
Cyber Incident Victim: KP in Ukraine

Date: Feb 2021

Location: Ukraine

Summary

DDoS attacks targeting Ukrainian government websites, particularly in defense and security sectors, originated from Russian networks, with compromised servers infected by malware to covertly enlist them into a botnet used for further attacks. The incident disrupted access to critical online resources, potentially exacerbated by internet providers blacklisting affected sites post-attack. These events coincided with law enforcement actions against ransomware operators, though no direct attribution was confirmed.

CIA Posture: Available to members
Motives: 4 motives
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 2 actors
Type: Available to members
Location: Available to members

Description

Between February 18 and February 23, 2021, Ukrainian government websites experienced sustained distributed denial-of-service (DDoS) attacks targeting entities within the defense and security sectors. The National Coordination Center for Cybersecurity (NCCC), operating under Ukraine’s National Security and Defense Council (NSDC), attributed these attacks to threat actors utilizing Russian network infrastructure. Investigators identified a novel malware strain deployed against vulnerable government web servers, which covertly assimilated infected devices into a botnet controlled by the attackers. This botnet infrastructure was subsequently leveraged to launch additional DDoS attacks against other Ukrainian online resources, creating a self-propagating cycle of disruption. The NSDC emphasized that compromised servers were weaponized to target fellow government assets, amplifying the scale of disruptions. Internet service providers’ automated security systems compounded the impact by blacklisting attacked websites even after DDoS activity ceased, rendering them persistently inaccessible to legitimate users. Technical analysis confirmed the attacks originated from IP addresses geographically located within Russia, though Ukrainian authorities refrained from formally attributing the campaign to the Russian government.

The incident occurred against the backdrop of Ukrainian law enforcement’s coordinated action against the Egregor ransomware operation. On an unspecified date preceding the DDoS attacks, Ukrainian authorities collaborated with US and French police to arrest individuals allegedly linked to Egregor. The Security Service of Ukraine (SBU) publicly announced these arrests in an official press release. Within 24 hours of this announcement, the SBU’s website became inaccessible due to DDoS bombardment. Multiple independent security researchers posited a retaliatory motive connecting the website takedowns to the Egregor arrests, though no conclusive evidence substantiated this theory. The NCCC’s investigation focused on technical remediation, including identifying and cleansing infected servers to dismantle the botnet. No details regarding restoration timelines for affected services or specific defensive countermeasures were disclosed. The attacks demonstrated operational sophistication through the deployment of malware designed specifically to repurpose government infrastructure into attack platforms, while the prolonged provider-side blacklisting created secondary availability issues beyond the immediate DDoS periods.

Sources

2 sources (available to members)