Ukraine Government Document Portal Suffers Cyber Attack
In late February 2021, the Ukrainian government reported a cyber attack on government document sharing infrastructure. The country's cybersecurity center stated that the "methods and means" of the attack suggest the involvement of a "hacker spy group" originating from Russia.
The attack was targeted at the System of Electronic Interaction of Executive Bodies, a Ukrainian web portal used for sharing documents between government bodies and public authorities.
Ukrainian authorities discovered malicious documents uploaded to the portal that contained macros. This is not an unusual or particularly novel attack approach, but sadly one that still works quite well.
Once a malicious document has been opened, it asks the user to allow macro execution. If permission is given, the macro scripts quietly download the real payload: whatever malware the bad actors behind the attack have prepared.
This sort of attack vector can be used to distribute all manner of second-stage payloads, from Trojans and backdoors to information scrapers, keyloggers and ransomware.
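The mechanism above, a document that only becomes dangerous once macros are enabled, is the reason a document-sharing portal should inspect uploads for VBA before accepting them. The following is an added example written for this article, not code from the Ukrainian portal or from any vendor: it checks an uploaded Office file for an embedded VBA project (the `vbaProject.bin` part and its content type in OOXML), quarantines legacy OLE binaries that cannot be cleared without deeper parsing, and flags a macro-free extension such as `.docx` whose container nonetheless carries macros. The sample documents are constructed in memory for demonstration and are not real files.

```python
import io
import zipfile

# OOXML markers that indicate an embedded VBA project
VBA_PART_SUFFIX = "vbaProject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Magic bytes of the legacy OLE2 compound file format (.doc, .xls, .ppt)
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def inspect_office_upload(filename, data):
    """Classify an uploaded Office file for an upload portal.

    Policy (an assumption for this example): reject macro-enabled OOXML,
    quarantine legacy OLE binaries for deeper inspection, allow the rest.
    Returns a dict with format, has_vba, verdict and human-readable reasons.
    """
    result = {"filename": filename, "format": "unknown", "has_vba": False,
              "verdict": "allow", "reasons": []}

    if data.startswith(OLE_MAGIC):
        # Legacy binary formats can carry macros; ruling that out needs an OLE parser
        result["format"] = "ole2"
        result["verdict"] = "quarantine"
        result["reasons"].append("legacy binary Office format; macros cannot be ruled out here")
        return result

    if not data.startswith(b"PK"):
        result["verdict"] = "reject"
        result["reasons"].append("not an Office container")
        return result

    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            result["format"] = "ooxml"
            # Any part named vbaProject.bin (word/, xl/, ppt/) means macros are present
            vba_parts = [n for n in names if n.lower().endswith(VBA_PART_SUFFIX.lower())]
            if vba_parts:
                result["has_vba"] = True
                result["reasons"].append("VBA project part present: " + ", ".join(vba_parts))
            # The content-types manifest also declares the VBA project part
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in ctypes:
                    result["has_vba"] = True
                    result["reasons"].append("content types declare a VBA project")
    except zipfile.BadZipFile:
        result["verdict"] = "reject"
        result["reasons"].append("corrupt zip container")
        return result

    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if result["has_vba"]:
        result["verdict"] = "reject"
        if ext in ("docx", "xlsx", "pptx"):
            # Office would refuse to run these macros, but the mismatch itself is suspicious
            result["reasons"].append("macro-free extension ." + ext + " but VBA present")
    return result


def build_sample(parts):
    """Construct a minimal OOXML-style zip in memory (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a clean document, a macro-enabled one, and a legacy OLE stub
CLEAN_DOC = build_sample({
    "[Content_Types].xml": '<Types><Override PartName="/word/document.xml" '
                           'ContentType="application/vnd.openxmlformats-officedocument.'
                           'wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": "<w:document/>",
})
MACRO_DOC = build_sample({
    "[Content_Types].xml": '<Types><Override PartName="/word/vbaProject.bin" '
                           'ContentType="application/vnd.ms-office.vbaProject"/></Types>',
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\x00placeholder-not-real-vba\x00",
})
LEGACY_DOC = OLE_MAGIC + b"\x00" * 64

if __name__ == "__main__":
    for name, blob in (("report.docx", CLEAN_DOC), ("report.docx", MACRO_DOC), ("report.doc", LEGACY_DOC)):
        print(inspect_office_upload(name, blob))
```

The check is deliberately structural rather than signature-based: it does not try to read the macro code, only to establish that a VBA project exists, which is enough for an upload gate to refuse the file or route it to a sandbox. Legacy OLE files are quarantined rather than rejected because a binary `.doc` without macros is still a legitimate upload, but deciding that requires parsing the compound file streams.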
The Ukrainian authorities did not attribute the attack to a named group, but said that it came with a number of indicators of compromise, including the domain enterox.ru, as well as an IP address and a PHP page hosted on it.
Based on research conducted by the ZDNet security team, the domain name likely indicated that the attack is linked to the Gamaredon APT. Gamaredon are considered to be a state-sponsored group of hackers, operating out of Russia, who have launched attacks on Ukrainian networks in the past.
A few days prior to the announcement of this attack, Ukrainian authorities also reported that Russian bad actors had targeted a number of different Ukrainian institutions, including the country's Security Service website, with distributed denial of service attacks.