Ukrainian Distributed Denial of Service (DDoS) Attack


In Mid-February 2022, institutions central to Ukraine’s military and economy were hit with a wave of Distributed Denial-of-Service (DDoS) attacks. The targets were core entities to Ukraine, including the Armed Forces of Ukraine, the Ministry of Defense, Oschadbank (the State Savings Bank), and Privatbank, the country’s largest commercial bank, servicing nearly 20 million customers. Oschadbank and Privatbank are considered “systemically important” to Ukraine’s financial market stability.

What Happened?

By overloading targeted servers, this kind of DDoS attack ensured that end-users couldn’t access their websites, bank accounts, or anything related to those websites for a period of time. As Ukraine’s Center for Strategic Communications noted in a Facebook post, some Privatbank customers found themselves “completely unable to access” the company’s app, while others’ accounts “do not reflect balance and recent transactions.”

Some customers received SMS messages claiming that ATMs were out of order, according to a tweet from Ukraine’s Cyberpolice. Those reports, however, were later debunked, according to NPR.

By making these entities unreachable, the attackers disrupted the availability of these websites and services, but not the integrity or confidentiality of any data. Therefore, the transactions, balances, and private information associated with bank accounts and military databases appear not to have been accessed or changed, according to news reports.

Russian-Based Hacking Campaign

While limited in impact, this attack came hours after the Security Service of Ukraine (SSU) reported a “massive wave of hybrid warfare” in which 120 cyberattacks were committed against government authorities and a botnet of more than 18,000 social media accounts was deployed to “systemically sow panic, spread disinformation, and distort the real state of affairs” in the country.

Mike McLellan, director of intelligence at SecureWorks, when asked whether this was a Russian-backed attack, stated:

“It would be no surprise if it transpires that they are the result of cyberattacks conducted by Russia, or by threat actors with a pro-Russian agenda. Russia has a history of cyberattacks designed to distract the Ukrainian government and critical infrastructure operators and undermine the trust among the Ukrainian population.”

In the past two months, Russian Advanced Persistent Threats (APTs) have been tied to an attack on 70 Ukrainian government websites using destructive malware from the wiper family. This malware destroys a computer’s Master Boot Record, rendering the machine inoperable. It was used against Ukrainian government, non-profit, and IT organizations, alongside increased attacks and espionage against military targets.

It’s worth mentioning that the 2014 Russian invasion of Crimea coincided with an outbreak of the Turla virus, targeted espionage, and DDoS attacks against government agencies, politicians, and businesses. These attacks were reportedly 20 times more powerful than the Russian attacks on Georgia prior to the 2008 invasion.

Could This Happen to the United States?

In the past, attacks against Ukrainian targets have crippled companies that simply do business or passively interact with Ukrainian organizations. In 2017, NotPetya malware breached a Kiev-based accounting software vendor causing billions of dollars of damage to multinational corporations like Maersk, Merck, and FedEx.

U.S. Government officials have been warning of the potential for similar attacks directed at the United States government and its critical industries. A January bulletin from the Department of Homeland Security (DHS) concluded that “Russia would consider initiating a cyberattack against the Homeland if it perceived a U.S. or NATO response to a possible Russian invasion of Ukraine threatened its long-term national security.” The DHS and FBI also recently warned of an uptick in Russian scanning of domestic law-enforcement networks and other American targets.

How Can You Prevent a DDoS Attack?

SMBs typically shouldn’t have to worry about the threat of a DDoS attack, but if you’re in certain industries (politics, social causes, the defense industry, etc.) it may be a good idea to look into DDoS protections. There are three traditional ways to handle DDoS attacks.

First, increase your bandwidth and servers to handle the extra load. During many companies’ Super Bowl ads, their website gets overwhelmed with legitimate connection requests and crashes. This is what happened to Coinbase during its QR code ad in the 2022 Super Bowl. Having enough bandwidth and server capacity can help prevent an accidental DDoS caused by legitimate queries.

Secondly, depending on your situation and company size, mid-enterprise companies will often leverage a Content Delivery Network (CDN) to protect themselves from DDoS attacks. A side benefit is that their website loads much more quickly, because it is served from a replica close to the requesting computer rather than from a traditional single website in a single data center that could be 6,000 miles away. CDNs bring that traffic to local servers and website replicas distributed throughout the world. CDNs are very expensive and typically unaffordable for all but the largest companies. CDN services are designed to accommodate huge amounts of traffic and serve the same content locally to each request.

Thirdly, the largest companies of the world can purchase Internet-based traffic scrubbing solutions from companies like Cloudflare and Netscout. In this solution, all traffic destined for your website is redirected via DNS A-record changes to a cloud provider that identifies the malicious traffic and “scrubs” it, removing it before forwarding all remaining legitimate traffic to your website. These solutions are extraordinarily expensive.

Finally, some DDoS solution providers combine CDNs with scrubbing technology to filter out malicious traffic destined for your web services as close as possible to the attacking computers. This combines the benefits of cloud scrubbing, CDN speed, and a massively distributed network of devices to provide DDoS protection. Cloudflare’s Magic Transit service is one example of this combined approach; Cloudflare’s video on the service goes into more detail.
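The scrubbing and capacity paragraphs above describe two different questions a provider has to answer about incoming traffic: is any single source flooding the site, and is the site as a whole receiving more than it can serve? The script below is an added example, not CyberHoot’s code nor anything from Cloudflare or Netscout, that runs both checks over constructed web-server access-log lines. The log lines, the client addresses (drawn from RFC 5737 documentation ranges), the 10-second window and the 20-request threshold are all assumptions chosen for the illustration; real scrubbing services use far more signals than request counts.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Prefix of an Apache/nginx "combined"-style access-log line:
# client IP, identity, user, [timestamp], "request line", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return (client_ip, timestamp) for a well-formed line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts


def find_flood_sources(lines, window_seconds=10, max_requests=20):
    """Per-source check: flag any client that sends more than max_requests inside window_seconds.

    Returns {ip: peak request count observed within one window}. Lines are expected
    to be in time order for each client, as an access log normally is.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the sliding window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip it rather than abort the whole analysis
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop requests that have aged out of the window
        if len(q) > max_requests:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def peak_aggregate_requests(lines, window_seconds=10):
    """Site-wide check: the most requests from all clients combined within any window_seconds span.

    Compared against known server capacity, this catches a distributed flood whose
    individual sources each stay under the per-source threshold.
    """
    stamps = sorted(parsed[1] for parsed in map(parse_line, lines) if parsed is not None)
    peak = start = 0
    for end, ts in enumerate(stamps):
        while (ts - stamps[start]).total_seconds() > window_seconds:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def _line(ip, second, path="/"):
    # Constructed sample line; the date and addresses are placeholders, not real traffic.
    return f'{ip} - - [16/Feb/2022:14:00:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'


# Constructed sample log: one normal customer session, one single-source flood
# (30 requests in 6 seconds), and a distributed flood of 40 sources sending 1 request each.
SAMPLE_LOG = (
    [_line("198.51.100.4", s, "/login") for s in (1, 7, 15)]
    + [_line("203.0.113.7", s // 5) for s in range(30)]
    + [_line("203.0.113.%d" % (10 + i), 20 + i % 4) for i in range(40)]
)

if __name__ == "__main__":
    print("per-source flood:", find_flood_sources(SAMPLE_LOG))
    print("peak site-wide requests in a 10 s window:", peak_aggregate_requests(SAMPLE_LOG))
```

On the sample data the per-source check flags only 203.0.113.7, while the 40 distributed sources pass it untouched; only the site-wide count (41 requests in one window) reveals that second flood. That gap is why capacity planning and scrubbing are complementary rather than alternatives.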

In the grand scheme of things, CyberHoot has witnessed a single DDoS attack against a government website and never once against a Small to Medium-sized business. They aren’t that common in the SMB space. We recommend you understand what a DDoS attack is, but stop short of protecting yourself with expensive solutions until you need one.

Additional Cybersecurity Recommendations

The recommendations below will help you and your business stay secure against the various threats you may face on a day-to-day basis. All of them are covered by CyberHoot’s vCISO Program development services.

  1. Govern employees with policies and procedures. You need a password policy, an acceptable use policy, an information handling policy, and a written information security program (WISP) at a minimum.
  2. Train employees on how to spot and avoid phishing attacks. Adopt a Learning Management system like CyberHoot to teach employees the skills they need to be more confident, productive, and secure.
  3. Test employees with Phishing attacks to practice. CyberHoot’s Phish testing allows businesses to test employees with believable phishing attacks and put those that fail into remedial phish training.
  4. Deploy critical cybersecurity technology including two-factor authentication on all critical accounts. Enable email SPAM filtering, validate backups, deploy DNS protection, antivirus, and anti-malware on all your endpoints.
  5. In the modern Work-from-Home era, make sure you’re managing personal devices connecting to your network by validating their security (patching, antivirus, DNS protections, etc.) or prohibiting their use entirely.
  6. If you haven’t had a risk assessment by a 3rd party in the last 2 years, you should have one now. Establishing a risk management framework in your organization is critical to addressing your most egregious risks with your finite time and money.
  7. Buy Cyber-Insurance to protect you in a catastrophic failure situation. Cyber-Insurance is no different than Car, Fire, Flood, or Life insurance. It’s there when you need it most.

All of these recommendations are built into CyberHoot the product or CyberHoot’s vCISO Services. With CyberHoot you can govern, train, assess, and test your employees. Visit CyberHoot.com and sign up for our services today. At the very least continue to learn by enrolling in our monthly Cybersecurity newsletters to stay on top of current cybersecurity updates.
