KYIV, Ukraine — In the first days after Russia launched its full-scale invasion into Ukraine, Illia Vitiuk and his colleagues feared the worst: the fall of Kyiv.
Vitiuk, the head of the cyber department at Ukraine's top counterintelligence agency, had already been battling Russian hackers and spies for years. Inspired by James Bond films and a life of adventure, he says he'd been studying all his life for this kind of work.
But on Feb. 24, 2022, members of that agency — Ukraine's Security Service, or the SBU — took on another role: physically hauling important servers and technical infrastructure away from Kyiv to protect it from Russian invaders.
"Just imagine what happened here on the morning of February 24," he said during an interview with NPR at the SBU's headquarters in Kyiv. "Missiles hit Kyiv, and people were running away from here. We tried to contact some of the ministries and critical infrastructure. And sometimes there were answers like, 'The system administrator is gone because his family is in Bucha and he needs to take them from Bucha,' " he recalled.
"There was the risk of Kyiv to be surrounded," Vitiuk continued. "So we needed to take the most important databases and hardware and relocate it from Kyiv. And so we literally helped to do this with rifles."
The so-called "cyber war" experts foretold in Ukraine may not have come to pass: Despite Russia's best efforts, its hackers were unable to single handedly destroy Ukraine's digital infrastructure in the early days of the war.
However, Ukraine's defenders have been under a near constant barrage of cyberattacks, almost 3,000 this year so far, according to Vitiuk.
Coupled with missiles and drone strikes, those operations have allowed Russia to weaken Ukraine's infrastructure, most concerningly the power grid, as well as steal sensitive information that supports their military campaigns. Vitiuk and his team are constantly investigating and responding to Russian state hackers, and they believe they serve as a "shield to the whole Democratic world," by sharing what they learn with their allies, Vitiuk said.
During a rare exclusive interview with NPR in Kyiv, Vitiuk spoke about the impact of Russian cyberattacks on Ukraine for the last decade, what it's been like defending Ukraine's critical infrastructure during the war and his plans for after the war ends.
The birth of the SBU's cyber unit
Ukraine's counterintelligence agency, the Security Service of Ukraine, divorced from its Soviet predecessor, the KGB, in the fall of 1991.
The historical building where the SBU has its headquarters today in Kyiv is not far from the Golden Gate monument of Kyiv, which marked the city's boundaries in the 11th century. It's also a building previously used by the KGB, whose officers remained a part of the SBU for years following the collapse of the Soviet Union.
Ukraine's President Volodymr Zelenskyy took the step of removing several top SBU officials from office at the beginning of the war, in part due to those long standing connections to Russia. Some of the mistrust and suspicion remains today, creating divisions between Ukraine's government and its private sector.
However, Vitiuk and his colleagues are working hard to distance themselves from that past.
"We do believe we've filled [this building] with our energy as a Democratic Special Service," he told NPR. "So we don't think a lot about the probably bad things that were happening here before 1990."
The SBU's cyber department was created in 2012, "two years before the war with Russia," said Vitiuk, referring to Russia's 2014 annexation of Crimea.
Since then, Russia has pummeled Ukraine with a series of increasingly sophisticated cyberattacks.
It started in 2014 with "banal DDOS attacks," said Vitiuk, referring to denial of service attacks that involve flooding a server with traffic to knock it offline. (Vitiuk says the SBU doesn't count DDOS attacks anymore as cyberattacks in its official statistics.) Then, by 2015, Russia knocked out the power grid, cutting off electricity for millions of Ukrainians for several hours. Russia started trying to target additional civil infrastructure, including train control systems, in 2016, Vitiuk recalled. And then in 2017 Russia launched a virus disguised as a ransomware attack that ultimately infected computers around the world and cost companies billions to recover from, called NotPetya.
"Our focus shifted to Russia because we needed to protect ourselves, and not from a ransomware group, but from real specialists and people focused on damaging our infrastructure, the real professionals with budgets, with laboratories, and research institutes," said Vitiuk.
The full-scale invasion
Starting around December of 2021, there was a major buildup of Russian cyber activity that made many in Ukraine's private sector fearful the invasion was imminent. Some were concerned enough to flee, move their families out of Ukraine, or report their suspicions to the government.
Around that same time, representatives from the U.S. Cyber Command took a trip to Kyiv and helped to inspect elements of Ukraine's critical infrastructure "that we thought would be the focus of attacks," said Vitiuk. "And it happened just like that." Vitiuk said they also provided hardware and software the government is still using today to defend its networks.
In January and February, Russia started deploying some of its tools, targeting about 70 state owned facilities in Ukraine with wiper attacks and taking down dozens of official websites. Russia claimed to have infiltrated Diia, a digital application used by Ukrainians to store official documents, make use of state services and other activities. And then in February, they targeted the financial sector to make people believe that they couldn't get access to their money in the event of an emergency.
Vitiuk said it seemed as if Russian hackers were "testing something, and maybe they are preparing themselves for something big." However, it was still unclear that activity would be the precursor to a physical invasion. "Of course, we had doubts of whether that massive invasion will happen," he said.
That all changed the night before the invasion began. "We started to react to cyberattacks on February 23rd," Vitiuk recalled. "And then we switched," he said, to fighting "the psychological campaign they launched."
Some of those attacks included one that temporarily knocked out ViaSat, the satellite communications system the Ukrainian military was using at the time. When that failed to prevent Ukraine's Armed Forces from communicating, Vitiuk said Moscow summoned "all the special services and the so-called hacktivist groups" to create chaos in cyberspace and in the information space. He said they targeted infrastructure, "especially mass media," communications providers, and "websites of local administrators and ministries."
"Since the very beginning, we clearly see that they really thought there would be a blitzkrieg. ... They tried to use all the aces in their sleeves during the first days," said Vitiuk.
However, for Ukraine, the main challenge in those early days was coordinating with cybersecurity experts at other government agencies and critical infrastructure organizations, many of whom were in serious physical danger, Vitiuk recalls. That's when SBU began hauling critical servers from Kyiv with rifles.
When asked whether these early attacks had long-term impacts, Vitiuk said that only a couple systems were damaged, and only some data was stolen. "None of the critical systems were damaged," he said. "We were working 24/7. ... We managed to cope with that rather fast," he said.
But it wasn't for lack of trying, he continued.
"Russian hackers are one of the best in the world. But it's because our cybersecurity is so strong because of these experiences since 2014," Vitiuk said.
A switch to spying
Following Russia's failure to immediately overtake Ukraine, Vitiuk said SBU observed Russian hackers switch tactics, primarily toward intelligence gathering and disrupting the power grid.
"Since the summer, they understood this war is going to last longer, and they need to switch to something more serious," he said.
During a cybersecurity conference in Lviv in early August, a representative from Ukraine's governmental Computer Emergency Response Team spoke about Russian hackers increasingly targeting healthcare and insurance providers in recent months, for example, to gather confidential medical information for the purposes of blackmail or targeting individual Ukrainians.
There has also been a serious effort by Russia to infiltrate Ukraine's military operational planning systems, including a platform called Delta. The SBU recently published a detailed report about Russian military intelligence officers camping out on the front lines to steal Android tablets used by Ukrainian officers, in order to break into Delta and gather information about Ukrainian intelligence gathering and the military's use of Starlink, a portable communications device developed by Elon Musk's company SpaceX. By learning about the device's configurations with Starlink, Russia can locate some of those devices and better target its missile strikes.
While Vitiuk said the SBU was successful in preventing Russia's full access to Delta and similar programs, he said they managed to gather some information. Beyond this specific operation, he said Russians are constantly using surveillance drones, human sources, and more to specifically target these systems.
It's an ongoing challenge to protect frontline troops' digital footprints. While some units employ technical cybersecurity experts, others don't have the same resources. As a result, technology like physical tokens for two-factor authentication have become more popular with soldiers, sources in Ukraine revealed.
Meanwhile, Vitiuk's team is also focused on investigating how Russia is bypassing sanctions, in particular to outsource the delivery of weapons components. He says they've tracked some of Russia's networks and been able to disrupt some of those supply chains.
The case for cybercrimes as war crimes
Meanwhile, on the civilian side, Russia has been heavily focused on disrupting and damaging Ukraine's power grid. Starting in October, Vitiuk said, this became a priority for Moscow. He told NPR there were between 30 to 40 "very serious attacks on our power" in the last year.
When cyberattacks fail to take out electricity, missile strikes have gotten the job done. Then, Ukrainians are forced to turn to generators to keep the power going, and devices like Starlink to keep these devices connected, creating more opportunities for Russia to target vulnerabilities.
Currently, the SBU and other Ukrainian cybersecurity officials are working with the Prosecutor General's Office to build an unprecedented legal case against Russian military hackers from the GRU, a group called Sandworm, for their attacks on the power grid. SBU is not only a counterintelligence agency but a law enforcement agency, similar to the American FBI, Vitiuk explained.
"We do believe that attacks on our civil infrastructure should be considered a war crime," said Vitiuk, echoing sentiments made by Ukrainian officials like Viktor Zhora, one of Vitiuk's counterparts at the Ukrainian State Special Communications and Information Protection Service.
"This is very important, and there should be a new methodology to understand casualties when we speak about cyberattacks," said Vitiuk. "Because nobody's shooting, but there could be casualties nonetheless ... people in hospitals without electricity, somebody can die."
The goal is to bring the case to the International Criminal Court after the war.
Cyber volunteers, hacktivists and criminals
In Ukraine during the war, nearly everyone is volunteering, raising money or working directly with the government to support the war effort.
That includes technical experts. For one, the IT community in Ukraine is providing its expertise and services. Many individuals are serving as official part-time advisors for government agencies.
Meanwhile, plenty of others are volunteering in a more offensive capacity.
Perhaps the most prominent is the IT Army, which has been officially supported by Ukraine's Ministry of Digital Transformation from the beginning of the war. That group is focused on primarily developing software and tools for average citizens to launch denial of service attacks against Russian targets, though the group has also developed digital bots for the government to crowdsource intelligence, and occasionally passes on intelligence to government partners, according to a representative of the group.
There's also groups like the Ukrainian Cyber Alliance, Hackyourmom — a project started by Ukrainian cybersecurity entrepreneur Nykyta Kynsh — and Inform Napalm, a website that works with some of the hacktivist outfits to investigate leaked data and expose Russian hackers by name.
Some of these groups claim their activities publicly, while others operate more covertly.
Some cybersecurity experts have argued that the attacks launched by volunteers, which sometimes appear random and don't often achieve long term effects, may cause more harm than good to covert operations. Expert cyber operators might be leveraging their access inside a system only to have their cover blown by an amateur hacker. Additionally, there's concern that these civilians could be considered armed combatants through launching these attacks, though the Russian military has not hesitated to attack civilian targets without cause.
Vitiuk argues that everyone volunteering their skills is valuable in some capacity, despite these concerns.
"This is like our cyber territorial defense," he said. "It's our job to monitor and understand these cyber volunteers, and to some extent, to direct them or give them advice on where to be more effective."
Those volunteers include former convicted cybercriminals, Vitiuk said.
"There was literally a line of people standing at the Security Service of Ukraine, calling, text messaging, etc., and asking, how can we help? What should we do?" Vitiuk said. "There were a number of even convicted criminals, cyber criminals that came and said ... now it's over. And we are focused on protecting our state. So tell us what to do and where to go."
Vitiuk said the SBU penetrated ransomware groups and recruited members from various different countries, which helped them later penetrate "some of the Russian ransomware groups working for special services." The SBU has also been able to recruit Russian sources, some of them still inside the country, Vitiuk says.
There's an awareness on SBU's part of concerns that officially working with cybercriminals or average citizens launching cyberattacks could create problems in the future. While there's no appetite to press charges against Ukrainians launching cyberattacks against Russia within Ukraine, that could change in the future if those people act outside wartime, or make use of their newfound skills to turn to cybercrime after the war. Keeping those people close is all the more important because of those concerns, Vitiuk says.
"It's very important to make these people work for the benefit of our country and not go back or switch to some bad activities some of them used to do before," he said.
Their contributions have been significant, he said.
In one example, the private sector helped develop a bot in a Telegram channel that allowed normal people to upload photos, videos, and geolocation data about Russian military activity. In the early days of the war, Vitiuk said, people were sharing information about columns of Russian troops, which the SBU would verify through human sources. Then, they passed the information straight to the military.
"And it was very important because we didn't have a sufficient number of shells," Vitiuk said. "It was very important to strike with precision. And this bot helped a lot."
What comes next
When asked about the ongoing Russian threat in cyberspace, Vitiuk said he expected Russian attacks to continue at about the same rate as the previous year, particularly going into another harsh winter.
While attacks might get more sophisticated, it would be challenging for Russia to increase the rate of attacks, he explained, because the number of skilled professionals available is limited. "In order to increase something you need to have more people," he said.
Vitiuk said SBU is focused on preparing for the winter, working with the Ministry of Energy and other experts to do what they can to further protect the power grid based on lessons learned last year.
Meanwhile, Vitiuk responded to fears that Russia might launch massive cyberattacks against Western companies for their support of Ukraine. Those same limited resources that prevent doubling efforts against Ukraine will also limit Russia's ability and focus on targets abroad, he argues.
"I think they don't have enough potential to do that. They are too focused on Ukraine," he said.
Vitiuk acknowledges that despite all the success Ukraine has had defending against Russian cyberattacks, it needs help continuing to bolster all its critical infrastructure. That need is especially acute in local governments where resources are fewer, and within the growing military technology industry in Ukraine, he says.
During a recent cybersecurity conference in Estonia, he made a call to action that cybersecurity companies visit Ukraine and help assess its needs, from technical infrastructure to hardware and software. He wants those companies to donate those goods and services directly.
One reason Vitiuk is recommending this course of action is an awareness of the lingering concern for corruption in Ukraine–that donated funds might be misused or stolen.
"We don't need money. We want the system to be as transparent as possible," he said.
Since he made that appeal to global companies, Vitiuk says there have been a number of meetings with Ukrainian government agencies, who have all voted in favor to create a working group to support international cooperation and assistance in cybersecurity.
"We are working on it and we hope that it will start as soon as possible."
Living through war
Before taking the helm at SBU's cyber department, Vitiuk worked for a time as a professional athlete specializing in mixed martial arts, a sport, he tells NPR, that is "very popular in post Soviet countries."
While he doesn't have a lot of free time during the war, he occupies most of it with "training," he says. He doesn't smoke or drink, so fitness has become his primary stress reliever. He used to love going skydiving, he reveals, before the war "closed the skies."
Vitiuk believes that Putin's decision to invade Ukraine was extremely risky, and will ultimately prove to be a mistake, he says.
"I am not interested actually in Moscow, what they see and what they think," Vitiuk said. "I'm interested in our victory and I hope it will come as soon as possible."
"For us, for the military, this is our time. This is the time we were created for. And we feel that we are needed, that we are effective," he continued. "But we understand that while we are needed and while we are effective, somebody is dying. Somebody is grieving. So let it be over as soon as possible."
But even after the war, it's unlikely the need for Vitiuk's cybersecurity expertise will wane.
"New doctrines will be written and adopted according to what has happened here in Ukraine, according to our experience," said Vitiuk. "And probably that is something we will do after our victory."
Kateryna Malofieieva contributed to this story.