Posted on February 27, 2021 at 7:23 AM
Ukraine’s National Security Defense Council (NSDC) has announced that some cyberattackers are targeting some industries in the country.
The council issued two press releases accompanying the announcement. NSDC said the threat actors are trying to send malicious documents via the System of Electronic Extraction of Executive Bodies (SEI EB), generally utilized by government organizations to share documents. The development is coming barely two days after the NCCC and NSDC issued alerts about a massive DDoS service targeting websites of Ukraine security and defense sector.
Malicious file contain macro codes
The security body also stated that the malicious documents contain macro codes generated to download malware, allowing the threat actors have control on the breached device remotely.
They have already breached a government file-sharing system while trying to spread their malware to other government agencies.
According to the Ukrainian officials, the reason for the attack was “the mass contamination of information resources of public authorities.”
The threat actors uploaded files containing macro scripts. When a user downloads the script and allows it to run its executable file, the macros would download malware secretly. This will now give the hackers access to the victim’s computer.
Attack linked to Russian cybercriminal group
These hackers, according to the Ukraine government, are likely Russian hackers due to their operational method.
“The methods and means of carrying out this cyberattack allow [us] to connect it with one of the hacker spy groups from the Russian Federation,” the Ukraine authority stated.
There are several hacking groups supposedly coming from the Russian federation. But NSDC didn’t mention any specific name in its press release.
The officials, however, published some evidence that links the attack to Russia, which includes the attacker’s IP address and their domain names bearing enterox.ru.
From the above, ZDNet researchers were able to connect the Russian hackers to the Gamaredon group, which is renowned for attacking Ukraine’s organizations for many years.
Based on previous report from Cisco, the hacking group carries out its own operations but also make themselves available for hack-for-hire for advanced persistent threat (APT) actors.
Attack similar to SolarWinds attack
This is the second time the Ukraine agency is warning organizations about attacks. On Monday, the agency also warned that Russian threat actors targeted websites through DDoS attacks last week. According to the warning, the threat actors targeted the NSDC as well as networks of other strategic enterprise and state institutions. In addition to strategic enterprises, the threat actors also targeted websites related to the security and defense sectors.
According to the report about the attack, the incident is a supply chain attack similar to the SolarWinds attack and the NotPetya attack that took place in 2017.
It’s not clear when the threat actors executed their attacks or how long it lasted. Also, there is still no update regarding the level of impact the attack has had on affected organizations.
No organization has come out to claim it was attacked, but just like the SolarWinds attack, more revelation from the impact of the attack is expected.
The NSDC also revealed that the agency has received several threats of DDoS attacks since last week.
The attackers used a new mechanism
NSDC also pointed out that the mechanism utilized by the attackers has never been seen before in the wild. Additionally, the attackers planted malware on government web servers.
The previously undocumented botnet was used on the Ukrainian government servers. During this process, it coopted the breached devices into an attacker-controlled botnet.
As a result, government websites were blocked by Internet Service Providers (ISPs), denying users the access to the site even after the DDoS attack is controlled.
After the infection and compromise, the infected systems were subsequently utilized for DDoS attacks on other Ukraine websites, according to the report.