The Ukrainian government said hackers recently attempted to disseminate malicious documents through a system used by government agencies and departments to share documents and files.
The Ukrainian government’s National Coordination Center for Cybersecurity said in a statement that hackers attempted a cyber attack to spread malicious documents through the System of Electronic Interaction of Executive Bodies (SEI EB). The agency has directly accused a Russian government-backed hacker group of attempting to victimize the entire Ukrainian government infrastructure through this attack.
“The malicious documents contained a macro that secretly downloaded a program to remotely control a computer when opening the files. The methods and means of carrying out this cyberattack allow to connect it with one of the hacker spy groups from the Russian Federation,” it said.
The System of Electronic Interaction of Executive Bodies (SEI EB) is a web-based portal that is used by most public authorities to circulate documents between departments.
According to officials from Ukraine’s National Security and Defense Council, the hackers uploaded malicious documents containing macro scripts on the SEI EB portal. Once the user downloads any of the scripts and enables editing, the macros would download malware secretly onto the victim’s computer and gain control over the system.
According to the National Security and Defence Council of Ukraine, “the purpose of the attack was the mass contamination of information resources of public authorities, as this system is used for the circulation of documents in most public authorities.”
“According to the scenario, the attack belongs to the so-called supply chain attacks. It is an attack in which attackers try to gain access to the target organization not directly, but through the vulnerabilities in the tools and services it uses,” it added.
The officials also published the main indicators of compromise (IOCs) of the attack.
IP address: 22.214.171.124
Link (URL): http://126.96.36.199/infant.php
This is the second such high-scale cyber attack conducted by Russian hackers that NSDC has announced publicly in February alone. Last week, NSDC revealed that hackers had launched a massive DDoS attack on the Ukrainian segment of the Internet, mainly on the websites of the security and defence sector. The agency also revealed that addresses used for those attacks belonged to certain Russian traffic networks.
While Russian hackers have continually targeted Ukrainian organisations and the country’s government, especially in the aftermath of the Crimean crisis, the most destructive attack they ever launched was the Petya ransomware attack which compromised Ukraine’s power grid, its central bank, and two postal services.
Hackers behind the ransomware attack used a popular Ukrainian tax-filing software as a vector to spread the malware to the networks of multiple Ukrainian organisations. The ransomware didn’t just encrypt files stored in computers but systematically destroyed large networks owned and run by the Ukrainian government and it’s allied agencies which included the country’s central bank.
According to Ukrainian member of Parliament Anton Gerashenko, the Petya ransomware attack destabilised operations in banks, media organisations, communication facilities, transport, telecommunications, and energy departments. Among the hardest hit were Ukr telecom, Dniproenergo, Ukrzaliznytsia, Boryspil Airports, and the Cabinet of Ministers of Ukraine.
The malware later spread to other countries in Europe as well as to the United States, affecting operations of global firms like Danish shipping company Maersk, Russian oil giant Rosneft, aircraft manufacturer Antonov, US pharmaceutical giant Merck as well as its subsidiary Merck Sharp & Dohme (MSD) in the UK.
Commenting on Russian hackers exploiting a file-sharing system to target Ukrainian government agencies, Casey Ellis Co-founder, Chairman and CTO of Bugcrowd, said that the incident highlights that every organization — regardless of its size and popularity — are prone to cyberattacks.
“Oftentimes, the impacts of a cyberattack goes beyond the targeted organization, as seen in this instance with the Ukrainian System of Electronic Interaction of Executive Bodies (SEI EB) acting as an all-access pass to other Ukrainian government agencies. Cybercriminals were able to exploit vulnerabilities in the SEI EB and use the file sharing portal as a “water hole” to distribute a malicious trojaned word document. Even more concerning, the party responsible for the attack remains at large as Ukranian officials used a .ru domain in their published indicators of compromise (IOCs) — signaling attribution to whoever is paying attention.
“While many questions have been spurred regarding recent state-sponsored attacks, government agencies must acknowledge the scale and distributed nature of the threats they face in the cyber domain and recognize the need to accept the assistance of security researchers who are offering to help defend against a growing legion of adversaries.
“In fact, many governments and private organizations around the globe have already recognized the threats they face and are leaning into the benefits of vulnerability disclosure programs (VDPs) and bug bounty programs to leverage the talents of cybersecurity researchers, who work to counter and outsmart adversaries and more importantly — help create confidence in their constituents’ security ecosystem. Vulnerabilities are actively being discovered within nation-states’ programs whether there is an invitation or not, making the decision to adopt VDP and bug bounty programs a no-brainer,” he added.