‘Russian-backed’ hackers defaced Ukrainian websites as cover for dangerous malware attack
Kiev claims that a hacking group in Belarus – a close ally of Russia – was responsible for hacking Ukrainian government websites amid threats of military action
Destructive malware posing as ransomware has been discovered on multiple computer systems in Ukraine following a hacking attack on Friday that targeted more than 70 government websites.
A hacking group linked to Belarus used multiple techniques to break into government computer systems, including hacking into a Ukrainian IT company to launch a "supply chain" attack against its government customers.
The hacking group also exploited applications containing the Log4j 2 security vulnerability, which remains unpatched in many computer systems and allows attackers to execute arbitrary Java code and take control of targeted servers.
Distributed denial of service attacks were launched against an undisclosed number of state organisations, according to updates from the Ukrainian government.
The attacks were accompanied by a series of highly visible attempts to deface government websites with provocative messages, in an effort to distract from the more serious work of manually planting malicious "wiper" malware on government IT systems.
The hacking group made use of a known vulnerability in an open-source content management system used by government agencies and other organisations to place threatening messages warning Ukrainians “to expect the worst” on government websites, drawing attention away from more serious attacks.
Microsoft disclosed over the weekend that it had detected “destructive malware” on dozens of computer systems belonging to Ukrainian agencies and organisations, including IT companies, that work closely with the Ukrainian government.
The "wiper" malware, first detected on 13 January 2020, masquerades as ransomware, but is designed to destroy information on infected computer systems without offering victims the ability to recover the data in return for a ransom payment.
Microsoft wrote in a blog post: “We do not know the current stage of this attacker’s operation cycle or how many other victim organisations exist in Ukraine or other geographic locations. However, it is unlikely that these impacted systems [discovered by Microsoft] represent the full scope of the impact.”
The attack comes at a time of heightened geopolitical tension between Russia and the West after warnings by western governments that the cyber attacks could be a precursor to military action by Russia, which has positioned 100,000 troops on the Ukrainian border.
Russian influence
Ukraine’s deputy prime minister, Olha Stefanishyna, speaking on the BBC World News, said she believed there was a “shadow of Russian influence” behind the cyber attacks impacting the country. “The cyber attacks are happening on a daily basis on websites of the Ukraine of a regional and central nature,” she said.
Jen Psaki, White House press secretary, said on Saturday that Russia was planning a “false flag” operation in eastern Ukraine against Russian proxy forces as a pretext for military action.
She said Russia had stepped up the spread of “misinformation” on social media to blame the West for escalating tension, to make a case for Russian intervention in Ukraine on humanitarian grounds and to encourage domestic support for military action.
“Russian-language content on social media covering all three of these narratives increased to an average of nearly 3,500 posts per day, a 200% increase from the daily average in November,” said Psaki.
Belarus accused of hacking
Kiev told Reuters that it blamed last week’s attacks on UNC1151, a Russian-backed cyber-espionage group linked to Belarus, a close ally of Russia.
Serhiy Demedyuk, deputy secretary of the national security and defence council, told the news agency that the defacement attacks on Friday were cover for more destructive actions behind the scenes.
According to Microsoft, the malware discovered on Ukrainian computer systems last week has the capability, when activated, to overwrite the master boot record of infected systems. It is also designed to overwrite system files and rename files with random strings of letters.
The company said the malware, which delivers a fake ransomware note, represented “an elevated risk to any government agency, non-profit or enterprise” with computer systems in Ukraine.
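Because the wiper described above overwrites the master boot record rather than encrypting files, one of the simplest defensive checks is a boot-sector integrity baseline: record a hash of the first 512 bytes of each system disk while it is known-good, and alert when the hash changes or the sector no longer ends with the standard 0x55AA boot signature. The following is an added example written for this article, not Microsoft's or CERT-UA's tooling; the disk path, the baseline store and the two sample sectors are constructed for illustration.

```python
import hashlib
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"        # last two bytes of a valid MBR
PARTITION_TABLE = slice(446, 510)    # four 16-byte partition entries


def mbr_fingerprint(sector: bytes) -> Dict[str, object]:
    """Return integrity facts about one 512-byte boot sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    return {
        "sha256": hashlib.sha256(sector).hexdigest(),
        "partition_table_sha256": hashlib.sha256(sector[PARTITION_TABLE]).hexdigest(),
        "has_boot_signature": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_sha256: str) -> List[str]:
    """Compare a freshly read sector with a stored baseline hash.

    Returns a list of findings; an empty list means the sector is unchanged.
    A wiper that replaces the MBR with a fake ransom note typically destroys
    both the boot signature and the partition table, so both checks fire.
    """
    fp = mbr_fingerprint(sector)
    findings: List[str] = []
    if not fp["has_boot_signature"]:
        findings.append("boot signature 0x55AA missing")
    if fp["sha256"] != baseline_sha256:
        findings.append("MBR hash differs from baseline")
    return findings


def read_first_sector(device_path: str) -> bytes:
    """Read the first sector of a raw disk device.

    Assumption: on Windows this needs an elevated process and a path such as
    r"\\\\.\\PhysicalDrive0"; on Linux something like "/dev/sda". Either way
    the caller runs this from a known-good state to take the baseline.
    """
    with open(device_path, "rb") as disk:
        return disk.read(SECTOR_SIZE)


# Constructed sample sectors (not real disk images):
# a benign MBR with 446 bytes of boot code, an empty partition table and 0x55AA ...
GOOD_SECTOR = bytes(446) + bytes(64) + BOOT_SIGNATURE
# ... and the same sector after a wiper replaced it with a text note.
BAD_SECTOR = b"FAKE RANSOM NOTE (constructed sample)".ljust(SECTOR_SIZE, b"\x00")

# Baseline taken while the system was known-good.
BASELINE_SHA256 = mbr_fingerprint(GOOD_SECTOR)["sha256"]


if __name__ == "__main__":
    for name, sector in (("good", GOOD_SECTOR), ("wiped", BAD_SECTOR)):
        print(name, check_mbr(sector, BASELINE_SHA256) or "OK")
```

In production the baseline hash would be stored off-host (it is useless if the wiper can delete it), and the check scheduled alongside other endpoint integrity monitoring; a changed partition-table hash with an intact boot signature is worth a separate, lower-severity alert, since legitimate tools such as disk-management utilities also rewrite that region.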
Unpatched exploit
The defacement attacks on Friday exploited unpatched versions of an open-source content management system “October CMS” which was supported by Ukrainian software company Kitsoft and other IT companies.
The Kiev-based IT company supplied services to government agencies and organisations in Ukraine.
The vulnerability, made public in August 2021, allowed attackers to request a password reset and to then gain access to the account using a specially crafted request.
The fault required little knowledge or skill to exploit and provided hackers with limited ability to modify files or information, according to a public disclosure.
The assessment lends weight to the theory the attack was likely to have been a cover for other, more dangerous cyber attacks conducted against Ukrainian infrastructure.
A “hot fix” published by the Ukrainian Computer Emergency Response Team (CERT) advises users to update October CMS to the latest version of the software.
Oleksandr Iefremov, CEO of Kitsoft, said in a statement to Computer Weekly that websites supported by Kitsoft and other IT companies had been disrupted by the hackers.
As well as the 70 sites affected, a further 20 sites that used software from other suppliers were also impacted, including Ukraine’s judiciary, a government domain name server, a site for making driving licence applications, an education site, and others.
Iefremov said the company’s corporate site does not use October CMS, but Kitsoft had taken a decision to shut down its infrastructure because of the attack.
“The infrastructure of Kitsoft was also damaged during the hacker attack,” he said. “Our specialists have identified this as one of the vectors for attack. The hacking was a complex operation, with several parallel vectors.”
The company said separately that it had tested for vulnerabilities and bugs and software updates on websites that it supports, but not all its clients, including government organisations, have support contracts.
Supply chain attack
The Ukrainian Security Service confirmed that “hackers exploited a specific vulnerability” in a content management system used by government.
“We can say with high probability that there was a so-called supply chain attack,” it said in a statement. “The attackers hacked the infrastructure of a commercial company that had access to the rights to administer the web resources affected by the attack.”
The hackers defaced government websites on Friday with messages written in three languages.
They referred to incidents in Ukrainian history, including the annexing of Volyn – formerly part of Poland – to Ukraine in 1939, which led to the deportation of thousands of Poles to Siberian labour camps.
Analysis of the Polish version of the hackers’ message revealed that it was not written by a native Polish speaker. Commentators said it appeared to be a crude attempt to point the blame at Poland for the hacking operation.
The messages read: “Ukrainian! All your personal data has been uploaded to the public network. All data on the computer is destroyed, it is impossible to recover. All information about you has become public, be afraid and expect the worst.”
National Bank attack failed
The National Bank of Ukraine reported on Friday that its website had been subjected to attempted attacks by individuals from around the world, but that the attack was unsuccessful and all systems, including the national electronic payment system, internal bank computers and the official website, were working normally.
“In the wake of a hacker attack on a number of government websites, the National Bank is urging banks and other financial sector players to step up security measures to counter possible cyber attacks,” it said in a statement.
Hybrid war
The Centre for Strategic Communication, a Ukrainian government body that aims to counter disinformation from Russia and elsewhere, claimed in a blogpost that the attack forms part of a campaign that has been continuing since 2014.
It said the timeline of news reports about the attack, which first appeared on disinformation channels, followed by Russian publications, indicated Russian involvement.
“Russia’s cyber troops are often working against the United States and Ukraine, trying to use technology to shake up the political situation,” it said. “The latest cyber attack against Ukraine is one of the manifestations of the hybrid war against our state.”
The centre said it expected last week’s hacking operations to be followed by “fake” attacks on the country’s critical national infrastructure. “Its goal is to destabilise the situation in Ukraine by stopping the work of the public sector and undermining the confidence of the government on the part of Ukrainians,” it said.
Data about Ukrainian citizens has not been put at risk by the hacks and is protected in secure government databases, it added.
Nato, the European Union and the US have offered technical support to Ukraine following the attack.
Kitsoft CEO Iefremov told Computer Weekly that the company’s priority was to “restore state resources as soon as possible and to install additional elements of infrastructure protection”.
The Ukrainian government said that "almost all" of the affected websites were back up and running by 2.00pm on 17 January, and work was underway to restore the rest.
The Ukrainian government is working with Microsoft and has engaged international experts to identify the origin of the attack.
This story was updated on 18 January 2022.