Ukrainian agency links cyberattack on government to Russia

2021-02-26T14:50:00+00:00

No comments

The National Security and Defence Council (NSDC) of Ukraine believes Russian hacker-spy group Pterodo/Gamaredon is behind a cyberattack on a Ukrainian government file-sharing system.

The threat actors attempted to disseminate malicious documents through the country’s System of Electronic Interaction of Executive Bodies by using the ASKOD electronic document-management system, the NSDC said.

The malicious documents contained a macro which secretly downloaded a program to remotely control a computer when opening the files.

“The purpose of the attack was the mass contamination of information resources of public authorities, as this system is used for the circulation of documents in most public authorities,” it added.

“The methods and means of carrying out this cyberattack allow [us] to connect it with one of the hacker-spy groups from the Russian Federation.”

The NSDC described it as a supply chain attack by which attackers try to gain access to a target organisation indirectly through vulnerabilities in tools and services it uses.

According to the council, the main indicators of the attack are the enterox.ru domain name with the IP address 109.68.212.97 and URL http://109.68.212.97/infant.php

Other indicators are the domains: bonitol.ru, mulleti.ru, mullus.ru, sardanal.online, thermop.ru, omyce.ru, butyri.ru, tridiuma.ru, rificum.ru, guill.ru, candidar.ru, lipolys.ru, mondii.ru, subtila.ru and tropisti.ru. The National Coordination Centre for Cybersecurity (NCCC), part of the NSDC gives the IP address as 188.225.37.128.

The NCCC recommends, if possible, blocking on firewalls and monitoring the following IP addresses commonly used by Pterodo/Gamaredon: 176.53.162.0 to 176.53.163.255; 188.225.24.0 to 188.225.27.255; 188.225.44.0 to 188.225.47.255; 188.225.78.0 to 188.225.78.255; 188.225.79.0 to 188.225.79.255; 2.59.40.0 to 2.59.41.255; 2.59.42.0 to 2.59.43.255; 92.53.124.0 to 92.53.125.255; 185.231.153.0 to 185.231.153.255; 5.252.192.0 to 5.252.195.255; 141.8.195.0 to 141.8.195.255; 91.210.170.0 to 91.210.170.255; and 5.23.52.0 to 5.23.52.255

The NSDC said there are similarities between the latest attack and the 2017 NotPetya cyberattack which aimed to damage Ukrainian infrastructure plus last year’s Solarwinds attack in the United States, which US authorities are investigating. In those cases, a malicious code was spread through distributed software which was compromised by the attackers.

Register for free to receive the latest privacy, security and data protection news and analysis straight to your inbox

Topics

No comments

Article
US utilities struggling to meet demand of energy-thirsty AI

2024-04-19T11:53:00Z

In the US, demands for power are outstripping availability as energy-thirsty technologies such as generative AI pile pressure on national electrical systems.
Article
Banks poised for increased risk due to AI

2024-04-19T09:06:00Z

A leading banking regulator has issued a stern warning over the risks that financial institutions face as they move to integrate artificial intelligence (AI) and machine learning (ML) into governance operations.
News
Chicago Gears Up for GRC Connect: Sharpen Skills, Network, and Navigate the Future of GRC

2024-04-15T11:39:00Z By Jonathan Sumner, Chief Digital & Marketing Officer, GRC World Forums.

Get ready, Chicago! GRC Connect kicks off tomorrow, bringing together the brightest minds in governance, risk management, and compliance (GRC) for two days of insightful learning, valuable networking opportunities, and expert guidance on navigating the ever-evolving GRC landscape.