Details on Cyberattack Against Ukraine - Threatwire

By Shannon Morse, ThreatWire

Ukrainian law enforcement disclosed that a major cyberattack on several government websites happened this past weekend. Affected sites included the Ukrainian Foreign Ministry, Ukrainian cabinet, and the Ministry of Education and Science. In total, over 70 sites were attacked. Ten websites were subjected to unauthorized interference, meaning they were defaced. No personal data was accessed or stolen, even though the attackers left messages on the domains for several of these sites stating otherwise. Some of these sites do store personally identifying information such as electronic passports and vaccine certificates.

An investigation is underway by Ukraine’s cyber police department as well as the State Special Communications Service and the Ukraine Security Service. Some websites were restored as early as Friday morning while others were still offline. By the end of the day, law enforcement was able to say “with high probability that it was a supply chain attack [...] against the infrastructure of a commercial company that had rights to administer the web resources affected by the attack”.

How did it happen? Sources claimed that the compromised sites were running an outdated version of October CMS that is vulnerable to CVE-2021-32648, a critical authentication flaw allowing admin account takeover. This WAS fixed, but some sites didn’t apply the patch. Law enforcement confirmed this vulnerability was used.

Who was at fault? Some speculated Russia may be involved, because the attacks happened just hours after economic sanctions were renewed against Russia by the EU for another six months, and because of Russia’s threats to invade the country. Ukraine’s digital transformation ministry also stated that evidence points to Russian involvement, while Ukraine’s National Security and Defense Council suspects Belarusian intelligence was behind the attack. Belarus is allied with Russia, though the attack was not formally attributed to any country until Sunday. At that time, Ukraine did formally accuse Russia of the attacks, saying all evidence points to them. Russia denied the accusations.

In similar news, Microsoft’s Threat Intelligence Center also found a malware operation targeting Ukrainian organizations, which first appeared on January 13. The malware in this case is designed to look like ransomware but includes no recovery options or payout options; it’s just meant to be destructive. This malware is being called WhisperGate and is targeting government, nonprofit, and IT orgs in Ukraine. The malware overwrites the Master Boot Record, then retrieves a file corrupter malware which is hosted via a Discord channel. Russia may not be physically invading Ukraine at time of recording, but the country is definitely under siege digitally.

Ukraine Cyberattack:

https://cyberpolice.gov.ua/news/kiberpolicziya-sbu-ta-derzhspeczzvyazku-vstanovlyuyut-prychetnyx-do-kiberatak-na-sajty-derzhavnyx-struktur-1630/

https://cert.gov.ua/article/17899

https://www.bleepingcomputer.com/news/security/multiple-ukrainian-government-websites-hacked-and-defaced/

https://www.ft.com/content/0bdfafb8-a340-4e6a-a688-d878c45d1010

https://thehackernews.com/2022/01/ukrainian-government-officially-accuses.html

https://thedigital.gov.ua/news/rosiya-mae-namir-zniziti-doviru-do-vladi-feykami-pro-vrazlivist-kritichnoi-informatsiynoi-infrastrukturi-ta-zliv-danikh-ukraintsiv

https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/

https://thehackernews.com/2022/01/a-new-destructive-malware-targeting.html


