Russia suspected of Ukraine cyber attack

News by Tony Morbin

Government mobile phone hacks, viruses, leaks and website defacement are all reportedly underway in Ukraine following the takeover of Crimea.

Ukraine is reported to be under cyber-attack following the physical take-over of the Autonomous Republic of Crimea last month by some 30,000 unidentified well-equipped 'troops' in unmarked uniforms.

In addition to boots on the ground, a range of cyber warfare tactics are being deployed against the interim Ukraine government which ousted former pro-Russian president Victor Yanukovych.

Dozens of Ukrainian computer networks, including those run by the Kiev government, are reported by the FT newspaper to have been infected by the aggressive "Snake" or "Ouroboros" virus, which was reported on by SC last week.

Uroburos is a rootkit designed to hide functions and processes in a system, allowing its controller to act on the system without being detected. BAE Systems has recorded 22 infections of Ukrainian computer systems by "Snake" since the start of 2013, with 14 since the start of 2014, when former President Yanukovych faced serial protests. G Data is reported as saying that it suspects Uroburos' creators are the same people who attacked US systems with the Agent.BTZ malware, whose programming language is similar; Uroburos also checks whether Agent.BTZ is already on a system, in which case it remains inactive. In addition, the software appears to have been created in the Moscow time zone and includes some Russian language.

Russia is the obvious suspect for both troops and cyber-attacks, but as Dr Thomas Rid, Reader in War Studies, King's College London, commented to “You may suspect, but there is no clear evidence in the code to allow attribution. It is really hard to pinpoint attribution without an inside leak, whether it was Russia, and if it was, who in Russia gave the order, whether it was the state, the FSB (Russian security service) – and if so, a local official, or whoever up to Putin. Attribution is a problem.”

Less concerned about formal attribution, a group of hackers calling themselves the Russian Cyber Command have responded by leaking around 1,000 documents from Russian defence trade intermediary Rosoboronexport, as well as lower-level defacing of websites. The Russian Cyber Command says it has decided to initiate a true domestic cyber-war on Russian Military Enterprises “and eventually we shall deliver critical infrastructure companies on which Russian Putin's Empire stands”.

A statement posted on says that the hackers accessed the 500MB of files uploaded to BayFiles by sending malware to Rosoboronexport's CEO from India's embassy in Moscow, into which they had hacked.

Separately, Valentyn Nalivaichenko, the head of SBU, Ukraine's security service, told a news conference last week: "I confirm that an IP-telephonic attack is underway on mobile phones of members of Ukrainian parliament for the second day in a row."

Some reports suggest that spying equipment could have been illegally installed in the wake of a 28 February attack, when several communications centres in Crimea, maintained by Ukraine's telecom provider Ukrtelecom JSC, were taken over by unidentified attackers who wrecked cables and knocked out almost all landline, mobile and internet services in the region. However, other commentators, who do not wish to be named, told “It's not necessary to get physical access to carry out this kind of interception.”

Both those who want Crimea to remain part of Ukraine and those wanting it to integrate with Russia are hacking into and defacing each other's websites, including the Russian state-funded news channel RT, each calling the other Nazis.

On Russian social network Vkontakte, 13 community groups set up in support of the new interim government in Kiev have had access to Russian IP addresses blocked, and the Federal Service for the Supervision of Communications, Roskomnadzor, said it would continue to block Ukrainian community groups and any other IP addresses that might be displaying "extremist content".

Dr Rid suggested to that, “There's nothing new here. In fact everything is entirely to be expected. We might see escalation in cyber-warfare if there were an increased use of physical force.” Rid added that there was nothing of the sophistication of a Stuxnet being used, nor would this be expected as the adversary would not have had the time to create something like that.
