With Ukraine-Russia escalating tensions in the background, during the night between the 13th and 14th January, 2022, a total of 70 websites related to Kiev’s government showed a creepy message written in Ukrainian, Russian, and Polish: “Ukrainian! All your personal data has been uploaded onto the public internet […] Be afraid and expect the worse. This is for your past, your present and your future”.
The defacement of the sites was part of the latest cyberattack suffered by Ukraine, which saw the web portals of several institutions (including the Ministry of Foreign Affairs, the Cabinet of Ministers and the Security and Defence Council’s) being taken down for several hours. Later on, the Security Service of Ukraine (SBU) confirmed that apparently no personal data has been stolen.
The Euro-Atlantic top leaders immediately reacted by condemning the offensive. NATO SG Stoltenberg added that technical experts are helping Ukrainian authorities to counter malicious activities and that an agreement between the Alliance and Kiev on enhanced cyber cooperation (which includes access to NATO’s malware information sharing platform) was close to be signed.
For his part, EU top diplomat Josep Borrell was committed to mobilise all possible resources to tackle the problem, adding that no proof is available to blame someone for the attack, but “we can imagine” who is behind it. Nevertheless, unlike Borrell’s words, the attribution of this malicious cyber activity has been quite tricky so far.
After a first round of investigations, on January 16 Ukraine’s Digital Development ministry affirmed that all evidences point to the Kremlin as the main responsible for the offensive, aimed at destabilising the country through means of hybrid warfare. For its part, Putin’s spokesman Dmitry Peskov denied the accusations by stating that Moscow has “nothing to do” with the case.
More recent analyses carried out by Kiev’s authorities have attributed these malicious activities to the cyber-espionage group UNC1151, which is believed to be under the control of Belarus’ intelligence services. To date, no official from Minsk have answered to the allegations.
Furthermore, the malware employed to encrypt data on the server seems to share many similarities with another one belonging to the Advanced Persistent Threat (APT) collective known as APT29 or Cozy Bear, a state-sponsored adversary with well-known affiliation to Moscow’s Foreign Intelligence Service (SVR).
From the perspective of the Alliance, it is noteworthy that UNC1151 has been already spotted while conducting malicious activities within the cyber domain. As reported by Mandiant, there is a high confidence that since 2020 the collective provided technical support to the anti-NATO information operation campaign Ghostwriter, with target countries located mainly in the former Soviet Union.
But while investigations continue, troubles for Ukraine may not be over. Since the 22nd of January, a leaked database alleged to contain personal data of two million Ukrainians is available online. Presumably, the leak comes from the Diia, a service provided by the ministry of Digital Development that manages passports and COVID-19 vaccination certificates. Despite the origin of the database being still unclear, the data breach may further erode public trust in Kiev’s effectiveness in protecting citizens in the cyber arena.
Federico Berger
Social Media Intelligence (SOCMINT) Analyst for the Italian cybersecurity firm TS-Way. Since 2021, he is listed among the Emerging Security Challenges Analysts of the NATO Defense College Foundation. He is currently enrolled in the 360/Digital Sherlocks training program of the Atlantic Council’s Digital Forensics Research Lab (DFRLab).
