KYIV, UKRAINE — Ukraine reported a targeted hack of government websites Friday amid a deepening crisis with Russia and left experts puzzling over the ominous message left by the hackers: “Be afraid and expect the worst.”
Ukraine officials said it was too early to say who was behind the hack — which Ukraine described as “massive” — but noted Russia had been behind similar attacks before. Analysts said the defacements may be the work of non-state agents, or hacktivists, noting that vandalizing government websites was not a sweeping or sophisticated hacking operation.
But at least one Ukrainian agency, the Center for Strategic Communications and Information Security, openly blamed Russia, linking it to Russia’s efforts to block Ukraine’s aspirations to join NATO.
In a statement, Ukraine’s cyber police said that 10 of the roughly 70 sites that were attacked experienced an “intrusion” but that the sites’ contents were “not altered and no personal data was leaked.” Officials also said that there was a “high probability” it was a “supply-chain attack” in which hackers first entered through the system of a commercial company.
The timing of the attack also elevated worries in Ukraine. It came a day after the latest round of diplomatic efforts in Europe failed to deter Russia’s military buildup near Ukraine or persuade Moscow to de-escalate. Russia stood firm on its demands, including that NATO block Ukraine from possibly joining the military alliance and end military aid to Ukraine.
Russia has up to 100,000 troops massed on the Ukrainian border, prompting fears of an invasion. Russia insists it has no plans to launch a major military escalation against Ukraine, where the Kyiv government has battled Russian-backed separatists in the eastern region of Donbas since 2014. But U.S. officials have raised alarms that Moscow could be laying the groundwork for military action.
In Washington, the Biden administration asserted Friday that Russia has sent operatives into eastern Ukraine in preparation for potential sabotage operations that would serve as a pretext for invasion, according to a U.S. official who spoke on the condition of anonymity under ground rules established by the Biden administration.
Yet Russia also offered a hand Friday to the United States with the arrest of 14 alleged members of the REvil ransomware gang and announced that it had eliminated the group at the request of Washington.
The Russia-based REvil gang has carried out numerous attacks on major global companies, including the July attack on software provider Kaseya and the May attack on the world’s biggest meat-processing business, JBS. Former REvil associates also are believed to be responsible for the May cyberattack on Colonial Pipeline that led to gas shortages on the U.S. East Coast.
The Ukraine hack also triggered concern in Washington and Europe with officials watchful of the role of cyber and information attacks in modern warfare. Any major cyberattack on Ukraine by the Russian state could also trigger tough new sanctions.
The National Security Council said in a statement that the United States and allies were “concerned about this cyberattack” and that President Biden had been briefed. The NSC said it was not yet known who was to blame, adding that the impact seemed limited, with government websites swiftly restored.
“We are in touch with the Ukrainians and have offered our support as Ukraine investigates the impact and nature and recovers from the incidents,” the statement said.
A statement from Ukraine’s cyber police said that “more than five” government sites were attacked and that authorities had launched an investigation to identify the perpetrators. Officials said it was too early to say who was behind the attacks.
In a later briefing, Viktor Zhora, deputy head of Ukraine’s state agency for special communications and information protection, said that “close to 70” federal and local government websites were attacked and that a “substantial portion” were up and working again.
Commenting on who was responsible for the attack, Andriy Yermak, head of the presidential office of Ukraine, said “we have some thoughts about who made it” but did not elaborate. He said Ukraine had expected such attacks as part of an effort to destabilize the country internally.
Defacements themselves are not technically sophisticated. “This may appear to be a complex operation, but could be the result of access to a single system creating a widespread effect,” said John Hultquist, director of intelligence for Mandiant, a cybersecurity firm. “It’s important not to overestimate the capability necessary to carry out this attack.”
Mass defacements of Ukrainian government sites are consistent with past incidents as tensions have grown in region. In conjunction with the Russian invasion of Georgia in 2008, “patriotic” hackers sympathetic to Russia blocked access to Georgian government websites and defaced a Ministry of Foreign Affairs site, juxtaposing pictures of the Georgian president with pictures of Adolf Hitler. In 2019, hackers with Russia’s military spy agency, GRU, carried out mass defacements of Georgian government sites.
“As tensions grow we can expect more aggressive cyber activity in Ukraine and potentially elsewhere,” Hultquist said.
The defacement message included a reference to issues of dispute between Poland and Ukraine, a “dubious” suggestion that the author was a Polish nationalist, Hultquist said. Fake nationalist personas are used regularly by Russian actors seeking to shield aggressive activity “behind a deniable facade,” he said.
In comments at an Atlantic Council event, he said Ukrainian President Volodymyr Zelensky proposed to Biden setting up a trilateral meeting with the leaders of the United States, Russia and Ukraine.
The “life and death” of Ukraine is in the balance, Yermak said.
Just hours before the attacks, Dmitri Alperovitch, an expert on cybersecurity and co-founder of CrowdStrike, a leading firm in the field, said in a Washington Post Live discussion that Ukraine had already been subjected to increased computer probing, which he said could be a prelude to an invasion.
“We are also seeing increased cyber intrusions that appear to be intelligence collection for potential execution of a kinetic operation by the Russians,” he said. “A lot of people, myself included, expect very likely an invasion of Ukraine to occur in the next month or so.”
Earlier this month, Ukraine’s state security services said that they had blocked in December close to 60 hacks of “information systems of state institutions.” Those included malware and “web app attacks.”
On Friday morning, Ukraine’s Foreign Ministry and Ministry of Education and Science posted on social media that their sites were down, and local media reported that the country’s main government website and the websites of the Emergency Situations Ministry and the Ministry of Veterans Affairs were also affected.
Visitors to some Ukrainian government sites were greeted with a message — written in Ukrainian, Russian and Polish — telling them that their personal data had been “uploaded to the public network” and “destroyed.”
“All information about you has become public, be afraid and expect the worst,” the message said. “This is for your past, present and future.”
Officials maintained that the hackers did not obtain people’s personal information. “Ukrainians’ data is safe,” Mykhailo Fedorov, minister for digital transformation, posted on social media.
The attack came immediately after a flurry of diplomatic efforts in Europe failed to resolve the mounting crisis over Russian demands for sweeping new security arrangements by the United States and NATO. Among other demands, Russia wants them to block not only Ukraine but also other Eastern European and former Soviet countries from ever joining the alliance.
Russian Foreign Minister Sergei Lavrov added Friday that he expects U.S. and NATO forces to use the tensions as a pretext to build up their forces in the region. He also said that Russia was ready for any new sanctions, which Western countries have threatened to impose if Russia invades Ukraine.
Ukraine was the main target of the devastating NotPetya cyberattack in June 2017 that hit the country’s banks, ministries, its subway and other organizations. The United States, Britain and others blamed the attack on the Russian military, although Moscow denied any role.
The NotPetya virus spread around the world, affecting major global companies, including the pharmaceutical company Merck and shipping companies Maersk and FedEx, bringing some transport operations to a halt.
In 2015 and 2016, blackouts hit portions of Ukraine’s electrical power grid. Investigators later determined that hackers caused the power cuts. In 2015, some 225,000 people were affected.
Dixon reported from Belgrade, Serbia. Ellen Nakashima and Missy Ryan in Washington contributed this report.