Alleged Attack Targeted Vulnerable Government Web Servers
Ukraine has accused Russia of turning Ukrainian government servers into a botnet for massive distributed denial-of-service attacks that then caused the servers to be blocked.
The National Security and Defense Council of Ukraine on Monday said that the attacks were carried out on the websites of the Security Service of Ukraine, the National Security and Defense Council of Ukraine and resources of other state institutions and strategic enterprises. It reports that addresses belonging to certain Russian traffic networks were the source of these coordinated attacks.
The attack campaign, which started on Feb. 18, targeted vulnerable government web servers, which were infected with a virus that covertly made them part of a botnet used for distributed denial-of-service attacks on other resources.
“At the same time, security systems of Internet providers identified compromised web servers as a source of attacks and began to block their work by automatically blacklisting them. Thus, even after the end of the DDoS phase, the attacked websites remain inaccessible to users,” the council states.
Chris Hauk, consumer privacy champion at Pixel Privacy, states that he hasn’t previously seen attacks using this tactic. “I must admit a bit of grudging admiration of the new way the Ukrainian networks were attacked. By infecting government web servers with a virus that makes them a part of a botnet used for DDoS attacks on other networks, the attack caused the Ukrainian servers to be blocked and blacklisted from the internet, making them inaccessible to users.”
Ukraine did not reveal details of any damage done, or say which Russian group it believes is behind the assault. Reuters, however, reports that Ukraine has previously accused Moscow of orchestrating large cyberattacks as part of a “hybrid war” against Ukraine, which Russia denies.
Sam Curry, chief security officer at Cybereason, says that the latest cyberespionage developments reportedly involving Russian operatives targeting Ukrainian defense and security sites are not surprising.
“Russia has been in Ukraine’s crosshairs for many years. Most people believe Russia was responsible for the massive global NotPetya cyberattack in June 2017 that hit many Ukrainian companies first before sending shock waves throughout the rest of the world. In this latest development, the Ukrainian government either has the evidence on Russia and they aren’t disclosing it, or they are in the beginning phases of an investigation and early signs point to Russia. Time will tell and the Ukrainian government has every right to protect its assets and interests in the region,” Curry says.
Ongoing tensions between Russia and Ukraine are now spilling over into cyberwarfare, says Natalie Page, cyberthreat intelligence analyst at Talion.
“At this early stage, while the network which carried out the attack has not been confirmed, it is not surprising that this attack has been attributed to Russia, given this long-established feud, combined with the details that attempts were made by the attackers to access Ukraine’s government severs,” Page notes.
Firms in Ukraine struggled to bring all systems back online following the devastating outbreak of NotPetya malware in 2017, which initially targeted Ukraine. Authorities in Ukraine blamed Russia (see: Police in Ukraine Blame Russia for NotPetya).
The Security Service of Ukraine, or SBU, had said that some code used in the NotPetya malware was previously used by the group that launched a December 2016 attack against Ukraine’s financial sector, transport sector and power-generating facilities, using attack tools named TeleBots or BlackEnergy.
The SBU then attributed the use of these attack tools to Russia’s Special Communications Service – the country’s equivalent to the U.S. National Security Agency.
“Unfortunately, Russia dispatching cyberattacks against Ukraine is not a new development. This activity has been ongoing for the past decade. State-sponsored actors launch large-scale malware campaigns intended to gain unauthorized access to networks, or lay dormant to attack at a later date,” says Anthony J. Ferrante, global head of cybersecurity at FTI Consulting.
In addition to stealing credentials, preventing access to legitimate information is also a goal of these malicious actors, achieved via misinformation operations and distributed denial-of-service attacks, Ferrante notes.
DDoS on the Rise
In January 2021, a report by application and network performance firm Netscout found threat actors exploiting vulnerable Microsoft Remote Desktop Protocol servers to amplify various distributed denial-of-service attacks.
Netscout researchers identified about 33,000 vulnerable Microsoft RDP servers that could be abused by threat actors to boost their DDoS attacks. RDP is a proprietary Microsoft communications protocol that system administrators and employees use to remotely connect to corporate systems and services (see: DDoS Attackers Exploit Vulnerable Microsoft RDP Servers and
Evolution of Application & DDoS Defenses.)
In addition to an FBI alert issued last year, the U.S. Cybersecurity and Infrastructure Security Agency has warned that DDoS attacks have become more frequent, targeting government agencies and financial firms (see: CISA Warns of Increased DDoS Attacks).
DDoS attackers have been adding an extortion element to these attacks, partly fueled by the rise in the value of bitcoin (see: DDoS Attackers Revive Old Campaigns to Extort Ransom).