Malware masquerading as ransomware was discovered on several computer systems in Ukraine following a hacking attack on Friday that targeted more than 70 government websites.
Hackers exploited a known vulnerability in a content management system used by government agencies and other organizations to deface websites with threatening messages written in Ukrainian, Polish and Russian.
The Ukrainian government has accused a Russian-influenced hacking group of defacing government websites with messages warning Ukrainians “to expect the worst”.
But it emerged over the weekend that Friday’s attacks appeared to have been a distraction from more serious malware planted on Ukrainian government and corporate computer systems.
Microsoft revealed over the weekend that it had detected “destructive malware” on dozens of computer systems belonging to Ukrainian agencies and organizations, including IT companies, which work closely with the Ukrainian government.
The malware, first detected on January 13, 2020, masquerades as ransomware, but is designed to destroy information on infected computer systems without offering victims the chance to recover the data for a ransom.
Microsoft wrote in a blog post: “We don’t know the current stage of this attacker’s operation cycle or how many other victims’ organizations exist in Ukraine or other geographic locations. However, it is unlikely that these impacted systems [discovered by Microsoft] represent the full extent of the impact.”
The attack comes at a time of heightened geopolitical tension between Russia and the West, after warnings from Western governments that cyberattacks could be a precursor to military action by Russia, which has positioned 100,000 troops on the Ukrainian border.
Ukrainian Deputy Prime Minister Olha Stefanishyna, speaking on BBC World News, said she believed there was a “shadow of Russian influence” behind the cyberattacks affecting the country. “Cyberattacks are happening daily on Ukraine’s regional and central websites,” she said.
White House press secretary Jen Psaki said on Saturday that Russia was planning a false flag operation in eastern Ukraine against Russian proxy forces as a pretext for military action.
She said Russia had stepped up the spread of “disinformation” on social media to blame the West for escalating tensions, to advocate for Russian intervention in Ukraine on humanitarian grounds and to encourage national support for military action.
“Russian-language social media content covering these three stories has grown to an average of almost 3,500 posts per day, a 200% increase from the November daily average,” Psaki said.
Belarus accused of hacking
Kyiv told Reuters it blamed last week’s attacks on UNC1151, a Russian-backed cyber-espionage group linked to Belarus, a close Russian ally.
Serhiy Demedyuk, deputy secretary of the National Security and Defense Council, told the news agency that Friday’s defacement attacks were a cover for more destructive actions behind the scenes.
According to Microsoft, the malware discovered on Ukrainian computer systems last week has the ability, when activated, to overwrite the Master Boot Record of infected systems. It is also designed to overwrite system files and to rename files with random strings of letters.
The company said the malware, which delivers a fake ransomware note, poses “a high risk to any government agency, non-profit or business” with IT systems in Ukraine.
Friday’s defacement attacks exploited unpatched versions of the “October CMS” content management system developed by Ukrainian software company Kitsoft.
The Kyiv-based IT company has provided its content management system to government agencies and organizations in Ukraine.
The vulnerability, made public in August 2021, allowed attackers to request a password reset and then gain access to the account using a specially crafted request.
The flaw required little knowledge or skill to exploit and gave hackers limited ability to modify files or information, according to a public disclosure.
The assessment lends weight to the theory that the attack was likely to have served as a cover for other, more dangerous cyberattacks against Ukrainian infrastructure.
A “hot fix” released by the Ukrainian Computer Emergency Response Team (CERT) advises users to update the October CMS to the latest software version.
Oleksandr Iefremov, CEO of Kitsoft, said in a statement to Computer Weekly that websites developed by Kitsoft and other IT companies have been disrupted by hackers.
In addition to the 70 affected sites, 20 other sites using software from other vendors were also affected, including the Ukrainian court system, a government domain name server, a driver’s license application site and an education site, among others.
Iefremov said the company’s corporate site was not using the October CMS, but Kitsoft made the decision to shut down its infrastructure due to the attack.
“Kitsoft’s infrastructure was also damaged in the hacker attack,” he said. “Our specialists identified this as one of the attack vectors. Hacking was a complex operation, with several parallel vectors.”
The company said separately that it tests for vulnerabilities and bugs and applies software updates on the websites it supports, but that not all of its customers have support contracts.
Supply chain attack
Ukraine’s security service confirmed that “hackers exploited a specific vulnerability” in a content management system used by the government, but did not name Kitsoft.
“We can say with a high probability that there was a so-called supply chain attack,” it said in a statement. “The attackers hacked into the infrastructure of a commercial company that had access to administrative rights to the web resources affected by the attack.”
Hackers defaced government websites on Friday with messages written in three languages.
They referenced incidents in Ukrainian history, including the annexation of Volyn – formerly part of Poland – to Ukraine in 1939, which led to the deportation of thousands of Poles to Siberian labor camps.
Analysis of the Polish version of the hacker’s message revealed that it was not written by a native Polish speaker. Commentators said this appeared to be a crude attempt to blame Poland for the hacking operation.
The messages read: “Ukrainian! All your personal data has been uploaded to the public network. All data on the computer is destroyed, it is impossible to recover them. All information about you has become public, be afraid and expect the worst.”
The National Bank attack failed
The National Bank of Ukraine reported on Friday that its website had been attacked by individuals around the world, but that the attack failed and all systems, including the national electronic payment system, the bank’s internal computers and the official website, were operating normally.
“Following an attack by hackers on several government websites, the National Bank urges banks and other players in the financial sector to strengthen security measures to counter possible cyberattacks,” it said in a press release.
The Center for Strategic Communication, a Ukrainian government body that aims to counter disinformation from Russia and elsewhere, claimed in a blog post that the attack was part of a campaign that has been ongoing since 2014.
It said the timeline of reporting on the attack, which first appeared on disinformation channels, followed by Russian publications, indicated Russian involvement.
“Russian cyber troops often work against the United States and Ukraine, trying to use technology to shake up the political situation,” it said. “The latest cyber attack on Ukraine is one of the manifestations of hybrid warfare against our state.”
The center said it expected last week’s hacking operations to be followed by “fake” attacks on the country’s critical national infrastructure. “Its goal is to destabilize the situation in Ukraine by stopping public sector work and undermining Ukrainians’ trust in the government,” it said.
Data on Ukrainian citizens was not endangered by the hacks and is protected in secure government databases, it added.
NATO, the European Union and the United States offered technical support to Ukraine after the attack.
Kitsoft CEO Iefremov told Computer Weekly that the company’s priority is to “restore state resources as soon as possible and install additional infrastructure protections.”