With a sharp rise in cyberattacks in Ukraine, the people and organisations keeping the country’s critical infrastructure running through bombings and air raid sirens.
To deal with the cyber threat, Ukrainian authorities on April 5 certified the government’s use of physical security keys, which are small portable devices that give an additional layer of security.
Ukraine is now issuing the keys to as many government agencies as possible, said Oleksandr Potii, deputy chief of the State Service of Special Communication and Information Protection. The government wants to “to push phishing proof, password-less authentication solutions in Ukraine,” he said.
They’ve received some help from Yubico Inc., a Palo Alto, California-based company that said it has donated 20,000 “Yubikeys,” and Hideez Group, a Herndon, Virginia-based cybersecurity company that operates in Ukraine and is aiding with the logistics.
The assistance has come none too soon. Ukrainian workers at one state-owned company in the critical infrastructure sector are so stressed by the war that many are forgetting their passwords and changing them to weak, easy-to-remember, versions, according to the company’s head of cybersecurity. Attackers are also automating password attempts twice an hour to avoid triggering security shutdowns, and using old lists of leaked passwords and other techniques to harangue staff, the official said.
A western intelligence official told Bloomberg News it was much easier for hackers to go after people who run essential services than the equipment that underpins it such as substations, telecommunication switches, and others. Engendering a stress response from their human targets is essential to the hackers’ success, the official added, describing phishing as a personal attack rather than a technical one.
Security keys are a method of additional authentication that rely on public-key cryptography, verifying a user’s identity by checking information stored on a chip against online servers. They are less susceptible to compromise than usernames and passwords, which can be guessed by bots or stolen and sold on dark web forums.