Hackers brought down several Ukrainian government websites Friday, posting a message on the site of the Foreign Ministry saying, “Be afraid and expect the worst.” It was the latest in a long line of cyberattacks targeting the country amid its conflict with Russia.
The attack Friday was ominous for its timing, coming a day after the apparent breakdown of diplomatic talks between Russia and the West intended to forestall a threatened Russian invasion of Ukraine. The message appeared in Ukrainian, Russian and Polish on the Foreign Ministry website.
“As a result of a massive cyberattack, the websites of the Ministry of Foreign Affairs and a number of other government agencies are temporarily down,” the ministry said in a statement.
Diplomats and analysts have been anticipating a cyberattack on Ukraine, but proving such actions is notoriously difficult. Ukraine did not directly blame Russia for the attack but pointedly noted that there was a long record of Russian online assaults against Ukraine.
The move to post the message on the Foreign Ministry site in three languages seemed to be an effort to obfuscate the origins of the hackers and their motives, and shift blame and suspicion elsewhere.
“Ukrainians! All your personal data was uploaded to the internet,” the message read. “All data on the computer is being destroyed. All information about you became public. Be afraid and expect the worst.”
It also raised a number of historical grievances between Poland and Ukraine.
The attack came within hours of the conclusion of talks this week between Russia and the United States and NATO in Europe that were intended to find a diplomatic resolution after Russia massed tens of thousands of troops near the border with Ukraine. Moscow has demanded sweeping security concessions, including a promise not to accept Ukraine into the NATO alliance.
On Thursday, Russian officials said the talks had not yielded results, and one senior diplomat said they were approaching “a dead end.”
Russia’s deputy foreign minister, Sergei Ryabkov, said after the last round of talks Thursday that “the United States and its allies are actually saying ‘no’ to key elements of these texts,” referring to two draft treaties on security issues that Russia had proposed to NATO and the United States. “This is what we call a dead end or a different approach.”
Ukrainian government websites began crashing a few hours later, according to the Ukrainian Foreign Ministry, which said the cyberattack occurred overnight from Thursday to Friday.
By morning, the hack had crippled much of the government’s public-facing digital infrastructure, including the most widely used site for handling government services online, Diia. The smartphone app version of the program was still operating, the Ukrainska Pravda newspaper reported. Diia also has a role in Ukraine’s coronavirus response and in encouraging vaccination.
The attack crippled the sites of the Cabinet of Ministers, and the ministries of energy, sports, agriculture, veterans affairs and ecology, along with many other government websites. The websites of the president and the defense ministry remained online.
Often, untangling the digital threads of such cyberoperations can take days or weeks, which is one of the appeals of their use in modern conflicts. Sophisticated cybertools have turned up in standoffs between Israel and Iran, and the United States blamed Russia for using hacking to influence the 2016 U.S. election to benefit Donald Trump.
Ukraine has long been viewed as a testing ground for Russian online operations, a sort of free-fire zone for cyberweaponry in a country already entangled in a real-world shooting war with Russian-backed separatists in two eastern provinces. The U.S. government has traced some of the most drastic cyberattacks of the past decade to Russian actions in Ukraine.
Tactics seen first in Ukraine have later popped up elsewhere. A Russian military spyware strain called X-Agent or Sofacy used to hack Ukraine’s Central Election Commission during a 2014 presidential election, for example, was later found in the server of the Democratic National Committee in the United States after the electoral hacking attacks in 2016.
Other types of malware like BlackEnergy, Industroyer and KillDisk, intended to sabotage computers used to control industrial processes, shut down electrical substations in Ukraine in 2015 and 2016, causing blackouts, including in the capital, Kyiv.
The next year, a cyberattack targeting Ukrainian businesses and government agencies spread, perhaps inadvertently, around the world in what Wired magazine later called “the most devastating cyberattack in history.” The malware, known as NotPetya, had targeted a type of Ukrainian tax preparation software but apparently spun out of control, according to experts.
The attack initially seemed narrowly focused on the conflict between Ukraine and Russia. It coincided with the assassination of a Ukrainian military intelligence officer in a car bombing in Kyiv and the start of a European Union policy granting Ukrainians visa-free travel, an example of the type of integration with the West that Russia has opposed.
But NotPetya spread around the world, with devastating results, illustrating the risks of collateral damage from military cyberattacks for people and businesses whose lives are increasingly conducted online, even if they live far from conflict zones. Russian companies, too, suffered when the malware started to circulate in Russia.
A U.S. grand jury in Pittsburgh in 2020 indicted six Russian military intelligence officers for the electrical grid shutdowns and the NotPetya attack, in a court filing showing the costs of releasing military-grade malware onto the open internet.
The indictment cited three U.S. companies — a FedEx subsidiary; Heritage Valley Health System, a Pennsylvania-based hospital group; and an unidentified pharmaceutical company — that together suffered nearly $1 billion in damages from computers scrambled by the Russian cyberweapon initially directed at Ukraine. The total global cost is thought to be far higher.
Maria Varenikova contributed reporting.