What we do and don’t know about the cyberattack on Ukraine

While links with Russian hacking groups, or Russia itself, are far from certain, some experts point at similar tactics used in the past.

A laptop screen displays a warning message on the official website of the Ukrainian Foreign Ministry.
Reuters


Just after talks between Russia and the US on the Ukraine crisis reached a dead end last week, the country was hit by a cyberattack that defaced and took down several government websites.

The attackers left a message on the Ukrainian foreign ministry website that read: “Ukrainians! … All information about you has become public. Be afraid and expect worse. It’s your past, present and future.” The message featured a crossed-out map and flag of Ukraine, and made some reference to the Ukrainian insurgent army, or UPA, which fought against the Soviet Union during the second world war.

On Sunday, the Ukrainian government blamed Russia for the attack, calling it the latest manifestation of Russia’s ongoing “hybrid war” against Ukraine, which began in 2014 when Russia invaded and annexed the Crimean peninsula. Ukraine provided no evidence for the attribution, and Russia denied the claim.

“We are nearly accustomed to the fact that Ukrainians are blaming everything on Russia, even their bad weather,” Kremlin spokesman Dmitry Peskov said.

The attack comes as tensions have ratcheted up between the Western bloc and Russia after Moscow deployed about 100,000 troops near Ukraine’s border. Moscow has denied that it is planning an invasion, but has demanded that NATO rule out membership for Ukraine and other ex-Soviet countries, citing threats to its security.

It also comes on the heels of a crisis in neighbouring Belarus, where thousands of mostly Middle Eastern migrants and refugees gathered at the border with Poland after flying into Belarus with short-term visas.


Among others, John Hultquist, an analyst at US cybersecurity firm Mandiant, pointed out that last week’s defacement of government websites showed similarities to the “fake ransomware” attacks used by Russian hackers in several large-scale operations in Ukraine and elsewhere. In a fake ransomware attack the malware presents a ransom note, but there is no working recovery mechanism behind it: rather than encrypting data so that victims can pay to get it back, it simply wipes the data out.

In a blog post on Saturday, Microsoft said it had detected a “destructive malware operation targeting multiple organizations in Ukraine and surrounding region”, which first appeared on January 13 – around the same time government agencies in Ukraine found their websites had been defaced.

The organisations affected, Microsoft said, include key government agencies and an IT firm that manages websites for public and private sector clients – including the government agencies whose websites were recently defaced.

“At this time, we have not identified notable overlap between the unique characteristics of the group behind these attacks and groups we’ve traditionally tracked but we continue to analyse the activity,” Microsoft said.

US national security adviser Jake Sullivan said the US government was also examining the code reported by Microsoft, but confirmed that the attack had not yet been attributed.

“It’s possible that Russia could conduct a series of cyberattacks,” Sullivan told CBS News. “That’s part of their playbook. They’ve done it in the past in other contexts.”

Ukraine, a laboratory for cyberwarfare

It would not be the first time Ukraine has been targeted by cyberattacks later attributed to Russian hackers.

In December 2015, a cyberattack on regional power distribution companies left about 80,000 customers without electricity for up to six hours in western Ukraine in the dead of winter, when temperatures fall well below freezing. The attack was later attributed to Sandworm, a Russian hacking group that, according to some cybersecurity experts, was also involved in the 2016 hacking of Democratic candidate Hillary Clinton’s election campaign, helping propel Donald Trump to power.

In 2020, six Sandworm operatives, all officers of the GRU, Russia’s military intelligence agency, were indicted in the US for the Ukrainian power grid attacks and for targeting the 2017 French elections and the 2018 Winter Olympic Games in South Korea. The same indictment charged them with releasing the NotPetya worm in 2017, which spread from Ukraine around the world to become one of the costliest cyberattacks in history, causing an estimated $10 billion in damage.

In late 2016, then-President Petro Poroshenko said Ukrainian state institutions had been hit by some 6,500 cyberattacks in the space of two months, and accused Russian security services of waging a cyberwar against his country.

Christian Kaunert, a professor of policing and security at the University of South Wales, said one anomaly of the latest attack is that there was no apparent attempt to disguise the attackers’ Russian identity.

“In the past, hackers would have tried to hide a little bit more, potentially, that they’re linked to the Russian entity,” Kaunert told TRT World. “So the likelihood is that the purpose of this particular attack was a different one. The purpose wasn’t necessarily to damage governmental websites. The purpose here was rather, it seems to me, to give a warning.”
