This included data-wiping malware that was activated a day before and cybersecurity researchers claimed infected hundreds more computers, including those in Lithuania and Latvia.
Researchers claimed that the malware attack was in preparation for up to three months.
A distributed-denial-of-service attack that began last week and temporarily knocked government websites offline Wednesday continued and there were sporadic internet outages across the country, said Doug Madory, director of internet analysis for the U.S. network management firm Kentik Inc.
However, measures to stop DDoS attacks were working. Major government websites, including those of defense and interior ministries, and the banks sites of Sberbank, Alfabank, and Alfabank, were accessible Thursday, despite the attack. After the attacks began last week, U.S. and allies quickly blamed Russia for the denial of service attacks. These attacks make websites impossible to access by flooding them with junk information.
Madory stated that major Russian websites were also subject to a denial of service attack on Thursday. This may have been in retaliation to similar DDoS attacks against Ukrainian websites.
Russia State Internet Network hosted the sites of Russia’s military and Kremlin. They were slow to load or unreachable. Madory stated that an entire block of domains hosting kremlin.ru sites were under attack.
According to Ukraine’s cybersecurity agency, cell networks are saturated with voice calls. This suggests that text-messaging is more effective than voice calls.
Madory stated that the internet in Ukraine was currently under severe stress.
The Netblocks internet monitor, based in London, stated that Kharkiv, the easternmost city, was taking the brunt of disruptions to network and telecoms.
Some cybersecurity experts stated that the Kremlin might have intelligence and information war interests to not attempt to shut down Ukraine’s Internet during a military attack.
The Telegram channel of Ukraine’s cybersecurity agency also contains a list of channels that are known to be “active disinformation”.
It wasn’t clear how many networks were affected, as the data-wiping was previously unknown. This targeted organizations in the financial and aviation industries, Symantec threat Intelligence stated in a blog post on Thursday.
ESET Labs claimed it detected it on “hundreds” of machines in the country. However, ESET chief Jean-Ian Boutin said that the targets were large organizations.
Researchers said that it was too soon to determine who was responsible. However, officials from Ukraine blamed Russia for the si millar attack on servers in at least two government network.
Officials had expected that cyberattacks would be a part of any Russian military incursion. DDoS attacks that bombard websites with junk traffic in order to make them unavailable, combined with malware infections, echoes Russia’s strategy of marrying cyber-attacks with real-world aggression.
Symantec claimed Wednesday’s “wiper”, which it discovered, had similarities to the malware used in January’s attack. This ransomware was activated during a headline-grabbing website defacement. Microsoft called it WhisperGate.
Symantec identified the new wiper in three organizations: Ukrainian government contractors, with offices in Latvia, Lithuania, and a financial institution, in Ukraine. Vikram Thakur is its technical director. Both are NATO members.
He said, “The attackers have gone after the targets without much care for where they might be physically located.”
Thakur said that all three were in “close association with the government” of Ukraine. He also said Symantec believed the attacks had been “highly targeted”. He stated that approximately 50 computers were affected at the financial institution, with some data being wiped.
NATO has classified cyberattacks that could cause crippling damage to its members as possible triggers for an armed response, but it has not specified the threshold. The “wiper”, however, was unlikely to be above it.
Victor Zhora, a senior Ukrainian cyber defense official, refused to answer questions about Wednesday’s wiper attack.
“Russia has likely been planning this for months,” stated Chester Wisniewski (principal researcher scientist at cybersecurity firm Sophos). He believed the Kremlin wanted to send the message that they had compromised a substantial amount of Ukrainian infrastructure. These are only a few morsels to demonstrate how widespread their penetration is.
Since 2014, cyberattacks have been a key weapon of Russian aggression in Ukraine. This was before the Kremlin annexed Crimea. Hackers tried to disrupt elections. They were used in 2008 against Georgia and Estonia, respectively. They can also be used to create panic, confusion and distraction.
Distributed-denial-of-service attacks are among the least impactful because they don’t entail network intrusion. These attacks hammer websites with junk traffic, making them unreachable.
The West has blamed Russia’s GRU in some of the most destructive cyberattacks ever recorded. These include a pair of attacks in 2015 and 2016, which briefly shut down parts of Ukraine’s power grid, and the NotPetya virus of 2017, which infected companies doing business in Ukraine with malware that was distributed through a tax preparation software upgrade.
This year’s wiper malware was detected in Ukraine. It has been activated manually, unlike a NotPetya worm, which can spread beyond borders.
