Ukraine’s SBU: Russia carried out a cyberattack on Judiciary Systems

Ukraine is accusing Russian intelligence services of carrying out cyberattacks against one of its government organizations.

Ukraine’s security service SBU announced to have blocked a cyber attack launched by Russian intelligence aimed at breaching information and telecommunications systems used by the country’s judiciary.

Attackers launched a spear phishing attack using messages purporting to deliver accounting documents. The weaponized document included a strain of malware that was developed to disrupt the exfiltrate data and disrupt the Judiciary Systems.

Ukrainian government experts were able to determine the command and control (C&C) infrastructure that is using Russian IP addresses.

The attack was detected and neutralized thanks to the efforts of  result of collaboration between the State Service on Intellectual Property (SSIP) and the State Judicial Administration.

“Employees of the Security Service of Ukraine blocked the attempt of Russian special services to conduct a large-scale cyberattack on the information and telecommunication systems of the judiciary of Ukraine. Specialists of the SBU noted that the cyberattack began due to the sending by e-mail of counterfeit accounting documents infected by the virus.” reads the alert published by the SBU.

“After opening files on computers, malicious software for unauthorized interference with judicial information systems and theft of official information were hidden. Employees of the Security Service of Ukraine found that the detected virus program was connected from control-command servers that have, in particular, Russian IP addresses.”

In July, Ukraine ‘s SBU Security Service reportedly stopped VPNFilter attack at chlorine station, the malware infected the network equipment in the facility that supplies water treatment and sewage plants.

VPNFilter is a multi-stage, modular strain of malware that has a wide range of capabilities for both cyber espionage and sabotage purpose, it is originating from Russia.

Technical analysis of the code revealed many similarities with another nation-state malware, the BlackEnergy malware that was specifically designed to target ISC-SCADA systems and attributed to Russian threat actors. BlackEnergy is considered the key element in the attack aimed at Ukrainian power grid in 2015 and 2016, it was also involved in attacks against mining and railway systems in the country.

This week, Adobe released security updates for Flash Player that address two vulnerabilities, including a zero-day flaw, tracked as CVE-2018-15982, exploited in targeted attacks.

Experts observed the exploitation of the Flash zero-day exploit in an attack aimed at the FSBI “Polyclinic No. 2” of the Administrative Directorate of the President of the Russian Federation.

Once opened, the decoy document shows a questionnaire for personnel of the Moscow-based hospital, while the zero-day exploit is executed in the background.

Gigamon has also published a blog post describing the flaw and the attack, the experts pointed out that the decoy document in Russian language was submitted to VirusTotal from a Ukranian IP address. Qihoo 360 researchers observed the attack was launched just days after the Kerch Strait incident that occurred on November 25, when Russian Federal Security Service (FSB) border service coast guard boats fired upon and captured three Ukrainian Navy vessels that had attempted to pass from the Black Sea into the Sea of Azov through the Kerch Strait while on their way to the port of Mariupol.

Some of the injured crew members were taken to hospitals in Moscow and one of these hospitals could be the Polyclinic No. 2. Malicious documents involved in this attack were uploaded to VirusTotal from a Ukrainian IP address, which could indicate that Ukrainian cyberspies targeted the hospital to obtain information on the state of the crew members.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Ukraine, Russia)

[adrotate banner=”5″]

[adrotate banner=”13″]