CERT of Ukraine says Russia-linked APT backdoored multiple govt sites

The CERT of Ukraine (CERT-UA) revealed that Russia-linked threat actors have compromised multiple government websites this week.

The Computer Emergency Response Team of Ukraine (CERT-UA) said that Russia-linked threat actors have breached multiple government websites this week. The government experts attribute the attack to UAC-0056 group (DEV-0586, unc2589, Nodaria, or Lorec53).

“the Government Computer Emergency Response Team of Ukraine CERT-UA is taking measures to investigate the circumstances of the incident on February 23, 2023.” reads the alert published by Ukraine’s Computer Emergency Response Team. “As of 11:00 on 02/23/2023, a previously known encrypted web shell was detected on one of the websites, and the fact of its use was confirmed in the period from 22:00 on 02/22/2023 to 05:30 on 02/23/2023, as a result of which, among other things , the file “index.php” was created in the root web directory, which provided modification of the content of the main page of the web resource.” 

The SSSCIP’s National Cybersecurity Coordination Center along with the Cyber ​​Police are working together to lock out the threats and investigate the security breaches.

“Today, on February 23, an attack was detected on a number of websites of Ukrainian central and local authorities, resulting in a modification of the content of some of their webpages.” reads the advisory published by Ukraine’s cybersecurity defense and security agency SSSCIP.

The state-sponsored hackers used a web shell created no later than December 23, 2021, to deploy multiple backdoors. 

The nation-state actor employed the SSH backdoor CredPump (PAM module) to achieve remote SSH access (with a static password value) and logging of logins and passwords when connecting via SSH.

The attackers also used the HoaxPen and HoaxApe backdoors, experts discovered that the malicious codes were in the form of a module for the Apache web server and were installed in February 2022.

The alert states that attackers employed GOST (Go Simple Tunnel) and the Ngrok program in the early stages of the attack.

The alert also includes Indicators of compromise (IoCs) for the attacks.

The UAC-0056 APT group has been active since at least March 2021, it focuses on Ukraine, despite it has been involved in attacks on targets in Kyrgyzstan and Georgia.

In early February, the UAC-0056 group has been observed deploying a new information stealer dubbed Graphiron in attacks against Ukraine.

In early February 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) warned of a phishing campaign aimed at state authorities that involves the use of the legitimate remote access software Remcos.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)