On the evening of Thursday, 13 January, cyberattacks were launched against Ukraine government via their website, En-masse. The cyberattacks were termed and considered as cyberwarfare. They were suspected of coming from Russia whilst discussions between the two countries and NATO took place. Russian forces continued increasing and building their forces on the border of the two countries at the same time as the talks.
N.B: The Not Secure Ukraine Government Website, one of around 70 that were attacked.
There have been numerous events in the region, ranging from standoffs to attacks over the last decade. Russia has continued to perfect its offensive cyber capabilities during this period. One notable attack included ‘‘Black Energy’’ which closed the Ukraine Electric Grid when Russia took over command and control (C2) of the grid’s infrastructure. Black Energy’s malicious code was subsequently found in critical infrastructure in the U.S.
Cyberattacks on Not Secure
We launched an immediate research program into the events leading up to the cyberattacks. We intuitively knew how the attacks had gained access and started, having already researched over 1000 cyberattacks. We have been campaigning, informing, alerting and warning governments, central banks and commercial firms over the last several years of their adopted and maintained insecure positions, consisting, in part of, Insecure and Not Secure websites due to a lack of basic and fundamental security controls. This includes the FBI, CISA (Cybersecurity and Infrastructure Security Agency), NCSC (National Cyber Security Council) and GCHQ.
Reuters, a credible news organization, in its headlines, used: ‘’Ukraine Cyberwar, No Light, No Heat, No Money.’’ Their reporters are not fear mongers, and Reuters is not a sensationalist tabloid.
Our research quickly provided evidence of some 100 Ukraine government websites that have suboptimal, insecure and Not Secure positions being maintained. All are easily exploitable if they have not been compromised already.
For ease, we have tried to simplify this report and its content. Suffice to say it evidences a systematic lack of basic, fundamental security. Furthermore, it also evidences a shared responsibility and therefore, potential shared liability. Make no mistake, the Government of Ukraine is guilty of allowing their critical websites, which have been used even more so during the COVID-19 pandemic for all government-related correspondence, to be completely exposed, vulnerable and exploitable for many months. In some cases, for years.
A Grim Example: Man in the Middle Attack
It is critically important that a complete Man in the Middle (MiTM) attack could be simply executed due to the security failings. Through the DNS MX Insecure record. This could allow complete Bcc’ing (unbeknownst to the sender) of all electronic communication, including attachments, both in and out, and amending as desired in transit. Imagine a war being played out whereby the aggressor also has full control of the defender by altering the defender’s digital communications on the fly and thereby influencing the outcome and dictating battlefield actions, all while unknown to the recipients, and therefore shaping the outcomes.
To exemplify just how damaging this could be, picture this grim example: An order to move a unit of tanks 100 miles west for the battle is accessed and changed to move the tanks 100 miles to the east. Or the tanks could be ordered to be placed at point X, only to be obliterated due to having manipulated the order and compromising it. This capability allows the attacker to play both sides of a chess game. Any adversary with this ability will always be the victor.
And Ukraine’s DNS MX record, by being insecure, is capable of being manipulated to allow the creation of a MiTM attack that could lead to the above outcomes.
Going Back to Basics
Let us first consider what a Domain Name System is. A Domain Name System (DNS) is a hierarchical and decentralized naming system used to identify computers, services and other resources reachable through the internet or other internet protocols. It is often known and considered as the internet’s reverse phonebook and allows Internet Protocol (IP) addresses to be translated from human-friendly names into the numbers the internet’s routers and switches understand.
Let us also confirm what a Content Delivery Network is. A Content Delivery Network (CDN) is a geographically distributed network of data centres hosting connected proxy servers. A CDN enables high availability and immediacy of web content to end-users. The proxy servers around the world remove latency issues for multiple users for high volume usage as in the cases of government and commercial websites such as Amazon.
Content Delivery Networks Compromised
A CDN provider is used for this specialized, and invisible to the end-user, method of distributing content. The CDN is responsible for the availability, which it controls through DNS for its customer. Weakness and security holes in DNS at the CDN mean the potential for a successful cybersecurity attack against the CDN’s customers. This has been known for many years by agencies, governments and more recently, cybercriminals, allowing them to manipulate and abuse security oversights that all too frequently occur in the hand-off of DNS from the customer to CDN provider. The CDN customer, if not doing quality control testing, is left unwittingly at risk from the introduction of this hole created by the hiring of, and hand-off of DNS, to the CDN.
Below for mfa.gov.ua, a Ukraine Government subdomain is an output of the Ukraine Government’s DNS records. You will see highlighted the MX (Mail Exchange) DNS record. The Ukraine Government’s email was outsourced to Microsoft, and the process created a DNS security hole that neither side has caught and closed. This one Microsoft DNS Record server is, as our research evidence, using a mismatched digital certificate since Tuesday 31 August 2021. This, in turn, means that the Ukraine Government’s email could have been compromised by a Man in the Middle attacked as far back as 31 August 2021. Among our recommendations, we recommend that the Ukraine Government should assume its email was and remains compromised and that the Russians have read every important email in and out of the outsourced Microsoft email infrastructure since 31 August 2021.
DNS Red Flags
When we then looked at the URL (Uniform Resource Locator) address mfa-gov-ua.mail.protection.outlook.com we saw that the subdomain resolved as Not Secure, as displayed in the top left-hand URL address bar.
This Not Secure text and warning confirm the domain cannot be trusted, is Not Secure and hackers might be trying to steal information from the domain, which in this case is the Ukrainian Government’s email accounts, which were outsourced to Microsoft. Access to this domain is potentially far worse than accessing the homepage, as all Ukraine governmental email accounts could potentially be compromised and used for nefarious purposes as well as for revealing confidential government information or sending legitimate-looking “false flag” emails.
Such a situation occurred at the FBI late last year when they too fell afoul by maintaining insecure subdomains and being hacked. In the FBI’s case, their email server was commandeered by criminals who sent under the aegis of the FBI 100,000 phishing emails complete with malicious links and falsified content. The FBI personnel themselves did not send the emails. Instead, the FBI servers were used to do so because of security negligence.
N.B. The Not Secure DNS MX (Mail Exchange) record.
When we looked at the overall DNS of the same URL, we saw no less than 8 Insecure DNS records, 3 Delegation issues, 3 Red Errors Warnings. This DNS could not be any more exposed or more vulnerable.
Those of you reading this will no doubt have realized that this DNS is Microsoft for the Ukrainian Government’s email. There is zero protection against a successful MiTM attack. None. A position that has been maintained since 31 August 2021.
Liability and Responsibility
This then brings into question liability and responsibility. We know that around 70 government websites were infiltrated and abused, and we also know that Microsoft announced they had identified malicious malware on systems. However, one question is left unanswered, what was the root cause? What we can confirm is that all electronic emails by the Ukrainian government are outsourced to Microsoft and as such, the compromised DNS has enabled, and quite likely allowed, a MiTM attack that we believe is ongoing.
We know unequivocally that the attackers could have gained Domain Admin Access and controls as well as committed MiTM attacks. We also know that they can infiltrate Insecure and Not Secure domains, subdomains and servers. This could be a direct result of website offensive capability into insecure websites. However, it could also be because of insecure DNS positions under the management of Microsoft.
If Russia is directly, or through proxy hackers, responsible for this attack on Ukraine, we suspect that they have simply used regular website offensive tactics as their domains, subdomains, servers and DNS are equally, and simply quite unbelievably, as Insecure and Not Secure as the www.government.ru homepage displays below. The reality is that every country remains ignorant as to implementing robust, basic security and as such, remains exposed and exploitable.
Cyberattacks, ransomware attacks and even cyberwar will only have one outcome, the aggressor will be the victor on every occasion until our governments, DNS and CDN providers take security seriously. This must commence with the basics. We always say the weaknesses are in the joints, and security is certainly no different especially with the plethora of insecure DNS Customer to CDN handoffs showing a woeful lack of controls and management.