A series of Ukrainian government websites were temporarily unavailable Friday in what appeared to be a coordinated cyberattack against the backdrop of rising tensions between Russia and Ukraine.
“As a result of the massive hacking attack, the websites of the Ministry of Foreign Affairs and a number of other government agencies are temporarily down,” Foreign Ministry spokesperson Oleg Nikolenko tweeted. “Our specialists are already working on restoring the work of IT systems. We apologize for any inconvenience.”
Nikolenko told The Associated Press that it was too early to say who was behind the attacks, “but there is a long record of Russian cyber assaults against Ukraine in the past.”
The websites for Ukraine’s Cabinet, seven ministries, treasury, National Emergency Service and the state services website were temporarily unavailable, the AP reported. A message was posted to the sites in Ukrainian, Russian and Polish warning that personal data had been leaked—a claim the Ukrainian State Service of Communication denied—and to “Be afraid and expect the worst. This is for your past, present and future.”
The attacks come as Russia’s military buildup along the border with Ukraine continues, and talks between the U.S. and Russia to forestall an invasion in recent days have failed to settle the situation. White House National Security Adviser Jake Sullivan told reporters Thursday that U.S. intelligence has “developed information” that “Russia is laying the groundwork to have the option of fabricating a pretext for an invasion, including through sabotage activities and information operations.”
“We saw this playbook in 2014,” Sullivan said. “They are preparing this playbook again.”
President Joe Biden has been briefed on the situation, a spokesperson for the National Security Council tells CyberScoop. “We are in touch with the Ukrainians and have offered our support as Ukraine investigates the impact and nature and recovers from the incident,” the spokesperson said. “We don’t have an attribution at this time.”
Later in the day, Department of Defense Spokesperson John Kirby reiterated that it was too soon to attribute the activity. But “this is of a piece of the same kind of playbook we’ve seen from Russia in the past.”
Government website attacks and defacement are not new in Ukraine, dating back as far as 2008 and the Russian invasion of Georgia. The Russian government also has a well-documented history of targeting Ukrainian assets in cyberattacks ranging from basic to highly complex and consequential.
“This incident could be the work of government actors or government-sponsored actors or it could have been done by elements of civil society reacting independently,” John Hultquist, vice president of intelligence at cybersecurity firm Mandiant, said in a statement. “Historically, most defacements have been low-level hackers who sometimes leave patriotic messages on targets, but government-sponsored actors have carried out this type of activity as well.”
A coordinated attack on multiple websites might seem complex, but this could be the result of access to a single content management system, he added: “It’s important not to overestimate the capability necessary to carry out this attack.”
Toby Lewis, the head of threat analysis at Darktrace, made a similar point.
“Governmental websites are typically built on common software which explains the domino effect of website shutdowns that we are seeing,” he said. “We should be cautious around labelling this as a ‘sophisticated’ attack.”
A vulnerability in the content management system known as “October CMS” might have been exploited in the attack, the Computer Emergency Response Team (CERT) of Ukraine said in a notice published Friday.
Updated, 1/14/22: To include statement from the National Security Council, information from the Ukrainian CERT, and additional comment from DoD Spokesperson John Kirby.