Ukrainian Authorities Targeted In Russian Supply Chain Malware Attack

Posted on February 27, 2021 at 7:23 AM


Ukraine’s National Security and Defense Council (NSDC) has announced that attackers are targeting government bodies and other organizations in the country.

The council issued two press releases accompanying the announcement. NSDC said the threat actors are distributing malicious documents through the System of Electronic Interaction of Executive Bodies (SEI EB), a platform that government organizations use to exchange documents. The announcement came barely two days after the NCCC and NSDC issued alerts about massive DDoS attacks on websites in Ukraine’s security and defense sector.

Malicious files contain macro code

The security body also stated that the malicious documents contain macro code built to download malware, giving the threat actors remote control of the compromised device.

The attackers had already breached the government file-sharing system and were using it to push their malware to other government agencies.

According to Ukrainian officials, the purpose of the attack was “the mass contamination of information resources of public authorities.”

The threat actors uploaded documents carrying macro scripts to the platform. When a user downloads such a document and enables its macros, the code silently fetches and runs the malware, giving the attackers access to the victim’s computer. Because the files arrive through a trusted internal system rather than from an outside sender, recipients are more inclined to open them and click through the macro warning.
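The defensive check a file-exchange platform or mail gateway would want against this delivery method is to refuse macro-bearing Office documents before any user can enable them. The script below is an added example written for this article, not code from NSDC or the blog. It relies on two facts about Office formats: modern OOXML files are ZIP archives that store a VBA project in a member named vbaProject.bin (under word/, xl/ or ppt/) and declare a macroEnabled content type, while legacy binary files start with the OLE2 magic D0 CF 11 E0 and need a structured-storage parser (such as oletools) to inspect, so they are only flagged here. The sample documents are constructed in memory; the function and category names are this example’s own.

```python
"""Classify Office documents by whether they carry VBA macros.

Added example: scans a file the way a document-exchange gateway might,
refusing OOXML documents that contain a VBA project and flagging legacy
OLE2 files for deeper inspection. Sample inputs are built in memory.
"""
import io
import zipfile

# Magic bytes of legacy binary Office files (.doc/.xls/.ppt); macros in these
# live inside OLE streams, which this script does not parse.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"


def classify_office_document(data: bytes) -> str:
    """Return one of: ooxml-macro, ooxml-clean, ole2-needs-inspection, not-office."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-needs-inspection"
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # Every OOXML package carries this part; a plain .zip does not.
            if "[Content_Types].xml" not in names:
                return "not-office"
            # A VBA project is always stored as vbaProject.bin. The file
            # extension is attacker-controlled, so the ZIP content decides.
            for name in names:
                if name.lower().endswith("vbaproject.bin"):
                    return "ooxml-macro"
            # Belt and braces: a macro-enabled document declares a
            # "...macroEnabled..." content type even if renamed to .docx.
            if b"macroEnabled" in zf.read("[Content_Types].xml"):
                return "ooxml-macro"
    except zipfile.BadZipFile:
        return "not-office"
    return "ooxml-clean"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML Word package in memory (constructed test data)."""
    content_types = (
        b'<?xml version="1.0"?>'
        b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        b'<Override PartName="/word/document.xml" ContentType="application/'
        b'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        b"</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", b"<w:document/>")
        if with_macro:
            # Placeholder bytes; a real vbaProject.bin is an OLE2 container.
            zf.writestr("word/vbaProject.bin", b"\x01\x16\x01\x00" + b"\x00" * 28)
    return buf.getvalue()


def scan_samples() -> dict:
    """Run the classifier over constructed inputs; returns name -> verdict."""
    samples = {
        "report.docm (macro)": build_sample(with_macro=True),
        "report.docx (clean)": build_sample(with_macro=False),
        "legacy.doc": OLE2_MAGIC + b"\x00" * 512,
        "notes.txt": b"just text",
    }
    return {name: classify_office_document(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        action = "BLOCK" if verdict == "ooxml-macro" else "allow/inspect"
        print(f"{name:24s} {verdict:22s} -> {action}")
```

The decisive signal is the ZIP member, not the extension: an attacker can upload a macro-enabled file as .docx, and Word will still offer to enable its content. Legacy OLE2 files should be blocked outright or routed to a parser that can walk the VBA streams.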

Attack linked to Russian espionage group

According to the Ukrainian government, the attackers are likely Russian, based on their operational methods.

“The methods and means of carrying out this cyberattack allow [us] to connect it with one of the hacker spy groups from the Russian Federation,” the Ukraine authority stated.

Several hacking groups are believed to operate from the Russian Federation, but NSDC did not name a specific one in its press release.

The officials did, however, publish indicators linking the attack to Russia, including attacker IP addresses and domain names under enterox.ru.

From these indicators, ZDNet linked the activity to the Gamaredon group, which has been attacking Ukrainian organizations for many years.

According to an earlier report from Cisco, the group runs its own operations but also offers its services to other advanced persistent threat (APT) actors.

Attack similar to SolarWinds attack

This is the second warning the Ukrainian agency has issued in a week. On Monday it reported that Russian threat actors had hit websites with DDoS attacks the previous week, targeting the NSDC itself along with the networks of other strategic enterprises and state institutions, as well as websites tied to the security and defense sectors.

According to the report about the attack, the incident is a supply chain attack comparable to the SolarWinds attack and to NotPetya in 2017: in each case the malware rode a trusted distribution channel (a vendor’s software update in those two cases, a government document-exchange platform here) rather than a direct exploit of the victims.

It is not clear when the attackers ran the campaign or how long it lasted, and there is still no information about the level of impact on affected organizations.

No organization has publicly confirmed being affected, but, as with the SolarWinds attack, more revelations about the impact are expected.

The NSDC also revealed that it has faced several DDoS threats since last week.

The attackers used a new mechanism

NSDC also pointed out that the mechanism used by the attackers had not been seen in the wild before. The attackers planted malware on government web servers and enrolled the compromised machines in a previously undocumented, attacker-controlled botnet.

The infected government systems were then used to launch DDoS attacks on other Ukrainian websites, according to the report.

As a result, Internet Service Providers (ISPs) blocked the government websites as sources of attack traffic, leaving them unreachable to users even after the DDoS attack itself had been brought under control.

Published by KoDDoS Blog.