Ukrainian WordPress sites under massive complex attacks

Researchers observed a spike in the attacks against Ukrainian WordPress sites since the beginning of the military invasion of the country.

Cyber attacks are an important component of the military strategy against Ukraine, experts observed a spike in the attacks against Ukrainian WordPress sites since the beginning of the military invasion of the country.

The attacks aimed at making the websites unreachable and causing fear and distrust in the Ukrainian government, WordPress security firm Wordfence reported.

The company analyzed the number of exploit attempts on websites that it protects which is of 8,320 WordPress websites belonging to universities, government, military, and law enforcement entities in the country.

Experts pointed out that the term “attack” indicates a sophisticated exploit attempt and does not refer to simple brute force attacks (login guessing attempts) or distributed denial of service traffic.

The attacks were aimed at exploiting vulnerabilities on a target WordPress website.

Wordfence reported that the number of attacks peaked at 144,000 on February 25.

“The Russian invasion of Ukraine started on February 24th. The chart below shows the overall number of exploit attempts on websites that we protect, with the .UA Ukrainian TLD before and after the invasion. This data set includes 8,320 .UA websites. We will use the term “attack” in this blog post to indicate a sophisticated exploit attempt.” reads the analysis published by Wordfence. “This does not include simple brute force attacks (login guessing attempts) or distributed denial of service traffic. It only includes attempts to exploit a vulnerability on a target WordPress website, which are the sites that Wordfence protects.”

A big portion of these attacks focuses on a subset of 376 academic websites, starting February 25th, experts observed a spike that peaked at over 104,000 attacks in a single day.

Below is the attacks observed by the company:

• 479 attacks on Feb 24th
• 37,974 attacks on Feb 25th
• 104,098 attacks on Feb 26th
• 67,552 attacks on Feb 27th

At least 30 Ukrainian university websites, were compromised by attackers that defaced some of them while others were unavailable.

The threat actor behind the attacks against universities was named “theMx0nday,” evidence of the defaced websites are available on Zone-H.org. 

The group in the past hit Brazilian, Indonesian, Spanish, Argentinian, US, and Turkish websites, its activity is while their first entries on Zone-H date back to April 2019.

One of the tweets published by the group expressed support to the Russian government.

Wordfence decided to deploy real-time threat intelligence to all Ukrainian websites, a feature that is normally included only in Premium subscriptions.

“We are doing this to assist in blocking cyberattacks targeting Ukraine. This update requires no action from users of the Free version of Wordfence on the UA top-level domain. We are activating this live security feed for UA websites automatically until further notice. Within the next few hours, over 8,000 Ukrainian websites running the free version of Wordfence will automatically become far more secure against attacks, like these, that are targeting them.” concludes Wordfence. “The malicious IP addresses involved in this attack are included in our blocklist, which will completely block access to WordPress and other PHP applications installed alongside WordPress.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Ukrainian WordPress websites)

[adrotate banner=”5″]

[adrotate banner=”13″]