The Ukrainian State Service of Special Communications and Information Protection stated that several official government websites and banks had been hit with a “massive DDoS attack” as the country prepared for a potential invasion by Russia.
This is the second such attack on Ukrainian government sites this year: in January, websites of the Ministry of Foreign Affairs and other government agencies were targeted by hackers.
The State Service of Special Communications and Information Protection, and NetBlocks, an organization that tracks internet outages across the world, confirmed that the websites of the Ministry of Defence, the Ministry of Foreign Affairs, the Ministry of Internal Affairs, the Security Service (SBU), and the Cabinet of Ministers faced outages.
⚠️ Confirmed: #Ukraine's Ministry of Foreign Affairs, Ministry of Defense, Ministry of Internal Affairs, the Security Service of Ukraine and Cabinet of Ministers websites have just been impacted by network disruptions; the incident appears consistent with recent DDOS attacks 📉 pic.twitter.com/EVyy7mzZRr
— NetBlocks (@netblocks) February 23, 2022
Other targets included PrivatBank, one of the largest financial institutions in Ukraine, and Oschadbank, Ukraine’s State Savings Bank, both of which suffered outages.
PrivatBank’s website was down after the attack; visitors were shown the message “WAF is watching you.”
According to Cloudflare, DDoS activity against Ukrainian sites has been infrequent; however, there has been an increase in activity compared to the previous week.
“There have been attacks against individual websites in Ukraine which have been disruptive…So far they have been relatively modest compared to large DDoS attacks we’ve handled in the past.”
The Service of Special Communications and Information Protection said in a statement that websites of a number of institutions and government sectors in Ukraine have suffered from a massive DDoS attack. Some systems are still not available, while other websites have resisted the attack and are back online.
“Currently, the State Service of Special Communications and Information Protection of Ukraine and other subjects of the national cybersecurity system are working on countering the attacks, collecting and analyzing information,” the agency said.
According to ESET researchers, a new “data wiper malware” was used in the attacks in Ukraine. According to the report, the malware was installed on hundreds of machines in the country.
“The wiper abuses legitimate drivers from the EaseUS Partition Master software in order to corrupt data. As a final step the wiper reboots the computer,” said ESET.
ESET further observed that in one of the targeted organizations the wiper was deployed via the default domain GPO. That means the attackers had already taken control of the Active Directory server, or at least held domain-admin privileges: a Group Policy object linked at domain level pushes its scripts and scheduled tasks to every machine in the domain, so no per-host intrusion was needed to drop the malware onto devices.
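A GPO deployed through the default policy is the detail a defender should act on: any code pushed from the SYSVOL folder of that policy runs on every joined machine, so the policy folder itself is the place to look. The following script is an added example, not code from the article or from ESET. It audits a single GPO's SYSVOL folder for script and scheduled-task payloads, flags files modified after a chosen baseline, and reads the machine/user version counters from GPT.INI (both increase whenever the GPO is edited). The Default Domain Policy GUID is the well-known fixed value; the temporary directory layout, the `cleanup.bat` file name and the `Version=65539` value are constructed sample data, assumed here only so the script runs offline.

```python
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Well-known GUID of the Default Domain Policy (identical on every AD domain).
DEFAULT_DOMAIN_POLICY_GUID = "{31B2F340-016D-11D2-945F-00C04FB984F9}"

# Folders under a GPO's SYSVOL directory from which code is pushed to every
# computer or user the policy applies to.
EXECUTION_PATHS = [
    Path("Machine") / "Scripts" / "Startup",
    Path("Machine") / "Scripts" / "Shutdown",
    Path("User") / "Scripts" / "Logon",
    Path("User") / "Scripts" / "Logoff",
    Path("Machine") / "Preferences" / "ScheduledTasks",
    Path("Machine") / "Preferences" / "Files",
]


def gpt_version(policy_root: Path) -> tuple[int, int]:
    """Return (machine_version, user_version) from GPT.INI.

    The Version value packs the computer-settings counter in the low 16 bits
    and the user-settings counter in the high 16 bits; a jump in either one
    means somebody edited the GPO.
    """
    for line in (policy_root / "GPT.INI").read_text(errors="replace").splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "version":
            v = int(value.strip())
            return (v & 0xFFFF, v >> 16)
    raise ValueError("GPT.INI has no Version entry")


def audit_gpo(policy_root: Path, modified_since: datetime) -> list[dict]:
    """List every file that a GPO can execute and flag recent modifications."""
    findings = []
    for rel in EXECUTION_PATHS:
        base = policy_root / rel
        if not base.is_dir():
            continue
        for p in sorted(base.rglob("*")):
            if not p.is_file():
                continue
            mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
            findings.append({
                "path": p.relative_to(policy_root).as_posix(),
                "modified": mtime.isoformat(timespec="seconds"),
                "recent": mtime >= modified_since,
            })
    return findings


def demo() -> dict:
    """Constructed sample: a fake policy folder in a temp dir with one freshly
    written startup script and one 90-day-old scheduled-task preference file.
    On a real domain, point audit_gpo at
    \\\\<domain>\\SYSVOL\\<domain>\\Policies\\<GUID> instead."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Policies" / DEFAULT_DOMAIN_POLICY_GUID
        startup = root / "Machine" / "Scripts" / "Startup"
        tasks = root / "Machine" / "Preferences" / "ScheduledTasks"
        startup.mkdir(parents=True)
        tasks.mkdir(parents=True)
        # Version 65539 = user counter 1 (high 16 bits), machine counter 3 (low 16 bits).
        (root / "GPT.INI").write_text("[General]\r\nVersion=65539\r\n")
        (startup / "cleanup.bat").write_text("@echo off\r\n")  # hypothetical payload name
        old = tasks / "ScheduledTasks.xml"
        old.write_text("<ScheduledTasks/>")
        ninety_days_ago = (datetime.now(timezone.utc) - timedelta(days=90)).timestamp()
        os.utime(old, (ninety_days_ago, ninety_days_ago))
        baseline = datetime.now(timezone.utc) - timedelta(days=7)
        return {"gpt_version": gpt_version(root), "findings": audit_gpo(root, baseline)}


if __name__ == "__main__":
    result = demo()
    print("GPT.INI versions (machine, user):", result["gpt_version"])
    for f in result["findings"]:
        print(("RECENT " if f["recent"] else "       ") + f["path"], f["modified"])
```

Compare the GPT.INI counters and the file list against a known-good snapshot taken before the incident window; the Default Domain Policy normally contains no startup scripts at all, so any file under those folders deserves a look regardless of its timestamp.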
We observed the first sample today around 14h52 UTC / 16h52 local time. The PE compilation timestamp of one of the sample is 2021-12-28, suggesting that the attack might have been in preparation for almost two months. 2/n
— ESET research (@ESETresearch) February 23, 2022
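The compilation timestamp ESET cites comes from the COFF file header of the PE image, and reading it is the first step of any triage. The script below is an added example, written for this page rather than taken from ESET or the article. It pulls the TimeDateStamp out of a PE file, computes how long before the first observed sample it was compiled, and flags the two cases where the field should not be trusted: a zeroed or otherwise epoch-zero value, and a timestamp later than the observation (attackers can set the field to anything, and some toolchains write a hash instead of a time). The sample bytes are constructed, header-only data with the timestamp set to 2021-12-28 00:00 UTC; the observation time is the 14:52 UTC value from ESET's tweet.

```python
import struct
from datetime import datetime, timedelta, timezone

# First sample seen by ESET on 2022-02-23 at 14:52 UTC (from the tweet above).
OBSERVED_FIRST_SAMPLE = datetime(2022, 2, 23, 14, 52, tzinfo=timezone.utc)


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime.

    IMAGE_DOS_HEADER.e_lfanew (offset 0x3C) points at the "PE\\0\\0" signature;
    the 20-byte COFF file header follows, and TimeDateStamp is the 32-bit
    little-endian field at offset 4 within it (after Machine and
    NumberOfSections).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 4 + 4)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def analyse(data: bytes, observed: datetime = OBSERVED_FIRST_SAMPLE) -> dict:
    """Relate the compile timestamp to the time the sample was first observed."""
    compiled = pe_compile_time(data)
    delta = observed - compiled
    return {
        "compiled": compiled.isoformat(),
        "days_before_observation": delta.days,
        # Epoch-zero or future timestamps are forged, stripped, or not times at all.
        "timestamp_suspicious": compiled.timestamp() == 0 or delta < timedelta(0),
    }


def build_minimal_pe(timestamp: int, e_lfanew: int = 0x40) -> bytes:
    """Constructed sample: just enough header bytes for pe_compile_time.

    This is not an executable, only a DOS stub, the PE signature and a COFF
    header (Machine=x86-64, no sections) carrying the given timestamp.
    """
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, timestamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


# 1640649600 == 2021-12-28T00:00:00Z, the date ESET reported for the sample.
SAMPLE = build_minimal_pe(1640649600)

if __name__ == "__main__":
    print(analyse(SAMPLE))
    print(analyse(build_minimal_pe(0)))  # zeroed timestamp -> suspicious
```

For a real file, replace `SAMPLE` with `open(path, "rb").read()`. A 57-day gap is consistent with ESET's "almost two months", but treat the value as one indicator among several: corroborate it with the timestamps in the debug directory, the export table, and any embedded certificate before building a timeline on it.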
According to various reports, the cyberattack began around 4 pm local time, the same time as the parliament started the discussion on declaring a state of emergency in Ukraine. As Russian forces moved into eastern parts of the country, taking over two cities, the Ukrainian government imposed a 30-day state of emergency in the country.
Many state officials have also been targeted. According to reports by local journalists, the chairman of parliament, Ruslan Stefanchuk, and his family were hit by cyberattacks: the attackers made numerous attempts to break into his email accounts, to block his bank cards, and more. The login attempts on his account reportedly came from Russia.
Considering the current Russia-Ukraine tension and increase in cyberattacks in the country, international organizations have been monitoring the situation closely. The UK Foreign, Commonwealth, and Development Office said that the Russian Main Intelligence Directorate (GRU) was involved in the recent attack on Ukrainian government sites.
Anne Neuberger, the US Deputy National Security Advisor for Cyber, said that technical information shows that “GRU infrastructure was seen transmitting high volumes of communication to Ukraine-based IP addresses and domains.”
According to the Computer Emergency Response Team of Ukraine (CERT-UA), the recent DDoS attacks used both the Mirai and Meris botnets, accompanied by an SMS disinformation campaign.
Christian Sorensen, a former leader of the international cyberwarfare team at US Cybercom, said that the purpose of these DDoS and cyberattacks is to build up pressure and tension in the country.
“It doesn’t sound like much impact yet. In the coming hours/days, I would anticipate more activities to isolate and disrupt Ukrainian citizens and especially government activities,” said Sorensen.
The main purpose of all this is to sow chaos in the country and leave both the public and the government unsure of their next steps. This appears to be only a first stage; later stages may be more damaging and may aim to make it harder for other countries to intervene.
In light of the current tension and the threat of a Russian invasion of Ukraine, DHS in the US, the NCSC in the UK, and the ACSC in Australia have warned companies to strengthen their cybersecurity and prepare for potential cyberattacks, particularly if NATO becomes involved in Ukraine. The West has also levied sanctions on Russia following the escalation of the Ukraine crisis.