‘Be Afraid:’ Massive Cyberattack Downs Ukrainian Gov’t Sites

Cyberattackers brought down around 70 Ukrainian government websites on Friday, defacing the site of the foreign ministry with a message to “Be afraid and expect the worst.”

The huge attack hit on Friday, unfolding hours after Russia and Western allies wrapped up fruitless talks intended to forestall a threatened Russian invasion of Ukraine.

The threatening message, which appeared in Ukrainian, Russian and Polish on the foreign ministry’s website, also alleged that Ukrainians’ personal data had been compromised: “Ukrainians! … All information about you has become public,” the message said. “Be afraid and expect worse. It’s your past, present and future.”

BuzzFeed News’ Christopher Miller shared an image of the message on Twitter. It displayed a crossed-out Ukrainian flag, map and coat of arms.

> NEWS IN KYIV: Several Ukrainian government websites down due to a major a cyberattack. Below is the @MFA_Ukraine website now. It reads in part: “Ukrainians!…All information about you has become public, be afraid and expect worse.” Sites of MOD and Education ministry also down. pic.twitter.com/3lbA06Q3Fl
>
> — Christopher Miller (@ChristopherJM) January 14, 2022

The message reportedly also referenced “historical land” and dropped the name of the Ukrainian insurgent army, or UPA. UPA is a Ukrainian nationalist paramilitary group that engaged in guerrilla warfare against the Soviet Union, the Polish Underground State, Communist Poland and Nazi Germany during World War II.

The foreign ministry’s spokesperson, Oleg Nikolenko, told The Guardian that the “massive cyberattack” has knocked the website of the ministry of foreign affairs offline temporarily.

According to the New York Times, the attack also crippled the sites of the cabinet of ministers, along with the ministries of energy, sports, agriculture, veterans’ affairs and ecology, among many other government websites. The websites of the president and the defense ministry reportedly weren’t affected.

“Our specialists have already started restoring the work of IT systems, and the cyber-police has opened an investigation,” Nikolenko told The Guardian.

The attack comes amid a tense time for the region, with the Kremlin demanding assurances that Ukraine won’t join NATO. Russia has amassed some 100,000 troops near the border with Ukraine.

On Friday, the E.U.’s top diplomat, Josep Borrell, condemned the attacks and offered help to Ukraine, saying that the attacks aren’t surprising. “We are going to mobilize all our resources to help Ukraine cope with these cyberattacks,” Borrell said. “Sadly, we expected this could happen.”

He added: “I can’t blame anybody as I have no proof. But we can imagine.”

Attribution Is ‘Impossible’ – False Flag?

Toby Lewis, head of threat analysis for Darktrace, agreed with Borrell that it is, indeed, “too early to discuss technical details,” he told Threatpost on Friday, but noted that the attacks may be a false-flag operation.

With regards to the extent of the attacks, he noted that government sites “are typically built on common software, which explains the domino effect of website shutdowns that we are seeing.”

Though it’s still early, we should be cautious about labeling it a “sophisticated” attack, he said.

“Some cyberattacks are more successful than others, some are advanced and others less so,” Lewis noted. “A distributed denial of service (DDoS) attack, for example, which is an attempt to bring down websites or networks by overwhelming the web server with internet traffic, is not particularly sophisticated and relatively easy to mitigate.”

As far as the website defacements go, they should be taken with a generous grain of salt, he said, being “designed to mimic ‘nationalist/separatist groups’ with claims that the attack was done in the name of the UPA (Ukrainian Separatist Army)” – a paramilitary group that hasn’t existed for more than 50 years.

“Attribution is impossible to do with digital data alone, and it is not unlikely that this is a false flag to divert attention away from the true perpetrators, to stir up unrest or simply impact the credibility of the website owners,” Lewis said.

Johannes Ullrich, dean of research for SANS Technology Institut and founder of the Internet Storm Center, downplayed the possibility of the effort being a nation-state attack.

“Based on past experience, this may very well be the work of hacktivists emboldened by current propaganda,” he said via email. “The defaced websites were only informational and likely did not hold sensitive information. Websites like this are often maintained using off-the-shelf content management systems, which are known to be notoriously vulnerable and are often breached even by low-level actors using either weak password or any number of vulnerabilities in content-management systems.”

Meanwhile, the Ukrainian Government has denied the defacement messages’ claims that data was leaked.

Ukraine: No Sign of Data Leaked

As far as the purported leak of data goes, Ukraine’s State Service of Communication and Information Protection refuted the claim.

The Independent reported that Ukraine’s minister for digital transformation, Mykhailo Fedorov, insisted that personal data was safe, since “the operability of the websites, not the registries,” was affected by the hack.

Fedorov reportedly said that some of the attacked websites were blocked by their administrators in order to contain the damage and investigate the attacks, and that “a large part” of the affected websites have already been restored.

Time will tell the extent of the damage to the sites, Lewis said, but the attackers’ bragging point of data theft does seem unlikely: “If the attacks really have access to sensitive data or have detonated ransomware, why would they shout the loudest about website defacement?”

He said that Darktrace sees these kind of “noisy attack techniques” used “to distract security teams’ attention away from more stealthy attacks,” and that “it remains to be seen if that is the case here.”

Map of Ukraine with European flag, courtesy of Wikimedia Commons, User:Verdy p, User:-xfi-, User:Paddu, User:Nightstallion, User:Funakoshi, User:Jeltz, User:Dbenbenn, User:Zscout370.Licensing details.

Password****Reset: **On-Demand Event: Fortify 2022 with a password security strategy built for today’s threats. This Threatpost Security Roundtable, built for infosec professionals, centers on enterprise credential management, the new password basics and mitigating post-credential breaches. Join Darren James, with Specops Software and Roger Grimes, defense evangelist at KnowBe4 and Threatpost host Becky Bracken.Register & Stream this FREE session today** – sponsored by Specops Software.