Vulnerability Management, Threat Management

‘The time is now and the place is here’: Cyber vendors, volunteers rush free security to Ukraine

Two people draped in Ukrainian flags embrace at a “Stand With Ukraine” rally in Times Square on Feb. 26, 2022, in New York City. Cybersecurity vendors are rallying to provide free products and services to support Ukraine amid the Russian invasion. (Photo by Alexi Rosenfeld/Getty Images)

Well before Russia invaded Ukraine, before two rounds of DDoS attacks to financial institutions and malware sent to "hundreds" of Ukrainian targets, it was clear that Russia would likely incorporate cyberwarfare into its approach. Over the past decade, Russia launched devastating attacks against Ukraine during peacetime; why would war be different?

Since the start of the conflict, Ukraine has tried to assemble a mismatched team for cybersecurity response against the full force of a major cyber power. They have asked domestic hackers to volunteer for offensive and defensive missions and South Korea for help with general cybersecurity. But they have also started to receive varying degrees of help from cybersecurity firms. Many are offering free software and services to Ukrainian enterprises; some are offering even more.

"There's a gentleman from a small company in Serbia called Cybernite who offered offensive and defensive operations services for the Ukrainian government. And then he also mentioned that he had a four-room apartment in Belgrade for displaced persons," said Chris Culling, a threat intelligence analyst who has been maintaining a list of free products being offered to Ukrainian services from his Twitter account.

Culling's list is more than a dozen cyber entries long at this point, ranging from well-known vendors offering products (including Dragos, Prevailion and Krebs Stamos Group) to individuals offering advice. He also started adding links to refugee services.

GreyNoise appears to be the first company to start offering free products to Ukrainian businesses. Culling said he got the idea to start a coordinated list after seeing Prevailion follow soon after and realizing that there was no centralized resource.

The list continues to grow.

Early in the afternoon on, Thursday — less than a day after the announcement of the latest Russian wiper attack on Ukraine and the subsequent land invasion — GreyNoise founder Andrew Morris tweeted the company would provide free product and assistance to Ukrainians who needed it. "I understand that the impact will be small all things considered, but this is just where we are," he wrote.

GreyNoise actually made two announcements in his tweet thread — full, immediate VIP access to all accounts registered to Ukrainians, with no efforts to upsell those users, including upgrades from the free tier, and that he would dedicate resources to researching Russian cyberattacks on Ukraine.

The research followed hours later. GreyNoise, which analyzes internet traffic through global sensors, identified a set of eight IP addresses making multiple untargeted attacks against targets in Ukraine but nowhere else.

Morris told SC Media that you could make a complex case to offer free products, incorporating patriotism and business concerns, but the reason why he did it was a lot more simple.

"I can answer that question as an American. I can answer that question as the CEO of GreyNoise. I can answer that question like a human. I can try to answer that question as some of those, all of those, or many of those. But really they needed help," said Morris. "There's a time and a place to help. The time is now and the place is here."

He does not see it as a Herculean effort for software vendors to get involved. Software products have a low cost to implement making them ultimately a low material cost humanitarian offering to Ukrainians.

If GreyNoise was to first to offer free product, it was not the first to offer free aid to bolster Ukrainians' defenses. That may have happened inadvertently. Microsoft released information on the WhisperGate wiper in January as Russian forces began to assemble on the Ukrainian border. ESET, Symantec and SentinelOne published major research on the HermeticWiper attacking Ukraine on Wednesday after Russia announced troop deployment under the guise of peacekeeping missions.

Analyzing attacks, malware and actors is a common industry occurrence. There is a lot of research produced any year. But there is no precedent for that research during times of Ukraine-type conflict.

Symantec is owned by Broadcom, a Fortune 500 company. SentinelOne, with the smallest revenue of the companies that looked at HermeticWiper, is still a $10 billion company. Both have waded into nation-state espionage and sabotage in the past. But their work on the wiper may be the first time cybersecurity firms actively worked to thwart the likely efforts of a nuclear power in an active, kinetic war, involving multiple superpowers.

The scope of that contribution is much more in keeping with the normal day-to-day for either firms research division than offering free product is for a firm like GreyNoise. Still, even while no group has definitively attributed the wiper to Russia, there is an expectation across security analysts that, when an attribution does come it will be to Russia. Security companies will say they are neutral to nations and on the side of anyone being breached. Approaching a contest with a nation whose guns are out and firing is a test of neutrality.

Morris says he is clear-eyed about who the services he is offering to Ukraine will be used against.

"There's the exact same amount of ambiguity for the world on our tweet as there is for whether or not there are soldiers or tanks in Ukraine," said Morris.

As he has worked with people in Ukraine needing services, both government and private, Morris has found that the products are not always the most important part of the equation. Sometimes being experienced, weathered, and connected to the community was a more important thing to offer.

There have been times when "GreyNoise was helpful, but what they really needed was this other thing. And fortunately, I knew the person who could get them the other thing," he said.

Connecting the right people to each other can be a major component of the problem. Culling said his biggest worry has been that the resource he has set up has been seen more by the industry people who want to help than by Ukrainians who could best use it. He is still working on strategies to make those connections.

There is a sizable chunk of Americans and Europeans looking for ways to help Ukraine, dissuaded by the scope of the crisis and detached by miles or even oceans from the conflict. As Culling started his list, he tweeted "I feel so small and useless rn with what's going on in #Ukraine and wish I could do so much more to help…"

For people with cybersecurity backgrounds, there may be avenues to help beyond providing funding.

"People who work in the industry...we all have different, varying motivations for working here. But one of the motivations that is pretty common and pretty universal is we all want to have the largest impact humanly possible," said Morris. "There haven't been many other examples where dropping everything and lining up my entire company to get a number of different things done will have the same impact on the world and on many millions of people. It's a very clear time we can help."

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.