On Tuesday, institutions important to Ukraine’s military & economy were hit with a wave of denial-of-service (DoS) attacks, which created headlines worldwide. The strike had limited impact; however, the broader implications for critical infrastructure beyond Ukraine are obvious.
The targets were ‘core entities’ to Ukraine: the Armed Forces of Ukraine, the Ministry of Defence, Oschadbank (State Savings Bank) & Privatbank, the country’s biggest commercial bank, with nearly 20m customers. Oschadbank & Privatbank are considered “systemically important” to Ukraine’s financial markets.
Adam Meyers, Senior VP of intelligence at CrowdStrike, stated that the attacks consisted of “a large volume of traffic, 3 orders of magnitude more than regularly observed traffic, with 99% of this traffic consisting of HTTPS requests.”
What Happened?
By overloading the targeted servers, this sort of DoS attack meant that end users could not access their websites, bank accounts etc. for some time. As Ukraine’s Centre for Strategic Communications noted in a Facebook post, some Privatbank customers found themselves “completely unable to access” the company’s app, while others’ accounts “do not reflect balance & recent transactions.”
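The volumetric signature described above (request rate orders of magnitude above baseline, almost all of it HTTPS) is what a defender would look for first. The following is an added example, not code from the article or any of the vendors quoted: a small detector run over constructed access-log lines in an assumed `minute scheme path` format, flagging any minute whose request count reaches 1000x the baseline median and reporting the HTTPS share of that minute’s traffic.

```python
"""Volumetric flood detector over constructed access-log lines (added example)."""
import re
from collections import Counter, defaultdict
from statistics import median

# Assumed line format: "YYYY-MM-DDTHH:MM scheme path" (one request per line)
LINE_RE = re.compile(
    r"^(?P<minute>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}) (?P<scheme>https?) (?P<path>\S+)$"
)


def parse(lines):
    """Return {minute: Counter(scheme -> requests)}; malformed lines are skipped."""
    per_minute = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            per_minute[m["minute"]][m["scheme"]] += 1
    return per_minute


def flag_flood(per_minute, baseline_minutes, factor=1000, https_share=0.99):
    """Flag minutes whose request total is >= factor x the baseline median.
    The alert records the ratio and the HTTPS share so an analyst can compare
    it with the '3 orders of magnitude, 99% HTTPS' profile from the article."""
    baseline = median(sum(per_minute[m].values()) for m in baseline_minutes)
    alerts = {}
    for minute, counts in sorted(per_minute.items()):
        total = sum(counts.values())
        if baseline > 0 and total >= factor * baseline:
            share = counts["https"] / total
            alerts[minute] = {
                "requests": total,
                "ratio": total / baseline,
                "https_share": round(share, 3),
                "matches_profile": share >= https_share,
            }
    return alerts


def constructed_log():
    """Constructed sample: five quiet minutes of 5 requests, then one minute of 6000 (99% HTTPS)."""
    lines = []
    for i in range(5):
        lines += [f"2022-02-15T13:0{i} https /login"] * 4 + [f"2022-02-15T13:0{i} http /"]
    lines += ["2022-02-15T13:05 https /api/balance"] * 5940 + ["2022-02-15T13:05 http /"] * 60
    return lines


if __name__ == "__main__":
    counts = parse(constructed_log())
    quiet = [f"2022-02-15T13:0{i}" for i in range(5)]
    print(flag_flood(counts, quiet))
```

The baseline window must come from known-normal minutes; seeding it with flood minutes would raise the median and hide the attack.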
Some customers received SMS messages claiming that ATMs were ‘out of order’, according to Ukraine’s Cyberpolice, which tweeted the claim. Those reports, however, were debunked, according to NPR.
Availability
Importantly, the attackers disrupted the availability of these websites & services, but not the integrity of any data. So, according to reports, the transactions, balances & confidential information associated with bank accounts & military databases appear to be untouched.
According to Ukraine’s State Special Communications Service, a “working group of experts” convened yesterday to take “all necessary measures to localise & resist the cyber-attack.” All affected banking services had resumed by 7:30pm local time on Tuesday, & the websites for the Armed Forces & Ministry of Defence have since been restored.
“The DDoS attacks against the Ukrainian Defence Ministry & financial institutions appear to be harassment similar to the previous DDoS attacks seen in Jan,” Rick Holland, CISO at Digital Shadows explained. “They could be a precursor to a significant attack or a component of a broader campaign to intimidate & confuse Ukraine.”
Broader Campaign
While limited in impact, these events came only hours after the Security Service of Ukraine (SSU) reported a “massive wave of hybrid warfare” – 120 cyber-attacks against govt. authorities, & a fake news botnet of more than 18,000 social-media accounts – all designed to “systemically sow panic, spread fake information & distort the real state of affairs” in the country.
The SSU attributed this wave of hostile activity to a single ‘unnamed’ but obvious “aggressor state.”
Tuesday’s attacks have not been officially attributed. Still, their timing, as Russia mobilises more than 100,000 troops at Ukraine’s northeast border, is inspiring speculation.
Pro-Russian Agenda
“It would be no surprise,” wrote Mike McLellan, Director of Intelligence at SecureWorks, “if it transpires that they are the result of cyber-attacks conducted by Russia, or by threat actors with a pro-Russian agenda.”
He added that Russia has a history of cyber-attacks “designed to distract the Ukrainian govt. & critical infrastructure operators & undermine the trust among the Ukrainian population.”
In the last 2 months, Russian advanced persistent threats (APTs) have been linked to an attack on 70 Ukrainian govt. websites, a wiper targeting government, non-profit & IT organisations, & increased attacks & espionage against military targets.
Invasion of Crimea
It’s also worth noting that the 2014 Russian invasion of Crimea coincided with an outbreak of the Turla virus, & targeted espionage attacks against govt. agencies, politicians & businesses.
Others, however, noted that there could be many beneficiaries of the ‘fog of potential war.’
“What could be a more likely scenario than Russia carrying out the attacks is that other countries like China & Iran take advantage of the chaos & fog of war to further their interests & conduct their campaigns against the West,” Holland noted.
Pandora’s Box
“As the saying goes, ‘never let a good crisis go to waste.’ The risk of these types of false-flag operations could have unintended consequences, & you can’t close Pandora’s Box once it’s opened.”
Tim Wade, Technical Director & Deputy CTO at Vectra, cautioned against hasty attribution.
“There is no shortage of actors that could stand to benefit from chaos or disruption – ranging from criminal actors to nation states & that, unlike Hollywood movies, real motivations can be tricky to unwind,” he outlined.
Will Ukraine’s Problems Move West?
Besides the direct threat to Ukrainians, increasing cyber-disruption in the region could spill over to affect American & European countries & businesses.
Prior attacks against Ukrainian targets have crippled companies that simply do business or passively interact with Ukrainian organisations. Famously, the 2017 NotPetya malware that breached a Kiev-based accounting software vendor ended up causing billions of dollars of damage to multinational corporations like Maersk, Merck & FedEx.
Similar Attacks
Govt. officials have been warning of the potential for similar attacks directed at the United States government and its critical industries.
A Jan. bulletin from the US Department of Homeland Security (DHS) concluded that “Russia would consider initiating a cyber-attack against the Homeland if it perceived a US or NATO response to a possible Russian invasion of Ukraine threatened its long-term national security.”
US Domestic Law-Enforcement
The US DHS & FBI this week also warned of an increase in Russian scanning of US domestic law-enforcement networks & other American targets.
Security researchers noted that it is important to be wary as the geo-political tensions continue — given that the chaos that would arise from a full-blown Russian incursion would provide plenty of cover for cyber-attackers of all types.
CrowdStrike’s Meyers states, “while there is no evidence of any targeting of western entities at this time, there is certainly potential for collateral impact as a result of disruptive or destructive attacks targeting Ukraine – this could impact companies that have a presence in Ukraine, those that do business with Ukrainian companies, or have a supply chain component in Ukraine such as code development/offshoring.”
Vulnerable
Will the US be ready? Last week, US DHS officials told American cities that they were very vulnerable to wipers that could result in polluting a water supply or crashing a power grid.
Note that, according to data from Cyber Seek, 600,000 cyber-security roles across the nation are currently vacant, meaning that many organisations are understaffed for incident response.
Nation-State Aggression
“Are these attacks part of nation-state aggression? Or criminal opportunists exploiting a tense situation? Or just entirely coincidental? While answering with any certainty is difficult, what is not difficult is drawing a clear line of sight to the significance of cyber-resilience as it relates to critical services & infrastructure,” Vectra’s Wade noted.
“Today, everyone operating something of value has a target on their back & we’d all do well to prepare for the inevitability of the consequences of that fact.”