The flood of data started slamming Hostmaster Ltd. at 8:21 p.m. Tuesday, a torrent of traffic-blocking junk servers directing traffic to Ukrainian government websites.
These DNS servers, which act like a phone book for web browsers, typically process less than 10 megabits per second. On Tuesday evening, traffic exceeded 150 gigabits per second, some 15,000 times more than normal. Within five minutes, the main servers went down.
Wednesday had been identified by US intelligence as the likely time for a Russian invasion of Ukraine, an attack that did not take place.
But the overnight attack on government websites, which lasted until dawn, was part of a series of cyberattacks this week that demonstrated the attackers’ ability to cut off access to data sources. official information and to disrupt banking operations in the country, while spreading immense amounts of disinformation.
Ukrainian bombardment reignites fears of full-scale Russian invasion
Canada condemns bombing of kindergarten in Ukraine as military considers adding troops to NATO
“We had an invasion – but not like we thought,” said Dmitry Kohmanyuk, co-founder of Hostmaster, which operates the gov.ua domain name used by Ukrainian government websites.
For him and others, what happened this week felt like a first foray, intended to probe vulnerabilities and assess the effectiveness of different tools.
“We think this may be a first try,” said Kohmanyuk, who has worked with Ukrainian internet domain .ua since its launch in 1992. “And maybe they’ll come back with more.” Taking down government websites during an attack would limit authorities’ ability to disseminate critical information.
The work of identifying the attackers is not yet complete and the Kremlin systematically denies any involvement in the cyberattacks. But with more than 150,000 Russian troops positioned around Ukraine and warnings from the United States that it remains ready to invade, security experts suspect Moscow’s hand.
“They are testing the waters,” said Maria Avdeeva, disinformation specialist and research director of the European Association of Experts, a think tank that focuses on security in Ukraine. What’s happening right now resembles what she calls “information warfare, where cyberattacks are combined with the dissemination of disinformation messages.”
On Thursday, US Secretary of State Antony Blinken said in a speech at the United Nations that Russia was taking “steps down the road to war”. The likely progression of this, he said, includes missiles and bombs, then cyberattacks that “will shut down key Ukrainian institutions” before tanks and soldiers advance.
Russian Foreign Ministry spokeswoman Maria Zakharova accused the US of spreading ‘false distorted data’, while Kremlin spokesman Dmitry Peskov slammed claims about an upcoming invasion of “empty and baseless”.
Ukraine has long been a “cyber playground” for Russia to test tools and tactics and has seen a constant barrage of attacks over the past decade, said Andrii Baranovych, the founder of the Ukrainian Cyber Alliance, a community of cyberactivists. In 2015 and 2016, hackers briefly interrupted the operation of two power plants in Ukraine. In mid-January, a cyberattack took down several dozen Ukrainian government websites, including Diia, a portal to many government services. The attackers briefly defaced the Foreign Ministry website with a warning message: “Be afraid and expect the worst.
“We saw attack after attack after attack,” Mr Baranovych said. “It was espionage, it was subversion, it was psychological operations.”
Diia’s attack was dismissed by local authorities as having no such inconvenient consequences, but data later surfaced in hacking forums suggesting the attackers obtained terabytes of information such as addresses and phone numbers. people’s passports, as well as medical records from police and emergency services personnel, Baranovitch said.
This week, a new round of attacks on Ukrainian banks and government websites marked the largest distributed denial of service attack Ukraine has ever seen, authorities said, while demonstrating coordinated tactics against the financial sector.
Before sunrise on Tuesday, people across the country received text messages warning that “due to technical problems” ATMs would not work at Privatbank. Then, throughout the day, denial of service attacks took down the websites of Privatbank and Oschadbank, another major financial institution. Mobile banking apps were not working and some ATM services were disrupted.
This attack ended around 7:30 p.m. Within an hour, the DNS attack on gov.ua began.
The next morning, a series of foreign banks in Ukraine received bomb threats. The Globe and Mail reviewed one such message, emailed from a ProtonMail address at 9:46 a.m. Wednesday.
“I would like to inform you that bombs have been planted in your bank branches in Kyiv, Kharkiv, Dnipro, Chernihiv, Rivne and Odessa, which could explode at any time,” the email reads. “Hopefully you can evacuate your customers and staff so no one gets hurt.”
Banks closed branches as a precaution, but searches by security services found nothing. Most branches reopened before the end of the day.
The coordinated action seemed calibrated “to produce panic — for people to go to ATMs and start withdrawing money and destabilize the banking system with huge withdrawals,” Baranovych said.
Such a panic did not materialize. “Ukrainian society in general has developed a certain resilience in the face of disinformation,” said Mykola Balaban, deputy director of the Center for Strategic Communications and Information Security, which is part of the Ministry of Culture and Politics. some information.
But the flow of fake news quickly escalated, reaching some of the highest levels since 2014, the year Russia invaded and annexed Crimea, Balaban said.
He sees it as a component of hybrid warfare. “When there is a kinetic escalation,” like the troops amassed around Ukraine, “there will also be an escalation in cyberspace.”
Cyabra, a company that tracks misleading information on social media, saw an 11% increase in negative content on Twitter on February 14. Of more than 5,000 profiles tracked by Cyabra on Twitter and Facebook, more than half of the Ukraine-related information came from what the company called “inauthentic profiles such as bots or puppet accounts.”
The information they promoted is not only an attempt to promote discord and social destabilization in Ukraine, it could also have deadly consequences.
After shells hit a kindergarten in eastern Ukraine on Thursday, Russian accounts on Telegram responded in just over an hour calling it an attack by Ukrainian forces. This is “completely untrue”, said Ms Avdeeva, the disinformation researcher.
“They are pushing information that could create a pretext for a possible full-fledged operation,” she said.
“From what I see from the information and disinformation being disseminated, Russia is very clearly preparing for some kind of offensive attack.”
Our Morning Update and Evening Update newsletters are compiled by Globe editors, giving you a concise summary of the day’s most important headlines. register today.