Cybersecurity firm Wordfence, which protects some 8,320 WordPress sites in Ukraine, has reported a sharp rise in attacks on Ukrainian sites since the Russian invasion began: 144,000 attacks were recorded on February 25 alone.
The attacks are focused primarily on academic websites. A subset of 376 academic sites was attacked 209,624 times between February 25 and 27, and these coordinated attacks compromised 30 Ukrainian university websites, leaving them defaced and unavailable.
Wordfence notes that these figures cover only attacks on WordPress sites the company protects. In the report, an ‘attack’ means a sophisticated exploit attempt; brute-force login attempts and DDoS traffic are not counted.
A war on all fronts
Wordfence narrowed the activity against .EDU.UA websites during its two-day monitoring window down to four IP addresses. One of the four is itself a .EDU.UA server that appears to have been compromised and turned against other servers in the country; it launched 1,991 attacks.
The company logged over 7,000 attacking IP addresses, but apart from the top four, no single IP accounted for more than 100 attacks. 18.104.22.168 was the biggest offender, with more than six times as many attacks as the second-highest. Wordfence attributes the activity from 22.214.171.124 to a pro-Russian group calling itself ‘theMx0nday’, which also posted evidence of its activity on Zone-H, a defacement aggregator.
Further investigation indicates that the group is based in Brazil but routed its attacks through Finnish IP addresses obtained via Njalla, a privacy-focused hosting provider. The group has previously hacked Argentinian, Brazilian, Indonesian, Spanish, Turkish and US websites.
Wordfence is countering the attacks by enabling its real-time threat intelligence feed for all the sites it protects regardless of subscription tier, a feature previously reserved for premium customers. The feed will stay enabled until further notice, so that new blocklist entries and firewall rules reach those sites without the usual delay.
IP addresses used in the attacks have already been added to the relevant blocklists, which continue to be updated as new IPs attack monitored domains. The company is also pushing new firewall rules to protected sites immediately, a rollout that previously took about 30 days.
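As an added example (not Wordfence's code; the key=value log format is hypothetical and the sample lines are constructed on RFC 5737 documentation addresses), this is the kind of per-source aggregation behind the figures in the report: count exploit attempts per source IP, rank the top offenders against the long tail, flag sources whose reverse DNS falls inside the defended zone (the pattern of the compromised .EDU.UA server described above), and fold the heavy hitters into a blocklist.

```python
"""Aggregate blocked exploit attempts per source IP and derive a blocklist.

Added example, not Wordfence code. Log format is hypothetical: one event per
line, space-separated key=value fields. Malformed lines are skipped.
"""
from collections import Counter
from ipaddress import ip_address
from typing import Dict, List, Tuple

# Constructed sample events (documentation-range IPs, fictitious hostnames).
SAMPLE_LOG = """\
ts=2022-02-25T10:00:01Z src=203.0.113.7 rdns=- target=www.uni-a.edu.ua rule=rce_upload
ts=2022-02-25T10:00:02Z src=203.0.113.7 rdns=- target=www.uni-b.edu.ua rule=rce_upload
ts=2022-02-25T10:00:03Z src=203.0.113.7 rdns=- target=www.uni-c.edu.ua rule=lfi_path
ts=2022-02-25T10:00:04Z src=203.0.113.7 rdns=- target=www.uni-a.edu.ua rule=xss_param
ts=2022-02-25T10:00:05Z src=203.0.113.7 rdns=- target=www.uni-b.edu.ua rule=sqli_id
ts=2022-02-25T10:00:06Z src=203.0.113.7 rdns=- target=www.uni-d.edu.ua rule=rce_upload
ts=2022-02-25T10:00:07Z src=198.51.100.20 rdns=web.uni-e.edu.ua target=www.uni-a.edu.ua rule=rce_upload
ts=2022-02-25T10:00:08Z src=198.51.100.20 rdns=web.uni-e.edu.ua target=www.uni-b.edu.ua rule=rce_upload
ts=2022-02-25T10:00:09Z src=192.0.2.55 rdns=- target=www.uni-c.edu.ua rule=sqli_id
ts=2022-02-25T10:00:10Z src=192.0.2.9 rdns=- target=www.uni-a.edu.ua rule=xss_param
ts=2022-02-25T10:00:11Z not-a-valid-line
"""

Event = Dict[str, str]
Ranked = List[Tuple[str, int]]


def parse_events(text: str) -> List[Event]:
    """Parse key=value lines; drop lines without a valid src IP and a target."""
    events: List[Event] = []
    for line in text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if "src" not in fields or "target" not in fields:
            continue
        try:
            ip_address(fields["src"])
        except ValueError:
            continue
        events.append(fields)
    return events


def rank_sources(events: List[Event], top_n: int = 4) -> Tuple[Ranked, Ranked]:
    """Split sources into the top_n heaviest hitters and the long tail."""
    ranked = Counter(e["src"] for e in events).most_common()
    return ranked[:top_n], ranked[top_n:]


def dominance_ratio(top: Ranked) -> float:
    """How many times more attacks the leader sent than the runner-up."""
    if not top:
        return 0.0
    if len(top) < 2 or top[1][1] == 0:
        return float("inf")
    return top[0][1] / top[1][1]


def target_spread(events: List[Event]) -> Dict[str, int]:
    """Distinct targets hit per source: spray-and-pray vs. a single victim."""
    seen: Dict[str, set] = {}
    for e in events:
        seen.setdefault(e["src"], set()).add(e["target"])
    return {src: len(t) for src, t in seen.items()}


def insider_sources(events: List[Event], zone: str = ".edu.ua") -> List[str]:
    """Sources whose reverse DNS sits inside the defended zone: likely compromised hosts."""
    return sorted({e["src"] for e in events
                   if e.get("rdns", "-").lower().endswith(zone)})


def build_blocklist(events: List[Event], min_attacks: int = 2,
                    existing: Tuple[str, ...] = ()) -> List[str]:
    """Merge every source at or above min_attacks into an existing blocklist."""
    counts = Counter(e["src"] for e in events)
    block = set(existing)
    block.update(ip for ip, n in counts.items() if n >= min_attacks)
    return sorted(block, key=ip_address)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    top, tail = rank_sources(evs, top_n=2)
    print("top:", top, "tail size:", len(tail))
    print("leader/runner-up ratio:", dominance_ratio(top))
    print("targets per source:", target_spread(evs))
    print("insiders:", insider_sources(evs))
    print("blocklist:", build_blocklist(evs, min_attacks=2))
```

The insider check is deliberately conservative: it only looks at reverse DNS already present in the log, so a compromised host without a PTR record in the zone will not be flagged and still has to be caught by volume.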