KYIV – More than 70 Ukrainian government websites were hit by a “well-coordinated” cyberattack overnight on January 13-14, Ukrainian cybersecurity officials said.
Ten of those websites “underwent unauthorized penetration,” Ukraine’s State Service of Special Communications and Information Protection (SSSCIP) said.
Ukraine’s Security Service (SBU) and SSSCIP, which protects government information technology assets and provides secure communications, said the massive intrusion was “a supply chain attack” that delivered destructive malware disguised as ransomware. The goal of the attack was to destroy the data on infected computers.
SSSCIP Deputy Chairman Viktor Zhora told The Ukrainian Weekly that only a “state actor” could be behind such a large and “well-coordinated attack.”
He added that an investigation is ongoing and refrained from attributing the cyberattack to a specific country.
Some of “the patterns and techniques” that Russia used in the past during “similar” attacks on Ukraine’s cyber infrastructure are the same and are “related to their [Russia’s] constant aggression, including in cyberspace,” Mr. Zhora said.
Moscow has denied any involvement in the incident.
“We have nothing to do with it. Russia has nothing to do with these cyberattacks,” Kremlin spokesman, Dmitry Peskov, told CNN. “Ukrainians are blaming everything on Russia, even their bad weather in their country,” he said in English.
So far, at least a dozen computers at two unnamed government agencies were “wiped” clean by the malware, which is known as WhisperGate.
Defacement of several websites was another feature of the cyberattacks. The Foreign Affairs Ministry’s main page was affected, while the websites for some of its embassies, including in Germany and the U.S., were temporarily not responding on January 14.
A trilingual message appeared on the Foreign Affairs Ministry’s website (www.mfa.gov.ua). That message, written in Ukrainian, Russian and Polish, warned Ukrainians to “be afraid and expect the worst.”
However, Mr. Zhora said so far “we have no proof of data leakage during the attacks.”
He added that there was “no doubt this was state sponsored. … Its goal was to bring as much damage as could be possible without a financial component [ransomware] with the attack.”
The attacks took place “simultaneously” overnight when computer networks and systems are usually “at their most vulnerable,” Mr. Zhora said, adding that one of their goals “is to damage Ukrainian infrastructure.”
Computing giant Microsoft released additional information on the attack on January 15, identifying the new malware as “WhisperGate,” which “wipes data.”
The attacks targeted “government, non-profit and information technology entities in Ukraine,” and they came amid Russia’s current threat to escalate its war against Ukraine.
Microsoft said it also suspected a “state actor” in the systemic hack: “As with any observed nation-state actor activity, Microsoft … notifies customers that have been targeted or compromised, providing them with the information they need to guide their investigations.”
An unnamed information technology firm that “manages [Ukrainian government] websites for public and private sector clients, including government agencies” was also affected by the malware, according to Microsoft.
Mr. Zhora explained how a “supply chain attack” works: the attackers exploit the trusted connection between a “client” and its “service provider” to reach the target computer.
Hackers use “the provider’s infrastructure to penetrate the client’s network. … If the hack has administrative credentials, they can use it and log into client systems.”
ESET, a Slovakia-based internet security company that sells anti-virus products, separately said that the hackers used a “crypting service from [the] darkweb” to keep the malware from being detected.
Some of that crypting was made “four days prior to the attack in Ukraine,” ESET added via a Twitter thread.
“It is likely that attackers were trying to avoid existing detections at the last moment before the attack. That’s why they used third party criminal services,” the company said.
The SBU, which is also responsible for cybersecurity at the national security level, reported “neutralizing” over 2,000 attacks last year on “Ukrainian government resources” that are strategically important to “critical infrastructure.”
The last cyberattack on Ukraine of this scale took place in 2017 and is known as “NotPetya,” which the U.S. and Ukraine attributed to Russia.
NotPetya was likewise a wiper posing as ransomware; it spread through a compromised update of the M.E.Doc accounting software used by many Ukrainian businesses. The power outages in western Ukraine and in the Kyiv region were caused by separate, earlier attacks on the electricity grid in December 2015 and December 2016, not by NotPetya.
In October 2020, the U.S. Justice Department charged six Russians – current and former members of Russia’s GRU military intelligence – with conducting NotPetya and other cyberattacks, including the attacks on Ukraine’s grid.
Mr. Zhora of SSSCIP said NotPetya was also a supply chain attack and it ended up “infecting computers of businesses worldwide, causing nearly $1 billion in damage,” Radio Free Europe/Radio Liberty reported.