Inside Russia's attempts to hack Ukrainian military operations

KYIV, Ukraine — Ukrainian intelligence officials have revealed details to NPR about an attempt by Russian state hackers to penetrate Ukrainian military planning operations systems.

The hackers from Russian military intelligence captured Android tablet devices used by Ukrainian officers on the front lines in an attempt to spy, according to a report published by the Security Service of Ukraine's Cyber Security Situation Center.

"We saw that there were attempts to penetrate these systems," said Illia Vitiuk, the head of the Cybersecurity Department of Ukraine's Security Services, also known as the SBU. Vitiuk spoke to NPR in an exclusive interview in Kyiv on Wednesday.

"Our enemy is extremely focused on getting insight into these systems," he continued.

The Ukrainian military uses multiple tools for situational awareness to track Russian troop positions and gather other intelligence from the land, air and sea. Those include Delta, a military platform developed by the Defense Technology Innovation and Development Center within Ukraine's Ministry of Defense, and Kropvya, a defense mapping software made by Ukrainian NGO Army SOS. Developers working on these systems in Kyiv are becoming increasingly aware of Russia's focus on them, and are declining to openly discuss the platforms and how they work to limit exposure to Russian threats.

In this specific operation, the Russian hackers' goals included gathering intelligence from the devices and then tailoring malware to exploit the broader military operations network.

"They planned these operations for a long period of time, and there were some hacker groups that moved closer to the front lines" in order to steal Ukrainian tablets, said Vitiuk.

The SBU attributed the cyber operation to Russian military intelligence organization GRU, or more specifically the hacking group known as SandWorm. Hackers from SandWorm have been extremely active both during and before the full-scale invasion launched in February 2022, targeting the Ukrainian energy sector, the global economy, and others.

According to the State Security Service report, the agency detected the Russian operation in its early stages, preventing full access to the military operations system.

This is not the first time that Russia has attempted to compromise the Delta system. In December, Russian hackers broke into Ukrainian military email accounts to deliver convincing phishing emails to Delta users. Ukraine's Computer Emergency Response Team published details about the operation. And last summer, Russian officers created a fake version of the Delta website in order to trick legitimate users into providing their credentials.

Ukrainian cybersecurity experts have expressed concern about these breaches, arguing that the government has not been transparent enough about what was stolen.

However, according to Vitiuk, these military platforms are segmented so that each individual user doesn't have access to all its components. Therefore, he explained, by capturing individual Android devices or stealing login credentials, Russian officers would likely only be able to access information available to the user that was compromised. Additionally, the Delta platform does not directly track Ukrainian troop locations, he said.

However, the malware samples gathered from this most recent operation gave interesting clues about what Russian hackers were most interested in.

Some of the malware samples SBU cyber experts found on the devices were designed to gather information about connections to the satellite internet device Starlink developed by Elon Musk's company SpaceX. These devices have been important in Ukraine during the full-scale invasion, particularly when other communication networks are down.

"This was very interesting malware ... it gave them the possibility to get the configurations of Starlink, so in the end they could understand the location" of specific military units, explained Vitiuk. As a result, they can use that information when targeting attacks, he continued.

"But the thing is, we have thousands of Starlinks here in Ukraine, and there are alternatives ... you cannot hit it with a missile or artillery shell, every Starlink," Vitiuk said.

Starlinks are top priority targets for Russia. Therefore, while they may have gained some information about individual devices, perhaps "hundreds," in this operation, said Vitiuk, Russians likely combine that information with intelligence gathered from drones and human sources in order to target attacks.

Understanding what information may have been compromised allows Ukraine to relocate its troops and expose Russian tactics, Vitiuk told NPR.

Vitiuk explained that part of the goal in openly publishing information about the Russian operation is to expose their tactics to allow partners to defend against them.

"We understand that Russians, they first use everything here, but afterwards, they can use the same methods and the same malware somewhere else. ... That's why it was very important to publish this report, to show the evolution of Russian hackers, to show how focused they are on military situational awareness systems," said Vitiuk.

The Delta platform recently underwent a successful NATO review to determine its interoperability with Western systems like F-16 fighter jets. "This is a significant step because thanks to Delta, soldiers can view the battlefield in real-time, including the location of enemy forces," said Ukraine's Minister of Digital Transformation Mykhailo Fedorov.

"We do believe the systems we're using now will be used by other countries ... so it's very important to start protecting them from now," Vitiuk concluded.

Kateryna Malofieieva provided additional reporting for this story.