
CSS CYBER DEFENSE PROJECT

Hotspot Analysis:
Cyber and Information warfare in the Ukrainian conflict

Zürich, October 2018
Version 2
Risk and Resilience Team
Center for Security Studies (CSS), ETH Zürich

Author: Marie Baezner

2018 Center for Security Studies (CSS), ETH Zürich

Contact:
Center for Security Studies
Haldeneggsteig 4
ETH Zürich
CH-8092 Zürich
Switzerland
Tel.: 41-44-632 40 [email protected]

Prepared by: Center for Security Studies (CSS), ETH Zürich

ETH-CSS project management: Tim Prior, Head of the Risk and Resilience Research Group; Myriam Dunn Cavelty, Deputy Head for Research and Teaching; Andreas Wenger, Director of the CSS

Disclaimer: The opinions presented in this study exclusively reflect the authors’ views.

Please cite as: Baezner, Marie (2018): Cyber and Information warfare in the Ukrainian conflict, Version 2, October 2018, Center for Security Studies (CSS), ETH Zürich.

Table of Contents

1 Introduction
2 Background and chronology
3 Description
3.1 Tools and techniques
    DDoS
    Website defacement
    Malware
3.2 Targets
3.3 Attribution and actors
    Pro-Ukrainian hacker groups
    Pro-Russian hacker groups
4 Effects
4.1 Social and political effects
4.2 Economic effects
4.3 Technological effects
4.4 International effects
5 Policy Consequences
5.1 Raising awareness of propaganda and misinformation
5.2 Limit dependence on foreign technology
5.3 Leading by example against DDoS and website defacement
5.4 Monitoring of the evolution of the conflict
5.5 Confidence Building Measures (CBMs)
6 Annex

Executive Summary

Targets: Ukrainian and Russian institutions, media outlets and connected devices.
Tools: Distributed Denial of Service [1] (DDoS) ationArmageddon, X-Agent, Telebot), propaganda, and misinformation.
Effects: Unavailability of targeted websites, information stolen from infected networks, electricity outage for several hours in Ukraine due to an attack on several power plants, damaged computers and devices, propaganda and misinformation campaigns.
Timeframe: November 2013 and still ongoing

Russian intrusion into American computer networks during the US election attracted significant attention in the West, and publicly demonstrated Russia’s cyber capabilities. Yet Russia has been developing and improving its cyber arsenal for the past ten years: Russian cybertools were in play in Estonia in 2007, and strategic cyberattacks were deployed during the Russo-Georgian war in 2008. During the Ukrainian conflict that started in 2014, Russia demonstrated its capacity to combine cyber capabilities with electronic warfare, intelligence and kinetic capabilities.

This Hotspot Analysis examines the specific case of the use of cybertools in the Ukrainian conflict. A “hotspot” is understood as the cyber-aspect of a particular conflict and relates to the series of actions taken in that context by states or non-state actors in cyberspace.

The main objective of this analysis is to better understand the events and cyber-activities that took place during the Ukrainian conflict and their effects. An additional aim of this document is to evaluate victims’ responses to the cyberattacks in order to learn from their reactions.

Description

At the end of 2013, the Ukrainian President abandoned an Association Agreement with the European Union that would have strengthened ties between the entities significantly, triggering mass public demonstrations. A few months later, disgraced President Yanukovych fled to Russia, and Russia invaded the Crimean Peninsula.
Throughout the Euromaidan protests and the resulting conflict, institutions and media outlets in both Ukraine and Russia fell victim to DDoS attacks, website defacement and Remote Administration Tools (RAT) delivered by spear phishing emails. These cyberattacks were used to either disrupt, spy on or damage the enemy. By employing non-state actors as proxy forces to conduct these attacks, the warring parties also ensured plausible deniability for their actions in cyberspace.

[1] Technical terms are explained in a glossary in section 7 at the end of the document.

Effects

The analysis found that the cyber-activities conducted in the context of the Ukrainian conflict not only affected Ukraine at the domestic level, but also had repercussions internationally. The social and political effects of the cyber-conflict in Ukraine included the domination of Crimean news and information sources by Russia, the erosion of the Ukrainian government’s credibility among Ukrainians, and a resulting loss of trust in the government among the Ukrainian population. Economic effects included the costs of lost revenue and reputational damage caused by the various DDoS attacks and website defacements, and the expenses incurred by the need to replace equipment following cyberattacks on the Ukrainian power grid. Technological effects comprise the risks of heavy dependence on foreign technology, having enemy troops physically tamper with telecommunications infrastructure, the ramifications of cyberattacks on the Ukrainian power grid, and the development of new malware.

At the international level, cyberattacks in the Ukrainian conflict exhibit a low-intensity tit-for-tat logic between the warring parties in cyberspace.
Additionally, while Ukraine experienced limited support from the international community, significant economic sanctions were instituted against Russia.

Policy Consequences

A range of policy consequences can be derived from the effects of cyber-activities that occurred in the Ukrainian conflict and in the Russian information warfare campaign. States may, for instance, proactively try to bolster their own situation so that they do not fall victim to propaganda campaigns in the same way that Ukraine did. Additionally, states should enhance the cybersecurity of online state infrastructures against Distributed Denial of Service attacks and website defacement. In addition, nation states may wish to improve their cybersecurity by limiting their dependency on foreign technology and providing guidance for the private sector on how to respond following a cyberattack. States should closely monitor how the Ukrainian conflict continues to evolve, and promote Confidence Building Measures at the international level.

[2] Abbreviations are listed in section 8 at the end of the document.

Addendum

This is the second version of the Hotspot Analysis on Ukraine, and includes an addendum at the end of the document. The addendum covers the period from January 2017 to June 2018 and its purpose is to update the earlier version of the Hotspot Analysis and provide additional information on the events that occurred in advance of and during that period of time. Those six months saw new malware that targeted Ukrainian networks, and two reports were published that brought new information to light regarding the cyberattack on Ukraine’s electrical grid in 2016.

The addendum is structured like the main Hotspot Analysis to keep consistency between the two versions of the report. The addendum only reports new elements in the case of Ukraine and seeks to avoid repetition with the main Hotspot Analysis. Therefore, the addendum cannot be read on its own and should be read in addition to the original Hotspot Analysis. In addition, Appendix 1 from the earlier Hotspot Analysis has been incorporated into the addendum and includes new elements. The addendum is organized as follows. In Section 2, it first details a chronology of the events that occurred between January 2017 and June 2018. Section 3 examines the malware that targeted Ukraine during that period. This section focuses on the malware CrashOverride, NotPetya, BadRabbit, Python/Telebot and VPNFilter. This section also gives more details on two pro-Russian hacker groups: Sandworm (previously called Quedagh), which is a subunit of APT28, an actor that was examined in the main Hotspot Analysis; and the Gamaredon Group, to which the main Hotspot Analysis attributed Operation Armageddon. Section 4 analyzes the effects of these attacks on Ukraine and its international relations. It first examines the social and political effects of the cyberattacks.
It shows that since the beginning of the conflict, Ukraine has developed its cyber capabilities and is increasingly aware of Russia’s online influence campaigns. As such, Ukraine has begun attempting to limit their effects. However, a feeling of insecurity remains in the Ukrainian population due to recurring cyberattacks. The cyber-campaign against Ukraine had significant economic effects on Ukraine, including the consequences of ransomware attacks and the replacement of technology due to cyberattacks on the electrical grid. Technologically, the Ukrainian conflict revealed new sophisticated malware, some of which imitated known malware to confuse observers. Additionally, Ukraine has most likely become a testing ground for the further advancement of Russian malware. Internationally, the situation in Ukraine indicated that even though cyberattacks in Ukraine were sophisticated and were increasing in intensity, attacks remained below a certain threshold that would trigger an international intervention. This fact also emphasizes the lack of international support to Ukraine in its fight against pro-Russian separatists and cyberattacks. Section 5 gives some general policy recommendations to help states avoid a similar situation as in Ukraine.

1 Introduction

Over the past ten years, Russia has repeatedly shown that it is capable of developing its cyber capabilities and effectively integrating them with its other military capabilities (e.g. kinetic, intelligence and electronic warfare (EW) [3]). Perhaps the earliest example was from 2007, with the use of Distributed Denial of Service (DDoS) [4] against Estonian government institution websites. By 2008, during the conflict between Russia and Georgia, Russian capabilities had improved to the extent that cybertools were successfully combined with kinetic forces. This Hotspot Analysis examines specific cases in the context of the Ukrainian conflict to better understand actors’ dynamics and modus operandi in this region. The goal of this report is to analyze how victims, both individual and institutional, were affected by cyberattacks and how they responded. This paper also serves as a basis for a broader comparative study of various Hotspots that can be used to inform other states on how to improve their responses, if faced with similar situations.

This Hotspot Analysis report will be regularly updated as new details are released or important events occur. The aim is to keep the document as up-to-date as possible.

This report analyzes the specific case of cyber-activities in the Ukrainian conflict. Relations between Ukraine and Russia have been tense ever since Vladimir Putin was first elected president of Russia in 2000. Their strained relationship was punctuated by disputes in 2004 during the Orange Revolution in Ukraine, and again regularly over natural gas supplies. Tensions reached new heights when Ukraine began developing closer relationships with the European Union (EU) and Ukraine’s Russia-friendly president Viktor Yanukovych was ousted following the Euromaidan protests.
The two nations finally erupted into an open conflict when Russia invaded the Crimean Peninsula.

This case warrants close examination because it concerns an ongoing conflict that is characterized by an intense cyber-dimension. While the intensity of the conflict has decreased in both the physical and the cyber realms, it remains a significant factor in world politics and may influence events elsewhere, for example in Syria where Russian troops are also deployed.

This Hotspot Analysis is divided into the following five sections: Section 2 describes the historical background and chronology of the events from Ukrainian independence in 1990 to the renewed violence in the Donbass region in January 2017. It records the events that have most influenced the tense relationship between Russia and Ukraine, and situates the cyberattacks in relation to the broader context of the conflict.

[3] Abbreviations are listed in section 8 at the end of the document.

In section 3, the report explains the various cybertools and techniques used during the Euromaidan protests and the Ukrainian conflict, as well as the various targets and perpetrators. It demonstrates that the tools and techniques used in this conflict display different degrees of sophistication and serve different purposes. The reported cyberattacks included DDoS; website defacement, which was mainly aimed at disrupting proper website function; and several malware families that were used to steal information. The victims of cyberattacks were mostly state institutions and media outlets in both Ukraine and Russia, but also Ukrainian armed forces and third parties (e.g. international organizations and other states). The perpetrators are categorized into two groups based on their affiliations. Therefore, actors are either classified as a pro-Ukrainian hacker group, or a pro-Russian hacker group.
Both Ukraine and Russia conduct cyberattacks through proxies, which enables both governments to deny any direct involvement.

Section 4 examines the diverse effects of the cyber-aspects of the Ukrainian conflict on the domestic and international level. On the domestic level in Ukraine, the effects were felt in the social, political, economic and technological domains. Sociopolitical effects in Ukraine included a denial of access to non-Russian information on the Crimean Peninsula, and a loss of trust in Ukrainian institutions’ ability to protect society. The economic costs of cyber warfare included the costs of lost revenue and reputational damage caused by DDoS attacks and website defacements, as well as the costs of replacing damaged equipment in the power plant that was targeted by a Russian cyberattack. Technological effects consist of Russian troops physically tampering with telecommunications infrastructures in Ukraine, an aspect that clearly illustrates the dangers of relying on foreign technology; of the physical damage to technological equipment in power plants due to the cyberattacks; and the discovery of new malware. Effects on the international level can be characterized as low intensity, and the warring parties were seen to employ a tit-for-tat logic even when critical infrastructure such as power plants were targeted. Additionally, the limited support that Ukraine received from the international community has major global implications, as does the implementation of economic sanctions against Russia.

Finally, section 5 proposes some conclusions that may be drawn from this Hotspot Analysis and that state actors can learn from to reduce the risk of being impacted by cyber-activities resulting from the Ukrainian conflict or to avoid a similar situation. It suggests improving cybersecurity by raising public awareness of the issues of propaganda and misinformation; leading by example with better protection of online state infrastructures against DDoS and website defacement; and limiting dependency on foreign technology. It also recommends closely monitoring the development of the Ukrainian conflict and promoting Confidence Building Measures (CBM) in cyberspace to reduce mistrust among states, but particularly Ukraine and Russia.

[4] Technical terms are explained in a glossary in section 7 at the end of the document.

The addendum shares the same structure as the main Hotspot Analysis. Section 2 outlines a chronology of events in Ukraine between January 2017 and June 2018. Section 3 describes the new malware observed during that period in Ukraine and provides new information on actors present in the Ukrainian theater. Section 4 analyzes the effects of the additional cyberattacks on Ukraine and on international relations. Finally, Section 5 gives some general recommendations states can use to ward off similar cyberattacks as the ones in Ukraine.

2 Background and chronology

Both the historical background and chronology of the Ukrainian conflict are important in understanding the context in which it developed.

Ukraine gained its independence at the fall of the Soviet Union, but Russia still tried to maintain a certain control or influence over former Soviet Republics. The relations between Russia and Ukraine have been characterized by disputes, including the Orange Revolution during the Ukrainian elections in 2004 and disputes over natural gas supplies. Ukraine first initiated its rapprochement with the EU with an association agreement, but later turned back towards Russia instead. This decision precipitated the Euromaidan protests and provoked the departure of Ukrainian President Yanukovych. In parallel with the protests, DDoS and website defacement occurred on Ukrainian websites. A few months later, when Russia invaded Crimea, there was another increase in cyber-activities in Ukraine and Russia, but these then dropped again to a more or less constant low level. However, there were two spikes in the form of two attacks against the Ukrainian power grid.

Rows with gray background refer to cyber-related incidents.

Date: Event

05.12.1994: Ukraine becomes a member of the Nuclear Non-Proliferation Treaty by returning its nuclear weapons es, Ukraine is assured that its territorial integrity and political independence would not be threatened by Russia (Besemeres, 2014; United Nations, 1994).

03.2005 / 01.2006: In March 2005, Russia accuses Ukraine of diverting natural gas bound for EU states and not paying taxes on natural gas supplies. On January 1, 2006, Russia cuts off natural gas supplies to Ukraine, with effects on European states that depend on the gas supply transiting through Ukraine (BBC News, 2006).

08.2008: Russia invades Georgia following skirmishes between pro-Russian rebels and Georgian armed forces. The Russian military uses a combination of kinetic capabilities and cyberattacks on Georgian institutions’ websites (Giles, 2016a, pp. 4–5).

12.2011: After Putin’s victory in the legislative elections, the opposition organizes demonstrations to protest against the election results. During the protests, the Russian armed forces use automated DDoS to disrupt media and social media pages in order to stop discussions of the elections (Giles, 2012).

11.2013: The Ukrainian President Yanukovych rejects the Association Agreement with the EU. The pro-European Euromaidan movement subsequently organizes protests but is violently repressed. At the same time, Ukrainian institutions’ websites are targeted by DDoS attacks [5] (Ukraine investigations, 2014).

18–21.02.2014: Violence against protesters intensifies causing the deaths of several demonstrators. DDoS attacks continue on Ukrainian websites and on Ukrainian members of Parliament’s cell phones. The Ukrainian Parliament agrees to a change in constitutional law and to return to the setting before the 2004 constitution.

22.02.2014: Ukrainian President Yanukovych flees to Russia. The Ukrainian Parliament elects Oleksandr Turchynov as acting President until the planned presidential election of 25th May 2014 (Pakharenko, 2015).

27–28.02.2014: Pro-Russian groups organize demonstrations in various Ukrainian cities, while non-uniformed soldiers seize airports and other strategic sites in Crimea. They cut off Crimean communications with the external world in a raid on the Ukrainian telecommunications infrastructures and tamper with its fiber optic cables (Gordon, 2014; Martin-Vegue, 2015).

[5] For a detailed table of the cyberattacks during this period and during the Ukrainian conflict, see Annex 1.

The Russian Parliament authorizes the use of force against Ukraine (Lally et al., 2014).

Russian troops enter Crimea (Maurer, 2015).

Various Russian websites are targeted by DDoS attacks in retaliation for the invasion (Ukraine investigations, 2014).

The referendum on the annexation of Crimea by Russia is carried by the Crimean population (Geers, 2015, p. 10).

Various DDoS attacks on Ukrainian and Russian websites are reported (Ukraine investigations, 2014).

The USA and European states agree on a first round of sanctions against Russia (Geers, 2015, p. 10).

President Putin signs a bill on the annexation of Crimea (White, 2014).

The war in the Eastern Ukrainian region of Donbass starts between pro-Russia separatists and the Ukrainian armed forces. At the same time, cyberattacks on Russian and Ukrainian websites continue. The USA and European states agree on a second round of sanctions against Russia (Shahani, 2015).

A pro-Russian hacker named CyberBerkut hacks the servers of the Central Election Commission (CEC) and infects the election networks with malware. The Ukrainian cyber emergency response team manages to remove the malware from the network in time for the election (Weedon, 2015).

Petro Poroshenko is elected as the new President of Ukraine (Geers, 2015, p. 10).

20.06.2014: President Poroshenko declares a seven-day ceasefire for the pro-Russian separatists to lay down their weapons. Cyberattacks from pro-Russian hacker groups also stop during this ceasefire (Shahani, 2015).

17.07.2014: Malaysia Airlines flight MH17 from Amsterdam to Kuala Lumpur is shot down by combatants in Ukraine resulting in approximately 300 dead (Geers, 2015, p. 10).

07.2014: The USA and European states expand their sanctions against Russia (BBC News, 2016

Russia issues an embargo on agricultural goods from the countries that imposed sanctions against Russia (Walker and Rankin, 2014).

The warring parties agree on a ceasefire in the Donbass region in the Minsk Protocol. The ceasefire collapses in January 2015.

Poroshenko’s political party wins the majority in the Ukrainian parliamentary elections. During the campaign, several DDoS attacks and hacks are observed against Ukrainian institutions (Martin-Vegue, 2015).

Russia creates a new cyber warfare specific military unit in Crimea (Pakharenko, 2015, p. 62).

A new Russian military doctrine is published, which also details the concept of information warfare (Giles, 2016a, p. 27).

The warring parties sign a new ceasefire agreement, the Minsk II Protocol. The protocol is violated shortly after it is signed (Weaver and Luhn, 2015).

The EU creates a StratCom Task Force, whose goal is to identify and correct disinformation coming from Russian-speaking media (European Union, 2015).

A cyberattack on the Ukrainian power grid leaves approximately 250,000 inhabitants without power for several hours (Zetter, 2016).

An international investigation reports that flight MH17 was shot down by a Soviet-built BUK missile launched from the Donbass region (Harding, 2016).

A Ukrainian hacker group leaks hacked emails from a key advisor of Vladimir Putin, Vladislav Surkov. His emails reveal that he was communicating with leaders of pro-Russian separatists in Ukraine on a regular basis (Windrew, 2016).

Russia withdraws from the International Criminal Court (Reuters, 2016a).

01.12.2016: Ukraine tests missiles in the Black Sea, west of Crimea, and is accused of violating Russian territorial waters (BBC News, 2016a).

06–14.12.2016: Several cyberattacks target Ukrainian banks, state agencies and ministries (Miller, 2016a).

17.12.2016: Power goes out for an hour in the region of Kiev after a new cyberattack on the Ukrainian power grid (Goodin, 2017).

29.01.2017: In Eastern Ukraine, clashes between Ukrainian forces and separatist groups intensify after several calmer months (BBC News, 2017).

3 Description

This section describes the different tools and techniques used during the Euromaidan protests and the Ukrainian conflict to provide a better understanding of these tools and techniques, of how they work and the purposes they serve. It also explains who the targets of these cyberattacks were and who perpetrated them.

3.1 Tools and techniques

The cyberattacks in the conflict between Ukraine and Russia can be categorized into three types: DDoS attacks, website defacement and malware infection by spear phishing [6]. The first two tools are more accurately described as cyber-disruption, while the latter is oriented more strongly toward cyber-espionage for intelligence collection and battlefield preparation for further kinetic offensives or cyberattacks (Torruella, 2014, p. 121).

[6] Even though the use of trolls to spread propaganda and misinformation is a technique used in the Russian information warfare, this aspect will not be considered as a tool for cyberattacks in this section. However, it will be examined in the section on attribution and actors.

DDoS

An increase in DDoS attacks against various websites was observed at the beginning of the Euromaidan protests and during the invasion of Crimea. In a DDoS attack, perpetrators overload targeted websites with requests, causing disruption to the website services and preventing legitimate users from accessing these pages. This technique requires the use of multiple infected computers that form a botnet, or the coordination of a large number of users. Attackers control these compromised computers to send requests to the target network without the users of the infected computers even being aware of it. This kind of cyberattack was used multiple times by both parties to the conflict; Ukrainian media websites were targeted by pro-Russian hackers in November 2013, for instance, and Russian media websites were attacked by pro-Ukrainian hackers in December 2013. DDoS attacks can also serve as a distraction to monopolize the attention of the emergency team of the targeted institution. While they are busy combating the DDoS attack, the perpetrator(s) are able to conduct other malicious activities on the relevant network such as installing a backdoor or malware in order to steal data (NSFocus Inc., 2016, p. 4).

Website defacement

Website defacement has also been observed as a tool used by both parties in the Ukrainian crisis. This technique, where a hacker breaches a web server using an SQL injection to gain administrative access, is regarded as a cyber-version of vandalism. Once the system has been penetrated, the attacker changes the visual appearance of the website or replaces pages with their own materials. Hacktivists commonly use this technique to spread political messages. For instance, the website of the Russian media outlet RT was defaced in March 2014, with attackers replacing the words “Russia”, “Russian” and “military” with the word “Nazi” (Perlroth, 2014; Storm, 2014).

Malware

Various malware, believed to be linked to the Ukrainian conflict, has been observed throughout the conflict. The security firm FireEye reported that since the beginning of the war there has been an increase in the use of malware connected to Russian and Ukrainian servers (Geers, 2014). Four malware groups have been identified in this context: BlackEnergy, Snake [7], Operation Armageddon and X-Agent.

[7] This malware is also known as Urobouros or Turla.

BlackEnergy

BlackEnergy is a family of malware primarily used by cybercriminals. It was also employed in a campaign named Sandworm (Zetter, 2014). The first version of BlackEnergy was used to gain access to networks in order to launch DDoS attacks. The second version, BlackEnergy2, was updated with new functionalities enabling it to steal data. The last version, BlackEnergy3, was updated to target Supervisory Control and Data Acquisition (SCADA) systems and added a new feature, KillDisk, which rendered the infected computers unusable. This version was used to attack the Ukrainian power grid system in December 2015 (E-ISAC, 2016; FireEye Inc., 2016). Attackers used spear phishing emails with a compromised attachment to infect computers. The malware would then install a backdoor to grant the attackers access to the network. The last two versions of the malware were deployed to gather information and were implanted in specific targets such as NATO, the Ukrainian government or the Ukrainian power grid system.

Snake

The Snake malware was discovered in 2014 but has been active since at least 2010 or 2011. It is similar to an older malware, Agent.btz, used to infiltrate the US military network in 2008. Victims got infected either by opening spear phishing emails or by visiting watering hole websites, i.e. webpages infected with malware in the hope that targets would visit them and get infected. Once the malware has infected a machine, it waits until the user opens a web browser and then simultaneously opens a backdoor for communication with the attackers without the user’s knowledge (InfoSecurity, 2014; Paganini, 2014a). It is designed to copy and delete files, connect to infected servers, and to load and execute other malware. The Snake malware is composed of two elements: a rootkit and a driver. The former takes control of the computer and hides its activities from the user in order to steal data and capture network traffic. The driver injects code into the web browser to hide the exchange of information with the attackers’ servers and creates a hidden file for holding configuration and stolen data (Paganini, 2014b; Symantec Security Response, 2014). The number of computers infected by Snake increased in Ukraine after the start of the Euromaidan protests. There were only eight cases of Snake infection in Ukraine in 2013, as compared to 14 new cases between January 2014 and March 2014. A total of 32 cases have been observed since 2010 (Sanger and Erlanger, 2014).

Operation on or Access Tool (RAT) that targeted Ukrainian government, law enforcement and military networks. It was discovered in September 2014 by the US securi
