Featured Article

How Ukraine’s cyber police fights back against Russia’s hackers

Ukraine’s cyber police talks crypto, ransomware and documenting war crimes after Russia’s invasion

Comment

Yevhenii Panchenko, the chief of division of the Cyberpolice Department of the National Police of Ukraine, during a talk on Tuesday in Manhattan, NY.
Image Credits: Kris Tripplaar/Chainalysis

On February 24, 2022, Russian forces invaded Ukraine. Since then, life in the country has changed for everyone.

For the Ukrainian forces who had to defend their country, for the regular citizens who had to withstand invading forces and constant shelling, and for the Cyberpolice of Ukraine, which had to shift its focus and priorities.

“Our responsibility changed after the full scale war started,” said Yevhenii Panchenko, the chief of division of the Cyberpolice Department of the National Police of Ukraine, during a talk on Tuesday in New York City. “New directives were put under our responsibility.”

During the talk at the Chainalysis LINKS conference, Panchenko said that the Cyberpolice is comprised of around a thousand employees, of which about forty track crypto-related crimes. The Cyberpolice’s responsibility is to combat “all manifestations of cyber crime in cyberspace,” said Panchenko. And after the war started, he said, “we were also responsible for the active struggle against the aggression in cyberspace.”

Panchenko sat down for a wide-ranging interview with TechCrunch on Wednesday, where he spoke about the Cyberpolice’s new responsibilities in wartime Ukraine. That includes tracking what war crimes Russian soldiers are committing in the country, which they sometimes post on social media; monitoring the flow of cryptocurrency funding the war; exposing disinformation campaigns; investigating ransomware attacks; and training citizens on good cybersecurity practices.

The following transcript has been edited for brevity and clarity.

TechCrunch: How did your job and that of the police change after the invasion?

It almost totally changed. Because we still have some regular tasks that we always do, we’re responsible for all the spheres of cyber investigation.

We needed to relocate some of our units in different places, of course, to some difficult organizations because now we need to work separately. And also we added some new tasks and new areas for us of responsibilities when the war started.

From the list of the new tasks that we have, we crave information about Russian soldiers. We never did that. We don’t have any experience before February 2022. And now we try to collect all the evidence that we have because they also adapted and started to hide, like their social media pages that we used for recognizing people who were taking part in the larger invading forces that Russians used to get our cities and kill our people.

Also, we are responsible for identifying and investigating the cases where Russian hackers do attacks against Ukraine. They attack our infrastructure, sometimes DDoS [distributed denial-of-service attacks], sometimes they make defacements, and also try to disrupt our information in general. So, it’s quite a different sphere.

Because we don’t have any cooperation with Russian law enforcement, that’s why it’s not easy to sometimes identify or search information about IP addresses or other things. We need to find new ways to cooperate on how to exchange data with our intelligence services.

Some units are also responsible for defending the critical infrastructure in the cyber sphere. It’s also an important task. And today, many attacks also target critical infrastructure. Not only missiles, but hackers also try to get the data and destroy some resources like electricity, and other things.

When we think about soldiers, we think about real world actions. But are there any crimes that Russian soldiers are committing online?

[Russia] uses social media to sometimes take pictures and publish them on the internet, as it was usual in the first stage of the war. When the war first started, probably for three or four months [Russian soldiers] published everything: videos and photos from the cities that were occupied temporarily. That was evidence that we collected.

And sometimes they also make videos when they shoot in a city, or use tanks or other vehicles with really big guns. There’s some evidence that they don’t choose the target, they just randomly shoot around. It’s the video that we also collected and included in investigations that our office is doing against the Russians.

In other words, looking for evidence of war crimes?

Yes.

How has the ransomware landscape in Ukraine changed after the invasion?

It’s changed because Russia is now not only focused on the money side; their main target is to show citizens and probably some public sector that [Russia] is really effective and strong. If they have any access on a first level, they don’t deep dive, they just destroy the resources and try to deface just to show that they are really strong. They have really effective hackers and groups who are responsible for that. Now, we don’t have so many cases related to ransom, we have many cases related to disruption attacks. It has changed in that way.

Has it been more difficult to distinguish between pro-Russian criminals and Russian government hackers?

Really difficult, because they don’t like to look like a government structure or some units in the military. They always find a really fancy name like, I don’t know, ‘Fancy Bear’ again. They try to hide their real nature.

Contact Us

Do you have information about cyberattacks in Ukraine? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.

But we see that after the war started, their militaries and intelligence services started to organize groups — maybe they’re not so effective and not so professional as some groups that worked before the war started. But they organize the groups in a massive [scale]. They start from growing new partners, they give them some small tasks, then see if they are effective and truly succeed in a small portion of IT knowledge. Then they move forward and do some new tasks. Now we can see many of the applications they also publish on the internet about the results. Some are not related to what governments or intelligence groups did, but they publish that intelligence. They also use their own media resources to raise the impact of the attack.

What are pro-Russian hacking groups doing these days? What activities are they focused on? You mentioned critical infrastructure defacements; is there anything else that you’re tracking?

It starts from basic attacks like DDoS to destroy communications and try to destroy the channels that we use to communicate. Then, of course, defacements. Also, they collect data. Sometimes they publish that in open sources. And sometimes they probably collect but not use it in disruption, or in a way to show that they already have the access.

Sometimes we know about the situation when we prevent a crime, but also attacks. We have some signs of compromise that were probably used on one government, and then we share with others.

[Russia] also creates many psyops channels. Sometimes the attack did not succeed. And even if they don’t have any evidence, they’ll say “we have access to the system of military structures of Ukraine.”

How are you going after these hackers? Some are not inside the country, and some are inside the country.

That’s the worst thing that we have now, but it’s a situation that could change. We just need to collect all the evidence and also provide investigation as we can. And also, we inform other law enforcement agencies in countries who cooperate with us about the actors who we identify as part of the groups that committed attacks on Ukrainian territory or to our critical infrastructure.

Why is it important? Because if you talk about some regular soldier from the Russian army, he will probably never come to the European Union and other countries. But if we talk about some smart guys who already have a lot of knowledge in offensive hacking, he prefers to move to warmer places and not work from Russia. Because he could be recruited to the army, other things could happen. That’s why it’s so important to collect all evidence and all information about the person, then also prove that he was involved in some attacks and share that with our partners.

Also because you have a long memory, you can wait and maybe identify this hacker, where they are in Russia. You have all the information, and then when they are in Thailand or somewhere, then you can move in on them. You’re not in a rush necessarily?

They attack a lot of our civil infrastructure. That war crime has no time expiration. That’s why it’s so important. We can wait 10 years and then arrest him in Spain or other countries.

Who are the cyber volunteers doing and what is their role?

We don’t have many people today who are volunteers. But they are really smart people from around the world — the United States and the European Union. They also have some knowledge in IT, sometimes in blockchain analysis. They help us to provide analysis against the Russians, collect data about the wallets that they use for fundraising campaigns, and sometimes they also inform us about the new form or new group that the Russians create to coordinate their activities.

It’s important because we can’t cover all the things that are happening. Russia is a really big country, they have many groups, they have many people involved in the war. That type of cooperation with volunteers is really important now, especially because they also have a better knowledge of local languages.

Sometimes we have volunteers who are really close to Russian-speaking countries. That helps us understand what exactly they are doing. There is also a community of IT guys that’s also communicating with our volunteers directly. It’s important and we really like to invite other people to that activity. It’s not illegal or something like that. They just provide the information and they can tell us what they can do.

What about pro-Ukrainian hackers like the Ukraine IT Army. Do you just let them do what they want or are they also potential targets for investigation?

No, we don’t cooperate directly with them.

We have another project that also involves many subscribers. I also talked about it during my presentation: it’s called BRAMA. It’s a gateway and we coordinate and gather people. One thing that we propose is to block and destroy Russian propaganda and psyops on the internet. We have really been effective and have had really big results. We blocked more than 27,000 resources that belong to Russia. They publish their narratives, they publish many of psyops materials. And today, we also added some new functions in our community. We not only fight against propaganda, we also fight against fraud, because a lot of fraud today represented in the territory of Ukraine is also created by the Russians.

They also have a lot of impact with that, because if they launder and take money from our citizens, we could help. And that’s why we include those activities, so we proactively react to stories that we received from our citizens, from our partners about new types of fraud that could be happening on the internet.

And also we provide some training for our citizens about cyber hygiene and cybersecurity. It’s also important today because the Russians hackers not only target the critical infrastructure or government structures, they also try to get some data of our people.

For example, Telegram. Now it’s not a big problem but it’s a new challenge for us, because they first send interesting material, and ask people to communicate or interact with bots. On Telegram, you can create bots. And if you just type twice, they get access to your account, and change the number, change two-factor authentication, and you will lose your account.

Is fraud done to raise funds for the war?

Yes.

Can you tell me more about Russian fundraising? Where are they doing it, and who is giving them money? Are they using the blockchain?

There are some benefits and also disadvantages that crypto could give them. First of all, [Russians] use crypto a lot. They create almost all kinds of wallets. It starts from Bitcoin to Monero. Now they understand that some types of crypto are really dangerous for them because many of the exchanges cooperate and also confiscate the funds that they collect to help their military.

How are you going after this type of fundraising?

If they use crypto, we label the addresses, we make some attribution. It’s our main goal. That’s also the type of activities that our volunteers help us to do. We are really effective at that. But if they use some banks, we only could collect the data and understand who exactly is responsible for that campaign. Sanctions are the only good way to do that.

What is cyber resistance?

Cyber resistance is the big challenge for us. We wanted to play that cyber resistance in cyberspace for our users, for our resources. First of all, if we talk about users, we start from training and also sharing some advice and knowledge with our citizens. The idea is how you could react to the attacks that are expected in the future.

How is the Russian government using crypto after the invasion?

Russia didn’t change everything in crypto. But they adapted because they saw that there were many sanctions. They create new ways to launder money to prevent attribution of the addresses that they used for their infrastructures, and to pay or receive funds. It’s really easy in crypto to create many addresses. Previously they didn’t do that as much, but now they use it often.

More TechCrunch

The U.K.’s self-proclaimed “world-leading” regulations for self-driving cars are now official, after the Automated Vehicles (AV) Act received royal assent — the final rubber stamp any legislation must go through…

UK’s autonomous vehicle legislation becomes law, paving the way for first driverless cars by 2026

SoLo Funds CEO Travis Holoway: “Regulators seem driven by press releases when they should be motivated by true consumer protection and empowering equitable solutions.”

Fintech lender Solo Funds is being sued again by the government over its lending practices

Hard tech startups generate a lot of buzz, but there’s a growing cohort of companies building digital tools squarely focused on making hard tech development faster, more efficient, and —…

Rollup wants to be the hardware engineer’s workhorse

TechCrunch Disrupt 2024 is not just about groundbreaking innovations, insightful panels, and visionary speakers — it’s also about listening to YOU, the audience, and what you feel is top of…

Disrupt Audience Choice vote closes Friday

Google says the new SDK would help Google expand on its core mission of connecting the right audience to the right content at the right time.

Google is launching a new Android feature to drive users back into their installed apps

Jolla has taken the official wraps off the first version of its personal server-based AI assistant in the making. The reborn startup is building a privacy-focused AI device — aka…

Jolla debuts privacy-focused AI hardware

OpenAI is removing one of the voices used by ChatGPT after users found that it sounded similar to Scarlett Johansson, the company announced on Monday. The voice, called Sky, is…

OpenAI to remove ChatGPT’s Scarlett Johansson-like voice

The ChatGPT mobile app’s net revenue first jumped 22% on the day of the GPT-4o launch and continued to grow in the following days.

ChatGPT’s mobile app revenue saw its biggest spike yet following GPT-4o launch

Dating app maker Bumble has acquired Geneva, an online platform built around forming real-world groups and clubs. The company said that the deal is designed to help it expand its…

Bumble buys community building app Geneva to expand further into friendships

CyberArk — one of the army of larger security companies founded out of Israel — is acquiring Venafi, a specialist in machine identity, for $1.54 billion. 

CyberArk snaps up Venafi for $1.54B to ramp up in machine-to-machine security

Founder-market fit is one of the most crucial factors in a startup’s success, and operators (someone involved in the day-to-day operations of a startup) turned founders have an almost unfair advantage…

OpenseedVC, which backs operators in Africa and Europe starting their companies, reaches first close of $10M fund

A Singapore High Court has effectively approved Pine Labs’ request to shift its operations to India.

Pine Labs gets Singapore court approval to shift base to India

The AI Safety Institute, a U.K. body that aims to assess and address risks in AI platforms, has said it will open a second location in San Francisco. 

UK opens office in San Francisco to tackle AI risk

Companies are always looking for an edge, and searching for ways to encourage their employees to innovate. One way to do that is by running an internal hackathon around a…

Why companies are turning to internal hackathons

Featured Article

I’m rooting for Melinda French Gates to fix tech’s broken ‘brilliant jerk’ culture

Women in tech still face a shocking level of mistreatment at work. Melinda French Gates is one of the few working to change that.

1 day ago
I’m rooting for Melinda French Gates to fix tech’s  broken ‘brilliant jerk’ culture

Blue Origin has successfully completed its NS-25 mission, resuming crewed flights for the first time in nearly two years. The mission brought six tourist crew members to the edge of…

Blue Origin successfully launches its first crewed mission since 2022

Creative Artists Agency (CAA), one of the top entertainment and sports talent agencies, is hoping to be at the forefront of AI protection services for celebrities in Hollywood. With many…

Hollywood agency CAA aims to help stars manage their own AI likenesses

Expedia says Rathi Murthy and Sreenivas Rachamadugu, respectively its CTO and senior vice president of core services product & engineering, are no longer employed at the travel booking company. In…

Expedia says two execs dismissed after ‘violation of company policy’

Welcome back to TechCrunch’s Week in Review. This week had two major events from OpenAI and Google. OpenAI’s spring update event saw the reveal of its new model, GPT-4o, which…

OpenAI and Google lay out their competing AI visions

When Jeffrey Wang posted to X asking if anyone wanted to go in on an order of fancy-but-affordable office nap pods, he didn’t expect the post to go viral.

With AI startups booming, nap pods and Silicon Valley hustle culture are back

OpenAI’s Superalignment team, responsible for developing ways to govern and steer “superintelligent” AI systems, was promised 20% of the company’s compute resources, according to a person from that team. But…

OpenAI created a team to control ‘superintelligent’ AI — then let it wither, source says

A new crop of early-stage startups — along with some recent VC investments — illustrates a niche emerging in the autonomous vehicle technology sector. Unlike the companies bringing robotaxis to…

VCs and the military are fueling self-driving startups that don’t need roads

When the founders of Sagetap, Sahil Khanna and Kevin Hughes, started working at early-stage enterprise software startups, they were surprised to find that the companies they worked at were trying…

Deal Dive: Sagetap looks to bring enterprise software sales into the 21st century

Keeping up with an industry as fast-moving as AI is a tall order. So until an AI can do it for you, here’s a handy roundup of recent stories in the world…

This Week in AI: OpenAI moves away from safety

After Apple loosened its App Store guidelines to permit game emulators, the retro game emulator Delta — an app 10 years in the making — hit the top of the…

Adobe comes after indie game emulator Delta for copying its logo

Meta is once again taking on its competitors by developing a feature that borrows concepts from others — in this case, BeReal and Snapchat. The company is developing a feature…

Meta’s latest experiment borrows from BeReal’s and Snapchat’s core ideas

Welcome to Startups Weekly! We’ve been drowning in AI news this week, with Google’s I/O setting the pace. And Elon Musk rages against the machine.

Startups Weekly: It’s the dawning of the age of AI — plus,  Musk is raging against the machine

IndieBio’s Bay Area incubator is about to debut its 15th cohort of biotech startups. We took special note of a few, which were making some major, bordering on ludicrous, claims…

IndieBio’s SF incubator lineup is making some wild biotech promises

YouTube TV has announced that its multiview feature for watching four streams at once is now available on Android phones and tablets. The Android launch comes two months after YouTube…

YouTube TV’s ‘multiview’ feature is now available on Android phones and tablets

Featured Article

Two Santa Cruz students uncover security bug that could let millions do their laundry for free

CSC ServiceWorks provides laundry machines to thousands of residential homes and universities, but the company ignored requests to fix a security bug.

3 days ago
Two Santa Cruz students uncover security bug that could let millions do their laundry for free