U.S. Posts Traces of Ukraine Hacks As Part of Cyber Alliance Against Russia

The U.S. military has publicly posted evidence that Ukraine was being targeted by malicious online entities, a decision made in line with a digital alliance between the two countries to counter Russian cyberattacks against its Eastern European neighbor.

In a message published Wednesday, U.S. Cyber Command (CYBERCOM) shared a list of 20 "indicators of compromise" (IOC) provided to the United States by the Ukrainian Security Service after Kyiv's cyber authorities "discovered several types of malware in their country."

CYBERCOM stated that IOCs "are evidence of possible intrusions on a host system or network, and act as digital forensics for network defenders of a potential breach."

"IOCs implementation enables users to search and identify malware within that host system or network," CYBERCOM's statement added. "Malware has a specific behavior that can be identified with the implementation of IOCs. Additionally, the file hash is a quick way to look for the malware, because if the file is the same as the malware, it will have the same hash."

Reached for comment by Newsweek, a CYBERCOM spokesperson described how the latest action demonstrated the nature of the U.S.-Ukraine partnership.

"These Indicators of Compromise were shared with us by our Ukrainian partners to enable industry to take action and assess their own networks," the spokesperson said. "We are actively communicating with our Ukrainian partners to share cybersecurity threat information."

"We share information and intelligence to enable our U.S. government partners, such as DHS and FBI, and industry as well as our international allies and partners to defend critical infrastructure and our democratic values and institutions," the spokesperson added.

CYBERCOM has not identified a specific culprit behind the attacks, but President Joe Biden's administration has repeatedly accused Russia of conducting cyber attacks before and throughout the conflict launched by President Vladimir Putin on February 24.

Days before the war began, Newsweek published an FBI report designed "to inform the private sector about the threat of Russian state-sponsored advanced persistent threat (APT) cyber activities, while tensions with Russia are heightened."

US, military, cyber, security, exercise, Ramstein, Germany
Participants analyze metadata to identify any suspicious activity on the network during exercise Tacet Venari at Ramstein Air Base, Germany, May 12. Airman 1st Class Jared Lovett/86th Airlift Wing/Public Affairs/U.S. Air Force

Shortly after Wednesday's release, U.S. cybersecurity firm Mandiant released a blog post detailing two threat actors said to be involved in operations tied to the IOCs revealed in CYBERCOM's post in order "to provide insight and context on a sampling of malicious activity targeting Ukrainian entities during the ongoing war."

One actor, identified as UNC1151, was described as "a group that Mandiant assesses are sponsored by Belarus and have frequently used the access and information gained by their intrusions to support information operations tracked as 'Ghostwriter.'"

The other, called UNC2589, was "believed to act in support of Russian government interest and has been conducting extensive espionage collection in Ukraine." Mandiant implicated UNC2589 in a series of hacks known as "PAYWIPE (WHISPERGATE)" that targeted Ukrainian institutions on January 14, and the firm said this actor "has primarily targeted Ukraine, but has also been active against NATO member states in North America and Europe."

Moscow has repeatedly denied any connection to malicious cyberactivity, and has countered with allegations that Washington and its allies were responsible for an uptick in cyberattacks against Russia.

Last month, CYBERCOM Director General Paul Nakasone stated that the U.S. was engaged in "a series of operations across the full spectrum," including those both "offensive" and "defensive" in nature, as well as "information operations," in support of Ukraine as it continued to clash with Russian forces.

Just over a week after these remarks, Russia's top cyber diplomat, special presidential representative for cooperation in the field of information security Andrey Krutskikh, reacted in response to questions from Newsweek, saying, "rest assured, Russia will not leave any aggressive actions unanswered."

Krutskikh, who also serves as director of the Russian Foreign Ministry's Department of International Information Security, stated that the "how" and "where" remained to be seen, but that "all our steps will be measured and targeted in accordance with our legislation and international law."

He also accused the U.S. and its partners of violating international law through their actions and provided evidence of cyberattacks against Russia, mostly involving distributed denial-of-service, or DDoS, attacks using foreign servers based in the likes of the U.S. and Germany.

Krutskikh said that, as of May, "over 65,000 'armchair hackers' from the USA, Turkey, Georgia, and EU countries regularly took part in coordinated DDoS attacks on our country's critical information infrastructure, including Rutube video hosting." And "in total, 22 hacker groups are involved in illegal operations against Russia," Krutskikh alleged.

With tensions already high between the two rivals, he warned that Washington is deliberately lowering the threshold for the combat use of ICT [information and communication technology]" and that such behavior risked a real-life clash.

"The militarization of the information space by the West and attempts to turn it into an arena of interstate confrontation have greatly increased the threat of a direct military clash with unpredictable consequences," Krutskikh said. "Once again, I want to repeat to those who do not immediately get it: the uncontrolled distribution of 'virtual weapons' and the encouragement of their use will not lead to good."

Others in Moscow have reiterated the allegations of enemy activity in cyberspace more recently.

Earlier this month, National Coordination Center for Computer Incidents Deputy Director Nikolay Murashov told a forum that "a cyber campaign, unprecedented in its scale, is currently being conducted against Russia in the information space over its special military operation in Ukraine." He said authorities charged with monitoring cybersecurity incidents have "been registering more than 200 hacking attacks on a daily basis."

In September 2020, Russian President Vladimir Putin outlined a treaty proposal to regulate cybersecurity efforts between Moscow and Washington and, though the initiative was discussed during his summit with Biden the following year, no agreement was ever reached. Cooperation between the two countries has only further collapsed since the war in Ukraine.

This is a developing news story. More information will be added as it becomes available.