Ukrainian gov't sites disrupted by DDoS, wiper malware discovered
Ukraine's State Service of Special Communications and Information Protection said a number of government websites and banks are dealing with a "massive DDoS attack" as the country prepares for a potential invasion by Russian-backed forces.
The websites for the Ministry of Foreign Affairs, Ministry of Defense, Ministry of Internal Affairs, Security Service (SBU) and Cabinet of Ministers all faced outages confirmed both by the State Service of Special Communications and Information Protection and Netblocks, an organization tracking internet outages around the world.
⚠️ Confirmed: #Ukraine's Ministry of Foreign Affairs, Ministry of Defense, Ministry of Internal Affairs, the Security Service of Ukraine and Cabinet of Ministers websites have just been impacted by network disruptions; the incident appears consistent with recent DDOS attacks 📉 pic.twitter.com/EVyy7mzZRr
— NetBlocks (@netblocks) February 23, 2022
PrivatBank, the largest commercial bank in Ukraine, and Oschadbank, the State Savings Bank of Ukraine, both dealt with outages too.
Cloudflare told ZDNet that they have seen sporadic DDoS activity in Ukraine.
"We've seen more DDoS activity this week than last week, but less than a month ago. There have been attacks against individual websites in Ukraine which have been disruptive," a Cloudflare spokesperson said.
"So far they have been relatively modest compared to large DDoS attacks we've handled in the past."
A screenshot of the message left on the Privatbank website.
"Today, websites of a number of government and banking institutions have undergone a massive DDoS attack again. Some of the attacked information systems are not available or work intermittently. This is due to switching traffic to another provider to minimize damage. Other websites effectively resist the attack and work normally," the Service of Special Communications and Information Protection said in a statement.
"Currently, the State Service of Special Communications and Information Protection of Ukraine and other subjects of the national cybersecurity system are working on countering the attacks, collecting and analyzing information. We ask all authorities that have been attacked or are suspected to have been attacked to contact the Government Computer Emergency Response Team CERT-UA."
Later in the day, researchers at ESET discovered a new data wiper malware used in Ukraine. ESET telemetry allegedly showed that the wiper was installed on hundreds of machines.
"The wiper abuses legitimate drivers from the EaseUS Partition Master software in order to corrupt data. As a final step the wiper reboots the computer," ESET said.
"In one of the targeted organizations, the wiper was dropped via the default (domain policy) GPO meaning that attackers had likely taken control of the Active Directory server."
The Wiper binary is signed using a code signing certificate issued to Hermetica Digital Ltd 3/n pic.twitter.com/sGCl3Lbqc1
— ESET research (@ESETresearch) February 23, 2022
As many have noted online, the attack began around 4pm local time, right as Ukraine's parliament began to discuss a state of emergency declaration. The 30-day state of emergency was approved by the Ukrainian government as both US and NATO warned that a Russian invasion is likely. Russian forces moved into eastern parts of the country over the last two days.
Ukrainian journalists reported that Ruslan Stefanchuk, the chairman of parliament, said he and his family were repeatedly hit with cyberattacks. Hackers allegedly attempted to get into their email accounts, block access to their bank accounts and more, according to Kyiv Independent reporter Anastasiia Lapatina.
Many of the same websites were attacked last week in a series of DDoS incidents that the US attributed to Russia. The UK Foreign, Commonwealth & Development Office added that the Russian Main Intelligence Directorate (GRU) was involved in the attack.
US Deputy National Security Advisor for Cyber Anne Neuberger told the press that they have technical information showing that "GRU infrastructure was seen transmitting high volumes of communication to Ukraine-based IP addresses and domains."
In a detailed breakdown of that DDoS incident, CERT-UA said the attacks involved both the Mirai and Meris botnets and included a supplementary SMS disinformation message campaign.
That attack followed the defacement of more than 70 Ukrainian government websites in January.
Christian Sorensen, former leader of the international cyber warfare team at US CYBERCOM, said these attacks are designed to ratchet up attention and pressure.
"It doesn't sound like much impact yet. In the coming hours/days, I would anticipate more activities to isolate and disrupt Ukrainian citizens and especially government activities," said Sorensen, who is now CEO of cybersecurity firm SightGain.
"The purpose at this stage is to cause chaos and seed doubt in the government and economy. Next stage will be impactful and continue deterrence for other countries to get involved."