Ukraine’s parliament and other government and banking websites were hit with a fresh wave of distributed-denial-of-service attacks on Wednesday (February 23).
Cybersecurity researchers also said that unidentified attackers had infected hundreds of computers with destructive malware.
Officials have long said that they expect cyber-attacks to precede and accompany any Russian military incursion, and analysts said that the incidents hew to a nearly two-decade-old Russian playbook of wedding cyber operations with real-world aggression.
ESET Research Labs said that it detected a new piece of data-wiping malware on hundreds of machines in Ukraine. It was not clear, however, how many networks were affected.
“With regards whether the malware was successful in its wiping capability, we assume that this indeed was the case and affected machines were wiped,” ESET research chief Jean-Ian Boutin said in response to questions from The Associated Press.
Boutin said that he would not name the targets, to protect the victims, but that large organizations were affected. He added that while ESET is unable to say who was responsible, the attack appears to be related to the ongoing crisis in Ukraine.
Vikram Thakur, technical director at Symantec Threat Intelligence, said that his outfit detected three organisations which were hit by the wiper malware — Ukrainian government contractors in Latvia and Lithuania and a financial institution in Ukraine.
“All three had close affiliation with the government of Ukraine,” Thakur said, indicating the attacks were anything but randomly targeted. He said that roughly 50 computers at the financial organization were impacted by the malware, some with data wiped.
Senior Ukrainian cyber defense official Victor Zhora declined to comment on the issue.
Boutin said that the malware’s timestamp indicates that it was created last December. He said that it has only been seen in Ukraine.
“Russia likely has been planning this for months, so it is hard to say how many organisations or agencies have been backdoored in preparation for these attacks,” said Chester Wisniewski, principal research scientist at the cybersecurity firm Sophos.
Wisniewski guessed that the Kremlin intended the malware to send the message that it has compromised a significant amount of Ukrainian infrastructure and that these are just “little morsels” to show how ubiquitous its penetration is.
Word of the wiper follows a mid-January attack that Ukrainian officials blamed on Russia, in which the defacement of some 70 government websites was used to mask intrusions into government networks. In that attack, at least two servers were damaged with wiper malware masquerading as ransomware.
Thakur said that it was too early to say if the malware attack discovered on Wednesday was as serious as the variety that damaged servers in January.
Cyberattacks have been a key tool of Russian aggression in Ukraine since before 2014, when the Kremlin annexed Crimea and hackers tried to thwart elections. They were also used against Estonia in 2007 and Georgia in 2008.
Distributed-denial-of-service attacks are among the least impactful because they do not entail network intrusion. Such attacks barrage websites with junk traffic, so they become unreachable.
The DDoS targets on Wednesday included the defence and foreign ministries, the Council of Ministers and Privatbank, the country’s largest commercial bank. Many of the same sites were similarly knocked offline on February 13-14 in DDoS attacks that the US and UK governments quickly blamed on Russia’s GRU military intelligence agency. Wednesday’s DDoS attacks appeared less impactful than the earlier onslaught, with targeted sites soon reachable again as emergency responders blunted them.
Zhora’s office, Ukraine’s information protection agency, said that responders switched to a different DDoS protection service provider.
Doug Madory, director of internet analysis at the network management firm Kentik Inc., recorded two attack waves each lasting more than an hour.
A spokesman for California-based Cloudflare, which provides services to some of the targeted sites, said, “DDoS attacks in Ukraine have been sporadic and on the rise in the past month but relatively modest compared to large DDoS attacks we have handled in the past.”
The West blames Russia’s GRU for some of the most damaging cyber attacks on record, including a pair in 2015 and 2016 that briefly knocked out parts of Ukraine’s power grid and the NotPetya wiper virus of 2017, which caused more than $10 billion of damage globally by infecting companies that do business in Ukraine with malware seeded through a tax preparation software update.
The wiper malware detected in Ukraine this year has so far been manually activated, as opposed to a worm like NotPetya, which can spread out of control across borders.
(With inputs from Agencies)