Ukraine: We’ve repelled ‘nonstop’ DDoS attacks from Russia

A Ukraine agency said Saturday that government websites have been hit with continuous distributed denial-of-service (DDoS) attacks, which the agency attributed to “Russian hackers,” since Russia’s invasion on February 24.

However, “despite all the involved enemy’s resources, the sites of the central governmental bodies are available,” the State Service of Special Communication and Information Protection (SSSCIP) of Ukraine said in a tweet.

Since the invasion, Ukraine’s government has been focusing much of its public communications around the Russia-provoked military conflict on the ground. The tweets, however, were an acknowledgment that Ukraine has continued to face attacks in the cyber realm, as well. It also appeared to be the first time that cyberattacks have been attributed to threat actors in Russia since the invasion began.

DDoS attacks against military and financial institutions in Ukraine that took place prior to the invasion, on February 15-16, were attributed to the Russian government by officials in the U.S. and U.K. DDoS typically attempt to force websites or networks offline by overwhelming servers with traffic.

‘Nonstop’ attacks

In its tweets on Saturday, the SSSCIP said that “Russian hackers keep on attacking Ukrainian information resources nonstop,” and have been doing so “since the beginning of [the] invasion.”

The agency specified that the attacks have been DDoS attacks “primarily” aimed at the websites of the Ukrainian parliament (Verkhovna Rada), president Volodymyr Zelenskyy, the cabinet of ministers, the defense ministry and the internal affairs ministry of Ukraine.

The “most powerful” DDoS attacks against Ukrainian government sites peaked at more than 100 Gbps, the SSSCIP said. While far above the average DDoS attack size, research from Radware shows that the largest DDoS attack recorded during the first three quarters of 2021 was 348Gbps — or 3.5 times the size of the most powerful DDoS attacks against Ukraine.

The DDoS attacks against Ukraine are “definitely not setting any records,” said Chris Partridge, a security professional who has been tracking cyberattacks during the Russia-Ukraine conflict.

“But I think it’s a good sign that Ukraine has been able to shrug some of these attacks off from Russia,” Partridge said in a message to VentureBeat.

In the recent attacks, “the only thing the occupants managed to do was to substitute the front pages at the sites of some local authorities,” the SSSCIP said in a tweet, before adding: “We will endure! On the battlefields and in the cyberspace!”

Meanwhile, hackers in Ukraine’s IT army and hacktivist groups such as Anonymous have continued hitting back with DDoS attacks against Russian targets.

At last check, numerous government, financial and media websites targeted by the Ukraine IT army were seeing 0% or 10% uptime within Russia, according to data posted by Partridge on GitHub.

Anonymous attack

On Sunday, Anonymous claimed on Twitter to have replaced the live feeds for several Russian TV channels and streaming services with video footage from the war in Ukraine, along with a message opposing the war.

Jeremiah Fowler, cofounder and senior security researcher at Security Discovery, told VentureBeat that his cybersecurity research firm did capture video of a Russian state TV channel feed that was hacked to display pro-Ukrainian information. “I would mark this claim [from Anonymous] as true, given that they most likely got to other channels too,” Fowler said in an email.

As part of recent research into the efforts by hacker groups such as Anonymous to launch cyberattacks against Russia, Fowler said he was able to find the database of an internet and cable provider in Russia that contained ports and pathways, and source locations of where shows are streaming from.

“It is highly possible that someone could hijack the feed and trick or spoof the channel to believe it is pulling programming from the legitimate source and instead show other video footage to viewers,” Fowler said.

The cyber effort to aid Ukraine is also getting assistance from U.S. Cyber Command, The New York Times reported Sunday. “Cybermission teams” from the agency are currently working from Eastern European bases “to interfere with Russia’s digital attacks and communications,” according to the Times.

Given that U.S. Cyber Command is a part of the Department of Defense, that raises that question of whether this makes the U.S. a “co-combatant,” the report noted. From The New York Times report:

By the American interpretation of the laws of cyberconflict, the United States can temporarily interrupt Russian capability without conducting an act of war; permanent disablement is more problematic. But as experts acknowledge, when a Russian system goes down, the Russian units don’t know whether it is temporary or permanent, or even whether the United States is responsible …

Government officials are understandably tight-lipped [about what Cyber Command is doing], saying the cyberoperations underway, which have been moved in recent days from an operations center in Kyiv to one outside the country, are some of the most classified elements of the conflict. But it is clear that the cybermission teams have tracked some familiar targets, including the activities of the G.R.U., Russia’s military intelligence operations, to try to neutralize their activity.

Guidance for U.S.

In the U.S., the federal Cybersecurity and Infrastructure Security Agency (CISA) has also been providing guidance around vulnerabilities that may be tied to threats coming out of Russia, potentially in retaliation for western sanctions over Ukraine. Last Thursday, CISA added 95 vulnerabilities to its Known Exploited Vulnerabilities Catalog.

It’s unusual for the agency to add “more than a handful” of vulnerabilities to their catalog at one time, said Mike Parkin, senior technical engineer at Vulcan Cyber. Coming amid the situation in Ukraine, “these additions are likely an effort to prevent cyberwarfare activities spilling into U.S. organizations covered by CISA directives,” Parkin said.

The 95 vulnerabilities added to the CISA catalog on Thursday all have a short deadline for remediation by federal agencies – within March, Viakoo CEO Bud Broomhead noted. And most are in widely used systems, including 38 for Cisco products, 27 for Microsoft products and 16 for Adobe products, Broomhead said.

Thus far, there is “no direct evidence that state, state-sponsored, or other threat actors friendly to Russia have attacked U.S. resources, there is no reason to assume they will not do so,” Parkin told VentureBeat. “[But] given that there are already extensive cyberwarfare activities between Russia and Ukraine and their supporters on both sides, it’s highly likely allies on both sides will become targets of the cyber-conflict.”

Many of Russia’s allies also consider the U.S. an adversary on some level, and have their own well-equipped and well-financed cyberwarfare capabilities, he said.

“With all of that, it is likely that CISA included threats that were not previously considered high-risk as threat actors look for additional attack vectors,” Parkin said.