Massive cyberattacks slam official sites in Russia, Ukraine

After Sunday's disputed Crimea vote, Russian government sites were hit with a powerful wave of denial-of-service attacks, apparently in response to cyberattacks on official Ukrainian sites.

Source: Dell SecureWorks
Geographic breakdown of known DirtJumper DDoS command and control servers, which are used to conduct cyberattacks to shut down targeted websites and in financial fraud. On Friday, the Dell SecureWorks Counter Threat Unit saw one of a family of Eastern European DirtJumper botnets target numerous pro-Ukrainian government websites, including news media outlets.

The back-and-forth volley of cyberattacks that began last week between Ukraine and Russia hit its highest pitch yet Monday, with Russian websites slammed by an onslaught designed to flood websites until they become unusable.

The open cyber flareup began last Thursday when attacks clearly originating in Russia targeted an unidentified computer network in Ukraine. The next day, a powerful attack temporarily knocked out websites for the Kremlin, the Russian central bank, and Russia’s Foreign Ministry, though Russian authorities said the attack had nothing to do with the Ukraine crisis.

On Sunday, Ukrainian government websites were hit by a wave of 42 cyberattacks during Crimea’s vote to secede from Ukraine and join Russia. The attacks being observed are all distributed denial of service (DDoS) attacks, which clog websites with bogus data, and they echo the DDoS attacks Russia used in 2008 when it invaded the former Soviet state of Georgia.

But Monday, a day after the vote, brought easily the largest and most powerful attacks, including 132 separate DDoS blasts slamming Russian sites. They included one that was 148 times more powerful than anything Russia did in Georgia in 2008, and four times larger than the attack launched from Russia last Thursday, according to Arbor Networks of Burlington, Mass., which tracks such attacks.

The largest attack against Russian websites Monday registered 124 gigabytes per second of spurious data targeting a single network for about 18 minutes – plenty long enough to overwhelm and take down its target, experts said. The largest attack against Georgia in 2008 hit only 843 megabytes per second.

By contrast, Monday saw just four reported DDoS attacks targeting Ukraine, with a peak size of 9.8 gigabytes per second.

“There are multiple types of attacks being thrown against some of the targeted sites,” writes Jason Jones, an analyst at Arbor Networks, in an e-mail interview. “From the botnet tracking perspective, it has definitely a back and forth between Russia and Ukraine sites being targeted....”

Targets of the attacks were not identified by Arbor Networks, according to company policy, and many of the attackers could not be identified because the attacks were diffused across so many attacking computers worldwide. But at least some attacks against Ukraine could be tied to two large criminal botnets – millions of computers worldwide that are infected and controlled by malware from cyber criminal gangs. Botnets are often rented out to conduct DDoS attacks.

On Friday, the Dell SecureWorks Counter Threat Unit (CTU) research team observed a family of Eastern European criminal botnets, dubbed DirtJumper, include on their target lists for DDoS attacks “numerous pro-Ukrainian government websites, including Ukrainian news media outlets,” writes Elizabeth Clarke, a spokesman for the company, in an e-mail. DirtJumper was also active in early December, when CTU saw two DirtJumper botnets being used to DDoS Ukrainian government sites.

It’s hard to see any national allegiance linked to the DirtJumper botnet attacks, especially since, in theory, anyone with the cash can rent them. DirtJumper command and control servers exist in Ukraine and Russia and other nations, but with the majority in Russia, Dell SecureWorks reports. Historically they have been used, and continue to be used, by criminal groups to DDoS financial institutions as the criminals make fraudulent wire transfers, Ms. Clarke notes. The goal is to distract the financial institutions' security team.

Botnets controlled by Russian cyber criminals were used in DDoS attacks on Estonia in 2007 and Georgia a year later, several analysts have since reported. But most of the Monday attacks against Russia could not be definitively tied to a particular country, Arbor Networks experts said. In one case, however, Russian media on Sunday fingered the United States.

“US hackers target Crimean referendum website,” the Kremlin-run Voice of Russia reported Sunday, according to National Public Radio. The Russian news service cited vote organizers who claimed the attacks were linked to computers at the University of Illinois at Urbana Champaign, NPR reported.

Meanwhile, a NATO spokesman tweeted that the organization's homepage and other websites were hit by a "significant DDoS attack" Saturday and Sunday. The main NATO web server was reportedly restored Monday, and the others a few hours later. A hacker group called CyberBerkut claimed responsibility for the attack, which it said in a statement was intended to protest NATO involvement in the Ukrainian crisis.

The heavy cyber fusillades follow what had been a calm period with relatively few overt attacks before last week. One exception was the detection of Russian cyberespionage malware called “Snake” in Ukrainian government systems.
