The flood of data started slamming Hostmaster Ltd. at 8:21 p.m. Tuesday, a torrent of junk traffic jamming servers that direct traffic to Ukrainian government websites.
Those DNS servers, which act like a phone book for web browsers, usually process less than 10 megabits a second. On Tuesday night, the traffic exceeded 150 gigabits a second – some 15,000 times more than normal. Within five minutes, major servers winked out.
Wednesday had been identified by U.S. intelligence as the likely timing for a Russian invasion of Ukraine, an attack that did not take place.
But the overnight attack on government websites, which lasted until just before dawn, formed part of a series of cyberoffensives this week that demonstrated the attackers’ ability to cut off access to official sources of information and disrupt banking in the country, all while spreading immense amounts of misinformation.
“We did get an invasion – just not the way we thought we would,” said Dmitry Kohmanyuk, the co-founder of Hostmaster, which operates the gov.ua domain name used by Ukrainian government websites.
To him and others, what took place this week had the look of an initial foray, meant to probe vulnerabilities and assess the effectiveness of different tools.
“We think it may be a first try,” said Mr. Kohmanyuk, who has worked with Ukraine’s .ua internet domain since it launched in 1992. “And then maybe they come back with more.” Knocking out government websites during an attack would limit the ability of authorities to distribute critical information.
The work to identify the attackers has not yet been completed, and the Kremlin routinely denies involvement in cyberattacks. But with more than 150,000 Russian troops positioned around Ukraine, and warnings from the U.S. that they remain poised to invade, security experts suspect Moscow’s hand.
“They are testing the ground,” said Maria Avdeeva, a scholar of disinformation and the research director of European Expert Association, a think tank that focuses on security in Ukraine. What is taking place right now has the feel of what she calls an “information war, where cyberattacks are combined with disinformation messages being spread.”
On Thursday, U.S. Secretary of State Antony Blinken said in an address to the United Nations that Russia is taking “steps down the path to war.” The likely progression of that, he said, includes missiles and bombs, then cyberattacks that “will shut down key Ukrainian institutions” before tanks and soldiers advance.
Russian Foreign Affairs Ministry spokeswoman Maria Zakharova accused the U.S. of circulating “twisted fake data,” while Kremlin spokesman Dmitry Peskov called claims about a coming invasion “empty and unfounded.”
Ukraine has long been a “cyber playground” for Russia to test tools and tactics and has seen a steady barrage of attacks over the past decade, said Andrii Baranovych, the founder of the Ukrainian Cyber Alliance, a community of cyberactivists. In 2015 and 2016, hackers briefly interrupted the operation of two power plants in Ukraine. In mid-January, a cyberattack took down several dozen Ukrainian government websites, including Diia, a portal for many government services. The attackers briefly defaced the Ministry of Foreign Affairs website with a message that warned, “Be afraid and expect the worst.”
“We have seen attack after attack after attack,” Mr. Baranovych said. “It was spying, it was subversion, it was psychological operations.”
The Diia attack was dismissed by local officials as inconsequential if inconvenient, but data has subsequently surfaced in hacking forums that suggests the attackers obtained terabytes of information such as people’s addresses and passport numbers, as well as medical records from police and emergency services personnel, Mr. Baranovych said.
This week, a new series of attacks against Ukrainian banks and government websites marked the largest distributed denial-of-service assault Ukraine has ever seen, authorities said, while demonstrating a co-ordination of tactics against the financial sector.
Before sunrise Tuesday, people across the country received text messages warning that, “due to technical issues,” bank machines would not work at Privatbank. Then, throughout the day, denial-of-service attacks took down the websites for Privatbank and Oschadbank, another major financial institution. Mobile banking apps did not work, and some ATM service was interrupted.
That attack ended at about 7:30 p.m. Within an hour, the DNS attack on gov.ua began.
The following morning, a series of foreign-owned banks in Ukraine received bomb threats. The Globe and Mail reviewed one such message, sent by e-mail from a ProtonMail address at 9:46 a.m. Wednesday.
“I would like to inform you that bombs have been placed at branches of your bank in Kyiv, Kharkiv, Dnipro, Chernihiv, Rivne and Odessa, which could explode at any moment,” the e-mail said. “I hope you will be able to evacuate your customers and staff so that no one will be hurt.”
The banks closed the branches as a precaution, but searches by security services found nothing. Most branches reopened before the end of the day.
The co-ordinated action appeared calibrated “to produce panic – for people to go to ATMs and start to withdraw cash and destabilize the banking system with huge withdrawals,” Mr. Baranovych said.
Such panic did not materialize. “Ukrainian society in general has built some resilience to disinformation,” said Mykola Balaban, deputy head of the Centre for Strategic Communications and Information Security, which is part of the Ministry of Culture and Information Policy.
But the flow of bogus information has rapidly escalated, reaching levels that are among the highest since 2014, the year Russia invaded and annexed Crimea, Mr. Balaban said.
He sees it as a component of hybrid warfare. “When there is some kinetic escalation,” such as the troops amassed around Ukraine, “there will also be escalation in cyberspace.”
Cyabra, a firm that tracks misleading information on social media, found an 11-per-cent rise in negative content on Twitter on Feb. 14. On more than 5,000 profiles followed by Cyabra on Twitter and Facebook, more than half of Ukraine-related information came from what the company called “inauthentic profiles such as bots or sock puppet accounts.”
The information they have promoted is not only an attempt to promote discord and social destabilization in Ukraine; it could also have deadly consequences.
On Thursday, after shells struck a kindergarten in Eastern Ukraine, Russian accounts on Telegram responded in just over an hour by calling it an attack by Ukrainian forces. That is “completely untrue,” said Ms. Avdeeva, the disinformation researcher.
“They are pushing information that might create a pretext for a possible full-fledged operation,” she said.
“From what I see of the information and disinformation being spread, Russia is very clearly preparing for some kind of offensive attack.”