Ukraine: nation-state hackers hit government document management system

Pierluigi Paganini February 24, 2021

Ukraine's government attributes a cyberattack on the government document management system to a Russia-linked APT group.

Ukraine's government blames a Russia-linked APT group for an attack on a government document management system, the System of Electronic Interaction of Executive Bodies (SEI EB).

According to Ukrainian officials, the hackers aimed at disseminating malicious documents to government agencies.

Ukrainian government agencies use the SEI EB to share documents.

According to Ukraine’s National Security and Defense Council, attackers acted to conduct “the mass contamination of information resources of public authorities.”

“The National Coordination Center for Cybersecurity under the National Security and Defense Council of Ukraine has recorded attempts to disseminate malicious documents through the System of Electronic Interaction of Executive Bodies (SEI EB),” reads a statement published by the NSDC.

“The purpose of the attack was the mass contamination of information resources of public authorities, as this system is used for the circulation of documents in most public authorities.”

According to the Ukrainian authorities, the threat actors uploaded weaponized documents to the document management system. When users who had downloaded the files enabled the macros in a document, the macros downloaded and executed malware that allowed the attacker to take control of the victim’s computer.

“The malicious documents contained a macro that secretly downloaded a program to remotely control a computer when opening the files. The methods and means of carrying out this cyberattack allow to connect it with one of the hacker spy groups from the Russian Federation,” continues the statement.

“According to the scenario, the attack belongs to the so-called supply chain attacks. It is an attack in which attackers try to gain access to the target organization not directly, but through the vulnerabilities in the tools and services it uses.”

The NSDC did not attribute the attack to a specific Russia-linked cyberespionage group. The agency also provides indicators of compromise (IOCs) related to this attack.

Earlier this week, Ukraine accused unnamed Russian internet networks of massive attacks that targeted Ukrainian security and defense websites. The Ukrainian officials did not provide details about the attacks or the damage they have caused.

“It was revealed that addresses belonging to certain Russian traffic networks were the source of these coordinated attacks,” the Council said.

The Ukrainian authorities did not attribute the attack to a specific threat actor.

“Kyiv has previously accused Moscow of orchestrating large cyber attacks as part of a ‘hybrid war’ against Ukraine, which Russia denies. However, a statement from Ukraine’s National Security and Defence Council did not disclose who it believed organized the attacks or give any details about the effect the intrusions may have had on Ukrainian cyber security,” reported the Reuters agency.

The massive attacks began on February 18. Hackers targeted the websites of local institutions, including Ukraine’s Security Service and the council.
