Government websites down after hacking attack

KYIV, Ukraine (AP) — Hackers temporarily shut down dozens of Ukrainian government websites on Friday, causing no major damage but adding to simmering tensions as Russia amassed troops on the Ukrainian border. Separately, in a rare gesture to the United States at a time of skittish relations, Russia said it had arrested members of a major ransomware gang that targeted US entities.

The events, though seemingly unrelated, came during a period of frenetic activity as the United States publicly accused Moscow of plotting another invasion of Ukraine and creating a pretext to do so. They underscored how cybersecurity remains a key concern – that escalating animosity risks not only real violence, but also damaging digital attacks that could affect Ukraine or even the United States.

The White House said Friday that President Joe Biden had been made aware of the disruptions, which targeted about 70 national and regional government agency websites, but it did not say who might be responsible.

But even without any attribution of responsibility, suspicion has been cast on Russia, with its history of peppering Ukraine with damaging cyberattacks. Ukraine’s security service, the SBU, said preliminary results of an investigation indicated the involvement of “hacker groups linked to Russian intelligence.” said the culprits “hacked into the infrastructure of a commercial company that had access, with administrator privileges, to the websites affected by the attack.”

The White House said it was still assessing the impact of the downgrades, but described it as “limited” so far. A senior administration official, meanwhile, said the White House welcomes news of the arrests in Russia of suspected members of ransomware gangs, an operation that Moscow says was carried out at the behest of the public. American authorities.

The official, who told reporters on condition of anonymity, said one of those arrested was linked to the Colonial Pipeline hack that led to days of gas shortages in parts of the United States last year. . The arrests are considered by the White House to be unrelated to the Russian-Ukrainian tension, according to the official.

Russia’s past cyber operations against Ukraine include hacking into its voting system ahead of the 2014 national elections and into its power grid in 2015 and 2016. In 2017, Russia unleashed one of the most damaging cyberattacks ever. registered with the NotPetya virus, which targeted Ukrainian businesses and caused more than $10 billion in damage worldwide. Moscow has previously denied any involvement in cyberattacks against Ukraine.

Ukrainian cybersecurity professionals, aided by more than $40 million in assistance from the US State Department, have since bolstered critical infrastructure defenses. NATO Secretary General Jens Stoltenberg said on Friday the alliance would continue to provide “strong political and practical support” to Ukraine in light of the cyberattacks.

Experts say Russian President Vladimir Putin could use cyberattacks to destabilize Ukraine and other ex-Soviet countries that want to join NATO without having to commit troops. Tensions between Ukraine and Russia are high, with Moscow mustering around 100,000 troops near its vast border with Ukraine.

“If you’re trying to use it as a stage and a deterrent to keep people from moving forward with consideration of NATO or other things, cyber is perfect,” Tim Conway said. , a cybersecurity instructor at the SANS Institute, told the AP last week.

The main question about the website downgrades is whether they are the work of Russian freelancers or part of a larger state-backed operation, said Oleh Derevianko, a private sector expert and founder of the cybersecurity company ISSP.

A message published by the hackers in Russian, Ukrainian and Polish claimed that Ukrainians’ personal data had been uploaded and destroyed. He told Ukrainians “to be afraid and expect the worst”. In response, the Polish government noted that Russia had a long history of disinformation campaigns and that the Polish in the message was riddled with errors and clearly did not come from a native speaker.

Researchers at global risk think tank Eurasia Group said Ukraine’s downgrades “do not necessarily indicate an imminent escalation of hostilities by Russia” – they rank low on its scale of cyber options. They said Friday’s attack amounted to “a trolling, sending a message that Ukraine may see worse to come”.

The downgrades followed a year in which cybersecurity became a major concern due to a Russian government cyber espionage campaign targeting US government agencies and ransomware attacks by Russia-based criminal gangs.

On Friday, the Russian Federal Security Service, or FSB, announced the detention of members of the REvil ransomware gang. The group was behind the July 4 weekend supply chain attack targeting software company Kaseya, which crippled more than 1,000 businesses and public organizations around the world.

The FSB claimed to have broken up the gang, but REvil effectively disbanded in July. Cybersecurity experts say its members have largely moved to other ransomware syndicates. They cast doubt on Friday that the arrests would significantly affect ransomware gangs, whose activities only moderately eased after high-profile attacks on critical US infrastructure last year, including the Colonial Pipeline.

The FSB said it raided the homes of 14 members of the group and seized more than 426 million rubles ($5.6 million), including in cryptocurrency, as well as computers, crypto wallets and 20 cars. elite “bought with money obtained by criminal means”. All those detained were charged with “illegal circulation of means of payment”, a criminal offense punishable by six years in prison. The suspects have not been named.

According to the FSB, the operation was carried out at the request of US authorities, who had identified the leader of the group. It is the first major public action by Russian authorities since Biden warned Putin last summer that he needed to crack down on ransomware gangs.

Experts said it was too early to tell whether the arrests signaled a major Kremlin crackdown on ransomware criminals — or whether it was perhaps a piecemeal effort to appease the White House.

“The sentencing follow-up will send the strongest signal one way or another as to whether there has really been a change in Russia’s tolerance of cybercriminals in the future,” Bill Siegel, CEO of ransomware response company Coveware, said in an email.

Yelisey Boguslavskiy, research director at Advanced Intelligence, said those arrested are likely low-level affiliates – not the people who operated the ransomware-as-a-service, which disbanded in July. REvil also apparently ripped off some affiliates in order to get enemies in hiding, he said.

REvil attacks have crippled tens of thousands of computers around the world and netted at least $200 million in ransom payments, Attorney General Merrick Garland said in November when announcing charges against two hackers affiliated with the gang.

Such attacks have drawn the attention of law enforcement officials around the world. Hours before the US announced its arrests, European law enforcement officials revealed the results of a months-long operation in 17 countries that resulted in the arrest of seven hackers linked to REvil and another ransomware family.

The AP reported last year that US officials had meanwhile shared a small number of names of suspected ransomware operators with Russian officials.

Brett Callow, a ransomware analyst at cybersecurity firm Emsisoft, said that regardless of Russia’s motives, the arrests “would certainly send shockwaves through the cybercriminal community. The gang’s former affiliates and business associates will be invariably concerned about the implications”.

___

Bajak reported from Boston, Litvinova reported from Moscow, and Tucker reported from Washington. Catherine Gaschka in Brest, France, and Alan Suderman in Richmond, Virginia, contributed to this report.

Copyright 2022 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed without permission.