The DDoS and Defacement Attacks of “Anonymous Ukraine” and “CCD COE”: interactions between “patriotic” hackers, media and political leadership in cyberspace
12 November 2013
Author: Piret Pernik
Attribution of cyberattacks is difficult and may take considerable time and resources. Many cyber security experts believe that to make sense of politically-motivated cyber incidents, the political and geopolitical context must be considered. The recent cyber incidents that took place in the Baltic countries and Ukraine during the NATO military exercise Steadfast Jazz (held in Poland and the Baltic States on November 2-9) provide a good opportunity to examine the relationships between hacktivists and government-controlled media, as well as possible links between “patriotic hacktivists” and elements within governments. The recent cyber incidents are remarkable also for their sequencing: when some Estonian and Latvian government websites came under distributed denial of service (DDoS) attacks, there was also an attempt to connect the Tallinn-based NATO Cooperative Cyber Defence Centre of Excellence (CCD COE) with faked emails and defacement of webpages in Ukraine. What is more, both types of cyber incidents were used by Russian government-controlled and government-owned media outlets to misinform the Russian-speaking community in Russia and in its “near abroad” about NATO.
First, on November 1, the websites of the Ministry of Defence and the Estonian Defence Forces were hit with DDoS, for which responsibility was claimed by Anonymous Ukraine. Some days later, on November 4, at least three Ukrainian government webpages (the medical department of the Security Service of Ukraine; the Prosecutor General’s Office; and the State Fund for Fundamental Research, a sub-agency of the Ministry of Education and Science), as well as the site of the non-governmental organization Agency for Legislative Initiatives, were subject to another type of attack: this time, defacement. A message that apparently came from the CCD COE was posted to these pages, claiming that the defacement was part of Steadfast Jazz. A day later, on November 5, the Latvian Ministry of Defence announced that its site and that of the Latvian Defence Forces had also experienced cyberattacks resulting in similar defacement with the same message. On November 7, the site of the Estonian railway company Elron was defaced with messages claiming that passenger train traffic had been halted as a result of Steadfast Jazz. The defaced site was down for a very short time and the incident had no impact on train traffic. Earlier on the same day the website of the CCD COE came under a DDoS attack for which responsibility was claimed by Anonymous Ukraine.
On the same day that the Ukrainian websites were attacked, the Estonian and Latvian government and private sector received scam emails apparently sent by the CCD COE. Neither the falsified emails nor the defacement messages left on the Ukrainian and Latvian webpages used the current logo of the Centre; moreover, according to an independent cyber expert, the message was actually sent from an IP address associated with a Caucasus Online LLC ADSL subscriber in Georgia, which appeared to be a botnet node. What is more, Eduard Kovacs, a journalist for the news portal Softpedia, found that the falsified emails that appeared to be sent from the CCD COE were sent from the same IP address that was behind the attacks against the Ukrainian government websites.
On the same evening, November 4, the Russian news portal Regnum.ru – which according to the Estonian Internal Security Service is controlled by the Russian security services – published a news article claiming that the CCD COE had “accidentally” attacked Ukrainian and Latvian websites. It was argued that while the military part of Steadfast Jazz took place in a physical theatre of operations on the territory of Poland, the CCD COE was conducting cyber operations. As part of this training, the Russian site explained, the Centre was supposed to test cyber capabilities in an artificial training laboratory on localized copies of real websites, but had accidentally attacked the real websites of NATO members and partners (sic!). The article did not cite the source of the information. Two days later, Voice of Russia, the international broadcasting service of the Russian government, published an even more elaborate article with the same charges against the CCD COE – allegedly it had conducted cyber operations as part of Steadfast Jazz, but by mistake had ended up attacking NATO’s allies and partners instead. The conclusion was that NATO is incapable of defending its own members and partners, and on top of that, the Alliance would use its own members and partners as “test sites”. By contrast, the English service of the Voice of Russia and the English version of Regnum.ru did not mention the incidents at all.
It is possible that the hackers behind the “CCD COE” defacement attacks and false emails acted in collaboration with media outlets controlled and owned by the Russian government. Even if there was no explicit collaboration between hacktivists and media outlets, Regnum and Voice of Russia exploited the incidents to promote their disinformation campaign against NATO, trying to convince the Russian-speaking community in Russia and in its “near abroad” that NATO’s collective defence is ineffective and undermines the security of NATO’s allies and partners.
The association of the hacktivists behind “Anonymous Ukraine” with the hackers who conducted attacks in the name of “CCD COE” is not clear cut. Anonymous Ukraine justified its disruption of the CCD COE site as “payback” in response to the alleged CCD COE hacking of Ukrainian websites. It is possible that the two groups acted in response to each other. But it is equally possible that the attacks by “Anonymous Ukraine” were designed by the hackers behind the “CCD COE” label. In that case “Anonymous Ukraine” was acting not in line with its publicly declared objective of opposing all foreign influence on Ukraine, including Russia’s (as declared in the “Operation Independence” video on YouTube), but specifically against Western influence, trying to create distrust between Ukraine and NATO – an objective that could be accomplished by demonstrating NATO’s “readiness to target” Ukrainian government sites as part of its military exercise.
The cyber incidents received hardly any media coverage or public interest in Estonia and Latvia or abroad. According to the Estonian CERT, the reason for this broad lack of concern is that attacks of this type are conducted every day against many sites in the country, and there is nothing extraordinary about them.
What is unique is that the incidents were not arbitrary or random, and instead delivered a clear message. While technically rather primitive, these incidents merit attention because of their targets, their messages and the way they were represented by some Russian media outlets. The shared objectives of the attacks and the possible coordination between non-state “patriotic” hacktivist groups and state-controlled entities serve well to illustrate the centrality of the cyber dimension in the present-day international environment, and the complexity of the relationships between different actors in cyberspace. State and non-state actors alike will take advantage of widely available and inexpensive hacking tools, usable by anyone with basic IT skills, to disseminate their message and gain leverage over key targeted groups. In some countries, the media will be used for shaping public opinion – at home and in the “near abroad” – in a manner favorable to the government’s interests.
posted by: RKK/ICDS