KIEV (Reuters) - When the chief of Microsoft Ukraine switched jobs to work for President Petro Poroshenko, he found that everyone in the office used the same login password. It wasn’t the only symptom of lax IT security in a country suffering crippling cyber attacks.
Sometimes pressing the spacebar was enough to open a PC, according to Dmytro Shymkiv, who became Deputy Head of the Presidential Administration with a reform brief in 2014.
Today discipline is far tighter in the president’s office. But Ukraine - regarded by some, despite Kremlin denials, as a guinea pig for Russian state-sponsored hacks - is fighting an uphill battle in turning pockets of protection into a national strategy to keep state institutions and systemic companies safe.
As in many aspects of Ukrainian life, corruption is a problem. Most computers run on pirated software, and even when licensed programs are used, they can be years out of date and lack security patches to help keep the hackers at bay.
Three years into the job, Shymkiv is leading the fight back. He has put together a team, led by a former Microsoft colleague, doing drills, sending out email bulletins to educate staff on new viruses and doing practice hacks offsite.
In the early days, staff complacency and resistance to change were as much a problem as insecure equipment.
“I remember the first weeks when we forced people to do a password change,” Shymkiv told Reuters. “My team heard all kind of screams and disrespectful messages ... Over three years, it’s a different organization.”
The team’s small office has a screen with dials, charts and a green spider web showing activity on the network. If there is an attack, a voice shouts “major alarm!” in English, a recording the team downloaded from YouTube.
Eliminating bad practices and introducing good ones is the reason, Shymkiv believes, why the presidential administration was immune to a June 27 virus that spread from Ukraine to cause disruption in companies as far away as India and Australia.
But the country still has a long way to go. Since 2014 repeated cyber attacks have knocked out power supplies, frozen supermarket tills, affected radiation monitoring at the stricken Chernobyl nuclear power plant, and forced the authorities to prop up the hryvnia currency after banks’ IT systems crashed.
Even Poroshenko’s election that year was compromised by a hack on the Central Election Commission’s network, trying to proclaim victory for a far-right candidate -- a foretaste of alleged meddling in the 2016 U.S. presidential election.
Ukraine believes the attacks are part of Russia’s “hybrid war” waged since protests in 2014 moved Ukraine away from Moscow’s orbit and closer to the West. Moscow has denied running hacks on Ukraine.
Shymkiv said the task is to “invest in my team, and upgrade them, and teach them, and connect them with other organizations who are doing the right things”.
“If you do nothing like this, you probably will be wiped out,” he added.
The head of Shymkiv’s IT team, Roman Borodin, said the administration is hit by denial-of-service (DDoS) attacks around once every two weeks, and by viruses specifically designed to target it. The hackers seem mainly interested in stealing information from the defense and foreign relations departments, Borodin told Reuters in his first ever media interview.
Bruised by past experiences, Ukraine is protecting itself better.
Finance Minister Oleksandr Danylyuk told Reuters his ministry overhauled security after a hack in November crashed 90 percent of its network at the height of budget preparations.
Officials couldn’t log into the system that manages budget transactions for 48 hours, something that played on Danylyuk’s mind as he addressed the Verkhovna Rada or parliament.
“Imagine that, knowing this, I went to the Verkhovna Rada to present the budget - the main financial document on which 45 million people live - and at the same time I was thinking about how to save not only the document itself, but also the honor of the ministry,” he said.
“I understood that if I showed even the slightest hint of our nervousness, the organizers of the attack would achieve their goal.”
Consultants uncovered familiar weaknesses: the budget system operated on a platform dating from 2000, and the version of the database management system should have been upgraded in 2006.
The ministry is introducing new systems to detect anomalies and to improve data protection. “We’re completely revising and restructuring the ministry’s IT landscape,” Danylyuk said.
The ministry emerged unscathed from the June 27 attack. Others weren’t so lucky: Deputy Prime Minister Pavlo Rozenko tweeted a picture of a crashed computer in the cabinet office that same day.
Ukraine is also benefiting from help from abroad.
A cyber police force was set up in 2015 with British funding and training in a project coordinated by the Organization for Security and Co-operation in Europe (OSCE).
While Ukraine is not a NATO member, the Western alliance supplied equipment to help piece together who was behind the June attack and is helping the army set up a cyber defense unit.
Ukraine shares intelligence with neighboring Moldova, another ex-Soviet state that has antagonized Moscow by moving closer to the West and complains of persistent Russian cyber attacks on its institutions.
“At the beginning of this year we had attacks on state-owned enterprises. If it were not for cooperation with the guys from Moldova, we would not have identified these criminals,” Serhiy Demedyuk, the head of the Ukrainian cyber police, told Reuters.
Demedyuk said the attack had been staged by a Russian citizen using a server in Moldova, but declined to give further details.
While there has been progress in some areas, Ukraine is still fighting entrenched problems. No less than 82 percent of software is unlicensed, compared with 17 percent in the United States, according to a 2016 survey by the Business Software Alliance, a Washington-based industry group.
Experts say pirated software was not the only factor in the June attack, which also hit up-to-date computers, but the use of unlicensed programs means security patches which could limit the rapid spread of such infections cannot be applied.
Ukraine ranked 60 out of 63 economies in a 2017 survey on digital competitiveness by the International Institute for Management Development. The low ranking is tied to factors such as a weak regulatory framework.
Another problem is that Ukraine has no single agency in charge of ensuring that state bodies and companies of national importance, such as banks, are protected.
This surfaced on June 27, when the NotPetya virus penetrated the company that produces M.E.Doc, an accounting software used by around 80 percent of Ukrainian businesses.
“Locally, the weak spot is accounting, but more generally it is the lack of cyber defenses at a government level. There aren’t agencies analyzing risks at a government level,” said Aleksey Kleschevnikov, the owner of internet provider Wnet, which hosted M.E.Doc’s servers.
Valentyn Petrov, head of the information security department at the National Security and Defence Council, said the state cannot interfere with companies’ security.
“It’s a total disaster from our perspective,” he told Reuters. “All state companies, including state banks, have suffered from attacks, and we really have no influence on them - neither on issuing regulations or checking how they fulfill these regulations.”
Poroshenko signed a decree in February to improve protection of critical institutions. This proposed legislation to spell out which body was in charge of coordinating cyber security and a unified methodology for assessing threats.
The law failed to gather enough votes the day before parliament’s summer recess in July, and MPs voted against extending the session. Shymkiv called that a “big disgrace”.
He added that in many ministries and firms, “we’ve seen very little attention to the IT infrastructures, and it’s something that’s been lagging behind for years”.
Attitudes can be slow to change. Borodin said a policy at the administration to lock computer screens after 15 minutes of inactivity was greeted with indignation. One staffer pointed out that their room was protected by an armed guard.
The staffer said “‘I have a guy with a weapon in my room. Who can steal information from this computer?'” Borodin recounted.
Additional reporting by Pavel Polityuk, Jack Stubbs, Natalia Zinets and Margaryta Chornokondratenko in Kiev, Eric Auchard in Frankfurt and David Mardiste in Tallinn; editing by David Stamp