Belarusian Intelligence Behind Ukrainian Government Website Cyber Attacks


ISBuzz Staff | »

Ukrainian government websites were hit by cyber attacks over the weekend. According to this Reuters article, the Ukraine suspects UNC1151 (a group linked to Belarus intelligence) to be tied to this activity.

Peter Draper

| January 17, 2022

Peter Draper, Technical Director, EMEA, Gurucul

In terms of attribution, the current and historic tensions between Ukraine and Russia suggest that this was Russian State sponsored attack. However, it seems less hardcore than previous Russian state sponsored attacks which have been seen in the wild. There are many hacker groups within Russia and this attack seems more likely to have come from one of the lesser groups and potentially more patriotic focused than trying to do real damage. This attack may be evidence of a campaign that ran over a few years, where the groundwork for the attack was laid during the annexation of Crimea. Now hackers could be exploiting the vulnerabilities they had access to because it was convenient for them to do so.


| January 17, 2022

Garret F. Grajek, CEO, YouAttest

If there is any proof needed that cyberwarfare is now as much part of warfare as bullets and tanks – this is it. +In fact, the ability to undermine a nation’s economy, political systems, and infrastructure – are all now available via a remote keyboard and make the other mechanisms arcane and less attractive. But there is nothing clean and harmless about cyberwarfare – shutting down a countries ability to feed, hospitalize and care for its own people is as much as act of war as bombing or attacking through other means.

The U.S. CISA organization (Cybersecurity and Infrastructure Security Agency) has just put out a set of alerts focused directly on the activities of Russia and its aggressive cross-border sponsored hacking. It’s important to note – CISA is part of the U.S. Dept of Homeland Security.


| January 17, 2022

Jamie Akhtar, CEO and Co-founder, CyberSmart

Although this looks like a nation-state attack, it perfectly illustrates how supply chains and networks make everybody vulnerable. In this case, it only needed a breach in one arm of the Ukrainian government to take whole swathes of it down.

It’s a timely reminder to all of us to be mindful of our interconnectedness, whether that’s in our personal online lives or at work. And it’s also a reminder that the best way to prevent cyberattacks of this nature is through cooperation between businesses, partners or state departments.


| January 17, 2022

Javvad Malik, Security Awareness Advocate, KnowBe4

These attacks show signs of being a coordinated state-backed operation.

It highlights the importance for all organisations and countries to take cyber security seriously and invest in the appropriate controls to help prevent, detect, and respond to any attacks. Many times, state-backed actors will also use standard attack methods such as social engineering, taking advantage of unpatched software, or weak credentials.

Detection controls could have also helped spot data being inappropriately accessed and exfiltrated.

In today’s day and age, protecting data isn’t just about protecting data, but it’s about protecting people.


| January 17, 2022

Dr. George Papamargaritis, MSS Director, Obrela Security Industries

Currently, it is unclear who is responsible for the attacks, but caution has to be taken when attributing cyber-attacks to a specific country or group operation. A hasty attempt at identification could lead to false attributions of responsibility. Cyber attacks are highly decentralised and in most cases, the actors utilise multiple levels of cross-country access to hide their origin, identity and intent.

This is especially true in cyber attacks that affect the integrity and confidentiality of systems and data, attacks that are often carried out by highly sophisticated adversary groups. These adversaries follow a chain of command which crosses country restrictions and may involve multi-national groups with varying levels of knowledge related to the mission objectives.

Revealing the originating actors is achieved through cross-country investigation and co-operation, which is crucial as a chain of custody. As such, any actions made in response to a low-confidence attribution of responsibility should be carefully considered, even if the intent is to demonstrate readiness.


Saryu Nayyar

| January 17, 2022

Saryu Nayyar, CEO, Gurucul

Nation state threat actors continue to take an active involvement in destabilizing infrastructure, governments, and businesses whether for profit or pure political objectives. Security can no longer continue to be an insurance policy. It must become a critical part of the infrastructure at every step. World governments must start funding and investing in cyber security training, educational programs, and awareness. In addition, without continuous evaluation and investment in next generation security technologies that optimize security operations, threat actor groups will continue to be able to disrupt governments and economies.


| January 17, 2022

Saumitra Das, CTO and Co-founder, Blue Hexagon

It is interesting that this is happening on the heels of the ReEvil arrests as well as right when the talks have ended in a stalemate. It shows how cyber warfare is becoming a major tool for nation states compared to augment conventional means. The arrest by the authorities related to the ReEvil group is a major win for law enforcement, but make no mistake, another group will attempt to fill the shoes and attempt to recycle the extensive network setup by the ReEvil group.


| January 17, 2022

John Hultquist, Director of Intelligence Analysis, FireEye

We’re not surprised to see Ukraine link their recent mass defacement incident to UNC1151/Ghostwriter, an information operations actor we have been tracking since 2019. They are regularly active in Eastern Europe targeting NATO states and carrying out activity consistent with the interests of Belarus and Russia. Like Ukraine, we have attributed the group to Belarus based on available evidence, but others have indicated they have ties to Russia. We believe these ties are likely and they are consistent with the group’s behavior.

Ghostwriter regularly targets CMS systems as part of their operations. Typically, they target these systems to plant fabricated media stories and other content on the websites of real media outlets and other organizations. They have also previously conducted operations designed to sow division between Ukraine and Poland. This is notable because the defacements were designed to look as if they came from Polish nationalists.

It’s also unsurprising that the defacements weren’t the only aspect of this aggressive campaign. We are very concerned that destructive attacks will be leveraged against a variety of targets in this crisis. To that end we have released a comprehensive guide to help organizations prepare and harden their networks against destructive attack.


Ukrainian Government Website Cyber Attacks

Ukrainian Government Website Cyber Attacks
External Link: Belarusian Intelligence Behind Ukrainian Government Website Cyber Attacks

Share this page:

Related Posts