Oleh Sych: Antivirus Software Stood no Chance Against Russian Attack on Ukraine’s Power Grid
Oleh Sych is CTO of Zillya! Antivirus, a Kyiv-based software company. The product was launched in 2009 and Zillya!'s business is growing steadily, primarily thanks to international sales. In Ukraine, Zillya! is still an underdog, with about 90% of sales coming from abroad. Sych says a Ukrainian inferiority complex is the main reason for this disparity, as many Ukrainian corporations and state agencies prefer to use Russian Kaspersky and Dr. Web, even after the war in Donbas started.
Nevertheless, a friend in need is a friend indeed. Zillya! helped the SBU investigate the largest and most successful hacker attack in Ukraine's history, when Prykarpattyaoblenergo suffered a blackout that left parts of the city of Ivano-Frankivsk and a number of towns and villages in Ivano-Frankivsk Oblast without electricity days before Catholic Christmas. Other Ukrainian electricity distribution companies came under the same attack as well. A number of security experts voiced concerns that the Russian government might be behind the attack.
In an interview with Ekonomichna Pravda, Oleh Sych explained how Ukrainian antivirus software manages to compete with global brands, why Zillya! has relatively few clients in Ukraine, and what distinguishes good antivirus software from bad.
— Oleh, how did you meet the founder of Zillya!, Oleksiy Orlovsky? What was Orlovsky's business before founding the company? Why did he decide to start such a niche business?
— In 2009 one of the managers of Zillya! asked me to join the project. Oleksiy, its founder, was involved in IT outsourcing and wanted to create his own product. He was interested in IT security and understood that he needed to create an antivirus software product. Nevertheless, being the founder, he was primarily involved in the strategy and global issues of the business, with no time left for managing day-to-day activities. That is why he hired me.
— Is it difficult to find computer virus experts in Ukraine?
— This is a complex issue. There are no institutions in Ukraine that educate this type of specialist, and our country has very few businesses working in this field from which we could headhunt such people. The only path leads to the IT underground. Ukrainian hackers break into other people's computers when somebody asks them to do it for money, or they just write viruses for fun. Usually these people don't do this as a regular job, just as a hobby. Yet, they are gifted. Their endless experiments give them a kind of knowledge that no computer specialist with an official diploma can offer. We try to find these people and offer them a full-time, well-paid, legitimate job.
— What is their salary?
— The salary of a specialist in computer virus analysis is comparable to the average salary of Ukrainian mid-level programmers. They deserve more, but that is what we can currently offer. I would love to pay them more, if we were something like Symantec.
— Speaking of the leaders like Symantec, ESET and Kaspersky — are they stealing your best talent?
— They are trying. A competitor based in Israel was recently headhunting our analysts. Samsung added cybersecurity competence to their R&D Center in Kyiv. Yet, Samsung is primarily interested in Android devices, while our primary focus is Windows.
— On how many computers is your product currently installed?
— The total number of computers, including white-label products, is 3 million. In Ukraine we have 0.5 million active installs, and the total number of customers who have tried our product in Ukraine is close to 2 million. Most Ukrainians are using the free version of our product.
— How many installs do you have in the private, corporate and government sectors?
— To answer this question I have to explain our business model. Our major income comes from selling our technology abroad under the brands of our trusted partners. Currently more than 30 other antivirus software products are built on Zillya! technology, and we receive royalties. Our software works in India, the US, Nigeria and a number of other countries on the African continent. The customers are local ISPs and retail chains.
Unfortunately, our market share in Ukraine, our home country, is still very small. To succeed in Ukraine an IT product has to get global recognition. Only after you get it do Ukrainian customers start taking you seriously. Every day we have to prove to our local Ukrainian customers that Zillya! is worthwhile.
— What is Ukraine’s share among your global sales?
— Close to 10:1, where ‘1’ is Ukraine.
— What is the private to corporate sales ratio in Ukraine?
— Financially it is 50:50. Our major successes in the corporate sector came in 2015.
— Can these successes be explained by the boycott of Russian antivirus software by the Ukrainian corporate segment?
— Yes, to some extent this influences our sales, yet this is not a key factor. Currently, one out of five of our corporate prospects in Ukraine is a local business switching from Russian antiviruses.
— What is the breakdown of antivirus software in the government sector, then?
— ESET is definitely number one. In July 2014 ESET NOD32 was installed on two thirds of computers belonging to the Ukrainian government. Before the boycott of Russian software, Kaspersky indeed had an impressive market share. McAfee and Symantec have visible market shares in the corporate sector.
After the boycott of Russian antiviruses not everybody rushed to buy Zillya! There is a tradition: Americans prefer American, Japanese prefer Japanese, but Ukrainians have a stereotype that Ukrainian is bad. In order to be noticed at home you have to achieve international recognition.
— Can you name five markets where your product sells best?
— India came as a true discovery to us. We started promoting our technology there. They like our products because of simplicity and effectiveness. We have several partners in Nigeria, Indonesia and the Philippines. Our Chinese partners are growing their sales very fast.
One of our most successful partners is a company from the United States. A lot of friends and business rivals recommended us to ‘stay home, make money and forget about the West’. Our US partner proved this to be wrong. They made us believe we can successfully compete in the United States and Western Europe.
— When is it wise to buy a commercial antivirus, and when will a free version do the job?
— Commercial and free versions of the recognized brands provide the same level of protection. As a rule, antivirus vendors do not try to undermine the protection level of their free versions, as it would tarnish their brand. Usually the differences between the free and commercial versions of the product appear in the additional services: customer support, technical assistance, etc.
— What is the difference between good and bad antivirus software?
— When we were collecting statistics on the existing antiviruses, we stopped counting upon reaching 350. Of course some of these will harm your computer instead of protecting it. Among the top known antiviruses I cannot name any that is ‘bad’. Yet, there are some known vendors, who are not very careful with their public relations and there are known solutions that are applied in a wrong manner.
Installing an antivirus is not a guarantee of protection. When a diligent hacker is creating a trojan, he checks it against all the known antiviruses. If his 'creation' is detected, he keeps improving it until none of the known tools detect it. The resulting virus will be invisible to antivirus software until the infected file is inspected by specialists.
— It is rumored that antivirus companies create viruses as a kind of ‘business development’. Have you ever created viruses yourself?
— This is a widespread myth that offends any antivirus professional. We might as well assume that firefighters burn homes and doctors intentionally infect their patients. This type of reasoning is used by people who do not understand the nuances of cybercrime and cybersecurity.
Writing viruses might be alluring to those who dream of easy money. There are many paths available: adware, spyware, ransomware, etc. It is hard to catch a truly talented cybercheat. However, in the end it is almost always their greed that plays bad jokes on them.
Of course I experimented with viruses. You cannot be a computer virus analyst without having ever written a virus. Now I have no time for that. Managing business workflow and analyzing virus threats takes all my time.
— Was the main cause of the success of the cyberattacks on Ukraine's power distribution grid in December 2015 the ignorance of the IT personnel of Ukraine's energy companies, or the talent of the perpetrators? Why did antivirus software not stop the attacks?
— The attacks were sophisticated and used social engineering. 100% of the attack's success came from the ignorance of the personnel and violation of the basic principles for building information networks of this type. The internal network of the affected energy distribution company was physically connected to the Internet. This same network was used to manage the electrical substations. The attackers hacked the company's Internet proxy server to gain access to the company's intranet and the computers managing the substations.
While the architecture and technology of the attack were not so complicated, the attack was well organized and coordinated. Several regional power distribution grids were attacked simultaneously. Several hackers simultaneously operated the compromised computers within the affected internal network. At the same time, a DDoS attack was organized to take down the company's call center and spread panic.
It all could have been avoided if the affected company had implemented its information security policy in a timely manner and conducted information security training for its employees. It is all about the human factor. Antivirus software stood no chance in this case.
We conducted an experiment and checked this trojan with all the major antivirus software using virus databases that were up to date at the moment when the incident occurred. No antivirus could locate this malware. The trojan we are now discussing was created specifically for this attack. Its main purpose was to stay unnoticed as long as possible.
— Ukrainian companies and government agencies are abandoning Russian-made antivirus software, fearing the FSB might get hold of their sensitive information. Can antivirus software steal user data from a computer or enable its remote control?
— In theory it can, if the vendor so decides. Antivirus software usually has extensive access rights to the computer's operating system. It can edit, move and delete files, update its antivirus database, and track browsing and document history, software launches and messengers.
However, I doubt that any antivirus company would risk its reputation. If this gets discovered — the company will cease to exist. The cybersecurity business is built on trust. Why would multimillion dollar businesses risk it? However, an insider job cannot be completely ruled out. Employees of an antivirus company can be spies. Virus analysts and programmers can create bugs in their company’s software.
Another opportunity for spying is that modern antivirus software collects a lot of sensitive information, which is then sent to the servers of the antivirus company and analyzed. This is explicitly authorized by the customer when he accepts the end user license agreement, and this information helps improve the product. What a government intelligence professional could do with this information is a good question to ask.
— What are Zillya!’s plans for 2016?
— In 2015 we strengthened our antivirus lab, invested a lot of effort in our antivirus core and behavior analysis engine. Now our software is tested by the major international certification centers and we hope that they will see the value in our solutions. Recently we launched our first Android antivirus product. Now we are designing our next product for this platform and are considering expanding into other mobile platforms.
Nota Bene! Publications of the English version of Ukrayinska Pravda are not verbatim translations of the source publications from the Ukrainian or Russian language versions of our website. For the sake of clarity and editorial effectiveness our translators might take the liberty of shortening and retelling parts of the source publications. Please consult the text of original publication or the English editorial staff of Ukrainska Pravda prior to quoting our English translations.