Cyber Incident Victim: National Security and Defense Council of Ukraine
Date: Feb 2021
Location: Ukraine
Summary
The National Security and Defense Council of Ukraine attributed DDoS attacks targeting government defense and security sector websites to threat actors operating from Russian networks. The attacks involved new malware that compromised vulnerable servers and enlisted them into a botnet used for further attacks, while internet providers' security measures risked prolonging website inaccessibility after the attack ended. The incident coincided with Ukrainian law enforcement's international operation against the Egregor ransomware group, though unconfirmed reports suggested retaliatory motives for the disruption of the Security Service's website.
Catalogue metadata: 3 motives, 1 technique and 1 threat actor are recorded for this incident (CIA posture, actor type and actor location are available to members only).
Description
On February 18, 2021, the National Security and Defense Council of Ukraine (NSDC) reported sustained distributed denial-of-service (DDoS) attacks targeting Ukrainian government websites, particularly within the defense and security sectors. The National Coordination Center for Cybersecurity (NCCC), operating under the NSDC, characterized these attacks as large-scale and identified the originating IP addresses as residing on Russian networks. While Ukrainian authorities did not explicitly attribute the attacks to the Russian government, they confirmed the malicious traffic emanated from Russian infrastructure. Investigations revealed attackers had compromised vulnerable Ukrainian government web servers by deploying previously unseen malware, which covertly integrated these systems into a botnet under attacker control. This botnet was subsequently weaponized to launch additional DDoS attacks against other Ukrainian online resources, creating a self-propagating cycle of disruption. The NSDC warned that internet service providers' security systems might erroneously blacklist targeted websites even after DDoS activity ceased, potentially prolonging accessibility issues beyond the immediate attack period.

The incident occurred amid heightened tensions following Ukrainian law enforcement's collaboration with U.S. and French authorities to arrest alleged members of the Egregor ransomware operation. Three days after the Security Service of Ukraine (SBU) publicly announced these arrests on February 19, the SBU's official website became inaccessible due to a DDoS attack. Multiple cybersecurity researchers posited a retaliatory motive linking the website takedowns to the Egregor enforcement actions, though no conclusive evidence substantiated this claim. The NSDC's technical analysis confirmed the dual-stage attack methodology, wherein compromised government servers were repurposed as attack platforms against other domestic targets. This approach amplified the operational impact while complicating attribution and mitigation efforts. No specific data breaches or permanent system damage were reported, though service disruptions affected critical government communications channels during the attack window.
