Business Continuity Management / Disaster Recovery
Critical Infrastructure Security
Unauthorized Access to TV Station CDN Servers Enabled Attackers to Reroute Traffic
The broadcast of the Football World Cup 2022 qualifier game between Wales and Ukraine on Sunday was interrupted in Ukraine by a cyberattack that targeted OLL.TV, a Ukrainian online broadcasting platform.
See Also: Fireside Chat | Zero Tolerance: Controlling The Landscape Where You’ll Meet Your Adversaries
Victor Zhora, deputy head of the State Service of Special Communications and Information Protection of Ukraine, or the SSSCIP, stated in a press briefing that the traffic was rerouted to a Russian propaganda-based channel to spread disinformation among Ukrainians.
“It’s one more attempt of Russians to spread propaganda and to interfere with Ukrainian medium and media to seed disinformation with the use of cyberattacks.” It is a misinformation warfare tactic employed by Russians, Zhora said.
The SSSCIP, in a separate statement, reiterated Zhora’s sentiment and described these attempts at further destabilizing the situation in Ukraine as using PsyOps – or psychological warfare.
On Sunday, Ukraine’s football team was playing a decisive match against Wales to qualify for the Football World Cup 2022’s main event, to be held in November 2022. But minutes before the first whistle, a Ukrainian online platform was hit by a cyberattack and several TV channels including Football 1 & 2, Indigo Ukraine, Ukraine 24, and UA:First – aka Pershyi, were disrupted, according to SSSCIP.
In place of the live game, some local Ukrainian media outlets reported that viewers were sent Russian propaganda via a video feed from Russian channel Izvestia, which started running on the Ukrainian TV channels.
During the cyberattack, the attackers also changed the logo on the online portal, says local news journalist Oleksandr Sazhko in his Telegram channel.
OLL.tv confirmed the cyberattack on its Facebook page and apologized for the inconvenience.
“Envious [Russia] is trying to spoil the viewing of the match of the National Team for the 2022 World Cup. We are making every effort to neutralize the cyberattack as soon as possible,” the Facebook statement says.
The company says that it had shut down the service as a precautionary measure and to turn off the Russian propaganda channel. As a temporary fix, the broadcast of the football match was then streamed on OTT.tv’s YouTube channels.
The company also announced compensation for viewers of the service “soon after the resumption,” according to the Facebook statement.
Zhora, in the press briefing, says that the entire online platform was not targeted and only certain content was “altered” by the unnamed Russian attackers.
The SSSCIP in its statement did not share many details about the attack, saying that the “hacking mechanism” and “circumstances” under which the attack took place are still being investigated. Both the SSSCIP and Zhora in his press briefing confirmed that the rerouting of the online traffic to a Russian channel took place because the attackers had gained unauthorized access to a content delivery network node of the OTT.tv platform.
A content delivery network is a geographically distributed group of servers that work together to provide fast delivery of Internet content.
“IT specialists at the service have, [however], managed to temporarily stop the broadcasting, localize the affected CDN, and restart the traffic flow,” the SSSCIP says.
Zhora, in the press briefing says, “It can be called some kind of a defacement but it doesn’t seem like any kind of serious penetration of the network infrastructure.”
It took more than six hours to restore the systems from this cyberattack, according to the press briefing, and the SSSCIP justified the time as being necessary to conduct a thorough investigation and to be “doubly sure.” “The service resumed operation once the cyberattack was deflected and a thorough check for possible hidden vulnerabilities was conducted,” the SSSCIP says in the statement.
Information Security Media Group asked the SSSCIP for further details, but the spokesperson declined to comment, citing the ongoing investigation. During the press briefing, Zhora stated that the SSSCIP would soon release additional details.
100 Days of War and Cyberwar
Russia’s invasion of Ukraine began on Feb. 24, and hours before the invasion, Viasat’s KA-SAT satellite communications network suffered a cyberattack through active exploitation of a VPN misconfiguration (see: Viasat Traces Outage to Exploit of VPN Misconfiguration).
In May, the U.S., U.K., EU and Ukraine attributed this attack to Russia, which continues its cyber offensive against Ukraine, including using various wipers and DDoS attacks (see: Viasat Cyberattack Attributed to Russia by EU, UK and US).
The Computer Emergency Response Team of Ukraine – CERT-UA – confirmed targeted attacks on a Ukrainian energy facility in April (see: Russia-Linked Sandworm Attacks Ukrainian Energy Facility).
A joint operation carried out by CERT-UA with security companies Microsoft and ESET found that an ICS-capable malware and several regular disk wipers for Windows, Linux and Solaris operating systems were used in the attack and that CERT-UA narrowly averted the attack just hours before it was due to be triggered.
In the press briefing, which was held on the 100th day of the war against Ukraine, Zhora said, “The targets of cyberattacks continue to be the same – media, telecommunication, broadcasting, security and government sectors, commercial and finance sector, and energy.”
The initial attacks were mainly focused on destruction, but Zhora said there had been a slight change in tactic and that the majority of the attacks are now related to “information gathering, use of malicious code, and provision[ing] of intrusion to critical networks,” which could be used against Ukraine and its allies in the days to come.