27 September 2023

Ukraine reeling from cyber espionage


Federico Berger* says while a physical invasion of Ukraine has yet to materialise, attacks on the nation’s cyberspace are well under way.


With Ukraine-Russia tensions in the background, during the night between 13 and 14 January, a total of 70 websites related to the Kiev Government displayed a creepy message written in Ukrainian, Russian, and Polish.

“Ukrainian! All your personal data has been uploaded onto the public internet […] Be afraid and expect the worse. This is for your past, your present and your future,” the message stated.

The defacement of the sites was part of the latest cyber-attack suffered by Ukraine, which saw the web portals of several institutions (including the Ministry of Foreign Affairs, the Cabinet of Ministers and the Security and Defence Council) being taken down for several hours.

Later on, the Security Service of Ukraine confirmed that apparently no personal data had been stolen.

NATO leaders immediately reacted by condemning the offensive.

NATO Secretary-General Jens Stoltenberg added that technical experts were helping Ukrainian authorities to counter malicious activities.

He said an agreement between the Alliance and Kiev on enhanced cyber cooperation (which includes access to NATO’s malware information-sharing platform) was close to being signed.

European Union diplomat Josep Borrell said the EU was committed to mobilising all possible resources to tackle the problem.

He said no proof was available to blame someone for the attack, but “we can imagine” who was behind it.

Nevertheless, the attribution of this malicious cyber activity has been quite tricky so far.

After a first round of investigations on 16 January, Ukraine’s Ministry of Digital Development affirmed that all evidence pointed to the Kremlin as responsible for the offensive, aimed at destabilising the country through means of hybrid warfare.

Dmitry Peskov, spokesperson for Russian President Vladimir Putin, denied the accusations, stating that Moscow had “nothing to do” with the case.

More recent analyses carried out by Kiev authorities have attributed these malicious activities to the cyber-espionage group UNC1151, which is believed to be under the control of Belarus’ intelligence services.

To date, no official from Minsk has answered the allegations.

Furthermore, the malware employed to encrypt data on the server seemed to share many similarities with malware belonging to the Advanced Persistent Threat (APT) collective known as APT29 or Cozy Bear, a State-sponsored adversary with a well-known affiliation to Moscow’s Foreign Intelligence Service.

From the perspective of NATO, it is noteworthy that UNC1151 has already been spotted conducting malicious activities within the cyber domain.

There is high confidence that since 2020 the collective has provided technical support to the anti-NATO information operation campaign Ghostwriter, with target countries located mainly in the former Soviet Union.

While investigations continue, troubles for Ukraine may not be over.

Since January, a leaked database alleged to contain personal data of two million Ukrainians has been available online.

Presumably, the leak comes from Diia, a service provided by the Ministry of Digital Development that manages passports and COVID-19 vaccination certificates.

Although the origin of the database is still unclear, the data breach may further erode public trust in Kiev’s effectiveness in protecting citizens in the cyber arena.

*Federico Berger is a Social Media Intelligence Analyst for Italian cyber-security firm, TS-Way. He is also listed among Emerging Security Challenges Analysts at the NATO Defence College Foundation.

This article first appeared on the NATO Defence College Foundation website.
