Ukrainian bank and government websites under attack. Recent info

The websites of Ukrainian state services and dozens of banks have come under heavy attack. AIN.Capital shares recent information.

  • The first was the state-owned Oshchadbank: Yesterday morning, reports emerged that its ATMs, website, and app were not working. Bank representatives initially made some vague statements about the causes of the malfunction. However, in the evening, they attributed it to a powerful DDoS attack.
  • The second was Privatbank: There were some issues with its website and the Privat24 app. This time, a cyberattack was named as the cause sooner.
  • Then three state websites took their turn — Armed Forces, Ministry of Defense, and Ministry of Internal Affairs of Ukraine.

Ukraine’s State Service of Special Communication and Information Protection confirmed that state-owned enterprises and banks were under attack.

But it was only the beginning.

  • After that, it was reported that other banks had also been attacked by unknown individuals. The co-founder of Fintech Band and monobank, Oleg Gorokhovskiy, wrote that A-Bank, Alpha Bank Ukraine, and monobank were also targeted. All attacks have been repelled.
  • Sometime later, the minister of digital transformation, Mykhailo Fedorov, reported that Diia was attacked too. This attack has been repelled.
  • According to AIN.Capital, in the second half of the day on February 15, unknown attackers tried to disrupt the websites of other government agencies. However, this was not confirmed officially. At the time of publication of this article, the websites of the President’s Office, Verkhovna Rada, Cabinet of Ministers, and other ministries worked properly.
  • Russian intelligence services that participate in the escalation of the conflict are named as potential perpetrators. There is no direct evidence, but the Ministry of Digital Transformation confirmed the first attack was from the Russian Federation.
  • All that happened together with other provocations: On February 15, users got messages that Privatbank’s ATMs would not work (in fact, they all worked), and that several state agencies wouldn’t be able to fulfill their obligations, for example, pay pensions. All that information was fake.

It was not the first attack on governmental websites. For example, some of them didn’t work after a cyberattack in mid-January.

Attack details

Cybersecurity specialist Kir Vaznitcky, Senior Consultant at Armorum Solutions, explained to AIN.Capital the timing and logic of the attack:

“Primary targets were Privatbank, Oshchadbank, and the Ministry of Defense and Armed Forces of Ukraine. Privatbank tried to save more critical services (transactions and POS terminals) by offering less critical ones, e.g., Privat24 application. Oshchadbank managed to pass it through sometime later. But unfortunately, the web servers of the Ministry of Defense and Armed Forces of Ukraine didn’t. They had no chance due to much lower technology levels.

After state entities, the focus went on Datagroup service provider, which operates DNS servers of the domain (see below — editor). And this part of the attack was quickly repulsed by the provider’s specialists through launching more anycast servers. However, specific portals (Ministry of Defense, State Emergency Service) remained shut down to decrease the load.”

Hostmaster, the administrator of the .ua domain, provided the AIN.Capital editor with extra details about the sites:

  • The attack went against the websites. During the attack, there was a higher load of DNS servers supporting the function of the and domains.
  • It was pretty powerful: up to 150 Gbit/s at peak moments. For comparison, according to Akamai, one of the most challenging recent DDoS attacks, in spring 2021, hit a gambling company in Europe at 800 Gbit/s.
  • In addition, the attack on state websites was compounded by a domino effect:

“We faced many attacks and are still fighting,” Dmytro Kokhmaniuk, the administrator of the .ua domain, told the AIN.Capital editor last night. “65 Gbit/s was only one of many branches. Unfortunately, several providers began to disable our hardware, which caused a chain reaction that increased the load of other units.”

  • According to Hostmaster, the attack on state portals began at 20:21 on February 15 and lasted over five hours. It came from both foreign and Ukrainian IP addresses, but there is no accurate data about the attack geography at the moment.
  • During the night between the 15th and 16th of February, their specialists launched reserve servers and kept the system operating.

The goal and potential executors

After the night of February 15, Ukrainian cybersecurity experts discussed the goal and possible executors of the attack. Some believe that the February 15 attack is related to the January 14, 2022 attack. Regarding the executors, the Ministry of Digital Transformation mentioned the Russian Federation. Furthermore, the Strategic Communication Center at the Ministry of Culture of Ukraine hinted at Russian footprints in its release.

“The routes were from Russia and China. About 600,000 bad traffic packages per second. Our specialists cut this traffic quickly, but soon there was another wave from Czechia and Uzbekistan,” wrote the minister of digital transformation, Mykhailo Fedorov.

Vlad Styran, CEO at Berezha Security Group, posted an analysis in which he explained the mechanism of such attacks and some defense tactics. He said the attack on February 15 isn’t related to the one in January. He believes that the Strategic Communication Center might be right about the beneficiaries of this attack, which could serve as just a cover for a more severe attack in the future:

“The chance that those two attacks are related is low. Anyone can do DDoS because it is the most stupid and cheapest type of Internet attack. At the same time, it appeared to be a good act of sabotage. It could also be an act of zeroing, as the military guys say. By doing so, they might evaluate the level of oppression that would be enough to shut it down completely. I feel that the real attack remains unrevealed. Otherwise, this one was a childish prank and nothing more.”