Cybersecurity professionals were offered lessons of resilience in the most extreme circumstances from Ukraine’s former minister of foreign affairs.
Dmytro Kuleba, who served as Ukraine’s Minister of Foreign Affairs between 2020 and 2024, told Infosecurity Europe delegates that the key to Ukraine’s survival after the full-scale Russian invasion of 2022 was pre-planning, a lesson learned in the early weeks of the war.
Ukraine’s largest mobile operator KyivStar was subjected to an outage in December 2023 because of a Russian cyberattack.
“They got to the very core of their system of their network,” Kuleba said. “They put it down, or they knocked it out, and the way they did it, they penetrated through an account of one single employee of KyivStar.”
Kuleba added: “Miraculously, KyivStar did [the] unimaginable, and within days they restored the system and fenced it off.”
Few successful cyberattacks have happened since this incident, according to Kuleba, who credited this success on a pre-planning for resilience methodology that has been adopted by the Ukrainian government and businesses.
“We don’t know what and how it is going to happen,” Kuleba said. “But you can presume, you can brainstorm, you can calculate, and you can prepare. You can prepare so that it becomes your muscle memory.”
Even if the unexpected happens you will be more prepared if you’ve gone through preparations, Kuleba argued.
“Make no mistake when the crisis situation occurs, everything will be different,” said Kuleba. “You will be punched in the face. You plan not to follow the plan but to know your environment perfectly and to develop instincts of survival in this environment.”
Exodus
Kuleba began preparing Ukraine’s foreign ministry for the war in November 2021, starting with learning precisely how its systems worked and planning for contingencies such as how diplomats and staff could communicate if online messaging apps became unavailable.
When war broke out foreign ministry services was evacuated abroad.
“We did not waste a single second on figuring out what is possible and what is impossible, because we knew all of that in advance,” Kuleba said.
Preparation for potential disasters might seem like a distraction from more immediate projects or even boring but making contingency plans is vital not just for Ukraine but for technologists around the world.
“There are more important projects than preparing for something that might not even happen,” Kuleba advised. “But if you care for your company, if you care for your country, you have to prepare for the worst.”
Kuleba concluded: “Resilience is not being prepared to repair a destruction. Resilience is your ability to keep repairing the wrecks as destruction becomes new normal.”
The war has affected the operations of even smaller Ukrainian businesses as Russian cyberattacks have become stealthier.
For example, Russian operatives have recently sought to gain “pattern of life” intelligence that might be used to assassinate Ukrainian officials or target members of their family for kidnap after hacking into the customer relationship management (CRM) systems used by businesses such as barbers, gyms, and nail bars.
“What Russian security services are doing is they break into CRM systems of barbers, fitness clubs … the loyalty programmes of supermarkets, to track your movements, to understand whether you usually show up, [and] how much time do you usually spend, to build a picture, and then do what they believe is necessary,” Kuleba said.
In one case Kuleba linked to this tactic, the son of an unspecified Ukrainian official was kidnapped before his father was blackmailed by the Russians into leaking intel.
CRM systems in the Ukraine were particularly vulnerable because for years before the invasion, “Russian companies had been offering very lucrative offers to Ukrainian businesses so that they would install [their] CRM platforms,” Kuleba said.
Kuleba added: “Did these Russian companies do that on their own initiative? Perhaps. Did the Russian security service ask them to do that and help them to do it? Perhaps. But the thing is, even such innocent programme as a check-in system at a restaurant, or a barber shop, or a gym, can help your enemy to kill someone … to kidnap.”
“Do not trust the products made by your potential enemy,” Kuleba concluded, adding that the incident shows the importance of technological sovereignty and data security even for the smallest companies.