The recent attacks against Ukraine’s government websites and other critical infrastructure are part of a wider campaign that targeted various industries.
Nearly 70 Ukrainian government websites went offline on Friday in what appears to be a coordinated cyberattack. Also this week, we reported that unknown hackers deployed a data-wiper malware called WhisperGate on select Ukrainian government systems in a fake ransomware campaign.
Today, the Ukraine Secret Service (SSU) confirmed that those attacks were connected. The attackers used compromised accounts belonging to a development company and exploited security weaknesses and the Log4j vulnerabilities.
“The attack used vulnerabilities in the site’s content management systems (October CMS) and Log4j, as well as compromised accounts of employees of the development company,” the SSU said, echoing a disclosure by the Ukraine CERT team.
This disclosure comes after Microsoft warned about a potentially harmful campaign that targeted government, information technology, and non-profit organizations in Ukraine. Microsoft attributed the attacks to a threat actor group codenamed “DEV-0586.”
“The attackers corrupted MBR records (the service information on the media required to access the data) on individual servers and user computers. Moreover, this applies to both operating systems running Windows and Linux.”
The Ukraine Cyber Police noted that it was investigating three vectors used to carry out the attacks: a supply chain attack targeting an IT firm that works for the Ukrainian government, exploitation of the flaw in the CMS, and the Log4j vulnerabilities.
The Microsoft Threat Intelligence Center (MSTIC) said it “has identified evidence of a major destructive malware operation targeting multiple organizations in Ukraine. This malware first appeared on systems in Ukraine on January 13, 2022. MSTIC has not found any notable associations between this observed activity, and other known activity groups.”
In response, the Ukrainian developer company mentioned by Microsoft, Kitsoft, confirmed on Facebook that it was hit by the campaign using the WhisperGate malware.
“Kitsoft’s infrastructure was also damaged during the cyberattack. Our specialists have identified this as one of the ways the attack was developed. Kitsoft’s corporate website does not use the October CMS platform. It will also be operational soon,” said Oleksandr Iefremov, CEO of Kitsoft.
In addition, the company blamed Russia for the campaign, which it claimed was aimed at sowing panic and fear in the country:
“The current situation is not just about hacking websites, it is an attack aimed at sowing panic and fear, destabilizing the country from within,” the company claimed.
The Ukraine Ministry of Digital Transformation, too, accused Russia of launching the attacks. It noted that the country was trying to wage a hybrid war. However, neither the Cyber Police nor the SSU attributed the attacks to any threat group or state-sponsored actor.