Just before Russian forces moved into Ukraine, the country’s Defense Ministry and two of its largest banks were taken offline by distributed denial of service (DDoS) attacks. This followed the defacement of numerous government websites throughout the country. Now that war is underway, can more cyber attacks be expected based on the way these incidents played out?
Ukraine government websites, banks harassed ahead of invasion
Russia has a long history of incursions into Ukraine’s cyberspace, though these cyber attacks are often hard to definitively attribute. This has been the modus operandi of the threat groups backed by the Russian intelligence services for a long time; motive and circumstantial evidence often point directly to them, but there is always at least some amount of plausible deniability.
In the ramp-up to the eventual invasion, Ukraine first saw a number of its provincial and local government websites defaced with threats of dire consequences to come. This was actually more restrained than Russia has tended to be since 2014; previous incidents suspected to be backed by its hacking teams saw power grids and bank services temporarily shut down, among other real world consequences.
The second wave of cyber attacks focused not just on government websites, but also on two of the country’s major banks: PrivatBank and Oschadbank. The second set of these attacks went farther, taking websites offline with DDoS attacks. A suspicious text message campaign falsely claiming that ATMs were malfunctioning also occurred around the time that the banks were being targeted.
The government of Ukraine was quick to attribute the attacks to Russia; cybersecurity experts traced the earlier website defacements back to the intelligence services of Belarus, a Russian ally known to do work for them. The DDoS came in from multiple countries, including Russia, but that is a common trait of these types of attacks. Whatever the case, it was the largest DDoS campaign in the history of Ukraine, and Russia has certainly proven to be the most interested party.
Are more cyber attacks forthcoming?
The pattern of the cyber attacks does fit Russia’s general intentions and past actions, but seemed restrained compared to some of the things that have been done in the past. The banks and government websites were ultimately only inconvenienced for a few hours in both cases.
There is the possibility that other criminal threat actors took advantage of the geopolitical tensions to target banks in the country, deploying a DDoS campaign in an attempt to distract IT assets from some sort of attempt at an actual breach. There is no evidence of this at present, however. The only thing that lends any real credence to this theory is that Russia’s ultimate military strategy didn’t seem to have any connection to these attacks at all.
More attacks are possible in the coming days, however. Russia has made clear that its intention is to have Ukraine surrender, with a guarantee that it will remain neutral and not join NATO or host weapons. Cyber attacks may well put additional pressure on Ukraine’s government to that end.