A second wave of cyber attacks in Ukraine knocked a number of websites offline temporarily, including the Defense Ministry’s public-facing site and two major banks.
An earlier round of attacks in mid-January focused on defacing government websites and making threats, but did not do any known damage beyond that. The current cyber attacks appeared to use distributed denial of service (DDoS) techniques to take several websites offline for several hours.
Ukrainian government websites face cyber attacks for the second time in a month
A Facebook post from the Ukraine Center for Strategic Communications indicated that the military’s primary website for the public was taken offline, along with the websites of two of the country’s larger banks: PrivatBank and Oscadbank.
At the same time, a separate attack sent spam text messages to Ukrainian citizens claiming that ATMs were not functioning. It remains unclear if any ATMs were actually disabled, or if the text messages were related to the DDoS attack.
Those with PrivatBank accounts did temporarily lose access to their online logins and the app was rendered non-functional for some time, but there is no indication of theft of funds or personal information. The situation appears to have been similar with Oscadbank.
The impacted organizations took to Facebook and other social media platforms to communicate with the public while their websites were down. The downtime was not thought to cause any serious problems, however, as the organizations were able to weather the DDoS cyber attack and restore function within the same day.
Russia once again the primary suspect
It’s natural to assume that Russia is behind the cyber attacks on Ukraine’s government websites, but the seeming lack of effort and damage does raise some questions. The first wave of attacks in January, which amounted to nothing more than defacement of a number of government websites, was eventually attributed to a hacking team linked to Belarus intelligence. The Ukrainian security officials believe that the defacements may have been cover for something more serious, and “wiper” malware was reportedly found stashed away on some systems, but the only escalation thus far has been the DDoS attacks which seem to have been fairly easily recovered from.
This does not exactly track with Russia’s cyber attack history in Ukraine since 2014; Russian hackers have shut down segments of the power grid several times, knocked banks offline, and attacked election systems. These “advanced persistent threat” hacking groups are also known to use more destructive means, such as malware that permanently deletes files and ransomware; the most notorious example of this was the NotPetya ransomware unleashed in 2017. The current conflict has not seen any cyber attacks of this caliber as of yet.
Nevertheless, Russia is easily the world’s most capable and motivated party and is probably a safe bet (or an allied group working on their behalf, such as Belarus intelligence). Russia had claimed that it was beginning to withdraw troops from the Ukraine border as “defense drills” wrapped up, but NATO says that is a false claim and that 7,000 new troops have actually been added in recent days.
Russia has also made use of DDoS attacks in the past as part of an entry strategy, as Rick Holland (Chief Information Security Officer, Vice President Strategy at Digital Shadows) notes: “Threat actors with Russian affiliations have certainly leveraged massive DDoS attacks in the past, as we saw in Estonia in 2007. Those attacks crippled the Estonian economy, but thus far, the DDoS attacks against the Ukrainian defense ministry and financial institutions appear to be harassment similar to the previous DDoS attacks seen in January. They could be a precursor to a significant attack or a component of a broader campaign to intimidate and confuse Ukraine. Threat actors not associated with Russia could be responsible for the DDoS attacks; however, as with anything attribution-related, evidence to substantiate this would be required.”
And though the actual damage ended up being limited, the Deputy Prime Minister of Ukraine said that the attack on the government websites was the largest DDoS to ever take place in the country. Ukraine firmly believes that Russia was behind the attempt, in a bid to sow “panic” and “chaos” in the country. But, as is common with these types of cyber attacks, there is no hard evidence to make a positive identification and most likely never will be. The Ukraine state security service said that part of the DDoS attack on the government websites came from devices in Russia, but it was also distributed among devices in China, Uzbekistan and the Czech Republic.
As long as cyber attacks with this layer of plausible deniability are the only form of engagement, the situation is unlikely to escalate. President Biden and NATO allies have drawn a red line at any physical incursion by Russian military forces into Ukraine (with “strong sanctions” as a minimum response), but despite promises and rumors of such attacks being imminent nothing has happened as of yet. Defacing and temporarily inconveniencing government websites certainly is not a viable cause for starting a hot war.
There does remain the possibility that criminal actors are attempting to take advantage of this tense situation. While a DDoS is not generally used for profit, it can be used as a smokescreen to distract the IT teams and security response of organizations while a breach attempt is made. The fact that two banks were prioritized as a point of attack (and only one of the country’s government websites) does lend some credence to this theory, particularly when paired with the odd timing of the text message campaign claiming that the country’s ATMs were going down.
James McQuiggan, security awareness advocate at KnowBe4, notes that organizations need to anticipate DDoS being used as part of a cyber attack cocktail in this fashion: “Technology exists to reduce a DDoS attack; however, it is difficult to stop the attack once it starts without disabling the equipment. Organizations can consider having non-essential systems in a cloud environment like their main website or email. They can install and configure anti-DDoS hardware or software in a cloud environment. Most importantly, having a DDoS incident response plan is critical so IT personnel can quickly implement the necessary actions to minimize the attack and effectively return the systems to operation.”