As diplomatic efforts to stave off armed conflict in Ukraine continue this week, a series of distributed denial of service (DDoS) attacks on targets in Ukraine that took place on 15 February 2022 are now being firmly attributed to malicious actors backed by the Russian government.
The attacks rendered the website of Ukraine’s Ministry of Defence inaccessible for a time, and also hit at least two banks and a web hosting firm at the same time.
Although Ukrainian authorities initially declined to firmly attribute the cyber attacks to any one actor, they later reversed course, saying there was only one country that was interested in conducting such attacks on Ukraine – Russia – and have been backed by both the US and the UK in this.
The Foreign, Commonwealth and Development Office (FCDO) – itself the subject of a recent cyber attack – said late on Friday 18 February that the National Cyber Security Centre (NCSC) was now able to assess from technical information that the Russian Main Intelligence Directorate (GRU) was “almost certainly” involved.
“The UK government judges that the Russian Main Intelligence Directorate (GRU) were involved in this week’s distributed denial of service attacks against the financial sector in Ukraine,” said an FCDO spokesperson.
“The attack showed a continued disregard for Ukrainian sovereignty. This activity is yet another example of Russia’s aggressive acts against Ukraine. This disruptive behaviour is unacceptable – Russia must stop this activity and respect Ukrainian sovereignty. We are steadfast in our support for Ukraine in the face of Russian aggression.”
At about the same time, Anne Neuberger, the US deputy national security advisor for cyber and emerging technology, said: “Russia likes to move in the shadows and counts on a long process of attribution so it can continue its malicious behaviour against Ukraine in cyber space, including pre-positioning for its potential invasion. In light of that, we’re moving quickly to attribute the DDoS attacks.
“We believe that the Russian government is responsible for wide-scale cyber attacks on Ukrainian banks this week. We have technical information that links…the Russian Main Intelligence Directorate, or GRU, as known GRU infrastructure was seen transmitting high volumes of communications to Ukraine-based IP addresses and domains.”
Neuberger said the speed of this attribution was somewhat unusual, but added that the US had taken the decision to call out Russia more quickly than it usually might because of a need to hold nation-states accountable when conducting “disruptive or destabilising” cyber attacks.
Neuberger said that the US had been increasing cyber support to Ukraine since November, and was working behind the scenes to help the country respond to and recover from attacks, and strengthen the resilience of Ukraine’s critical national infrastructure (CNI).
Last week’s attacks on Ukraine may well have been commissioned by the Russian intelligence services, but analysis of network traffic conducted by Netscout has shown that in many regards the attacks were well within established norms in terms of their size and methods.
The attackers likely used standard DDoS-capable botnets to carry out the attacks, said Netscout, with nodes located in New Zealand, Portugal, Russia, the UK, the US, and even within Ukraine itself. The botnet in question was likely a typical Mirai botnet, with a command and control (C2) node located in the Netherlands.