‘Be Afraid:’ Massive Cyberattack Downs Ukrainian Gov’t Sites


As Moscow moves troops and threatens military action, about 70 Ukrainian government sites were hit. “Be afraid” was scrawled on the Foreign Ministry site.

Cyberattackers brought down about 70 Ukrainian government websites on Friday, defacing the site of the foreign ministry with a message to “Be afraid and expect the worst.”

The massive attack hit on Friday, unfolding hours after Russia and Western allies wrapped up fruitless talks intended to forestall a threatened Russian invasion of Ukraine.

The threatening message, which appeared in Ukrainian, Russian and Polish on the foreign ministry’s website, also alleged that Ukrainians’ personal data had been compromised: “Ukrainians! … All information about you has become public,” the message said. “Be afraid and expect worse. It’s your past, present and future.”


BuzzFeed News’ Christopher Miller shared an image of the message on Twitter. It displayed a crossed-out Ukrainian flag, map and coat of arms.

NEWS IN KYIV: Several Ukrainian government websites down due to a large cyberattack. Below is the @MFA_Ukraine website now. It reads in part: "Ukrainians!…All information about you has become public, be afraid and expect worse." Sites of MOD and Education ministry also down. pic.twitter.com/3lbA06Q3Fl

— Christopher Miller (@ChristopherJM) January 14, 2022

The message reportedly also referenced “historical land” and dropped the name of the Ukrainian insurgent army, or UPA. UPA is a Ukrainian nationalist paramilitary group that engaged in guerrilla warfare against the Soviet Union, the Polish Underground State, Communist Poland and Nazi Germany during World War II.

The foreign ministry’s spokesperson, Oleg Nikolenko, told The Guardian that the “massive cyberattack” has knocked the website of the ministry of foreign affairs offline temporarily.

According to the New York Times, the attack also crippled the sites of the cabinet of ministers, along with the ministries of energy, sports, agriculture, veterans’ affairs and ecology, among many other government websites. The websites of the president and the defense ministry reportedly weren’t affected.

“Our specialists have already started restoring the work of IT systems, and the cyber-police has opened an investigation,” Nikolenko told The Guardian.

The attack comes amid a tense time for the region, with the Kremlin demanding assurances that Ukraine won’t join NATO. Russia has amassed some 100,000 troops near the border with Ukraine.

On Friday, the E.U.’s top diplomat, Josep Borrell, condemned the attacks and offered assistance to Ukraine, saying that the attacks aren’t surprising. “We are going to mobilize all our resources to help Ukraine cope with these cyberattacks,” Borrell said. “Sadly, we expected this could happen.”

He added: “I can’t blame anybody as I have no proof. But we can imagine.”

Attribution Is ‘Impossible’ – False Flag?

Toby Lewis, head of threat analysis for Darktrace, agreed with Borrell that it is, indeed, “too early to discuss technical details,” he told Threatpost on Friday, but noted that the attacks may be a false-flag operation.

With regards to the extent of the attacks, he noted that government sites “are typically built on common software, which explains the domino effect of website shutdowns that we are seeing.”

Though it’s still early, we should be cautious about labeling it a “sophisticated” attack, he said.

“Some cyberattacks are more successful than others, some are advanced and others less so,” Lewis noted. “A distributed denial of service (DDoS) attack, for example, which is an attempt to bring down websites or networks by overwhelming the web server with internet traffic, is not particularly sophisticated and relatively easy to mitigate.”

As far as the website defacements go, they should be taken with a generous grain of salt, he said, being “designed to mimic ‘nationalist/separatist groups’ with claims that the attack was done in the name of the UPA (Ukrainian Separatist Army)” – a paramilitary group that hasn’t existed for more than 50 years.

“Attribution is impossible to do with digital information alone, and it is not unlikely that this is a false flag to divert attention away from the real perpetrators, to stir up unrest or simply impact the credibility of the website owners,” Lewis said.

Johannes Ullrich, dean of research for SANS Technology Institute and founder of the Internet Storm Center, downplayed the possibility of the effort being a nation-state attack.

“Based on past experience, this may very well be the work of hacktivists emboldened by current propaganda,” he said via email. “The defaced websites were only informational and likely did not hold sensitive information. Websites like this are often maintained using off-the-shelf content management systems, which are known to be notoriously vulnerable and are often breached even by low-level actors using either weak passwords or any number of vulnerabilities in content-management systems.”

Meanwhile, the Ukrainian Government has denied the defacement messages’ claims that data was leaked.

Ukraine: No Sign of Data Leaked

As far as the purported leak of data goes, Ukraine’s State Service of Communication and Information Protection refuted the claim.

The Independent reported that Ukraine’s minister for digital transformation, Mykhailo Fedorov, insisted that personal data was safe, since “the operability of the websites, not the registries,” was affected by the hack.

Fedorov reportedly said that some of the attacked websites were blocked by their administrators in order to contain the damage and analyze the attacks, and that “a large part” of the affected websites have already been restored.

Time will tell the extent of the damage to the sites, Lewis said, but the attackers’ bragging point of data theft does seem unlikely: “If the attacks truly have access to sensitive information or have detonated ransomware, why would they shout the loudest about website defacement?”

He said that Darktrace sees these kinds of “noisy attack techniques” used “to distract security teams’ attention away from more stealthy attacks,” and that “it remains to be seen if that is the case here.”
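The two points Lewis and Ullrich make above, that defacements across sites sharing one platform show up as a wave and that a loud defacement can be a decoy for quieter activity, translate into a simple defender-side check: compare what each site is serving against a known-good baseline, classify the result, and turn a multi-site defacement into triage actions that include looking for the stealthier follow-on. The script below is an added example written for this article; it is not code from Threatpost, Darktrace, SANS or the Ukrainian government. The site names, page bodies and banner phrases are constructed sample data standing in for real fetches and real baselines.

```python
"""Defacement monitor: compare served pages with known-good baselines and triage.

Added example, not from the article. Site names, page bodies and the marker
phrases are constructed; a real deployment would fetch live pages and store
baseline hashes from a trusted copy of each site.
"""
import hashlib
import re

# Constructed known-good copies of three government-style pages.
BASELINE_PAGES = {
    "mfa.example": b"<html><body><h1>Ministry of Foreign Affairs</h1><p>News</p></body></html>",
    "energy.example": b"<html><body><h1>Ministry of Energy</h1><p>Tariffs</p></body></html>",
    "sports.example": b"<html><body><h1>Ministry of Sports</h1><p>Events</p></body></html>",
}
BASELINE_HASHES = {site: hashlib.sha256(body).hexdigest() for site, body in BASELINE_PAGES.items()}

# Constructed "current" bodies: one defaced, one untouched, one legitimately edited.
CURRENT_PAGES = {
    "mfa.example": b"<html><body><h1>Ukrainians!</h1><p>All information about you has become public. "
                   b"Be afraid and expect the worst.</p></body></html>",
    "energy.example": b"<html><body><h1>Ministry of Energy</h1><p>Tariffs</p></body></html>",
    "sports.example": b"<html><body><h1>Ministry of Sports</h1><p>Events: updated schedule</p></body></html>",
}

# Phrases typical of defacement banners (constructed, case-insensitive regexes).
DEFACEMENT_MARKERS = (r"be afraid", r"expect the worst", r"hacked by", r"owned by")


def classify(body: bytes, baseline_hash: str):
    """Return (status, matched_markers) for one served page body.

    'ok'      : content hash matches the baseline
    'defaced' : content changed and a banner phrase is present
    'changed' : content changed but no banner; needs a human to confirm
    """
    digest = hashlib.sha256(body).hexdigest()
    if digest == baseline_hash:
        return "ok", []
    text = body.decode("utf-8", errors="replace")
    hits = [m for m in DEFACEMENT_MARKERS if re.search(m, text, re.IGNORECASE)]
    return ("defaced" if hits else "changed"), hits


def scan(current=CURRENT_PAGES, baselines=BASELINE_HASHES):
    """Classify every monitored site; returns {site: {status, markers}}."""
    report = {}
    for site, body in current.items():
        status, hits = classify(body, baselines[site])
        report[site] = {"status": status, "markers": hits}
    return report


def triage_actions(report):
    """Turn a scan report into an ordered list of defender actions."""
    defaced = sorted(s for s, r in report.items() if r["status"] == "defaced")
    changed = sorted(s for s, r in report.items() if r["status"] == "changed")
    actions = []
    if defaced:
        actions.append(f"take offline and restore from known-good: {', '.join(defaced)}")
        if len(defaced) > 1:
            # A wave across sites points at shared software, as Lewis describes.
            actions.append("multiple sites hit: check whether they share a CMS/platform; patch or isolate it")
        # Loud defacement may be a decoy, so look for the quieter activity too.
        actions.append("treat the defacement as a possible decoy: review auth logs, "
                       "new admin accounts and outbound traffic on the affected hosts")
    if changed:
        actions.append(f"confirm legitimate edits and re-baseline: {', '.join(changed)}")
    return actions


if __name__ == "__main__":
    result = scan()
    for site, finding in result.items():
        print(f"{site}: {finding['status']} {finding['markers']}")
    for action in triage_actions(result):
        print("-", action)
```

The hash comparison catches any change, the marker list only decides whether a change is labelled a defacement or left for review, so a banner in a language not covered by the markers still surfaces as "changed" rather than being missed. In practice the baseline hashes would be stored away from the web servers, since a compromised CMS can rewrite anything it serves.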

Map of Ukraine with European flag, courtesy of Wikimedia Commons, User:Verdy p, User:-xfi-, User:Paddu, User:Nightstallion, User:Funakoshi, User:Jeltz, User:Dbenbenn, User:Zscout370. Licensing details.
