Cyberattacks against Ukrainian government websites and affiliated organizations added to the confusion of Russia’s military assault Thursday, including data-wiping malware activated a day earlier that cybersecurity researchers said infected hundreds of computers including in neighboring Latvia and Lithuania.
Researchers said the malware attack had apparently been in preparation for as much as three months.
A distributed-denial-of-service attack that began last week and temporarily knocked government websites offline Wednesday continued and there were sporadic internet outages across the country, said Doug Madory, director of internet analysis for the U.S. network management firm Kentik Inc.
Measures to blunt the DDoS attacks were having some success, however, as major government websites including those of the defense and interior ministries and the banking sites of Sberbank and Alfabank were reachable Thursday despite the onslaught. U.S. and allied governments quickly blamed the denial-of-service attacks on Russia’s GRU military intelligence agency after they began last week. Such attacks render websites unreachable by flooding them with junk data.
Major Russian websites also came under a denial-of-service attack on Thursday, Madory said, possibly in retaliation for the similar DDoS attacks on Ukrainian websites.
The sites of Russia’s military (mil.ru) and Kremlin (kremlin.ru), hosted by the Russia State Internet Network, were unreachable or slow to load as a result. Madory said an entire block of internet domains that host kremlin.ru sites was under attack.
Ukraine’s cybersecurity agency said cellular networks were saturated with voice calls, suggesting that people unable to complete them use text-messaging.
Madory said Ukraine’s internet was “under severe stress presently.”
The London-based Netblocks internet monitor said the eastern city of Kharkiv, near which Russians were reported attacking, appeared to be taking “the brunt of network and telecoms disruptions.”
Some cybersecurity experts said prior to the assault that it might be in the Kremlin’s intelligence — and information war — interests not to try to take down Ukraine’s internet during a military attack.
Ukraine’s cybersecurity service also published a list on its Telegram channel of known “active disinformation” channels to avoid.
It was not clear how many networks were affected by the previously unseen data-wiping, which targeted organizations in the financial, defense, aviation and information technology industries, Symantec Threat Intelligence said in a blog post Thursday.
ESET Research Labs said it detected it on “hundreds of machines in the country.” ESET research chief Jean-Ian Boutin would not name the targets but said they were “large organizations.”
The researchers said it was too early to say who was responsible, but Ukrainian officials blamed Russia for a si milar attack last month that damaged servers in at least two government networks.
Officials have long expected cyberattacks to both precede and accompany any Russian military incursion. The combination of DDoS attacks, which bombard websites with junk traffic to render them unreachable, and malware infections hewed to Russia’s playbook of wedding cyber operations with real-world aggression.
Symantec said the “wiper” discovered Wednesday had some similarities to malware deployed in the January attack, which was disguised as ransomware and activated during a diversionary headline-grabbing website defacement. Microsoft dubbed it WhisperGate.
Symantec detected the new wiper at three organizations — Ukrainian government contractors with offices in Latvia and Lithuania and a financial institution in Ukraine, said Vikram Thakur, its technical director. Both countries are NATO members.
“The attackers have gone after these targets without much caring for where they may be physically located,” he said.
All three had “close affiliation with the government of Ukraine,” said Thakur, saying Symantec believed the attacks were “highly targeted.” He said roughly 50 computers at the financial outfit were affected, some with data wiped.
NATO has classified crippling cyberattacks on its members as potentially capable of triggering an armed response but has been vague on the threshold and the “wiper” attack was likely far below it.
Asked about the wiper attack on Wednesday, senior Ukrainian cyber defense official Victor Zhora had no comment.
“Russia likely has been planning this for months, so it is hard to say how many organizations or agencies have been backdoored in preparation for these attacks,” said Chester Wisniewski, principal research scientist at the cybersecurity firm Sophos. He guessed the Kremlin intended with the malware to “send the message that they have compromised a significant amount of Ukrainian infrastructure and these are just little morsels to show how ubiquitous their penetration is.”
Cyberattacks have been a key tool of Russian aggression in Ukraine since before 2014, when the Kremlin annexed Crimea and hackers tried to thwart elections. They were also used against Estonia in 2007 and Georgia in 2008. Their intent can be to sow panic, confuse and distract.
Distributed-denial-of-service attacks are among the least impactful because they don’t entail network intrusion. Such attacks barrage websites with junk traffic so they become unreachable.
The West blames Russia’s GRU for some of the most damaging cyberattacks on record, including a pair in 2015 and 2016 that briefly knocked out parts of Ukraine’s power grid and the NotPetya “wiper” virus of 2017, which caused more than $10 billion of damage globally by infecting companies that do business in Ukraine with malware seeded through a tax preparation software update.
The wiper malware detected in Ukraine this year has so far been manually activated, as opposed to a worm like NotPetya, which can spread out of control across borders.