Ukrainian government websites were knocked offline Wednesday in a new wave of cyberattacks pummeling Ukraine, just as Russian forces are starting to roll into the country and Ukraine declares a nationwide state of emergency over Russia’s recent aggression.
The sites of Ukraine’s Ministry of Foreign Affairs, its Security Service or SBU, and Cabinet of Ministers were all down Wednesday. Banks are also affected, Ukraine’s minister of digital transformation, Mykhailo Fedorov, said on his Telegram channel. Ukrainian soldiers have also recently reported receiving alarming text messages urging them to flee or be killed, in what appeared to be an attempt to degrade their morale.
Hackers have also recently deployed wiper malware, or destructive software, in Ukraine, cybersecurity researchers at ESET said Wednesday.
It was not immediately clear who was responsible for the website outages, hacking, or the SMS messages, or if it was the same actor, but it reeks of the same playbook the Russian government has used in recent days to try to use cyber-operations to sow confusion and doubt in Ukraine in advance of an invasion.
According to the U.S. and U.K. intelligence communities’ assessments, Russia's GRU, its main intelligence directorate, was responsible for a similar cyber-operation known as a DDoS that knocked Ukraine’s Ministry of Defense and Armed Services websites offline and hit Ukrainian banks just last week, Anne Neuberger, Biden's Deputy National Security Adviser for Cyber and Emerging Technology, said in recent days.
The attack appeared to have multiple prongs, including psychological effects: Ukrainians also received SMS messages alerting them that ATMs weren’t working in an apparent attempt to create panic in the country. The messages were fake, according to Ukraine’s police force.
Fedorov said the attacks on the websites in this case are DDoS operations as well, a type of cyber-operation in which attackers overwhelm a site to the point that it malfunctions and shuts down. Ukraine’s cybersecurity agency, the State Service for Special Communication and Information Protection, confirmed to The Daily Beast Wednesday that DDoS attacks had pummeled government websites and banks.
Cloudflare, a cybersecurity firm, told The Daily Beast that DDoS attacks have been on the uptick in Ukraine lately.
“We’ve seen sporadic DDoS activity in Ukraine. We've seen more DDoS activity this week than last week, but less than a month ago,” a spokesperson told The Daily Beast.
Hackers suspected to have ties to Russia last month also deployed wiper malware in Ukraine.
The hackers behind the destructive malware found Wednesday in Ukraine created it two months ago, ESET's Head of Threat Research told The Daily Beast, and only deployed it in Ukraine, suggesting a highly targeted attack.
Already, though, the attack seems to be spreading to other countries: Entities in Latvia and Lithuania, including at a government contractor, are affected by the wiper malware, Vikram Thakur, a Symantec technical director, told The Daily Beast.
It’s not clear whether the threatening SMS messages troops are receiving now, the hacking, and the fresh website outages are related.
But they appear to be a page out of Russia’s operations playbook, Steve Hall, the former CIA chief of Russia operations, told The Daily Beast.
“This is the old script that the Russians used—and that all militaries used. You’re always going to prepare the battlefield with some sort of propaganda efforts,” Hall told The Daily Beast. “Whether you’re dropping leaflets behind enemy lines… now it’s much easier these days you just go on the internet and send these leaflets in electronic format… you’re preparing the battlefield, you’re preparing the battlespace so that you soften resistance.”
Ukrainians have long received threatening text messages suspected to come from the Kremlin just like the ones they’re receiving this week, according to the Associated Press. After fighting increased in Eastern Ukraine in 2014, Ukrainians began receiving messages their forces were being decimated. In 2017, similar messages arrived:
“Ukrainian soldiers,” the messages warned, according to the AP, “they’ll find your bodies when the snow melts.”
Now, the messages warn Ukrainians to run for their lives.
“There is still time to save your life and leave the JFO zone,” the messages read, according to InformNapalm, a Ukrainian activist group, reported Focus, a Ukrainian news outlet.
Ukraine's information minister, Tkachenko Oleksandr, told Sky News the new cyber-operations are likely aimed at keeping Ukrainians under pressure.
“It is part of hybrid war to keep us in tension all the time,” he said.
Russia’s GRU could have more cyber-operations in the pipeline, including hack and leaks and destructive operations, John Hultquist, Vice President at Mandiant Threat Intelligence, told The Daily Beast.
“We expect a lengthy campaign of incidents that may range from simplistic to complex,” Hultquist told The Daily Beast. “In the past, we've seen the GRU carry out a protracted campaign that included DDoS, defacement, hack and leaks, and destructive attack. The incessant nature of the incidents ensures they are harder to ignore.”
The psychological operations like this and the cyberattacks from Russia are only likely to increase, and their arrival, just as Russia recognizes two breakaway territories in Ukraine and moves in for the jugular, suggests Russia is likely about to ramp things up even more, Hall said.
“It almost certainly presages more military operations.”