In a targeted attack purportedly undertaken in support of Russia’s invasion of Ukraine, at least 30 university websites have been hacked. In a recently posted report, researchers from Wordfence stated that the company had observed a “massive attack” on Ukrainian educational institutions by threat actors known as the “Monday Group,” which has publicly endorsed Russia’s recent activities.
Since February 24, when Russian soldiers formally invaded Ukraine, the gang, which calls itself ‘the Mx0nday,’ has targeted WordPress-hosted sites more than 100,000 times. According to a blog post by Wordfence founder and CEO Mark Maunder, the firm secures over 8,000 websites in Ukraine, including over 300 universities. The firm also supports government, military, and law enforcement websites.
Maunder explained that the security company saw a surge of 144,000 online assaults on February 25, one day after the kinetic onslaught began. “The peak is roughly three times the number of daily attacks from earlier in the month across the Ukrainian websites that we protect,” he said. “An attacker was making a concerted effort to attack universities in Ukraine, and they started immediately after the Russian invasion started.”
Four IP addresses have been identified as being behind the attacks. All of them are routed through a VPN provider situated in Sweden. Wordfence claims that the hacker gang also appears to have ties to Brazil. However, the perpetrators have yet to be officially identified.
The analysis follows ESET’s recent findings that multiple malware families are being employed in targeted cyberattacks on Ukrainian entities. According to an ESET blog post, a “destructive campaign” using HermeticWiper attacked various businesses on February 23.
The attack employed HermeticWiper, which renders a device useless by corrupting its data; HermeticWizard, which spreads HermeticWiper across a local network through WMI and SMB; and HermeticRansom, ransomware developed in Go.
“This cyber-attack preceded, by a few hours, the start of the invasion of Ukraine by Russian Federation forces,” according to the blog post. “Malware artifacts suggest that the attacks had been planned for several months.”
The cybersecurity company ESET believes that HermeticWiper has been identified on hundreds of computers in at least five Ukrainian companies. However, it has found no evidence of a link to a known threat actor.