(Bloomberg) -- A hacking campaign against nearly two dozen government websites was designed to “spread chaos” as part of a larger hybrid warfare effort against Ukraine, a high-ranking government official in the country told Bloomberg News.
Hackers used a combination of technical tools in an attempt to disrupt Ukrainian government agencies, according to Mykhailo Fedorov, Ukraine’s minister of digital transformation. The Jan. 14 attack affected 22 websites, some of which were visibly defaced. Intruders also used malicious software capable of deleting data from affected domains.
The cyberattacks coincided with the buildup of tens of thousands of Russian troops at the Ukrainian border and international anxieties that Russia may launch a ground invasion. Ukraine’s Security Service, the SBU, previously said initial evidence suggested that hacking groups linked to Russian intelligence carried out the breach, a claim Moscow has denied.
The focus of the investigation is now on a possible supply chain breach, in which intruders may have accessed Ukrainian systems through a third party, Fedorov said. While scrutinizing compromised systems, he added, Ukrainian cyber investigators found suspicious activity from otherwise legitimate user accounts.
The hacking campaign, which remains under investigation, involved the use of a so-called wiper malware disguised as ransomware, a technique that Microsoft Corp. said in a blog post was “intended to be destructive” and render targeted machines inoperable. Ukrainian cybersecurity personnel also said on Wednesday they detected a strain of destructive malware, which was capable of adding malicious code to affected hard drives.
The investigation remains focused on whether hackers exploited vulnerabilities in a content management system, October CMS, and a widely used software library, Log4j, to launch the attacks, Fedorov said.
“It was a well-planned attack, and it had clear goals,” Fedorov said, adding that evidence indicates the campaign was intended to “spread chaos” and “damage and destabilize the operation of certain government agencies.”
There appeared to be a “short deadline for the implementation of the attack,” he said, indicating “many hackers” were involved.
As part of an effort to minimize fallout from the attack, the Ukrainian government shut down the website, diia.gov.ua, for a popular app that citizens can use to store everything from passports and driver’s licenses to vaccination certifications, he said. Technical specialists moved the website to new infrastructure over the course of several days “to make sure that there were no surprises,” as the private company that worked on the site was also attacked, he added.
Hacked websites were also updated to include a message in Ukrainian, Russian and Polish warning Ukrainian citizens that their personal data had been uploaded to the internet. The message was posted by the hackers, and Ukraine’s government has since said no such personal data was compromised.
Malicious cyber activity of this kind “has a negative impact on people’s emotions,” Fedorov said, and was part of a broader effort to “manipulate people’s minds.” Attempted hacks have increased by roughly 10% each quarter, he said, adding that it is difficult to determine where the attacks are coming from because a virtual private network, which obscures the users’ location, is used most of the time.
Larissa Doroshenko, a researcher at Northeastern University who has studied Russian disinformation, said the recent tactics are in keeping with traditional Russian propaganda measures, which aim to undercut trust in government and media institutions.
“The primary goal is to create distraction and chaos,” she said.
Ukrainian security officials said six of the 22 affected websites were “severely damaged,” while 70 sites were taken offline at the direction of government authorities. Cybersecurity personnel in Ukraine are well prepared for such events due to strong law enforcement cooperation and improved communication with citizens, Fedorov said. Ukraine also has recent experience with major disruptions: Suspected Russian hackers have attacked electrical systems there on at least two occasions.
U.S. technology companies have also sought to unpack events surrounding the latest breach.
Talos, a cyber-focused unit of Cisco Systems Inc., said on Jan. 20 it had uncovered “indications of compromise” in one Ukrainian government agency dating back to summer 2021, with the launch of the wiper malware coming more recently. That suggests the hackers may have originally accessed Ukrainian networks without knowing exactly when or how they would later launch an attack.
“One of the tricky things about evaluating the activity is that this actor is very good at walking the line to achieve its political intent, which is true of anywhere they act, not just Ukraine,” said Matt Olney, director of threat intelligence and interdiction at Cisco Talos.
“The intent has been, and will continue to be for the foreseeable future, to undermine the normal day-to-day operations of the civic government so there is a lack of faith in the current administration to effectively govern the country,” Olney said.
©2022 Bloomberg L.P.