As diplomatic efforts to stave off armed conflict in Ukraine continue this week, a series of distributed denial of service (DDoS) attacks on targets in Ukraine that took place on 15 February 2022 are now being firmly attributed to malicious actors backed by the Russian government.
The attacks rendered the website of Ukraine’s Ministry of Defence inaccessible for a time, and also hit at least two banks and a web hosting firm at the same time.
Although Ukrainian authorities initially declined to firmly attribute the cyber attacks to any one actor, they later reversed course, saying there was only one country interested in conducting such attacks on Ukraine – Russia – and have been backed by both the US and the UK in this.
The Foreign, Commonwealth and Development Office (FCDO) – itself the subject of a recent cyber attack – said late on Friday 18 February that the National Cyber Security Centre (NCSC) was now able to assess from technical information that the Russian Main Intelligence Directorate (GRU) was “almost certainly” involved.
“The UK government judges that the Russian Main Intelligence Directorate (GRU) were involved in this week’s distributed denial of service attacks against the financial sector in Ukraine,” said an FCDO spokesperson.
“The attack showed a continued disregard for Ukrainian sovereignty. This activity is yet another example of Russia’s aggressive acts against Ukraine. This disruptive behaviour is unacceptable – Russia must stop this activity and respect Ukrainian sovereignty. We are steadfast in our support for Ukraine in the face of Russian aggression.”
At about the same time, Anne Neuberger, the US deputy national security advisor for cyber and emerging technology, said: “Russia likes to move in the shadows and counts on a long process of attribution so it can continue its malicious behaviour against Ukraine in cyber space, including pre-positioning for its potential invasion. In light of that, we’re moving quickly to attribute the DDoS attacks.
“We believe that the Russian government is responsible for wide-scale cyber attacks on Ukrainian banks this week. We have technical information that links…the Russian Main Intelligence Directorate, or GRU, as known GRU infrastructure was seen transmitting high volumes of communications to Ukraine-based IP addresses and domains.”
Neuberger said the speed of this attribution was somewhat unusual, but added that the US had taken the decision to call out Russia more quickly than it usually might because of a need to hold nation-states accountable when conducting “disruptive or destabilising” cyber attacks.
Neuberger said that the US had been increasing cyber support to Ukraine since November, and was working behind the scenes to help the country respond to and recover from attacks, and strengthen the resilience of Ukraine’s critical national infrastructure (CNI).
Standard attacks
Last week’s attacks on Ukraine may well have been commissioned by the Russian intelligence services, but analysis of network traffic conducted by Netscout has shown that in many regards the attacks were well within established norms in terms of their size and methods.
The attackers likely used standard DDoS-capable botnets to carry out the attacks, said Netscout, with nodes located in New Zealand, Portugal, Russia, the UK, the US, and even within Ukraine itself. The botnet in question was likely a typical Mirai botnet, with a command and control (C2) node located in the Netherlands.