At the end of June, Ukraine was hit by the largest virus attack in its history. Thousands of enterprises were wholly or partly paralyzed by a computer virus that got into their networks along with an update of the M.E.Doc accounting software. Although sufficient time has passed since the attack, companies are still restoring their systems and conducting internal investigations, trying to figure out how the virus got into the network.
Mikhail Shelemba, head of the private telecom operator “Datagroup”, and Igor Smelyansky, head of “Ukrposhta”, the state-owned national postal operator of Ukraine, share their personal experiences: how they overcame the attack and what conclusions they have reached.
Mikhail Shelemba, CEO of “Datagroup”
It so happened that the news about Petya.A reached me when I was on vacation. I immediately started to contact customers and partners to understand the scope of the tragedy. After all, Ukraine is still not ready to resist such attacks. Having sized up the situation, I changed my tickets and returned to the office. We collected all the information and the sequence of events, and here are the conclusions I have arrived at:
The fight against computer viruses is similar to the fight against viruses that affect humans. In both cases, prevention is the best precaution. And in both cases, no one will give you a 100-percent guarantee that you will be able to avoid the attack.
When on June 27 more than one thousand Ukrainian companies became victims of the Petya.A virus, “Datagroup” was no exception. But, unlike many others, we were ready for such a scenario and got over it without much pain: the infection of several workstations in the call centre and head office. As early as spring, we audited our vulnerabilities, detected our weaknesses and created a roadmap of corrective measures. As part of the preparation process, we separated the local and core area networks. First and foremost, we strengthened the core area network perimeter and enhanced its error tolerance. Therefore, the virus could not penetrate it and affect the operability of our services. Moreover, since March we have been using Office 365, which helped us to stay in standard operating mode despite the cyberattack.
But the virus hit the local area network. We are continuing our internal investigation to make clear through which channel it penetrated our network. An important fact that is often overlooked: it was not just Petya.A, but a whole bunch of viruses configured for various types of system damage, from file renaming to full encryption of data, with each virus element targeted at its own section, for instance local machines, virtual and domain servers, etc.
It is fortunate that we had an action plan for Z-hour: well in advance, we had provided ourselves with “clean” standby computers that, in the worst-case scenario, could be used to deploy a local area network. Having detected the first infection cases, we “extinguished” the domain controller of the local area network and quickly deployed a parallel “clean” local area network using the standby computers. Then we started to restore the functions that have a direct impact on customer service, for instance the call centre. Thus, the infection cases were detected at 2 p.m., and late in the afternoon all the functions interacting with the customer were restored.
At the same time, we created working groups of technical experts, who checked the workstations and restored backup copies where necessary, after which we connected the stations to the newly created local area network. The process was slowed slightly because infection cases were detected throughout the regions as well, but the guys managed to restore access to systems of vital importance quickly.
And the main conclusion is as follows: protecting your own network is rule number one, which every company must comply with. Moreover, a high level of protection must be ensured for the cyberspace ecosystem throughout the country. Unless and until these two elements are combined, we will be able to ensure the maximum level of protection.
Igor Smelyansky, CEO of “Ukrposhta”
Unfortunately, even two weeks after the attack, we will for some time still be checking our systems and databases and restoring our reporting, but invisibly to customers. The situation differs from one region to another, and we hope to finish this process in a short time.
When the attack happened, I was on a business trip in the city of Lviv. I was holding a meeting with potential partners. And all of a sudden employees started to send me photos of their computers with red and black monitors. Then I saw the same photos on Facebook. Unfortunately, at that point in time I received no official notifications; we are currently looking into why that happened.
Therefore, I instinctively ordered the network to be turned off and blocked. Just pull out the wires.
Is it possible to avoid such situations in the future? No, it is impossible to avoid them 100 percent. We can reduce the risk. Nevertheless, each percent of such risk reduction is rather costly. And we have to find a balance here. We can build up tolerance against the particular virus that is already known to us. But that is not going to work for a virus that is unknown to you. And considering that this “disease” constantly mutates, there will be no total protection.
IT security, which is a popular topic of conversation nowadays, is only one of the “bricks” in this wall of tolerance. Therefore, in the short run we will focus not only on IT security but also on developing a response plan for such technogenic disasters, to minimize their damage. This is a package of measures for cases such as loss of energy, loss of mobile and fixed-line communication, and attacks on computer networks. Employees must know what to do; when and which services we will continue to render if, for instance, the computers are turned off; where to get pre-printed headed paper and the emergency stock of gasoline; how to ensure pension payments.
By all means, we will work closely with other major infrastructure companies, banks, and defense and law enforcement agencies to coordinate this kind of activity. And we will certainly study the experience of other countries located in an “aggressive environment”, such as Israel, for instance. I would like to express my appreciation to the many companies and embassies that have already offered us help. We will definitely use it.