Ukraine’s National Coordination Center for Cybersecurity (NCCC) under the National Security and Defense Council reported that Russia-backed hackers compromised its government Web portals and planted malicious documents that would install malware on end users’ computers.
Hackers got access to Ukraine’s System of Electronic Interaction of Executive Bodies, a portal that hosts official documents for public authorities.
“The purpose of the attack was the mass contamination of information resources of public authorities, as this system is used for the circulation of documents in most public authorities,” officials from NCCC said in a statement.
They said the malicious documents contained a macro that, when a user opened a document, covertly downloaded a program for remotely controlling the computer. Such attacks typically depend on getting Microsoft Office users to enable macros; once enabled, the macros can freely download and install malware.
Ukraine’s security agency did not reveal the exact methods the hackers used in the attack or how long the intrusion lasted, but said the methods pointed to the Russian Federation.
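Documents pulled from a shared portal like this one can be triaged for embedded macros before anyone opens them. The Python below is an added example, not part of the NCCC report: it checks an Office file for a declared VBA part, and the function names and the sample packages it builds are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
VBA_TYPE = "application/vnd.ms-office.vbaProject"
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

def triage_office_file(data: bytes) -> str:
    """Classify a file as 'macro', 'no-macro', 'legacy-ole' or 'unknown'."""
    if data.startswith(OLE2_MAGIC):
        # Legacy .doc/.xls container: macros cannot be ruled out without
        # parsing the OLE streams, so route it to deeper inspection.
        return "legacy-ole"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "unknown"
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        # The VBA part can be renamed, so check the declared content type first.
        if "[Content_Types].xml" in names:
            root = ET.fromstring(pkg.read("[Content_Types].xml"))
            for el in root.iter():
                if el.tag in (CT_NS + "Default", CT_NS + "Override") and \
                        el.get("ContentType") == VBA_TYPE:
                    return "macro"
        # Fall back to the conventional part name.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "macro"
    return "no-macro"

def build_sample(with_macro: bool) -> bytes:
    """Constructed sample package; the VBA part holds placeholder bytes only."""
    overrides = '<Override PartName="/word/document.xml" ContentType="application/xml"/>'
    if with_macro:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_TYPE}"/>'
    types = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
             + overrides + '</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", types)
        z.writestr("word/document.xml", "<document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for label, blob in [("clean", build_sample(False)), ("macro", build_sample(True)),
                        ("legacy", OLE2_MAGIC + b"\0" * 8)]:
        print(label, "->", triage_office_file(blob))
```

A "macro" or "legacy-ole" result is a reason to quarantine the file for analysis, not proof that it is malicious.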
The reported indicators of compromise included:
IP addresses: 220.127.116.11
Link (URL): http://18.104.22.168/infant.php
The Ukrainian agency did not say whether the hackers succeeded in infecting any computers, nor which of several known Russian hacking groups was behind the breach.
This was the latest in a series of aggressive attacks against Ukraine by Russia-backed hackers over the past few years. Previous attacks targeted Ukraine’s electrical power grid and a tax software package widely used in Ukraine, which distributed disk-wiping malware, the so-called NotPetya worm. The latter shut down computers worldwide and became the world’s most costly hack.
Two days earlier, Ukraine also reported a massive DDoS attack, for which it also blamed Russia.