Many cybersecurity experts had predicted that Russia’s current conflict with Ukraine would largely play out in the form of cyber attacks rather than physical warfare. A series of attacks on that country’s government websites appears to be the opening salvo, as suspected Russian hacking teams left messages threatening the country’s residents.
Attackers briefly knocked out the public-facing websites for several of Ukraine’s government agencies, and defaced some sites with pro-Russia messages that brought up Ukrainian history. The hackers also left a warning on at least one page claiming that the country’s personal information was not safe and might be made public.
Government websites hacked as Russia-Ukraine conflict deepens
The spate of cyber attacks against the Ukraine government websites came shortly after talks between Russia and NATO broke down, and Russia raised the possibility of military deployments to Cuba and Venezuela in response to United States actions. A spokesperson for Ukraine said that about 70 websites were impacted including those of regional governments.
The attacks briefly took down the Ukraine ministry of foreign affairs and the education ministry websites among others. The threat to dox residents of Ukraine was left on the foreign affairs ministry website, reading as follows: “Ukrainians! … All information about you has become public. Be afraid and expect worse. It’s your past, present and future.”
Following the cyber attacks, the Ukraine security service issued a statement indicating that no personal data had been breached and that most of the affected government websites had been restored to full function.
The messages also included references to the UIA and OUN, defunct nationalist groups that fought against the Soviets. Some analysts believe this was a very basic attempt to disguise the actual origin of the cyber attacks.
The NATO secretary general would not formally place blame on Russia, but said it was not hard to imagine who was responsible. This refers to a roughly eight-year history of on-and-off cyber attacks from Russia against Ukraine as tensions have flared up again and again. NATO said that it was mobilizing a response and would soon be signing a cyber cooperation agreement with the Ukraine government. Elizabeth Wharton, VP Operations for SCYTHE, represents the view of many cybersecurity experts who don’t need to see anything else to assume that Russia is behind it: “This is not surprising. It’s cyber harassment typical with Russian active measures doctrine, which uses disinformation, propaganda, and deception in an attempt to influence world events and disrupt governments.”
On its end, Russia’s demands have ranged beyond a change of government or the handover of any disputed territory in Ukraine. The country used the recent NATO discussions as an opportunity to demand that Ukraine and Georgia be formally denied entry into the alliance, along with a withdrawal of all troops and equipment from Eastern Europe.
Cyber attacks reflect previous actions against Ukraine
According to the Ukraine technical security and intelligence service, there is a common thread between the particular government websites that suffered cyber attacks: all were serviced by a third-party firm called Kitsoft, which had apparently built each site for the agencies. A forensic investigation is pending, and until it is completed it will remain unclear whether some sort of vendor compromise of Kitsoft was the root cause. The CEO of the firm said that it provides software that is independently run by each agency, and that the breached government websites had not opted for ongoing support from the firm.
Katie Nickels, Director of Intelligence for Red Canary, provides insight on a known vulnerability that may have been exploited to access the government websites: “Based on this initial information, the defaced Ukrainian websites may have been compromised due to a vulnerability in a content management system called October. The vendor reportedly patched the vulnerability in August 2021, so it’s not a zero-day and it is not particularly complex to exploit … Although the defacements aren’t difficult to conduct and website downtime is a minor nuisance, these defacements can have psychological influence during a tense situation.”
The modern conflict between Russia and Ukraine dates back to 2014, when a pro-Russian separatist movement engaged in armed conflict within the latter country’s borders and Russia annexed Crimea by force. Ukraine has increasingly allied itself with the West, which has prompted continued aggression from Russia that has mostly manifested in the form of cyber attacks. Sporadic Russian attacks on Ukraine’s infrastructure have disabled electricity, banking services, and even the freezer systems at grocery stores. The NotPetya virus that plagued the world in 2017 is thought to have escaped the region after beginning as one of these cyber attack campaigns. And the Ukraine Central Election Commission was hacked during that country’s 2014 elections, with traces of the malware used there later linked to the hacking of the US Democratic National Committee in 2016.
One of the central events prompting the recent flare-up of hostilities is the seemingly increasing possibility of Ukraine joining NATO, which would entitle it to automatic military assistance in its defense from NATO allies if it were attacked by Russia. At a summit in June 2021, NATO leaders seemed to confirm a path for Ukraine to eventually join the alliance (the “Membership Action Plan”). This came several months after Russia began to once again mass troops on the country’s border.
Ukraine’s security service says that it now neutralizes about 1,200 attempted attacks coming from Russia each year. Aside from fitting the general pattern of cyber attacks that dates back to 2014 (and even to 2008 when including attacks on Georgia), Ukrainian officials say that they have evidence that a paramilitary Belarus intelligence group with links to Russia was behind the recent attacks on the government websites. Russia’s foreign ministry has yet to respond to the charges, but has always denied responsibility for such cyber attacks in the past.