KYIV — Ukraine reported a targeted hack of government websites Friday amid a deepening crisis with Russia and left experts puzzling over the ominous message left by the hackers: “Be afraid and expect the worst.”
Ukraine officials said it was too early to say who was behind the hack — which Ukraine described as “massive” — but noted Russia had been behind similar attacks before. Analysts said the defacements may be the work of nonstate agents or hacktivists, noting that vandalizing government websites was not a sweeping or sophisticated hacking operation.
But at least one Ukrainian agency, the Center for Strategic Communications and Information Security, openly blamed Russia, linking it to Russia’s efforts to block Ukraine’s aspirations to join NATO.
The timing of the attack also elevated worries in Ukraine. It came a day after the latest round of diplomatic efforts in Europe failed to deter Russia’s military buildup near Ukraine or persuade Moscow to de-escalate. Russia stood firm on its demands, including that NATO block Ukraine from possibly joining the military alliance and end military aid to Ukraine.
Russia has up to 100,000 troops massed on the Ukrainian border, prompting fears of an invasion. Russia insists it has no plans to launch a major military escalation against Ukraine, where the Kyiv government has battled Russian-backed separatists in the eastern region of Donbas since 2014. But US officials have raised alarms that Moscow could be laying the groundwork for military action.
In Washington, the Biden administration asserted Friday that Russia has sent operatives into eastern Ukraine in preparation for potential sabotage operations that would serve as a pretext for invasion, according to a US official who spoke on the condition of anonymity under ground rules established by the Biden administration.
Yet Russia also offered a hand Friday to the United States with the arrest of 14 alleged members of the REvil ransomware gang and announced that it had eliminated the group at the request of Washington.
The Russia-based REvil gang has carried out numerous attacks on major global companies, including the July attack on software provider Kaseya and the May attack on the world’s biggest meat-processing business, JBS. Former REvil associates also are believed to be responsible for the May cyberattack on Colonial Pipeline that led to gas shortages on the US East Coast.
The Ukraine hack also triggered concern in Washington and Europe with officials watchful of the role of cyber and information attacks in modern warfare. Any major cyberattack on Ukraine by the Russian state could also trigger tough new sanctions.
The National Security Council said in a statement that the United States and allies were “concerned about this cyberattack” and that President Biden had been briefed. The NSC said it was not yet known who was to blame, adding that the impact seemed limited, with government websites swiftly restored.
“We are in touch with the Ukrainians and have offered our support as Ukraine investigates the impact and nature and recovers from the incidents,” the statement said.
A statement from Ukraine’s cyber police said that “more than five” government sites were attacked and that authorities had launched an investigation to identify the perpetrators. Officials said it was too early to say who was behind the attacks.
In a later briefing, Viktor Zhora, deputy head of Ukraine’s state agency for special communications and information protection, said that “close to 70” federal and local government websites were attacked and that a “substantial portion” were up and working again.
Commenting on who was responsible for the attack, Andriy Yermak, head of the presidential office of Ukraine, said “we have some thoughts about who made it” but did not elaborate. He said Ukraine had expected such attacks as part of an effort to destabilize the country internally.
Defacements themselves are not technically sophisticated. “This may appear to be a complex operation but could be the result of access to a single system creating a widespread effect,” said John Hultquist, director of intelligence for Mandiant, a cybersecurity firm. “It’s important not to overestimate the capability necessary to carry out this attack.”
Mass defacements of Ukrainian government sites are consistent with past incidents as tensions have grown in the region. In conjunction with the Russian invasion of Georgia in 2008, “patriotic” hackers sympathetic to Russia blocked access to Georgian government websites and defaced a Ministry of Foreign Affairs site, juxtaposing pictures of the Georgian president with pictures of Hitler. In 2019, hackers with Russia’s military spy agency, GRU, carried out mass defacements of Georgian government sites.
“As tensions grow we can expect more aggressive cyber activity in Ukraine and potentially elsewhere,” Hultquist said.
The defacement message included a reference to issues of dispute between Poland and Ukraine, a “dubious” suggestion that the author is a Polish nationalist, Hultquist said. Fake nationalist personas are used regularly by Russian actors seeking to shield aggressive activity “behind a deniable facade,” he said.