Ukraine – history of cyber attacks – part 1

The current situation in Ukraine is not only an unprecedented event, disturbing the relative peace that has prevailed in Europe since World War II, and the tragedy of our neighbors. It is also a training ground for the use of cyber attacks as an active tool of warfare.

This may be a novelty for many, but experts know that Russia has been treating Ukraine as a training ground for its hackers for years. To supplement your knowledge, we present the historical outline of cyber attacks on Ukraine – from the oldest to the newest related to the current situation.

May 22-26, 2014 – Attacks on public institutions related to the presidential elections in Ukraine – CyberBerkut

A wave of cyber attacks attributed to the Russian CyberBerkut group, aimed at disrupting or manipulating the Ukrainian presidential elections in 2014. The attacks are described as “one of the most dangerous cyberattacks ever used to sabotage national elections.”

The campaign consisted of three separate attacks:

1. Infiltration of central electoral networks and deletion of files to prevent the operation of the counting system. CyberBerkut later released the emails and files as evidence. (May 22, 2014)
2. On election day, 40 minutes before the announcement of the election results, Ukrainian cybersecurity experts removed malware from the computers of the Central Election Commission. The malware was designed to fake the results and present as the winner a far-right candidate with a score of 37% and Poroshenko with a score of 29%. While the attack was unsuccessful, Channel 1 Russia showed these results. (May 25, 2014)
3. DDoS attacks on the data links to the vote counting system blocked the election results and delayed the final result. The attack was attributed to CyberBerkut. (May 26, 2014)

Consequences:

• Delays in the final list of elections.

• An attempt to discredit the electoral system in the eyes of the public.

• Attempt to disseminate false information.

December 23, 2015 – attacks on the energy sector – APT Sandworm

The cyberattack has compromised the systems of three energy distribution companies in the Ivano-Frankivsk region in western Ukraine. The attack was the first known successful cyber attack on the power grid.

Prior to the failure, cybercriminals launched a telephone denial of service attack against customer service centers.

Consequences:

• Power cuts for approximately 230,000 consumers for 1-6 hours.

• The customer service center phone lines are down while preventing customers from calling to report the failure. 16 substations were affected, so they did not respond to any remote operator commands.

• An attempt to weaken confidence in Ukrainian energy companies and the government.

December 17, 2016 – another attack on the energy sector – Electrum group

Almost a year after the first attack on the power grid, the cyberattack hit a substation in Kiev and left part of the capital and its vicinity without electricity for over an hour. Researchers describe the malware used in this attack as only the second known case of malicious code designed to disrupt physical systems, and that the malware can automate massive power outages and contains interchangeable plug-in components that could allow it to adapt to different electricity suppliers and be run simultaneously for multiple purposes.

The attack was related to the attack on the power grid in 2015 and attacks on Ukrainian state railways, ministries, etc.

Consequences:

• The blackout lasted just over an hour.

• The power cut caused about a fifth of Kiev’s energy consumption to be lost at this time of night.

• Potential impact could include power distribution shutdown, cascading failures and more serious equipment damage.

July 27, 2017 – NotPetya, attack on the public, financial and energy sectors

Attack with NotPetya data deletion malware on the eve of Ukraine’s Constitution Day against public and private sector entities in Ukraine (80% of affected systems), including financial, energy and government institutions. The attack was highly destructive as it shut down computers by wiping hard drives and spread independently to companies that used the popular tax filing software (M.E.Doc). The malware was not designed to be decrypted. This meant that victims had no way of recovering the data after it had been encrypted. The attack spread all over the world and infected e.g. the Chernobyl radiation monitoring system; and US healthcare organizations. The attack was described as “the most devastating cyber attack ever”.

The EU imposed sanctions (asset freeze and travel ban) through its diplomatic toolkit, while the US imposed sanctions through the Treasury Department’s Foreign Asset Control Office (OFAC).

Consequences:

• The radiation monitoring system at the Chernobyl nuclear power plant in Ukraine has been shut down.

• Economic loss for Ukrainian entities due to irreversible data encryption.

• Infiltration of IT networks, including the systems of the National Bank of Ukraine, the Kyiv-Boryspil international airport and the capital’s metro.

• It affected 65 countries and approximately 49,000 systems worldwide.

• Estimated global economic losses in excess of $ 10 billion.

July 11, 2018 – The attack by “VPN Filter” on the chlorine distillation system

Attempted cyber attack on the network equipment of the Auly Chlorine Distillation Station, which supplies liquid chlorine to water and wastewater treatment plants in 23 provinces of Ukraine, as well as Moldova and Belarus. Within minutes, the company’s technological process control systems and emergency sign detection systems were attacked by VPNFilter malware. If not neutralized, malware can steal credentials, monitor hardware, and completely prevent the infected device from working.

As you can see – the fight in the network has been going on for some time. On the other hand, its implementation in physical conditions is a black scenario, against which we were hoping that it would never come true…

In the next article, we will describe the 2022 attack – directly related to the invasion.