Cyber resistance is the big challenge for us. We wanted to play that cyber resistance in cyberspace for our users, for our resources. First of all, if we talk about users, we start from training and also sharing some advice and knowledge with our citizens. The idea is how you could react to the attacks that are expected in the future.

How is the Russian government using crypto after the invasion?

Russia didn’t change everything in crypto. But they adapted because they saw that there were many sanctions. They create new ways to launder money to prevent attribution of the addresses that they used for their infrastructures, and to pay or receive funds. It’s really easy in crypto to create many addresses. Previously they didn’t do that as much, but now they use it often.
