WASHINGTON — Ukrainian websites were paralyzed by denial of service cyberattacks ahead of Russia’s overnight offensive, with analysts discovering data-corrupting malware coursing through the country’s computers shortly thereafter.
The sites for Ukraine’s defense, foreign affairs and interior ministries, among others, were knocked offline Feb. 23, according to the government, as Russian forces moved in. Explosions were reported around the country — including near the capital, Kyiv.
Distributed denial of service attacks flood a site with traffic, rendering them useless.
Ukrainian agencies and banks were previously hit with a denial of service cyberattack Feb. 15, while Russia continued massing troops and materiel along its border. Websites were crippled in January, as well.
While experts urged caution in attributing blame in the immediate aftermath of the attacks, the White House National Security Council claimed to have evidence linking them to a Russian intelligence agency.
“The U.S. has technical information linking Russian GRU to this week’s distributed denial of service attacks in Ukraine,” the council said in a Feb. 18 tweet. “Known GRU infrastructure has been noted transmitting high volumes of communications to Ukraine-based IP addresses and associated banking-related domains.”
And just hours after the DDoS attacks, cybersecurity firm ESET separately warned of a hostile data-wiping software “installed on hundreds of machines” in Ukraine. Dubbed Hermetic Wiper, the malware was able to corrupt data on users’ computers, according to ESET researchers. The company went on to note that metadata in the software suggests the attack may have been in preparation for almost two months.
Cyberattacks preceding an offensive in Ukraine have long been predicted, though exactly who is to blame for the latest onslaught was not immediately clear. A request for comment made Thursday morning to U.S. Cyber Command was not immediately answered.
Moscow has used cyber and disinformation campaigns to project its force in the past, including in Ukraine in 2015, according to the U.S. Cybersecurity and Infrastructure Security Agency.
Greg Austin, a senior fellow for cyber, space and future conflict at the Institute for Strategic Studies, on Thursday said Russia “has launched many cyberattacks on Ukraine.” But, he added, “even as the Ukraine crisis escalates further, Russia is unlikely to unleash the full power of its cyber sabotage operations.”
Ukraine has sought closer ties to NATO’s cyber center of excellence in Estonia, which could provide much-needed expertise and resources. But the country’s formal membership was denied last year.
The NATO Cooperative Cyber Defence Centre of Excellence is staffed and financed by the U.S., the U.K., Canada, South Korea, Germany, Japan and many others.
CISA on Feb. 18 said the cyber operations observed abroad demonstrate how quickly foreign governments and other actors can spring into action and potentially target U.S. infrastructure and other interests.
“We need to be prepared for the potential of foreign influence operations to negatively impact various aspects of our critical infrastructure with the ongoing Russia-Ukraine geopolitical tensions,” the agency’s director, Jen Easterly, said in a statement at the time.
Easterly in a Thursday morning tweet said there were “no specific threats to the US” at the moment.
Colin Demarest is a reporter at C4ISRNET, where he covers military networks, cyber and IT. Colin previously covered the Department of Energy and its National Nuclear Security Administration — namely Cold War cleanup and nuclear weapons development — for a daily newspaper in South Carolina. Colin is also an award-winning photographer.