Hackers Destroyed Data at Key Ukraine Agency Before Invasion

(Bloomberg) — In the buildup to Russia’s invasion, hackers detonated powerful data-destroying software on the network of Ukraine’s Ministry of Internal Affairs, and they siphoned off large amounts of data from the country’s telecommunications network, according to three people involved in investigations into the incidents.

The attacks dealt a blow to a key Ukrainian law enforcement agency — responsible for overseeing the national police — while giving the hackers potentially valuable insights into the communications and movements of people inside the country before Russian troops began their assault, the people said. They requested anonymity because they weren’t authorized to discuss the confidential investigations publicly.

The details, which haven’t been previously reported, illustrate the growing role of cyber operations in modern military conflicts and the range of threats facing Ukrainian President Volodymyr Zelenskiy as Russian forces fight to seize control of the country. The people involved in the investigations didn’t say who was behind the cyberattacks. 

Representatives of the Ukrainian government didn’t respond to requests for comment.

On Wednesday, the day before the invasion, multiple governmental websites in Ukraine experienced disruptions that appeared to be the result of distributed denial-of-service, or DDoS, attacks. Security researchers said they included the Ministry of Defense, Ministry of Foreign Affairs and the Ministry of Internal Affairs. 

Researchers at the cybersecurity firm ESET LLC had said that more than three Ukrainian organizations were compromised Wednesday with destructive malware that infected a few hundred computers at those organizations.

“This was not a widespread attack. They pinpointed specific organizations and then went in and deployed the malware,” said Jean-Ian Boutin, ESET’s head of threat research, who declined to name the specific organizations affected. “The fact that this happened a few hours before the full-scale invasion, it leads us to believe these organizations were targeted for a reason.”

The three people involved in the investigations identified the Ministry of Internal Affairs as one of the organizations compromised by the data-destroying malware. The extent of the damage is unclear. One of the people said key officials had evacuated, and as a result, security specialists have been unable to conduct a full forensics investigation of its network. 

Another person said the hackers removed large amounts of data from the agency’s network before detonating the malware, indicating that they were likely gathering intelligence about the agency’s operations before attempting to disrupt them. 

The three people also said that the deployment of the destructive malware coincided with yet another attack, in which hackers began removing large amounts of data from Ukrainian telecommunications systems in the weeks leading up to the invasion, apparently activating malicious code — or implants — that had been embedded into those systems during earlier intrusions.

The names of the telecommunications company or companies impacted by the attack weren’t immediately available.

Some details of the cyberattacks against Ukraine have trickled out since January. 

On Jan. 15, for instance, Microsoft Corp. disclosed that it had discovered a new type of destructive malware on “dozens of impacted systems” spanning “multiple government, nonprofit and information technology organizations, all based in Ukraine.” It didn’t identify any victims. 

Coming at a time when Russia was massing troops on Ukraine’s borders, and U.S. and European intelligence services were warning that Putin was preparing an invasion, the discovery raised fears that Ukraine’s defenses could be substantially diminished by a coordinated detonation of data-wiping code.

On Feb. 15 and 16, government and financial websites in Ukraine came under a disruptive DDoS attack that Mykhailo Fedorov, minister of digital transformation, said was the worst of its kind the country had ever seen. “This attack was unprecedented, it was prepared well in advance, and its key goal was destabilization, sowing panic and creating chaos in our country,” Fedorov said.

U.S. and U.K. officials attributed those attacks to Russia’s GRU military intelligence service, the same organization accused of carrying out the 2017 NotPetya attacks, which involved similar “wiper” malware. Those attacks began in Ukraine but spread across the globe, causing an estimated $10 billion in damages.

Russia has repeatedly denied being behind cyberattacks.



©2022 Bloomberg L.P.
