Hackers have defaced multiple websites belonging to the Ukrainian government after talks between Ukrainian, US, and Russian officials hit a dead end on Thursday.
The attack took place on the night between January 13 and January 14 and impacted the websites of the Ukrainian Ministry of Foreign Affairs, Ministry of Education and Science, Ministry of Defense, the State Emergency Service, the website for the Cabinet of Ministers, and others.
All websites were wiped, and their content was replaced with the same statement published in Russian, Ukrainian, and Polish (image at the top of this article, a rough translation below, archived copy here).
Ukrainian! All your personal data has been sent to a public network. All data on your computer is destroyed and cannot be recovered. All information about you stab (public, fairy tale and wait for the worst. It is for you for your past, the future and the future. For Volhynia, OUN UPA, Galicia, Poland and historical areas.
Ukrainian officials have confirmed the attack in messages posted on official sites, Facebook, and Twitter, and all affected websites were taken down. Some are still down, under maintenance messages, while some have been restored.
While initial reports from independent sources and Ukraine’s CERT team claimed the attackers had exploited a vulnerability in the October CMS, the Ukrainian Security Service (SSU) said in an update that the attack was actually carried out after the hackers gained access to the infrastructure of a private company that had the rights to manage some of the affected websites.
The SSU said the hackers tried to deface 70 sites but only managed to modify 10, and that initial evidence suggests the incident was carried out by “hacker groups associated with the Russian secret services.”
According to security researcher Gary Warner, the defacements appear to have been aimed at creating dissent between different ethnic groups, and especially between native Ukrainians and the Polish minority.
“[T]he final sentence is intended to remind people in the region of the ethnic cleansing of Polish people in Volhynia and Galicia,” Warner said.
Ukrainian officials have not yet formally attributed the attack to any threat actor or nation-state.
Article updated with Warner’s analysis of the defacement message, and the conclusions of the SSU initial investigation.
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.