Ukraine DDoS: 'Cyberattack' or Not?

The country was hit by a distributed denial-of-service attack on Feb. 15, but some say that doesn't rise to the level of "cyberattack." Here's why they're wrong.

Silas Cutler, Principal Reverse Engineer, Stairwell

February 18, 2022


The websites for several banks in Ukraine, the Ministry of Defense, and Armed Forces were hit with a distributed denial-of-service (DDoS) attack on Feb. 15. While no one can say with certainty at this point who is behind the attacks, it's widely speculated this is a digital prelude to a potential invasion of Ukraine by Russia, which the Biden administration has been warning of for months amid escalating tensions.

While the world waited for news about signs of war in Ukraine, a dispute about how to characterize the DDoS attack was being waged on Twitter. News sources such as The New York Times, CNN, and NBC News referred to the DDoS campaign as a "cyberattack" in headlines and stories.

That coverage prompted a back and forth in tweets, including from national security reporter Zach Dorfman, who noted the confusion that arises when "cyberattack" is used to describe attacks with vastly different impacts: "This is a real language problem — that the same word is used to describe fritzing a website for a bit and, say, bricking an entire country’s power supply indefinitely." In response, cybersecurity reporter Kim Zetter tweeted: "A lot of people in infosec think 'cyberattack' shouldn't be used at all for DDoS campaigns against web sites. It's up to reporters to make the distinctions, but most don't."

For a long time, DDoS attacks have been considered significant only if they impact critical infrastructure or surpass previous records for traffic generated. And to many people, DDoS is considered a solved problem because of the exceptional ability of large content-delivery networks to mitigate these attacks. But DDoS attacks are becoming more frequent and effective as bad actors come up with new ways to get around cloud-based and on-premises defenses.

In this case, I think it's a mistake to focus only on the real-time impact. The use of "cyberattack" is merited because of the circumstances in which the DDoS campaign was waged.

The psychological effects of website outages cannot be overstated, especially in a country on the verge of invasion. While technical details of the recent DDoS attack have not been shared, targeting Ukraine's banking sector may be an effort to undermine confidence Ukrainian citizens have in their government and in the banking system — basic elements of their daily lives. To the average person, it won't matter whether the attack surpasses previous records; their concern will be, "Can I withdraw the money I need to go about my business?"

In this case, the ATMs were not affected by the attack, but for a country that had its electric grid taken offline twice by actors believed to be backed by Russia, the notion that they would lose access to vital resources is likely to be top of mind.

This is not the first time DDoS attacks have been elevated to cyber-aggression status. A series of DDoS and website defacement attacks on Estonian government and business sites in 2007 were commonly referred to as "cyberattacks" and "cyberwar." A year later, a Russian man was fined what would be the equivalent of just over $1,000 today for one of the attacks — not a significant penalty given the accusations.

While some may see the terminology debates as pedantic, at the root of it is whether the incident matters in the broader narrative of events happening in Ukraine. While we may be able to fully understand the technologies behind these incidents, the role cyber operations play as part of warfare is still a fledgling concept. Even what constitutes "cyberwar" is highly contested and remains something experts have yet to reach a consensus on.

Meanwhile, more information about the attack is trickling out. Chinese security company Qihoo 360 was the first to report the use of Mirai as part of these attacks. At Stairwell, we have been able to independently verify that report and have directly observed continued attacks on Feb. 16 against Ukrainian organizations. Mirai came to notoriety in 2016 following a series of attacks against security journalist Brian Krebs and managed DNS provider Dyn. Since then, it has become a commonly used DDoS attack tool because of the availability of its source code.

There are many questions about the DDoS attack. It also remains unclear whether these attacks are under the direction of Russia. Mirai's broad availability means this attack theoretically could have been conducted by anyone. And right now, it remains to be seen whether there will be an invasion of Ukraine. What we do know is that bad actors shut down important Ukraine defense, military, and bank websites amid a tense standoff between two major global players. For the people of Ukraine, that's an unpleasant situation regardless of how you describe it.

Editor's note: This column was updated on Feb. 18 to clarify the third paragraph. 

About the Author

Silas Cutler

Principal Reverse Engineer, Stairwell

Silas Cutler is principal reverse engineer at Stairwell. An experienced security researcher and threat analyst, Silas previously held security researcher positions at Google, CrowdStrike, Chronicle, and Secureworks. His focus has been on researching and deconstructing major supply chain and nation-state attacks. At Stairwell, he focuses on stopping cyber threats in their tracks before they cause harm.
