Internet security companies have recorded a significant wave of attacks against Ukrainian WordPress sites since Russia invaded Ukraine on Feb. 24. These attacks are aimed at taking down Ukrainian websites and causing general demoralization.
Cybersecurity firm Wordfence, which protects 8,320 WordPress websites belonging to universities, government, military, and law enforcement entities in Ukraine, reports having recorded over 144,000 attacks on Feb. 25 alone.
The focus of the cyberattacks appears to be a subset of 376 academic websites that received 209,624 attacks between Feb. 25 and 27.
This massive wave of coordinated attacks has resulted in the breaching of over 30 Ukrainian university websites, which mostly suffered complete defacement and service unavailability.
“We will use the term ‘attack’ in this blog post to indicate a sophisticated exploit attempt. This does not include simple brute force attacks (login guessing attempts) or distributed denial of service traffic,” Wordfence explained in a blog post.
“It only includes attempts to exploit a vulnerability on a target WordPress website, which are the sites that Wordfence protects,” they added.
The threat actor behind these attacks is a pro-Russian group called “theMx0nday,” who posted evidence of the hacks on defacement aggregator Zone-H.
Wordfence has found that the threat actors are based in Brazil but routed their attacks through Finnish IP addresses using the anonymous internet service provider Njalla.
These hackers have also previously attacked Brazilian, Indonesian, Spanish, Argentinian, US, and Turkish websites, with their first Zone-H entries dating back to April 2019.
Wordfence Response
In response, Wordfence has decided to provide all Ukrainian websites with real-time threat intelligence, regardless of their subscription tier. This feature is usually only available to premium customers.
“We are doing this to assist in blocking cyberattacks targeting Ukraine. This update requires no action from users of the Free version of Wordfence on the UA top-level domain,” said Wordfence.
“We are activating this live security feed for UA websites automatically until further notice. Within the next few hours, over 8,000 Ukrainian websites running the free version of Wordfence will automatically become far more secure against attacks, like these, that are targeting them,” they added.
The IP addresses used in these attacks have been added to the associated blocklists, which are dynamically updated to add fresh IPs regularly.
Wordfence will also immediately push all new firewall rules to Ukrainian websites, without the 30-day delay that usually applies to customers using a free license.