Ukrainian soldiers stand guard as people attempt to leave Kiev train station on February 24, 2022.
AP Photo/Emilio Morenatti
BOSTON (AP) — Cyberattacks on Ukrainian government websites and affiliated organizations added to the confusion of Russia’s military assault on Thursday, including data-erasing malware activated a day earlier that, according to cybersecurity researchers, had infected hundreds of computers, including some in neighboring Latvia and Lithuania.
Researchers said the malware attack had apparently been in the works for three months.
A distributed denial-of-service attack that began last week and temporarily took government websites offline on Wednesday continued and there were sporadic internet outages across the country, said Doug Madory, director of Internet analysis for the American network management company Kentik Inc.
Measures to mitigate DDoS attacks met with some success, however, as key government websites, including those of the defense and interior ministries and the banking sites of Sberbank and Alfabank, were reachable on Thursday despite the assault. The US and allied governments quickly blamed the denial of service attacks on the Russian military intelligence agency GRU after they began last week. Such attacks make websites inaccessible by flooding them with unwanted data.
Major Russian websites also came under a denial of service attack on Thursday, Madory said, possibly in retaliation for similar DDoS attacks on Ukrainian websites.
As a result, Russian military (mil.ru) and Kremlin (kremlin.ru) sites, hosted by the Russian state Internet, were inaccessible or slow to load. Madory said that an entire block of Internet domains hosting kremlin.ru sites were under attack.
Ukraine’s cybersecurity agency said cellular networks were saturated with voice calls, suggesting those unable to complete them are using text messaging.
Madory said Ukraine’s internet is “currently under severe strain”.
London-based internet monitor Netblocks said the eastern city of Kharkiv, near which Russian forces were reportedly attacking, appeared to be “bearing the brunt of network and telecommunications disruptions”.
Some cybersecurity experts said before the attack that it might be in the Kremlin’s intelligence interests – and information warfare – not to attempt to suppress the Internet in Ukraine during a military attack.
Ukraine’s Cybersecurity Service also posted a list of known “active disinformation” channels to avoid on its Telegram channel.
It’s unclear how many networks were affected by the unprecedented data wipe, which targeted organizations in the finance, defense, aviation and information technology sectors, Symantec Threat Intelligence said in a blog post on Thursday.
ESET Research Laboratories said it detected the malware on “hundreds of machines around the country”. ESET research director Jean-Ian Boutin did not name the targets, but said they were “large organisations”.
Researchers said it was too early to say who was responsible, but Ukrainian officials blamed Russia for a similar attack last month that damaged the servers of at least two government networks.
Officials have long expected cyberattacks to precede and accompany any Russian military incursion. The combination of DDoS attacks, which bombard websites with unwanted traffic to make them inaccessible, and malware infections matches Russia’s established playbook of pairing cyber operations with real-world aggression.
Symantec said the wiper discovered on Wednesday bore some similarities to the malware deployed in the January attack, which was disguised as ransomware and activated alongside a headline-grabbing website defacement. Microsoft dubbed that malware WhisperGate.
Symantec detected the new wiper in three organizations — Ukrainian government contractors with offices in Latvia and Lithuania and a financial institution in Ukraine, said Vikram Thakur, its technical director. Both countries are members of NATO.
“The attackers pursued these targets with little regard for their physical location,” he said.
All three had “a close affiliation with the Ukrainian government,” Thakur said, adding that Symantec believed the attacks were “highly targeted.” He said around 50 computers at the financial firm were affected, some with erased data.
NATO has classified crippling cyberattacks against its members as potentially capable of triggering an armed response, but has been vague on the threshold, and the wiper attack was likely well below it.
Asked about the wiper attack on Wednesday, senior Ukrainian cyber defense official Victor Zhora did not comment.
“Russia has probably been planning this for months, so it’s hard to say how many organizations or agencies have been hijacked in preparation for these attacks,” said Chester Wisniewski, senior researcher at cybersecurity firm Sophos. He guessed that the Kremlin intended with the malware “to send the message that they have compromised a significant amount of Ukrainian infrastructure and these are just small bits to show how pervasive their penetration is.”
Cyberattacks have been a key tool of Russian aggression in Ukraine since before 2014, when the Kremlin annexed Crimea and hackers tried to thwart elections. They were also used against Estonia in 2007 and Georgia in 2008. Their intention may be to sow panic, confusion and distraction.
Distributed denial of service attacks are among the least impactful because they do not involve network intrusion. Such attacks block websites with unwanted traffic so that they become inaccessible.
The West blames Russia’s GRU for some of the most damaging cyberattacks on record, including a pair in 2015 and 2016 that briefly knocked out parts of Ukraine’s power grid and the 2017 NotPetya “wiper” virus, which caused more than $10 billion in damage worldwide by infecting companies doing business in Ukraine with malware distributed via an update to tax preparation software.
The wiper malware detected in Ukraine this year has so far been activated manually, unlike NotPetya, a worm that could spread uncontrollably across borders.