Ukraine ‘s government attributes a cyberattack on the government document management system to a Russia-linked APT group.
The Ukraine ‘s government blames a Russia-linked APT group for an attack on a government document management system, the System of Electronic Interaction of Executive Bodies (SEI EB).
According to Ukrainian officials, the hackers aimed at disseminating malicious documents to government agencies.
The SEI EB is used by the Ukrainian government agencies to share documents.
According to Ukraine’s National Security and Defense Council, attackers acted to conduct “the mass contamination of information resources of public authorities.”
“The National Coordination Center for Cybersecurity under the National Security and Defense Council of Ukraine has recorded attempts to disseminate malicious documents through the System of Electronic Interaction of Executive Bodies (SEI EB).” reads a statement published by the NSDC.
“The purpose of the attack was the mass contamination of information resources of public authorities, as this system is used for the circulation of documents in most public authorities.”
The @ncsccUA warns of a cyberattack on the document management system of state bodies. The attack belongs to the so-called supply chain attacks. Methods and means of carrying out this cyberattack allow to connect it with one of Russia's hacker spy groups.https://t.co/ICgYxuuflH
— NSDC of Ukraine (@NSDC_ua) February 24, 2021
According to the Ukrainian authorities, the threat actors uploaded weaponized documents to the document management system. When the users that downloaded the files enabled the macros in the document, they would download and execute malware that allowed the attacker to take control of a victim’s computer.
“The malicious documents contained a macro that secretly downloaded a program to remotely control a computer when opening the files. The methods and means of carrying out this cyberattack allow to connect it with one of the hacker spy groups from the Russian Federation.” continues the statement.
“According to the scenario, the attack belongs to the so-called supply chain attacks. It is an attack in which attackers try to gain access to the target organization not directly, but through the vulnerabilities in the tools and services it uses.”
The NSDC did not attribute the attack to a specific Russia-linked cyberespionage group, the agency also provides indicators of compromise (IOCs) related to this attack.
Early this week, Ukraine accused unnamed Russian internet networks of massive attacks that targeted Ukrainian security and defense websites. The Ukrainian officials did not provide details about the attacks either the damage they have caused.
“It was revealed that addresses belonging to certain Russian traffic networks were the source of these coordinated attacks,” the Council said.
The Ukrainian authorities did not attribute the attack to a specific threat actor.
“Kyiv has previously accused Moscow of orchestrating large cyber attacks as part of a “hybrid war” against Ukraine, which Russia denies. However, a statement from Ukraine’s National Security and Defence Council did not disclose who it believed organized the attacks or give any details about the effect the intrusions may have had on Ukrainian cyber security.” reported The Reuters agency.
The massive attacks began on February 18, hackers targeted the websites of local institutions, including Ukraine’s Security Service and the council.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, Ukraine)
Share On
Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at “Cyber Defense Magazine”, Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog “Security Affairs” recently named a Top National Security Resource for US. Pierluigi is a member of the “The Hacker News” team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books “The Deep Dark Web” and “Digital Virtual Currency and Bitcoin”.
Ukraine ‘s government attributes a cyberattack on the government document management system to a Russia-linked APT group.
The Ukraine ‘s government blames a Russia-linked APT group for an attack on a government document management system, the System of Electronic Interaction of Executive Bodies (SEI EB).
According to Ukrainian officials, the hackers aimed at disseminating malicious documents to government agencies.
The SEI EB is used by the Ukrainian government agencies to share documents.
According to Ukraine’s National Security and Defense Council, attackers acted to conduct “the mass contamination of information resources of public authorities.”
“The National Coordination Center for Cybersecurity under the National Security and Defense Council of Ukraine has recorded attempts to disseminate malicious documents through the System of Electronic Interaction of Executive Bodies (SEI EB).” reads a statement published by the NSDC.
“The purpose of the attack was the mass contamination of information resources of public authorities, as this system is used for the circulation of documents in most public authorities.”
The @ncsccUA warns of a cyberattack on the document management system of state bodies. The attack belongs to the so-called supply chain attacks. Methods and means of carrying out this cyberattack allow to connect it with one of Russia's hacker spy groups.https://t.co/ICgYxuuflH
— NSDC of Ukraine (@NSDC_ua) February 24, 2021
According to the Ukrainian authorities, the threat actors uploaded weaponized documents to the document management system. When the users that downloaded the files enabled the macros in the document, they would download and execute malware that allowed the attacker to take control of a victim’s computer.
“The malicious documents contained a macro that secretly downloaded a program to remotely control a computer when opening the files. The methods and means of carrying out this cyberattack allow to connect it with one of the hacker spy groups from the Russian Federation.” continues the statement.
“According to the scenario, the attack belongs to the so-called supply chain attacks. It is an attack in which attackers try to gain access to the target organization not directly, but through the vulnerabilities in the tools and services it uses.”
The NSDC did not attribute the attack to a specific Russia-linked cyberespionage group, the agency also provides indicators of compromise (IOCs) related to this attack.
Early this week, Ukraine accused unnamed Russian internet networks of massive attacks that targeted Ukrainian security and defense websites. The Ukrainian officials did not provide details about the attacks either the damage they have caused.
“It was revealed that addresses belonging to certain Russian traffic networks were the source of these coordinated attacks,” the Council said.
The Ukrainian authorities did not attribute the attack to a specific threat actor.
“Kyiv has previously accused Moscow of orchestrating large cyber attacks as part of a “hybrid war” against Ukraine, which Russia denies. However, a statement from Ukraine’s National Security and Defence Council did not disclose who it believed organized the attacks or give any details about the effect the intrusions may have had on Ukrainian cyber security.” reported The Reuters agency.
The massive attacks began on February 18, hackers targeted the websites of local institutions, including Ukraine’s Security Service and the council.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, Ukraine)