A Defense Scandal of a National Span

This story is a symbol of f**king disorderliness that cost lives of soldiers fighting for the country at the front. It all happened due to the dereliction of the professional duty such as setting passwords like ‘admin’ or ‘123456’ to the servers of the automated system for the control over the ‘Dnipro’ troops. It let enemies keep on scanning the information about the Ukrainian soldiers right up to the summer of 2018!

According to the documents that I have at my disposal, Dmytro Vlasyuk, database specialist, detected a tremendous problem: the access to a number of servers and switchboards with IP-addresses could be gained per standard logins and passwords. He revealed that on May 22, 2018 while testing networks of the automated system used for the control over the ‘Dnipro’ troops.

According to the CV of Dmytro Vlasyuk, being conscripted, he serves as a reserve officer at a military unit A1586 at the moment.

Vlasyuk notified the duty officer of that military unit A0334 about the weak points of the system. However, his notification was neglected and the passwords were still unchanged. It all turned out later during the adjusting of the equipment. Having discovered that, he called the hotline of the Security Service of Ukraine (SSU) and that very day Mr. Vlasyuk had a meeting with a representative of the military intelligence service. It happened on the territory of the unit Vlasyuk did his military service in.

A similar flaw was detected with the mailbox servers of the Armed Forces of Ukraine on May 25, 2018. It meant that anyone could have free access to switches, routers, APM, servers, VoIP gateways, printers, scanners etc. applying no specific knowledge at all. That is, one could analyze huge arrays of secret data relevant to the Armed Forces of Ukraine.

Regarding such volumes of informational leakage, just a couple of days were quite enough for the enemy to scan the whole network of the automated system for the control over the Dnipro troops (ACS) and make up a network topology regarding kinds of armed forces, their types and structural subdivisions. All of that would be needed in finding the military objectives out. And one can’t but consider the fact that the communication services were provided by Ukrtelekom.

As the application of Vlasyuk to the management of the military unit was ignored he addressed to the National Security and Defense Council and the Foreign Intelligence Service of Ukraine by means of a reference letter on May 25, 2018 setting forth a clear picture of the situation appeared.

In 10 days on June 5, 2018 the application was forwarded by the National Security and Defense Council of Ukraine to the Ministry of Defense of Ukraine (the Security Service of Ukraine) with a signature of Oleg Svynarchuk-Gladkovsky, known as President’s offshore helpmate.

After 8 more days on June 13, 2018 Vlasyuk received a message from the Foreign Intelligence Service of Ukraine. It notified him that the problem with the protection setup of the Dnipro automated control system (ACS) wasn’t within the competence of the Foreign Intelligence Service of Ukraine (FISU). The FISU didn’t use such a system in its operation and couldn’t influence the information systems of other government agencies. Moreover, they said that the cyber-security center was based in the Counter-Espionage Department of the Security Service of Ukraine and the center for cyber-defense of information and telecommunication networks (ITN) was based in the General Communications Agency of the Armed Forces of Ukraine.

So ‘the intelligent agents’ from the FISU resolved that they had nothing to do with the State Service of Special Communication and Information Protection of Ukraine and recommended the applicant to address some other competent agencies. Just ponder over it! The Foreign Intelligence Service of Ukraine didn’t even bother to forward the application to relevant agencies because it just didn’t care.

According to the letter of the National Security and Defense Council of Ukraine (NSDCU), the Ministry of Defense of Ukraine (ВЧ0106) responded to Mr. Vlasyuk. It happened after a month on June 26, 2018. It was pointed out in the letter that the Ministry of Defense and the Armed Forces of Ukraine had undertaken the following activities:

· They forbade usage of weak passwords and obliged the organization to periodically check all the automated control systems, network devices and server equipment of the information and telecommunication networks of the Armed Forces of Ukraine and keep an eye on occurrence of weak passwords and logins.

· They also reported that a number of IP-addresses were used for training only and no enhancement was needed as they thought. Moreover, one of the servers, as they stated, didn’t pose a threat as it was a testing one and one more server wasn’t in use at all.

On July 5, 2018, Vlasyuk received a reply from the Counter Espionage Department on Safeguard of State Interest in the Field of Information Security. It was said that all of the access disruptions in the Dnipro ACS networks had been removed.

However, on July 12, 2018 while testing the Dnipro ACS one more time Vlasyuk found out that a standard password and a standard login were still used on a number of equipment with a specific IP-address. Moreover, in some cases it was possible to access the computer network of the Ministry of Defense without any password at all.

Hereby, the largest part of technical means was used by different military units. That equipment was assigned to concrete servicemen who should bear personal responsibility for any failures occurred.

On July 13, 2018 Vlasyuk repeatedly endeavored to address the National Security and Defense Council of Ukraine (NSDCU) indicating zero reaction to his previous appeal. He simultaneously sent additional information to the Verkhovna Rada of Ukraine. In its turn the Verkhovna Rada of Ukraine replied on July 20, 2018 saying that it had forwarded the information to the Committee on National Security and Defense.

The NSDCU addressed the repeated appeal from Vlasyu saying that the relevant notification had been sent to the Security Service and the Ministry of Defense of Ukraine for another review and the document had been signed by that same Gladkovskyi.

It’s been 4 months since then but the passwords to technical means, servers and computers of the Ministry of Defense remain just the same. They are 123456 and admin…

And when it comes to Mr. Vlasyuk, after his appeal to the NSDCU and the SSU he was completely cut off from the Dnipro ACS networks. Moreover, there was a checkout of the General Staff and now Vlasyuk is threated by criminal prosecution…

I can’t but give you one more interesting detail as a cherry on the top of this story. There are 8 NATO trust funds focused on cyber-defense that are functioning in Ukraine at the moment. They are aimed at developing the operational capacities and assist the transformation of the Armed Forces of Ukraine.

In 2017 there was something around 40mln EUR allocated by the NATO for these purposes. The Security Service of Ukraine was responsible for the project to be implemented…

There was a statement as far back as in February 2018 made by Viktor Muzhenko, Chief of the General Staff of the Armed Forces of Ukraine, saying that the army was mastering new technologies and the staff was being trained by using them. Moreover, he said that the principal elements of the automated system for controlling the troops would be introduced till the end of 2018.

As we can see their success is rather evident.