‘Massive’ Cyberattack on Ukraine Cripples Gov’t Websites
Hackers launched attacks on dozens of Ukrainian government websites Thursday night, crippling many and threatening to expose sensitive data.
“As a result of a massive cyberattack, the websites of the Ministry of Foreign Affairs and a number of other government agencies are temporarily down,” the country’s foreign ministry spokesperson Oleeg Nikolenko tweeted. “Our specialists have already started restoring the work of IT systems and cyberpolice has opened an investigation.”
The threat actors seemed to indicate that the attacks were pushback against the government’s pro-Western posture and threatened to expose sensitive information on the country’s citizens.
“Ukrainians! All of your personal data … have been deleted and are impossible to restore. All information about you has become public, be afraid and expect the worst,” they wrote in a message that appeared on the ministry website. “This is for your past, present and future. For Volyn, OUN, UPA, Galitsia, Polesye and for historical lands.” Those groups are widely known in Ukraine for their nationalist stances.
“This is not surprising. It’s cyber harassment typical of Russian active measures doctrine, which uses disinformation, propaganda and deception in an attempt to influence world events and disrupt governments,” said Elizabeth Wharton, vice president, operations, at SCYTHE.
“This attack reportedly targeted 15 websites in Ukraine that used the October content management system and resulted in websites being defaced. This included the Ministry of Foreign Affairs, Cabinet of Ministers, Treasury and others,” said Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows.
Was Russia Behind the Ukraine Cyberattack?
Morgan noted that while attribution has not been confirmed, “initial indicators likely point to the work of Russian or affiliated actors operating in reaction to current events. The attack coincided with significant tensions between Russia and Ukraine, with Russia conducting a build-up of more than 100,000 of its forces along the Ukrainian border and conducting several military exercises.”
The attacks, which occurred overnight, were launched soon after the U.S. announced the arrests of leaders of a Ukrainian ransomware group and Russia’s Federal Security Service (FSB) claimed credit for shutting down prolific ransomware group REvil. The attacks closely followed a warning from CISA and the NSA that critical infrastructure organizations needed to bolster their security against attacks by Russian operatives. On Friday, the White House also accused Russia of a false flag operation in Ukraine meant to be a smokescreen for its eventual co-opting of the country.
“It is interesting that this is happening on the heels of the REvil arrests as well as right when talks have ended in a stalemate. It shows how cyberwarfare is becoming a major tool for nation-states to augment conventional means,” said Saumitra Das, CTO and co-founder of Blue Hexagon. “The arrest by the authorities related to the REvil group is a major win for law enforcement, but make no mistake—another group will attempt to fill their shoes and attempt to recycle the extensive network set up by the REvil group.”
And YouAttest CEO Garret Grajek reiterated that following a “set of alerts focused directly on the activities of Russia and its aggressive cross-border sponsored hacking, it’s important to note—CISA is part of the U.S. Department of Homeland Security.”
The mish-mash of events; the complicated, convoluted and tense relationships between Russia, Ukraine and the U.S.—all are indicative of how cyber can impact foreign policy.
“Recent talks between the West and Russia in defusing the crisis also appear to have reached an impasse; this week, a top Russian negotiator said diplomacy had reached a ‘dead end,’” said Morgan. “There are credible fears of a Russian invasion into Ukraine once again, with Russia reportedly compelled to react to Ukraine’s attempts to move towards NATO membership, which would result in deepening military and economic ties with the West.”
President Biden has pressed Russian President Vladimir Putin repeatedly to shut down the ransomware gangs and other bad actors responsible for attacks on U.S. and business interests, such as the Colonial Pipeline attack early last year and the SolarWinds campaign aimed at software supply chains in late 2020. The REvil takedown is widely viewed as Russia’s attempt to offer a sacrifice on the altar of diplomatic relations to soothe the U.S.’s temper.
Morgan expects specific details on the defacement attacks to emerge in the coming weeks. He stressed, though, that the attacks bear many hallmarks of Russian cyberaggression, but he doesn’t rule out a third party. “The cyberattack against Ukraine does fit a consistent model frequently employed by Russian actors who have historically conducted hybrid warfare tactics involving coinciding cyberattacks ahead of movement of its military forces,” he said. “However, given the unsophisticated nature of the attacks, it is possibly the work of third-party Russian hacktivist or cybercriminal actors who are either encouraged by, or otherwise working independently of, the Russian state.”
The as-of-yet unattributed attacks on Ukrainian websites show cyber has become a formidable battlefield. “Cyber has joined land, sea and air to become the fourth conflict theatre. From a risk/reward perspective, it’s a theatre of operations that offers a lot of advantages. For instance, attacks can be carried out with little or no repercussions, yet have devastating practical consequences,” said Glasswall CEO Danny Lopez. “Attackers are not waging war or committing acts of aggression in the traditional sense, and there are few examples where attacks have caused human casualties. However, each incident adds to the underlying tension and suspicion that exists on the international stage.”
Grajek agreed. “If there is any proof needed that cyberwarfare is now as much part of warfare as bullets and tanks—this is it. In fact, the ability to undermine a nation’s economy, political systems and infrastructure are all now available via a remote keyboard and make the other mechanisms arcane and less attractive,” Grajek said. “But there is nothing clean and harmless about cyberwarfare—shutting down a country’s ability to feed, hospitalize and care for its own people is as much an act of war as bombing or attacking through other means.”
Cybercrime Doesn’t Care About Borders
And “the news that a ransomware group based in Kyiv, Ukraine, has been arrested is yet another reminder that a small group of people with a few computer resources and an internet connection can cause an incredible amount of damage and financial costs to organizations all around the world,” said Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify. “Cybercrime does not care about borders, nationality, gender or age and will target any company or person to threaten them, forcing victims to give up large sums of money in return for their digital lives or business.”
The arrest of hackers and the shutdown of REvil are a spot of good news in the fight against nation-state actors and cybercriminals. “Combined with the arrest in Russia of alleged members of REvil, it’s been a rough week for ransomware operators,” said John Bambenek, principal threat hunter at Netenrich. “The sphere of influence where they can operate safely is narrowing and Ukraine has always been helpful when we’ve done the work to identify criminals operating in their jurisdiction.” Bambenek said that “when arrests like this become a weekly occurrence, we will start to see a reduction in ransomware. The only way to make this stop is to hold the people responsible to account.”
But organizations must also step up, as the CISA/NSA advisory noted. “As the ‘weaponization’ of information technology escalates at an alarming rate, organizations must significantly improve their ability to proactively identify and defend against attacks, irrespective of their source and motivation,” said Lopez. “Failure to do so will leave more organizations at even greater risk of disruption and damage, tactically outmatched by adversaries who are relying on the weaknesses inherent in many of today’s IT networks for their success.”
As “nation-state threat actors continue to take an active role in destabilizing infrastructure, governments and businesses—whether for profit or pure political objectives—security can no longer continue to be an insurance policy. It must become a critical part of the infrastructure at every step,” said Saryu Nayyar, CEO and founder at Gurucul.
That means “world governments must start funding and investing in cybersecurity training, educational programs and awareness,” said Nayyar. “In addition, without continuous evaluation and investment in next-generation security technologies that optimize security operations, threat actor groups will continue to be able to disrupt governments and economies.”
