Boston (AP) – Ukraine’s parliament and other government and financial websites were targeted by another round of distributed-denial-of-service assaults on Wednesday, according to cybersecurity analysts, who also claimed that anonymous attackers infected hundreds of devices with damaging malware.
Officials have long predicted that cyberattacks will precede and accompany any Russian military incursion, and analysts say the episodes follow a nearly two-decade-old Russian playbook of combining cyber operations with real-world action.
ESET Research Labs said Wednesday that it discovered a new data-wiping piece of malware in Ukraine on “hundreds of PCs around the nation.” However, it remained unclear how many networks were affected.
“With regard to whether the virus was effective in its wiping capacity, we assume that this was the case and impacted devices were wiped,” ESET research leader Jean-Ian Boutin told The Associated Press in response to inquiries.
Boutin refused to disclose the targets “to protect the victims,” but he did state that “these were significant companies that were hit,” and that while ESET cannot tell who was responsible, “the assault looks to be tied to the ongoing issue in Ukraine.”
According to Vikram Thakur, technical director at Symantec Threat Intelligence, the wiper malware infected three organisations: Ukrainian government contractors in Latvia and Lithuania, as well as a Ukrainian financial institution.
According to Thakur, all three had “deep ties to the Ukrainian leadership,” indicating that the assaults were not random. He stated that the malware had affected around 50 machines at the banking institution, with some having their data deleted.
“No remarks,” stated Victor Zhora, a top Ukrainian cyber defence officer, when questioned about the ESET discovery.
According to Boutin, the malware’s timing shows it was generated in late December. He stated that it has only been spotted in Ukraine.
“Russia has most certainly been preparing this for months, so it is difficult to estimate how many companies or agencies have been backdoored in preparation for these assaults,” said Chester Wisniewski, senior research scientist at cybersecurity firm Sophos. He believes the Kremlin wanted the virus to “convey the message that they have penetrated a big portion of Ukrainian infrastructure, and these are just small nibbles to illustrate how pervasive their infiltration is.”
The wiper was discovered during a mid-January attack blamed on Russia, in which the defacement of around 70 government websites was used to disguise breaches of government networks. At least two servers in those networks were destroyed by wiper malware posing as ransomware.
Thakur said it was too early to tell whether the malware assault found Wednesday was as severe as the one that crippled systems in January.
Since before 2014, when the Kremlin took Crimea and hackers attempted to disrupt elections, cyberattacks have been a crucial tactic of Russian aggression in Ukraine. They were also used in 2007 against Estonia and 2008 against Georgia.
Because they do not involve network infiltration, distributed-denial-of-service assaults are among the least damaging cyberattacks. Such assaults flood websites with garbage traffic, rendering them unavailable.
The military and foreign ministries, the Council of Ministers, and Privatbank, the country’s largest commercial bank, were among the DDoS targets on Wednesday. Many of the same sites were taken offline on Feb. 13-14 in DDoS assaults blamed on Russia’s GRU military intelligence agency by the US and UK governments.
As a result of emergency responders’ efforts, Wednesday’s DDoS attacks proved to be less damaging than the previous onslaught, with targeted sites quickly becoming accessible again. Responders shifted to a new DDoS protection service provider, according to Zhora’s office, Ukraine’s information protection organisation.
Doug Madory, director of internet intelligence at network management firm Kentik Inc., captured two assault waves that lasted more than an hour each.
DDoS assaults in Ukraine have been irregular and on the rise in the last month, according to a spokesperson for California-based Cloudflare, which supplies services to some of the targeted sites, but “quite moderate compared to massive DDoS attacks we’ve handled in the past.”
The West blames Russia’s GRU for some of the most damaging cyberattacks on record, including a pair in 2015 and 2016 that briefly knocked out parts of Ukraine’s power grid and the NotPetya “wiper” virus of 2017, which caused more than $10 billion in global damage by infecting companies doing business in Ukraine with malware seeded through a tax preparation software update.
In contrast to a worm like NotPetya, which may spread uncontrollably across borders, the wiper malware identified in Ukraine this year has been manually triggered.