YURAS KARMANOV, FRANK BAJAK, ERIC TUCKER and DASHA LITVINOVA
KYIV, Ukraine (AP) — Hackers temporarily took down dozens of Ukrainian government websites on Friday, causing little damage but escalating tensions as Russia amasses troops on the border with Ukraine. Separately, in a rare gesture to the US at a time of icy relations, Russia said it had arrested members of a major extortion ring targeting US organizations.
The seemingly unrelated events came during a period of hectic activity in which the US publicly accused Moscow of plotting a further invasion of Ukraine and creating a pretext for doing so. They underscored that cybersecurity remains a key concern — that escalating hostility carries the risk not only of real violence, but also of devastating digital attacks that could affect Ukraine or even the United States.
The White House said Friday that President Joe Biden had been briefed about the downtime of about 70 national and regional government websites, but did not indicate who could be held responsible.
But even without any blame being assigned, suspicion fell on Russia, given its history of hitting Ukraine with devastating cyberattacks. Ukraine’s security service, the SBU, said preliminary results of the investigation point to the involvement of “hacker groups linked to Russian intelligence agencies.” It said that most websites had been restored, that their content had not been changed and that no personal data had been leaked. The SBU said that the criminals “hacked into the infrastructure of a commercial company that had access with administrator rights to the sites affected by the attack.”
The White House said it is still evaluating the impact of the defacements, but has called it “limited” for now. Meanwhile, a senior administration official said the White House welcomed the news of arrests in Russia of alleged extortion gang members. According to Moscow, this operation was carried out at the request of the US authorities.
The official, who briefed reporters on condition of anonymity, said one of those arrested was linked to the Colonial Pipeline hack, which led to gas shortages in parts of the US last year. According to the official, the White House believes that the arrests are not related to tensions between Russia and Ukraine.
Russia’s past cyber operations against Ukraine include the hacking of its voting system ahead of the 2014 national elections and of its power grid in 2015 and 2016. caused more than $10 billion in damage worldwide. Moscow has previously denied involvement in cyberattacks on Ukraine.
Ukrainian cybersecurity experts, to whom the US State Department has awarded more than $40 million, have been strengthening the protection of critical infrastructure ever since. NATO Secretary General Jens Stoltenberg said on Friday that the alliance will continue to provide Ukraine with “strong political and practical support” in the face of cyberattacks.
Experts say Russian President Vladimir Putin could use cyberattacks to destabilize Ukraine and other former Soviet republics that want to join NATO, without needing to commit troops. Tensions between Ukraine and Russia are high, with Moscow amassing some 100,000 troops near its vast border with Ukraine.
“If you’re trying to use it as a stage and a deterrent to stop people from moving forward with NATO interests or other things in mind, cyberspace is perfect,” Tim Conway, a cybersecurity instructor at the SANS Institute, told AP last week.
The main question surrounding website defacements is whether they are the work of Russian freelancers or part of a larger state-backed operation, said Oleg Derevyanko, a leading private sector expert and founder of cybersecurity firm ISSP.
The message, published by the hackers in Russian, Ukrainian and Polish, said that the personal data of Ukrainians had been posted online and destroyed. It urged Ukrainians to “be afraid and expect the worst.” In response, the Polish government noted that Russia has a long history of disinformation campaigns and that the Polish language in the message contained errors and was clearly not from a native speaker.
Researchers at the Eurasia Group, a global risk think tank, said the defacements in Ukraine “do not necessarily indicate an imminent escalation of hostilities by Russia” — they rank low among its cyber options. They said Friday’s attack amounted to “trolling, sending a signal that Ukraine can expect even worse.”
The defacements follow a year in which cybersecurity became a major concern due to the Russian government’s cyber-espionage campaign targeting US government agencies and ransomware attacks launched by Russia-based criminal gangs.
On Friday, Russia’s Federal Security Service, or FSB, announced the arrest of members of the REvil extortion gang. The group was behind last year’s Fourth of July supply chain attack targeting software company Kaseya that damaged more than 1,000 businesses and public organizations around the world.
The FSB said it had liquidated the gang, but REvil effectively disbanded in July. Cybersecurity experts say its members have mostly moved on to other ransomware syndicates. On Friday, they questioned whether the arrests would have a significant impact on ransomware gangs, which have only moderately weakened following high-profile attacks on critical US infrastructure last year, including the Colonial Pipeline.
The FSB said it searched the homes of 14 members of the group and seized more than 426 million rubles ($5.6 million), including in cryptocurrency, as well as computers, crypto wallets and 20 luxury cars “bought with money obtained from crime.” All detainees were charged with “illegal circulation of means of payment,” a criminal offense punishable by up to six years in prison. The suspects have not been named.
According to the FSB, the operation was carried out at the request of the US authorities, who identified the leader of the group. This is the first significant public action by Russian authorities since Biden warned Putin last summer that he needed to crack down on extortion gangs.
Experts say it’s still too early to tell whether these arrests signal a massive Kremlin crackdown on extortion gangs, or whether they could just be scattered attempts to appease the White House.
“The continuation of the sentencing one way or another will send the strongest signal IF there really has been a change in how Russia will tolerate cybercriminals in the future,” Bill Siegel, CEO of ransomware response company Coveware, said in an email.
Yelisey Boguslavsky, director of research at Advanced Intelligence, said those arrested are likely low-level affiliates and not the people who ran the ransomware-as-a-service operation, which disbanded in July. REvil also apparently robbed several of its affiliates, which is why it has enemies in the underground, he said.
REvil’s attacks have disabled tens of thousands of computers around the world and fetched at least $200 million in ransom, Attorney General Merrick Garland said in November as he announced charges against two gang-linked hackers.
Such attacks have attracted significant attention from law enforcement officials around the world. Hours before the US announced the arrests, European law enforcement officials released the results of a months-long operation in 17 countries that resulted in the arrest of seven hackers linked to REvil and another ransomware family.
The AP reported last year that U.S. officials had meanwhile shared a small number of names of suspected ransomware operators with Russian officials.
Brett Callow, a ransomware analyst at cybersecurity firm Emsisoft, said that whatever Russia’s motives, the arrests “are sure to shock the cybercriminal community. Former affiliates and business partners of the gang will invariably be concerned about the consequences.”
Bajak reported from Boston, Litvinova reported from Moscow, and Tucker reported from Washington. Catherine Gaschka of Brest, France, and Alan Suderman of Richmond, Virginia, contributed to this report.