Ukrainian official sites under massive cyberattack with a Russian trace

Credit: maxpixel.net

Overnight into 14 January, a massive cyberattack started on multiple government websites and services in Ukraine. The attack presents itself as a kind of historic Polish revenge on Ukraine. However, the attackers dropped some hints linking it to Russia and Russian speakers. Officials state that no personal data were leaked during the attack. Meanwhile, Ukrainian experts criticize the government’s cyber security policies.

The ongoing cyberattack in Ukraine affected the websites of the ministries of foreign affairs, education, agriculture, ecology, regional development, sport, internal affairs, and energy, as well as the sites of the State Treasury, the State Emergency Service, and the Digital Transformation Ministry’s web service Diia.

At the same time, the websites of the Ministry of Health, the Ministry of Internal Affairs, the Ministry of Social Policy, the Ministry of Infrastructure, and the Ministry of Finance operate normally. The sites of the Defense Ministry and the Security Service weren’t affected by the attack either.

At about 10:00, the Ministry of Digital Transformation of Ukraine published its statement on Telegram, assuring that personal data weren’t stolen and stating that most of the affected websites had been restored:

“Most of the attacked state web resources have already been restored. The content of the sites remained unchanged, and no personal data were leaked. Other sites will resume in the near future,” the statement reads.

Most of the affected websites checked by Euromaidan Press at the time were offline.

What we know about the hack

The website of the Ministry of Education and Science and other official sites were defaced (defaced pages on Web Archive: the MFA, Education Ministry, Agrarian Ministry), displaying an image with an anti-Ukrainian threat clumsily written in three languages – Ukrainian, Russian, and Polish. The hackers rewrote the code of the original pages, embedding the image in the document itself using the so-called data URI scheme rather than linking it from an external location. The content of some pages was fully rewritten, while the MFA homepage included malicious JavaScript code that replaced the original contents of the homepage with the same deface image.
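Both techniques described above leave traces that a website integrity monitor can catch. The following is an added example, not code from the article or from any of the affected sites: it compares a known-good snapshot of a page with the live copy and reports newly embedded base64 images and new inline scripts that rewrite the document. The HTML samples are constructed for illustration.

```python
import base64
import re
from html.parser import HTMLParser

DATA_URI = re.compile(r"^data:(image/[\w.+-]+);base64,(.*)$", re.I | re.S)
# Inline-script calls typical of a "replace the whole page" deface
REWRITE_CALLS = ("document.body.innerHTML", "document.documentElement.innerHTML", "document.write(")


class Indicators(HTMLParser):
    """Collect base64 images embedded in the document and inline scripts that rewrite it."""
    def __init__(self):
        super().__init__()
        self.data_images, self.rewrite_scripts = [], []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and "src" not in attrs:
            self._in_inline_script = True
        m = DATA_URI.match(attrs.get("src") or "")
        if m:  # (mime type, decoded payload size) is enough to spot a newly embedded image
            self.data_images.append((m.group(1), len(base64.b64decode(m.group(2)))))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script and any(call in data for call in REWRITE_CALLS):
            self.rewrite_scripts.append(data.strip())


def scan(html):
    parser = Indicators()
    parser.feed(html)
    parser.close()
    return parser


def deface_indicators(baseline_html, current_html):
    """Compare a known-good snapshot with the live page and report only what is new."""
    base, cur = scan(baseline_html), scan(current_html)
    return {
        "new_data_images": [i for i in cur.data_images if i not in base.data_images],
        "new_rewrite_scripts": [s for s in cur.rewrite_scripts if s not in base.rewrite_scripts],
    }


# Constructed samples: a clean snapshot and a defaced copy using both techniques
BASELINE = ('<html><body><h1>Ministry</h1><img src="/img/logo.png">'
            '<script src="/static/app.js"></script></body></html>')
DEFACED = ('<html><body><img src="data:image/png;base64,iVBORw0KGgo=">'
           '<script>document.body.innerHTML = "";'
           'document.body.style.background = "#000";</script></body></html>')
```

Run against periodic fetches of each homepage, an empty result means no new embedded images or page-rewriting scripts since the baseline.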

Hacker’s publication on the MFA site containing the malicious code, 04:09 is the time of the hack. Screenshot from Web Archive‘s copy of the page saved at 03:21 UTC Jan 14, 2022.

The malicious code published by hackers on Ukraine’s MFA website to replace the content of the homepage with the deface image and set the dark background.

The threat in the deface image reads,

“Ukrainian! All personal data of y’all were uploaded to the public net. All the data on the computer are being destroyed, it is impossible to restore them. All the information about you has become public, be afraid and wait for the worst (or worse in the machine-translated Ukrainian version – Ed.). It is for you for your past, present, and future. For Volhynia, for OUN UPA, for Galicia, for Polissia and for historic lands (or territories in the Polish version, – Ed.).”

Anti-Ukrainian deface image published on the hacked site of Ukraine’s Ministry of Education and Science in the early hours of 14 January 2022. The presence of the Polish version of the text and mentioning Polish-Ukrainian historical matters in the text itself added to make believable the version that the site was hacked by the Polish.

To make sure that the picture makes an even more obvious Polish connection, the hackers added the so-called Exif data to the image, showing the alleged location where the photo was taken. The provided coordinates show a random car parking lot in Warsaw:

Parts of the deface image’s Exif data showing geocoordinates. Screenshot: exifdata.com

Location in the Polish capital, GPS coordinates of which were added to the deface image. Screenshot: Google Maps

Phone cameras usually add the GPS coordinates of the spot where an image was taken, while graphic editors don’t add geolocation data to images, as computers normally don’t have GPS modules to obtain coordinates. The deface image was definitely created in a graphic editor, which proves that the GPS data were intentionally added after the fact. The hackers could have used the Exif data of a photo actually taken at the location, yet even in that case the Exif data were modified, since they lack basic camera data such as aperture, exposure, etc.
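The reasoning above (GPS tags present, camera tags absent) can be turned into a forensic check. The following is an added example, not code from the article: a minimal Exif/TIFF directory parser that flags an image block carrying coordinates without any of the fields a phone camera writes. The sample Exif blocks are constructed by the builder in the block, with dummy tag values, since only tag presence matters for this check.

```python
import struct

# Standard Exif/TIFF tag ids used by the check
TAG_MAKE, TAG_MODEL = 0x010F, 0x0110
TAG_EXIF_IFD, TAG_GPS_IFD = 0x8769, 0x8825
TAG_EXPOSURE, TAG_FNUMBER = 0x829A, 0x829D
TAG_GPS_LAT, TAG_GPS_LON = 0x0002, 0x0004

def _ifd(tags):
    """Serialise one little-endian IFD; every entry is LONG/count 1, value inline."""
    out = struct.pack("<H", len(tags))
    for tag, value in sorted(tags.items()):
        out += struct.pack("<HHII", tag, 4, 1, value)
    return out + struct.pack("<I", 0)  # next-IFD offset: none

def build_exif(ifd0, exif=None, gps=None):
    """Constructed sample builder: header, IFD0, then optional Exif/GPS sub-IFDs.
    Values are dummies; the check below only looks at which tags exist."""
    ifd0, subs = dict(ifd0), []
    off = 8 + 2 + 12 * (len(ifd0) + (exif is not None) + (gps is not None)) + 4
    for ptr, sub in ((TAG_EXIF_IFD, exif), (TAG_GPS_IFD, gps)):
        if sub is not None:
            ifd0[ptr], blob = off, _ifd(sub)
            subs.append(blob)
            off += len(blob)
    return b"II" + struct.pack("<HI", 42, 8) + _ifd(ifd0) + b"".join(subs)

def _read_ifd(data, offset, fmt):
    n, = struct.unpack_from(fmt + "H", data, offset)
    entries = (struct.unpack_from(fmt + "HHII", data, offset + 2 + 12 * i) for i in range(n))
    return {tag: val for tag, _typ, _cnt, val in entries}

def exif_tags(data):
    """Return (ifd0, exif, gps) tag dicts for either byte order ("II" or "MM")."""
    fmt = ">" if data[:2] == b"MM" else "<"
    ifd0 = _read_ifd(data, struct.unpack_from(fmt + "I", data, 4)[0], fmt)
    exif = _read_ifd(data, ifd0[TAG_EXIF_IFD], fmt) if TAG_EXIF_IFD in ifd0 else {}
    gps = _read_ifd(data, ifd0[TAG_GPS_IFD], fmt) if TAG_GPS_IFD in ifd0 else {}
    return ifd0, exif, gps

def gps_without_camera_data(data):
    """True when GPS coordinates exist but none of the fields a phone camera
    writes (Make/Model, ExposureTime, FNumber) do: the deface-image pattern."""
    ifd0, exif, gps = exif_tags(data)
    has_gps = TAG_GPS_LAT in gps or TAG_GPS_LON in gps
    has_camera = any(t in ifd0 for t in (TAG_MAKE, TAG_MODEL)) or any(t in exif for t in (TAG_EXPOSURE, TAG_FNUMBER))
    return has_gps and not has_camera

# Constructed samples: a phone-style block and a deface-style, editor-made one
PHONE_PHOTO = build_exif({TAG_MAKE: 0, TAG_MODEL: 0}, exif={TAG_EXPOSURE: 0, TAG_FNUMBER: 0}, gps={TAG_GPS_LAT: 0, TAG_GPS_LON: 0})
EDITED_IMAGE = build_exif({}, gps={TAG_GPS_LAT: 0, TAG_GPS_LON: 0})
```

For a real JPEG, pass the bytes that follow the `Exif\0\0` marker of the APP1 segment to `exif_tags`.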

As of 12:00 Kyiv Time of January 14, most of the affected government websites were shut down, while the homepage of the Diia service showed the message that the Service was temporarily unavailable:

Error message on the Diia service’s homepage reading, “The service is temporarily unavailable. Due to the need for scheduled technical work, access to your cabinet is temporarily limited. We apologize for the inconvenience. Please try again later.” 14 January 2022.

Hackers allegedly used Russian service Yandex Translate for translations

The deface image left by the hackers on the Education Ministry’s website gives some hints regarding the hackers.

A simple comparison of the machine translations of hackers’ Russian-language text produced by Google Translate and the Russian service Yandex Translate shows the nearly identical translation into Ukrainian in both, except for one conjunction in the last sentence.

However, Google’s Polish machine translation from Russian is way different from the Polish version shown in the deface image, while the hackers’ Polish text is nearly identical to the translation by Yandex, except for one noun in the last sentence.

The same goes for the machine translation from Polish into Russian and Ukrainian on Yandex, where the original Russian version is identical to Yandex’s translation, and the Ukrainian one differs by one word in the last sentence. Meanwhile, Google produces quite different Russian and Ukrainian versions when translating from the hackers’ Polish text.

Translation of the threat from Russian to Ukrainian on Yandex Translate. The screenshot was made on 14 Jan 2022. The translation is identical to the Ukrainian text in the deface image except for the conjunction та with stylistically wrong і used in the image. This translation is identical to Google’s.

The Ukrainian version smoothly translates into the image’s Russian text on both Google and Yandex translates, yet Google’s Polish translation from Ukrainian differs a lot, while Yandex’s is identical to that in the deface image except for the word tereny, which also is the only difference in Yandex’s Russian-Polish translation from the original Polish version of the threat.

Translation of the threat from Russian to Polish on Yandex Translate. The screenshot was made on 14 Jan 2022. The translation is identical with the Polish text in the deface image except for the word ziemie (tereny used in the original image).

Translation of the threat from Russian to Polish on Google Translate. The screenshot was made on 14 Jan 2022. The translation significantly differs from the Polish text in the deface image.

This shows that no matter in what language the original text of the threat was — any of the three could be —  the attackers of Ukrainian official sites probably used the Russian service Yandex Translate to produce the texts in two other languages. Additionally, the last sentence and its translations could have been added later.

Threat text’s author isn’t a native Ukrainian or Polish speaker

The threat message left on official sites by the hackers implies a “Polish footprint,” yet the text’s author is unlikely to be a native Polish or Ukrainian speaker.

As we mentioned earlier, the use of the conjunction “і” in the last sentence of the Ukrainian text isn’t stylistically correct according to euphony rules as it goes after a word that ends with a vowel, an error which is pretty hard to make for a native speaker.

European Pravda points out that instead of the vocative case, the first word is used in the nominative in both the Polish and Ukrainian versions, which is possible in Ukrainian but not in Polish.

Reporting on the cyberattack in Ukraine, the Polish site Wprost was not impressed by the quality of what seems to be Yandex’s machine translation into Polish, writing,

“Content in Polish is written in a way that suggests that a not very good translator was used.”

European Pravda talked to Polish natives who explained that some phrases in the Polish text look artificial and built up in a way that Polish speakers would never formulate them. For example, “…zostały przesłane do wspólnej sieci” should be “zostały opublikowane w sieci” and so on.

Reaction

Most Ukrainian officials have either withheld their comments so far or merely reported the fact of the cyberattack on the official sites, while experts and social media users were more eloquent in their comments.

The Ministry of Education and Science recommended in its Facebook post using its social media pages while the cyberpolice was investigating the case and work to resolve the site issues was still underway.

The Foreign Ministry also encouraged the public to use its Facebook and Twitter pages, while the Ministry’s spokesperson Oleg Nikolenko reported on his Twitter that the sites of the MFA and other agencies were down due to a “massive cyber attack.”

EU Foreign Minister Josep Borrell has condemned cyberattacks against Ukrainian government websites and said the EU’s Political and Security Committee and cyber units would meet to discuss how to respond and help Kyiv.

NATO Secretary-General Jens Stoltenberg has also condemned the attack, according to the RFE/RL editor:

Social media users discovered the attack on Ukrainian official websites around 1 AM. One of the early comments on the attack, by opposition journalist Maria Madzihon, reads,

“Hackers have hacked the government site of the Education Ministry mon.gov.ua. And this government is still offering us their “electronic voting” as in Russia, God forbid!”

“In fact, something like this was to be expected,” wrote the Ukrainian hacktivist known as Sean Townsend of the Ukrainian Cyber Alliance, who had earlier criticized the lax approach of the officials to cyber security. He also pointed out that the Kremlin’s news agency RIA Novosti published its news piece on the attack at night, only two hours after the attack began.

Head of Defense Reform Center Oleksandr Danyliuk attributed this attack to Russians, saying that it is part of a Russian hybrid operation aimed at:

  • demonstrating Ukraine’s vulnerability;
  • undermining the West’s position at the talks with Russia;
  • worsening Ukrainian-Polish relations;
  • possibly discrediting government officials responsible for cybersecurity and subsequently replacing them with Russian agents of influence.

The Ukrainian Embassy to Japan backed the opinion that Russia was behind the cyberattack, according to BBC Ukraine,

“It seems to originate in Poland. In fact, there is no doubt that this is another provocation by Russia,” the Embassy wrote on its Facebook page, according to BBC Ukraine. However, Euromaidan Press couldn’t find the original post, which could have been deleted sometime in the afternoon.

The Center for Strategic Communications (StratCom) of Ukraine has published its statement saying that the purpose of such attacks is “to destabilize the internal situation in the country, as well as to sow chaos and despair in society.”

Cyberattacks on government agencies are a regular occurrence in Ukraine, though the Center points out that there hasn’t been such a massive attack for a long time.

“We assume that the current one is connected with Russia’s recent defeat in the negotiations (with the US and with NATO, – Ed.) on Ukraine’s future cooperation with NATO. The other day Moscow resumed military exercises near Ukraine’s borders. And hacking actions against Ukrainian government agencies may also be part of this psychological attack on Ukrainians,” the statement reads.

StratCom also says that the timeline of spreading the news reports on the cyberattack in Ukraine points to the Russian trace as well:

“The information first appeared on social media, then the first publications in the media were on ‘drain tanks’ (fake news media used for the initial dissemination of desired narratives, – Ed.). And then it was actively spread by Russian news outlets… And only in the morning, the news story was picked up by the Ukrainian media,” the StratCom statement reads.

Infographic by Ukraine Crisis Media Center’s Hybrid Warfare Analytical Group.

A cyberattack in Ukraine was not unexpected

The Security Service of Ukraine previously reported that in December 2021 alone it had prevented 59 cyber attacks on information systems of public authorities. And in the first half of last year, the agency reportedly “neutralized more than 1000 cyber attacks and incidents” on web resources of the government and critical infrastructure.

The New York Times reported in late December 2021 that the United States and Britain had quietly sent cyberwarfare experts to Ukraine,

“Not an invasion with the 175,000 troops he (Russian President Putin, – Ed.) is massing on the border, but cyberattacks that take down the electric grid, the banking system, and other critical components of Ukraine’s economy and government,” the NYT article reads.

Update 20:55:

The sales of electronic insurance policies have been suspended indefinitely in Ukraine, according to Autogeek.com.ua, which refers to social media users claiming that the suspension occurred due to a malfunction of the services of the Motor Transport Insurance Bureau. Namely, the compulsory car insurance database reportedly went offline “due to an external attack.” Moreover, according to some information, Autogeek.com.ua speculates, the MTIB databases could have been destroyed by hackers. It wasn’t immediately clear whether the reported attack actually took place or is just speculation spread by social media users. If the attack was real, it is still unclear whether it is part of the massive cyberattack on Ukrainian government sites.

Update 21:18:

The Computer Emergency Response Team of Ukraine (CERTU) by Ukraine’s State Service of Special Communications and Information Protection (Derzhspetszvyazok) has published its take on the cyberattack on Ukraine’s official sites.

“The content of the sites was not changed and the leakage of personal data, according to preliminary information, did not occur,” the agency says.

CERTU reported that many websites of government agencies were temporarily suspended to prevent the spreading of the attack and localize the issue, meaning that many of the official websites inaccessible on 14 January weren’t affected by the attack.

The agency says that one of the possible vectors of the attack was the exploitation of a known vulnerability in the October CMS installed on the official websites. In its recommendations for site administrators, the agency advises upgrading to a newer version of the CMS, which implies that a number of official websites had not been updated to the latest version of the content management software by the time of the attack.

Update 16:00, Jan 15:

  • In total, more than 70 government websites were under attack overnight into 14 January 2022, with 10 of the attacked sites suffering from unauthorized interference, according to a statement by Derzhspetszvyazok.

Derzhspetszvyazok says that there is a high probability that the attack was the so-called supply chain attack, i.e. initially the attackers hacked the infrastructure of a commercial company that had administrative access to the web resources affected by the subsequent attack.

According to Ekonomichna Pravda, this company was Kyiv-based Kitsoft, which was involved in the development of nearly 40 government sites, using the October CMS. As of 15 January afternoon, Kitsoft’s website was offline.

The authentication bypass vulnerability in the CMS was known since May 2021, patched in August 2021. The administrators of the affected websites didn’t install critical updates by the time of the attack.

https://twitter.com/haynesdeborah/status/1482257253835096064

Update 20:50, Jan 15:

Reuters says that Serhiy Demedyuk, deputy secretary of Ukraine’s National Security and Defense Council, told them that Ukraine blamed the 14 January attack on a group known as UNC1151, linked to the intelligence service of Russia’s ally, Belarus. According to the official, the group used malware similar to that used earlier by a group tied to Russian intelligence.

 
