The Wayback Machine - https://web.archive.org/web/20220115031352/https://www.nytimes.com/2022/01/14/world/europe/hackers-ukraine-government-sites.html

Hackers Bring Down Government Sites in Ukraine

“Be afraid,” warned a message on the defaced Foreign Ministry website, a day after talks between the West and Moscow aimed at preventing a Russian invasion hit an impasse.

KYIV, Ukraine — Hackers brought down dozens of Ukrainian government websites on Friday and posted a message on one saying, “Be afraid and expect the worst,” a day after a breakdown in diplomatic talks between Russia and the West intended to forestall a threatened Russian invasion of the country.

Diplomats and analysts have been anticipating a cyberattack on Ukraine, but proving the source of such actions is notoriously difficult. Ukraine’s Foreign Ministry did not directly blame Russia for the attack, but pointedly noted that there was a long record of Russian online assaults against Ukraine.

A Ukrainian government agency, the Center for Strategic Communications and Information Security, which was established to counter Russian disinformation, later issued a statement more directly blaming Russia for the hack.

“We have not seen such a significant attack on government organizations in some time,” it said. “We suggest the current attack is tied to the recent failure of Russian negotiations on Ukraine’s future in NATO,” it added, referring to Moscow’s talks with the West.

The message was posted in three languages — Ukrainian, Russian and Polish — in what seemed like an effort to obfuscate the origins of the hackers and their motives, and shift blame and suspicion elsewhere.

“Ukrainians! All your personal data was uploaded to the internet,” the message read. “All data on the computer is being destroyed. All information about you became public. Be afraid and expect the worst.” It also raised a number of historical grievances between Poland and Ukraine.

The attack came within hours of the conclusion of talks between Russia and the United States and NATO that were intended to find a diplomatic resolution after Russia massed tens of thousands of troops near the border with Ukraine.

On Friday, the Biden administration also accused Moscow of sending saboteurs into eastern Ukraine to stage an incident that could provide Russia with a pretext for invasion. The White House did not release details of the evidence it said it had collected.

Moscow has demanded sweeping security concessions, including a promise not to accept Ukraine into the NATO alliance. But the cyberattack Friday led to immediate pledges of support and closer cooperation with Ukraine from NATO and the European Union, exactly the opposite of what Russian diplomats had said they were seeking.

On Thursday, Russian officials said the talks had not yielded results, and one senior diplomat said they were approaching “a dead end.”

Russia’s deputy foreign minister, Sergei A. Ryabkov, said after the last round of talks on Thursday that, “the United States and its allies are actually saying ‘no’ to key elements of these texts,” referring to two draft treaties on security issues that Russia had proposed to NATO and the United States. “This is what we call a dead end or a different approach,” Mr. Ryabkov said.

Ukrainian government websites began crashing a few hours later, according to the Ukrainian Foreign Ministry, which said the cyberattack occurred overnight from Thursday to Friday.

By morning, the hack had crippled much of the government’s public-facing digital infrastructure, including the most widely used site for handling government services online, Diia. The smartphone app version of the program was still operating, the Ukrainska Pravda newspaper reported. Diia also has a role in Ukraine’s coronavirus response and in encouraging vaccination.

The attack crippled the sites of the Cabinet of Ministers, and the ministries of energy, sports, agriculture, veterans’ affairs, and ecology, along with many other government websites. The websites of the president and the defense ministry remained online. Ukrainian officials said the attack targeted 70 government websites.

A statement from the Center for Strategic Communications and Information Security, the Ukrainian agency, noted a resumption in recent days of Russian military exercises near the border with Ukraine and said, “the hacking activity targeting state bodies could be a part of this psychological attack on Ukrainians.”

Jens Stoltenberg, the secretary general of NATO, who just days earlier had been in negotiations in Brussels with a Russian delegation asking for a halt in cooperation with Ukraine, responded to the cyberattack by saying that NATO would increase its coordination with Kyiv on cyberdefenses.

“I strongly condemn the cyberattacks on the Ukrainian Government,” Mr. Stoltenberg said in a statement, adding, “NATO & Ukraine will step up cyber cooperation & we will continue our strong political & practical support.” A NATO spokesman clarified that the alliance would in the coming days sign an agreement providing Ukraine access to a NATO information sharing system to fight malware.

The European Union’s top diplomat, Josep Borrell, told a gathering of European foreign ministers on Friday that the bloc would mobilize cyber-response teams and assist Ukraine with cyberdefenses.

Often, untangling the digital threads of such cyberoperations can take days or weeks, which is one of the appeals of their use in modern conflicts. Sophisticated cybertools have turned up in standoffs between Israel and Iran, and the United States blamed Russia for using hacking to influence the 2016 election in the United States to benefit Donald J. Trump.

Ukraine has long been viewed as a testing ground for Russian online operations, a sort of free-fire zone for cyberweaponry in a country already entangled in a real world shooting war with Russian-backed separatists in two eastern provinces. The U.S. government has traced some of the most drastic cyberattacks of the past decade to Russian actions in Ukraine.

Tactics seen first in Ukraine have later popped up elsewhere. A Russian military spyware strain called X-Agent, or Sofacy, that Ukrainian cyber experts say was used to hack Ukraine’s Central Election Commission during a 2014 presidential election, for example, was later found in the server of the Democratic National Committee in the United States after the electoral hacking attacks in 2016.

Other types of malware like BlackEnergy, Industroyer and KillDisk, intended to sabotage computers used to control industrial processes, shut down electrical substations in Ukraine in 2015 and 2016, causing blackouts, including in the capital, Kyiv.

The next year, a cyberattack targeting Ukrainian businesses and government agencies spread, perhaps inadvertently, around the world in what Wired magazine later called “the most devastating cyberattack in history.” The malware, known as NotPetya, had targeted a type of Ukrainian tax preparation software but apparently spun out of control, according to experts.

The attack initially seemed narrowly focused on the conflict between Ukraine and Russia. It coincided with the assassination of a Ukrainian military intelligence officer in a car bombing in Kyiv and the start of an E.U. policy granting Ukrainians visa-free travel, an example of the type of integration with the West that Russia has opposed.

But NotPetya spread around the world, with devastating results, illustrating the risks of collateral damage from military cyberattacks for people and businesses whose lives are increasingly conducted online, even if they live far from conflict zones. Russian companies, too, suffered when the malware started to circulate in Russia.

A U.S. grand jury in Pittsburgh in 2020 indicted six Russian military intelligence officers for the electrical grid shutdowns and the NotPetya attack, in a court filing showing the costs of releasing military grade malware onto the open internet.

The indictment cited three American companies — a FedEx subsidiary; Heritage Valley Health System, a Pennsylvania-based hospital group; and an unidentified pharmaceutical company — that together suffered nearly $1 billion in damages from computers scrambled by the Russian cyberweapon initially directed at Ukraine. The total global cost is thought to be far higher.

Maria Varenikova contributed reporting.