On Tuesday, institutions central to Ukraine’s military and economy were hit with a wave of denial-of-service (DoS) attacks, which sparked an avalanche of headlines around the world. The strike itself had limited impact — but the larger implications for critical infrastructure beyond Ukraine are worth noting, researchers said.
The targets were core entities to Ukraine: the Armed Forces of Ukraine, the Ministry of Defense, Oschadbank (the State Savings Bank) and Privatbank, the country’s largest commercial bank, servicing nearly 20 million customers. Oschadbank and Privatbank are considered “systemically important” to Ukraine’s financial markets.
Adam Meyers, senior vice president of intelligence at CrowdStrike, said via email that the attacks consisted of “a large volume of traffic, three orders of magnitude more than regularly observed traffic, with 99 percent of this traffic consisting of HTTPS requests.”
What Happened?
By overloading targeted servers, this kind of DoS attack ensured that end users couldn’t access their websites, bank accounts and so on for a period of time. As Ukraine’s Center for Strategic Communications noted in a Facebook post, some Privatbank customers found themselves “completely unable to access” the company’s app, while others’ accounts “do not reflect balance and recent transactions.”
Some customers received SMS messages claiming that ATMs were out of order, according to Ukraine’s Cyberpolice, which tweeted the claim. Those reports, however, were debunked, according to NPR.
Crucially, the attackers disrupted the availability of these websites and services, but not the integrity of any data. Thus, the transactions, balances and private information associated with bank accounts and military databases appear to be untainted, according to reports.
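The traffic profile Meyers describes above (a roughly thousandfold jump in request volume, almost all of it HTTPS) is the kind of shift a baseline check on web-server logs can surface before customers start reporting outages. The following Python is an added example, not code from the article or from any vendor quoted in it: it counts requests per minute from constructed log lines and flags minutes that exceed an assumed baseline rate by three orders of magnitude while being at least 99 percent HTTPS. The log format, baseline and thresholds are assumptions for the example.

```python
"""Flag minutes whose request volume matches the profile the article describes."""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed log lines, one request each: "<minute> <scheme> <client> <path>".
# The fourth minute is padded with 3000 HTTPS requests to simulate the spike.
SAMPLE_LOG = """\
2022-02-15T14:00 https 203.0.113.10 /login
2022-02-15T14:00 http 203.0.113.11 /
2022-02-15T14:01 https 203.0.113.12 /balance
""" + "\n".join(f"2022-02-15T14:02 https 198.51.100.{i % 250} /login" for i in range(3000))

BASELINE_PER_MINUTE = 2.0     # assumed normal rate, learned from quiet periods
MAGNITUDE_THRESHOLD = 1000.0  # "three orders of magnitude" above baseline
HTTPS_SHARE_THRESHOLD = 0.99  # the 99 percent HTTPS share the article reports


def parse_log(text: str) -> Dict[str, Counter]:
    """Count requests per minute, broken down by URL scheme."""
    per_minute: Dict[str, Counter] = defaultdict(Counter)
    for line in text.splitlines():
        if not line.strip():
            continue
        minute, scheme, _client, _path = line.split(maxsplit=3)
        per_minute[minute][scheme] += 1
    return per_minute


def flag_minutes(per_minute: Dict[str, Counter],
                 baseline: float = BASELINE_PER_MINUTE,
                 ratio: float = MAGNITUDE_THRESHOLD,
                 https_share: float = HTTPS_SHARE_THRESHOLD) -> List[Tuple[str, int, float]]:
    """Return (minute, total requests, HTTPS fraction) for minutes that exceed both thresholds."""
    flagged = []
    for minute in sorted(per_minute):
        counts = per_minute[minute]
        total = sum(counts.values())
        frac = counts.get("https", 0) / total
        if total >= baseline * ratio and frac >= https_share:
            flagged.append((minute, total, frac))
    return flagged


if __name__ == "__main__":
    for minute, total, frac in flag_minutes(parse_log(SAMPLE_LOG)):
        print(f"{minute}: {total} requests ({frac:.0%} HTTPS), "
              f"{total / BASELINE_PER_MINUTE:.0f}x baseline")
```

In practice the baseline would be derived from historical traffic rather than a constant, and the HTTPS-share test matters because a spike that is also unusually uniform in scheme or path is a stronger signal than volume alone.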
And, according to Ukraine’s State Special Communications Service, a “working group of experts” convened yesterday to take “all necessary measures to localize and resist the cyberattack.” All affected banking services had resumed by 7:30 p.m. local time on Tuesday, and the websites for the Armed Forces and Ministry of Defense have since been restored.
“The DDoS attacks against the Ukrainian defense ministry and financial institutions appear to be harassment similar to the previous DDoS attacks seen in January,” Rick Holland, CISO at Digital Shadows, said via email. “They could be a precursor to a significant attack or a component of a broader campaign to intimidate and confuse Ukraine.”
Part of a Much Broader Campaign
While limited in impact, these events came mere hours after the Security Service of Ukraine (SSU) reported a “massive wave of hybrid warfare” – 120 cyberattacks against government authorities, and a fake-news botnet of more than 18,000 social-media accounts – all designed to “systemically sow panic, spread fake information and distort the real state of affairs” in the country.
The SSU attributed this wave of hostile activity to a single unnamed but obvious “aggressor state.”
Likewise, Tuesday’s attacks have not been officially attributed. Still, their timing, as Russia mobilizes more than 100,000 troops at Ukraine’s northeast border, is inspiring speculation.
“It would be no surprise,” wrote Mike McLellan, director of intelligence at SecureWorks, via email, “if it transpires that they are the result of cyberattacks conducted by Russia, or by threat actors with a pro-Russian agenda.”
He added, “Russia has a history of cyberattacks designed to distract the Ukrainian government and critical infrastructure operators and undermine the trust among the Ukrainian population.”
And indeed, in the past two months, Russian advanced persistent threats (APTs) have been tied to an attack on 70 Ukrainian government websites, a wiper targeting government, non-profit and IT organizations, and increased attacks and espionage against military targets.
It’s also worth noting that the 2014 Russian invasion of Crimea coincided with an outbreak of the Turla virus, and targeted espionage attacks against government agencies, politicians and businesses.
Others, however, noted that there could be many beneficiaries of the fog of potential war.
“What could be a more likely scenario [than Russia carrying out the attacks] is that other countries like China and Iran take advantage of the chaos and fog of war to further their interests and conduct their campaigns against the West,” Holland noted. “As the saying goes, ‘never let a good crisis go to waste.’ The risk of these types of false-flag operations could have unintended consequences, and you can’t close Pandora’s Box once it’s opened.”
Tim Wade, technical director and deputy CTO at Vectra, cautioned against hasty attribution.
“There is no shortage of actors that could stand to benefit from chaos or disruption – ranging from criminal actors to nation states – and, unlike Hollywood movies, real motivations can be tricky to unwind,” he said via email.
Could Ukraine’s Problems Migrate West?
Besides the direct threat to Ukrainians, increasing cyber-disruption in the region could spill over to affect American and European countries and businesses.
Prior attacks against Ukrainian targets have crippled companies that simply do business or passively interact with Ukrainian organizations. Famously, the 2017 NotPetya malware that breached a Kiev-based accounting software vendor ended up causing billions of dollars of damage to multinational corporations like Maersk, Merck and FedEx.
Government officials have been warning of the potential for similar attacks directed at the United States government and its critical industries. A January bulletin from the Department of Homeland Security (DHS) concluded that “Russia would consider initiating a cyberattack against the Homeland if it perceived a U.S. or NATO response to a possible Russian invasion of Ukraine threatened its long-term national security.”
The DHS and FBI this week also warned of an uptick in Russian scanning of domestic law-enforcement networks and other American targets.
Security researchers noted that it’s important to be wary as the geo-political tensions continue — given that the chaos that would arise from a full-blown Russian incursion would provide plenty of cover for cyberattackers of all stripes.
As CrowdStrike’s Meyers said, “while there is no evidence of any targeting of western entities at this time, there is certainly potential for collateral impact as a result of disruptive or destructive attacks targeting Ukraine – this could impact companies that have a presence in Ukraine, those that do business with Ukrainian companies, or have a supply chain component in Ukraine such as code development/offshoring.”
Would the U.S. be ready in such a scenario? Last week, DHS officials told American cities that they were extra-vulnerable to wipers that could result in polluting a water supply or crashing a power grid. And it’s worth noting that, according to data from Cyber Seek, 600,000 cybersecurity roles across the nation are currently vacant, meaning that many organizations are understaffed for incident response.
“Are these attacks part of nation-state aggression? Or criminal opportunists exploiting a tense situation? Or just entirely coincidental? While answering with any certainty may be tough, what isn’t difficult is drawing a clear line of sight to the significance of cyber-resilience as it relates to critical services and infrastructure,” Vectra’s Wade noted. “Today, everyone operating something of value has a target on their back and we’d all do well to prepare for the inevitability of the consequences of that fact.”