Russian cyber attacks on Ukraine: What we know so far
A score of additional attacks on the Ukrainian government and other critical services have been reported this week, as Russia officially declares war on the country
Numerous reports of cyber attacks targeting Ukrainian government departments and soldiers themselves have mounted this week, including instances of destructive malware and denial of services.
The cyber attacks form part of Russia’s apparent hybrid approach to warfare as Ukraine’s Stratcom Centre confirmed today that Russia has officially begun its invasion of Ukraine.
Early indications Russia was planning an invasion of Ukraine have been monitored for months and the event seemed increasingly likely after western leaders failed to reach an agreement with Russia during a series of negotiations held in January.
Belarusian activists took matters into their own hands later that month as news of Russian troops mobilising at the Ukrainian border started to surface.
Destructive wiper malware
Cyber security research organisation ESET said on Wednesday that it observed data showing wiper malware had been deployed on “hundreds of machines” in Ukraine.
The research group said data from the observed malware sample, first gathered on Wednesday afternoon, indicated that it may have been created in December 2021. The finding indicates that Russia may have been planning the attack for months.
ESET said further investigations revealed that the attackers had likely taken control of the Active Directory server in victim machines. The wiper malware appeared to have been dropped via the default domain policy, it said.
ESET’s findings were also corroborated by Symantec’s Threat Intelligence group.
The wiper works by abusing legitimate drivers from the EaseUS Partition Master software in order to corrupt data, before rebooting the machine as a final measure.
According to a deeper analysis by Cisco Talos, the wiper dubbed 'Hermetic Wiper' starts by enumerating the system's physical drives and corrupting the first 512 bytes to destroy the master boot record, ensuring the PC will not function properly, even if the malware failed part-way through its process.
Hermetic Wiper will then analyse the individual partitions, disable the Volume Shadow Copy Service, and then deploy different destructive mechanisms depending on the drive type: FAT or NTFS.
Various housekeeping files will also be targeted, it will then wait for all sleeping threads to complete before rebooting the machine to complete the wiping process, the researchers said.
Wiper malware was one of the key trends expected to define cyber warfare in 2022, as outlined by Maya Horowitz, director of threat intelligence and research products at Check Point, to IT Pro last month.
“In some cases, especially around hacktivists, they don’t really want to invest in doing all of the encryption [involved in ransomware], it’s just easier to ruin the machines, not being able to restore them,” she said.
“Wipers are also very relevant when it comes to hacktivists and we’re seeing more cyber hacktivists these days, so we’ll probably see more wipers as well.”
Distributed denial of service attacks
Reports also suggest a number of Ukrainian government departments have been hit by distributed denial of service (DDoS) attacks over the past few weeks, with another surge occurring on Wednesday.
According to web monitoring outfit NetBlocks, the websites belonging to Ukraine’s Ministry of Foreign Affairs, Ministry of Defense, Ministry of Internal Affairs, the Security Service of Ukraine, and Cabinet of Ministers all experienced disruptions on Wednesday.
All websites seem to be operational at the time of writing, other than the Security Service of Ukraine, which appears to still be suffering an outage.
The websites for Ukraine’s Ministry of Defense and Ministry of Internal Affairs both seem to be actively under protection from Cloudflare as its DDoS protection landing page appears before loading the website. The country’s Centre for Strategic Communications is also seemingly being protected.
As reported by wider media outlets, Cloudflare said it has seen an uptick in activity in the past week, but it's still not as much as it observed affecting Ukraine in January. The company also said the size of the attacks aren't as big as some it has dealt with in the past.
"The Internet continues to operate in Ukraine for the most part," said John Graham-Cumming, CTO at Cloudflare to IT Pro. "We saw an increase in Internet use after 0330 UTC perhaps indicating Ukrainians using the Internet for news and information.
"Currently, we are seeing about 80% of the load we usually see in Ukraine in certain areas. There has been a small uptick in cyberattacks against Ukrainian websites, particularly government websites," he added.
Cloudflare data seen by IT Pro revealed inconsistent increases in traffic against Ukraine starting from December and eventually peaking on 22 January 2022. The traffic into Ukraine was around twice as high between December 2021 and January 2022 compared to October-November 2021, and around four times more than during the same period a year earlier.
The Ministry of Defence confirmed its website “was probably attacked by DDoS – an excessive number of requests per second were recorded,” it said in a tweet.
Government departments have also said they will be continuing communications on social media amid mounting attempts to disrupt the typical official channels.
This week’s DDoS attacks follow a number of incidents that occurred between 15-16 February, which saw the Ukrainian banking sector targeted with similar denial of service attacks.
The UK’s Foreign, Commonwealth & Development Office (FCDO) and National Cyber Security Centre (NCSC) together officially attributed the attacks to the Russian Main Intelligence Directorate (GRU), saying it was “almost certainly involved”.
“The attack showed a continued disregard for Ukrainian sovereignty. This activity is yet another example of Russia’s aggressive acts against Ukraine,” said an FCDO spokesperson at the time.
The attacks preceded a post on popular hacking-related community RaidForums, observed by the Computer Emergency Response Team of Ukraine (CERT-UA), which revealed an unknown actor warning Ukraine that dedicated servers would be attacking websites that have a direct impact on the country, including banks, government portals, and military websites.
A journalist at the Kyiv Independent has also since confirmed that the Ukrainian Parliament’s chairman Ruslan Stefanchuk said numerous cyber attacks had been targeting him, including attempts to break into his, and his family’s, email accounts and block their bank cards.
Russia's military website Mil.ru experienced an outage the day it announced an invasion and further reports show that it is returning a 418 error, suggesting Russia has closed off the access to the website for users outside the country.
Ukraine officially confirmed Russia had invaded as of Thursday morning, but there is currently no official indication that Ukraine has launched retaliatory cyber attacks against Russia.
Although, a senior Ukrainian Defence Ministry official is thought to have instructed a private sector cyber security partner to rally groups of ethical hackers to launch an offensive against Russia in cyber space, on behalf of the Ukrainian government, according to a Reuters report.
Enthusiastic ethical hackers based in Ukraine were allegedly asked to enrol in the initiative via a Google Docs form, listing their areas of expertise and professional preferences.
They would then be separated into teams dedicated to attack and defence, the latter of which would be charged with protecting critical infrastructure – a key concern following Russia's 2015 attack on Ukraine which cut power to hundreds of thousands of Ukrainian nationals.
The Ukrainian Center for Strategic Communications tweeted: "the Supreme Commander-in-Chief of the Armed Forces of Ukraine gave orders to inflict the maximum losses to the aggressor", on Thursday shortly after the invasion was confirmed.
We will update the story as further developments regarding Ukraine's response come to light.
Chester Wisniewski, principal research scientist at Sophos, discussed similar events that have occurred in the past and what they may indicate about how the future of this cyber warfare will unfold.
Wisniewski said Russia’s experience with DDoS dates back to 2007, when it launched such attacks on Estonia after the country moved a statue commemorating the Societ Union’s liberation of Estonia from the Nazis to a less prominent location, an act which sparked protests in Moscow.
Russia also carried out DDoS attacks in 2008 against Georgia before it invaded a region in the country, he said.
Russia’s telltale method of operations are once again visible in the attacks of the past few weeks, according to Wisniewski. The attacks are also unlikely to stop any time soon.
“Regardless of whether things continue to escalate, cyber operations are sure to continue,” he said. “Ukraine has been under a constant barrage of attacks with varying degrees of peaks and troughs since Viktor Yanukovych was deposed in 2014.
“False flags, misattribution, disrupted communications, and social media manipulation are all key components of Russia’s information warfare playbook. They don’t need to create a permanent cover for activities on the ground and elsewhere, they simply need to cause enough delay, confusion and contradiction to enable other simultaneous operations to accomplish their objectives.”
Accelerating AI modernisation with data infrastructure
Generate business value from your AI initiativesFree Download
Recommendations for managing AI risks
Integrate your external AI tool findings into your broader security programsFree Download
Modernise your legacy databases in the cloud
An introduction to cloud databasesFree Download
Powering through to innovation
IT agility drive digital transformationFree Download