New wave of cyber attacks on Ukraine preceded Russian invasion

In the hours leading up to Russia’s invasion of Ukraine this morning, a number of government websites and financial institutions in Ukraine were targeted by a series of distributed denial of service (DDoS) attacks, rendering them inaccessible in a repeat of an incident last week, later attributed to Kremlin-backed threat actors.

A DDoS attack involves the target system being bombarded with incoming messages, connection requests or malformed packets to force them to slow or shut down. They are accomplished quickly and easily and do limited damage beyond service outage. For this reason, they have at times been used by more sophisticated threat actors as cover for deeper and more destructive cyber attacks.

In a statement, Ukraine’s State Service of Special Communication and Information Protection said: “Today, websites of a number of government and banking institutions have undergone a massive DDoS attack again. Some of the attacked information systems are not available or work intermittently. This is due to switching traffic to another provider to minimise damage. Other websites effectively resist the attack and work normally.

“Currently, the State Service of Special Communications and Information Protection of Ukraine and other subjects of the national cyber security system are working on countering the attacks, collecting and analysing information. We ask all authorities that have been attacked, or are suspected to have been attacked, to contact the Government Computer Emergency Response Team CERT-UA.

“The State Service of Special Communications and Information Protection of Ukraine will continue to promptly inform about the current course of the situation through official communication channels.”

Alongside these attacks, researchers at ESET uncovered a new form of wiper malware in action in the region, similar to that deployed against Ukrainian targets in January. The research analysts said it had been installed on hundreds of systems in the country.

The wiper binary is signed using a legitimate code signing certificate issued to Hermetica Digital (possibly a shell or defunct company) – and for this reason ESET and others have jointly named it HermeticWiper. It abuses legitimate drivers from the EaseUS Partition Master software to corrupt data, at which point it then reboots the system.

ESET said that in one organisation targeted, HermeticWiper was dropped via the default (domain policy) GPO, which means the attackers had probably taken over the Active Directory server.

ESET first spotted HermeticWiper in the wild at about 3pm UK time on 23 February, but the compilation timestamp on one of the samples shows it dates back to 28 December 2021, which would suggest the attack was long planned.

More technical details on HermeticWiper have been compiled by SentinelOne’s Juan Andrés Guerrero-Saade, and can be read here.

Sophos’ Chester Wisniewski said the latest round of attacks had clearly been a sign that a Russian invasion was imminent. “Russia’s official The Military Doctrine of the Russian Federation from 2010 states: ‘The prior implementation of measures of information warfare in order to achieve political objectives without the utilisation of military force and, subsequently, in the interest of shaping a favourable response from the world community to the utilisation of military force’,” he said.

“Information warfare is how the Kremlin can try to control the rest of the world’s response to actions in Ukraine or any other target of attack.

“False flags, misattribution, disrupted communications and social media manipulation are all key components of Russia’s information warfare playbook. They don’t need to create a permanent cover for activities on the ground and elsewhere, they simply need to cause enough delay, confusion and contradiction to enable other simultaneous operations to accomplish their objectives.”