Belarus hackers behind the Ukraine cyberattack, Russia arrests ransomware hacker at US request

The Ukrainian authorities said that Belarusian hackers were behind a massive cyberattack on government websites last week. The announcement came as Russia's FSB broke up the REvil ransomware criminal gang, arresting many of its members at the request of the US.
By Ben Aris in Berlin January 16, 2022

A Belarusian hacker group called UNC1151 was probably behind a massive cyberattack that took several Ukrainian government websites down on January 14, officials in Kyiv told Reuters.  

On the same day, the Russian authorities arrested members of the REvil ransomware gang at the request of the US government. The gang has been responsible for extorting millions of dollars from US businesses using ransomware that encrypts and locks corporate computers.

Ukraine attack

Ukrainian government sites were hit with a massive cyberattack during the night of January 13 and morning of January 14 that saw half a dozen key government sites crash.  

Among the sites affected were the Ministry of Foreign Affairs, Ministry of Veterans Affairs, State Emergency Service, Cabinet of Ministers, Ministry of Energy and the Ministry of Education and Science, as well as Diia, Ukraine’s e-governance website and app which allows Ukrainians to access their digital documents such as passports and driving licenses.

The defaced pages carried a message in Ukrainian, Russian and Polish that warned Ukrainians: “be afraid and expect the worst.”

The government reassured the population that the content of the sites was not altered and no personal data was leaked, according to the State Service for Special Communications and Information Protection of Ukraine.  

The attack immediately prompted harsh warnings from the international community and the general assumption that Russian hackers were behind the attack.  

Evidence proving Russian responsibility for the cyberattack on Ukraine could warrant sanctions, warned the US Ambassador to NATO Julianne Smith. Cyberattacks on government agencies would be classified as renewed aggression against Ukraine, she said.

Nato Secretary-General Jens Stoltenberg also released a statement saying: “Nato has worked closely with Ukraine for years to help boost its cyber defences. Nato cyber experts in Brussels have been exchanging information with their Ukrainian counterparts on the current malicious cyber activities. Allied experts in country are also supporting the Ukrainian authorities on the ground. In the coming days, Nato and Ukraine will sign an agreement on enhanced cyber co-operation, including Ukrainian access to Nato’s malware information sharing platform. Nato’s strong political and practical support for Ukraine will continue.”

Poland said the statement left by the attackers was a repeated attempt to destabilise Ukrainian-Polish relations. According to Poland's Foreign Ministry spokesman Lukasz Jasina, the Polish-language statement published on the Ukrainian government websites is yet another attempt to undermine relations between Kyiv and Warsaw.

However, on further investigation it appears the attack originated in Belarus and that the attackers gained entry through the administrative credentials of a private company that had built most of the affected sites.

Kyiv said over the weekend that it believed Belarusian intelligence had carried out the cyberattack, citing the deputy secretary of Ukraine's National Security and Defence Council, the editor of the Telegram channel Nexta, Tadeusz Giczan, reported in a tweet.

“Reminds me of another story in which everyone initially suspected Russian hackers but the perpetrators turned out to be Belarusian military intelligence. If Ukrainians are right, it’s probably the same group,” Giczan said.  

Serhiy Demedyuk, Ukraine’s deputy secretary of the National Security and Defence Council, told Reuters that Ukraine blamed a group known as UNC1151 and that the defacement was cover for more destructive actions behind the scenes.

"We believe preliminarily that the group UNC1151 may be involved in this attack," he said.

His comments were the first detailed account of the suspected culprits behind the cyberattack. Officials had previously said they were “99.9% sure” that Russia was behind the attack.

Russia takes down REvil hacking group at US request

Social media was abuzz following the suggestion that Belarusian intelligence services were behind the attack, with speculation that Belarus might have carried it out on the Kremlin’s orders. However, no evidence has come to light to decide the question one way or the other. While Belarus and Russia are allies, Moscow has only limited influence over Belarus' President Alexander Lukashenko. On the other hand, ties between Russia’s Federal Security Service (FSB) and Belarus’ KGB are tight, according to analysts.

To confuse the situation further, Russia arrested members of the ransomware hacker group REvil at the request of the US.  

Russia suffers from domestic cybercrime as much as the US suffers from cross-border hacking attacks originating in Russia, and the effort to combat cybercrime was a key topic during the Geneva summit between Russian President Vladimir Putin and US President Joe Biden on June 16 last year.  

The two leaders agreed to co-operate in the battle against criminal groups, and this weekend’s arrests are the fruit of that agreement. The arrests were also thought to be a gesture by the Kremlin that it was holding the door open for more talks after a week-long diplomatic effort to agree on Russia’s demands for a legal treaty to limit Nato expansion was largely seen to have failed. The Kremlin has yet to pronounce a final judgement, as it is waiting for a written response to its eight-point list of demands from the White House, due sometime this week.

The arrests of the REvil members are a rare apparent demonstration of collaboration between Russia and the US on cybercrime.  

A joint police and FSB operation searched 25 addresses, detaining 14 people, the FSB said, reports Reuters. The FSB said it had seized RUB426mn ($5.6mn), $600,000 and €500,000 in cash as well as computer equipment and 20 luxury cars.

The group is wanted by the US in connection with dozens of attacks against American companies. The FSB said on its website that it had informed Washington directly. The US Embassy in Moscow said it could not immediately comment, reports Reuters.

"The investigative measures were based on a request from the... United States," the FSB said. "... The organised criminal association has ceased to exist and the information infrastructure used for criminal purposes was neutralised.”

The state-controlled REN TV reported on the arrests and showed footage of FSB agents raiding homes and arresting people, pinning them to the floor, and seizing large piles of dollars and Russian rubles.

The group members face up to seven years in prison for the alleged cybercrimes.  

A source familiar with the case told Interfax that the group's members with Russian passports would not be extradited as Russia’s constitution forbids extradition of its nationals, but those with other passports might be deported to the US to stand trial.  

In November the US offered a reward of up to $10mn for information leading to the identification or location of anyone holding a key position in the REvil group.