Going Toe-to-Toe With Ukraine’s Separatist Hackers
The proliferation of cyberespionage tools empower even small breakaway regions to run digital intelligence operations.
The hacker realized that he was being watched.
The spy software he was attempting to run against the Ukrainian government had infected the wrong machine, and now an analyst working for an American security company was picking apart the program—known as RatVermin—trying to understand how it worked.
The hacker, likely working on behalf of the Luhansk People’s Republic, a breakaway region of Eastern Ukraine, first tried to run a ransomware program dubbed Hidden Tear to scramble the contents of the computer it had mistakenly infected. The program would have made the computer useless to the analyst and flashed a sardonic message: “Files have been encrypted with hidden tear. Send me some bitcoins or kebab. And I also hate night clubs, desserts, being drunk.”
But the analyst blocked the program from executing, and then, for a few hours on March 20, 2018, the two engaged in the digital equivalent of hand-to-hand combat.
The hacker tried to delete the software being used by the analyst to understand RatVermin, a custom-made all-purpose spy tool. The analyst simply reset the machine and booted RatVermin back up, this time with a question displayed on the screen: Why had the hacker tried to run ransomware on the computer?
The hacker replied with a one-word question: “Mad ?”
In the perpetual game of cat and mouse between analysts who try to protect networks and the hackers who break into them, this brief interaction represented a rare moment of human contact. The analyst had trapped the hacker; the hacker responded with a cynical shrugging of the shoulders.
The conversation was detailed in a report released last month by the U.S. cybersecurity firm FireEye exposing the hacking operation as part of a campaign being run by operatives working on behalf of the Luhansk People’s Republic, one of the breakaway republics in Eastern Ukraine backed by Moscow, that used both custom-written malware and publicly available spy software to target Ukrainian government ministries for espionage.
The Luhansk hacker cornered last year failed to hit his target, but the campaign that it was a part of illustrates how cyberespionage operations that were once the domain of well-funded intelligence agencies have now trickled down to even semi-autonomous regions fighting for independence. The proliferation of these weapons allows individual hackers and their confederates to carry out intelligence operations for their pseudo-governments.
“This is a really good example of how easy it is to set up a lasting program,” said John Hultquist, the director of intelligence analysis at FireEye. “It evens the playing field for much smaller countries and gives them an ability to collect intelligence without the vast resources that are necessary for a major human intelligence operation.”
It is difficult to assess the success of the campaign, but as it has been active since 2014, according to FireEye’s data, it would be surprising if it hadn’t notched a few victories during the time the Luhansk hackers have kept it up and running. Five years into Ukraine’s civil war, the breakaway republic continues to operate its espionage program.
“The list of targets covers a wide swath of Ukrainian military, political figures and media outlets that could have huge effects if successfully targeted in a hack and leak operation,” said Nina Jankowicz, a global fellow at the Wilson Center think tank ’s Kennan Institute who studies Russian information operations. “Even if it was not successful, it is meant to inspire doubt among the public about Ukraine’s cyber and governance capabilities.”
While Russia has provided extensive support to the breakaway republics of Eastern Ukraine, there is no evidence to indicate that the program run out of the Luhansk People’s Republic is a Russian operation. Hultquist said his analysts found no overlap between the tools being used by the Luhansk hackers and other Russian operatives.
Remarkably, the hackers in Luhansk appear to have set up an indigenous cyberintelligence operation.
To run that operation, the hackers relied on a mix of publicly available hacking tools and custom-made software. Its operatives wrote a piece of custom software—RatVermin—that security companies have tracked since last year. The group also used the publicly available Quasar RAT spy software, which has become so popular that there are YouTube tutorials on how to use it. It has been used by hackers working out of Iran and China, and its ubiquity offers its users a measure of plausible deniability.
Software such as RatVermin and Quasar RAT represent the bread and butter of espionage campaigns. They give their operators the ability to view the computer screen and file directory of the machines they infect, and they allow hackers to run programs remotely, log keystrokes, and turn on microphones and video cameras. (The recurring vermin motif in the naming convention is reference to the acronym RAT, which stands for “remote access tool” or “remote access trojan” and describes this class of spy software.)
Since Russia’s military intervention in Ukraine in 2014, the country has turned into a staging ground for the Kremlin to test its latest, greatest hacking tools. U.S. intelligence agencies concluded that it was their Russian counterparts who developed the NotPetya ransomware, which is widely considered to be the most destructive malware in history. Russian hackers have on at least two occasions shut down Ukrainian electrical systems.
Hultquist said his company places a premium on its Ukrainian operations because it gives his researchers insight into the cutting edge of Russian operations—and their spread to other actors.
“The fact that an unrecognized upstart government can build out a capability that has lasted for five years really indicates to me that this is well within the grasp of just about anyone,” Hultquist said.