Ukrainian sites saw a 10x increase in attacks when invasion started


Internet security companies have recorded a massive wave of attacks against Ukrainian WordPress sites since Russia invaded Ukraine, aiming to take down the websites and cause general demoralization.

Cybersecurity firm Wordfence, which protects 8,320 WordPress websites belonging to universities, government, military, and law enforcement entities in Ukraine, reports having recorded 144,000 attacks on February 25 alone.

Attacks on UA Domains
Source: Wordfence

The focus of the attacks appears to be a subset of 376 academic websites that received 209,624 attacks between February 25 and 27.

This massive wave of coordinated attacks has resulted in the compromise of 30 Ukrainian university websites, which mostly suffered complete defacement and service unavailability.

“We will use the term “attack” in this blog post to indicate a sophisticated exploit attempt. This does not include simple brute force attacks (login guessing attempts) or distributed denial of service traffic,” explains a blog post by Wordfence.

“It only includes attempts to exploit a vulnerability on a target WordPress website, which are the sites that Wordfence protects.”

Targeting Ukraine education

The hacking group behind these attacks is a pro-Russian group called “theMx0nday,” who have posted evidence of the hacks on defacement aggregator Zone-H.

Most recent theMx0nday defacement acts
Source: BleepingComputer

Wordfence has found that the threat actors are based in Brazil but routed their attacks via Finnish IP addresses using the anonymous internet service provider Njalla.

The particular group of actors has previously attacked Brazilian, Indonesian, Spanish, Argentinian, US, and Turkish websites, while their first entries on Zone-H date back to April 2019.

The hackers declaring their support for Russia
Source: Wordfence

Wordfence takes special measures

For the first time in its history, Wordfence has decided to deploy real-time threat intelligence to all Ukrainian websites regardless of their subscription tier to its services. Usually, this feature is only available to Premium customers.

“We are doing this to assist in blocking cyberattacks targeting Ukraine. This update requires no action from users of the Free version of Wordfence on the UA top-level domain,” details Wordfence.

“We are activating this live security feed for UA websites automatically until further notice. Within the next few hours, over 8,000 Ukrainian websites running the free version of Wordfence will automatically become far more secure against attacks, like these, that are targeting them.”

The IP addresses used in these attacks have already been added to the associated blocklists, which are dynamically updated to add fresh IPs used in regular rotation.

Additionally, Wordfence will immediately push all new firewall rules to Ukrainian websites, without the 30-day delay that usually applies to customers using a free license.