Ukraine has been under cyber attack for days. However, the aggression against the country’s digital infrastructures intensified when the Ukrainian parliament began discussing a state of emergency to counter the Russian military threat. DDoS attacks, attacks that prevent access to affected websites, have targeted the sites of the ministries of Defense, Foreign Affairs and the Interior making them unreachable for many hours to date. PrivatBank, the largest commercial bank in Ukraine, and Oschadbank, the State Savings Bank of Ukraine, were also targeted. The attacks followed DDoS and defacement of more than 70 Ukrainian government websites in January.
Cloudflare, a company that protects websites from just this type of attack with its technology, said through a spokesperson that “This week we saw more DDoS activity than last week, but less than a month ago. There have been attacks on individual websites in Ukraine that have been disruptive. “
Eset researchers in Bratislava and other cybersecurity companies such as Symantec, however, have downplayed the attacks that took place last night, believing that those previously suffered were even more extensive, and that the real danger now comes from a wiper-type malware that would have infected hundreds of computers throughout the geographical area around Ukraine, including Latvia and Lithuania. Malware would be able to erase the entire memory of infected computers with all the data contained, damaging their firmware and thus rendering them useless. Referred to as “KillDisk”, the wiper destroys the Master Boot Record of the physical disks connected to the machines, which requires reinstallation from scratch.
According to Jean-Ian Boutin, head of ESET research, many different organizations would have been targeted in a targeted manner this wiper: mainly government contractors and at least one Ukrainian financial institution. In the previous weeks, according to the Ukrainian press, there were also several attempts to intrude on the e-mails of the President of the Ukrainian Parliament and his family, while in the criminal underground of ransomware groups the green light was given to attack with extortion software. Ukrainian economic realities.
Hybrid warfare
All international observers expected this type of hybrid aggression knowing Russia’s ability to use cyber weaponry to achieve its political and military goals, and in the end British and American intelligence confirmed it. Anne Neuberger, US Deputy National Security Advisor, told the press that she had technical information showing that “the Gru infrastructure has been seen transmitting high volumes of communications to IP addresses. and domains based in Ukraine “.
In a detailed analysis of DDoS incidents, the Ukrainian computer emergency response team said the attacks involved both Mirai and Meris botnets. Mirai is the botnet of infected zombie computers that blocked all Internet communication on the east coast of the United States in 2016, making the sites of Amazon, Twitter and New York Times unreachable. The blocking of government sites has been confirmed by Netblocks, an organization that tracks Internet outages around the world.
According to analysts, these attacks are designed to increase attention and pressure by creating chaos among the population and the same malware unleashed could also reach the infrastructures of Western Europe. For Enrico Frumento of Cefriel “The fear now is that, as has already happened in the past, there are dormant malware pre-installed in the main European critical infrastructures, written ad-hoc and silent and therefore not detected, but ready to be activated on command”. Just today, the Italian topic of response to cyber incidents published the first Indicators of Compromise of the Data Wiper found yesterday and created extraordinary measures aimed at protecting digital infrastructures.
But already in recent days, the US cyber defense agency Cisa had issued a series of joint alarms with the NSA and the FBI, warning the US navy, army and air force contractors to raise their guard levels. The set of indications for the protection of military and industrial secrets, for the protection of critical infrastructures and advice for the management of disinformation have taken the name of operation Shields Up.
Disinformation as a weapon
But now there are two aspects to consider: the first is that the time stamp of the wiper is in December and this supports the hypothesis of a planning of its use, the second is that the targets are also foreign to Ukraine but in countries Born as Lithuania and Latvia. What will happen?
It is known that Russia has long invested in cyber warfare and guerrilla activities that systematically organize espionage and industrial sabotage to the point of trying to interfere with elections and parliaments around the world. According to experts, Ukraine could be a broad-spectrum testing ground for these groups and to test NATO’s cyber response capabilities.
Finally, the role that fake news can play in this type of hybrid war should not be underestimated. In fact, a disinformation campaign was identified via SMS capable of reaching even the Ukrainian soldiers themselves. The Atlantic Council’s Digital Forensic Research Lab has also reported a series of false narratives distributed over the past few weeks on social media and touted by pro-Kremlin newspapers and televisions. They all have the same purpose, to minimize the effects of the conflict on the civilian population and to present Putin as a wise head of government.
To protect itself from disinformation, the European Union has long since defined guidelines and launched a series of projects, while Sweden has created the Psychological Defense Agency against disinformation while the Trusted Introducer’s network of European CSIRTs is mobilizing. following the Russian attack in Ukraine to suspend Russia and Belarus, and share all the information related to the latest DDoS, Malware, Ransomware, Wiper attacks related to the events in progress.