The National Security and Defence Council (NSDC) of Ukraine believes Russian hacker-spy group Pterodo/Gamaredon is behind a cyberattack on a Ukrainian government file-sharing system.
The threat actors attempted to disseminate malicious documents through the country’s System of Electronic Interaction of Executive Bodies by using the ASKOD electronic document-management system, the NSDC said.
The malicious documents contained a macro which secretly downloaded a program to remotely control a computer when opening the files.
“The purpose of the attack was the mass contamination of information resources of public authorities, as this system is used for the circulation of documents in most public authorities,” it added.
“The methods and means of carrying out this cyberattack allow [us] to connect it with one of the hacker-spy groups from the Russian Federation.”
The NSDC described it as a supply chain attack by which attackers try to gain access to a target organisation indirectly through vulnerabilities in tools and services it uses.
According to the council, the main indicators of the attack are the enterox.ru domain name with the IP address 22.214.171.124 and URL http://126.96.36.199/infant.php
Other indicators are the domains: bonitol.ru, mulleti.ru, mullus.ru, sardanal.online, thermop.ru, omyce.ru, butyri.ru, tridiuma.ru, rificum.ru, guill.ru, candidar.ru, lipolys.ru, mondii.ru, subtila.ru and tropisti.ru. The National Coordination Centre for Cybersecurity (NCCC), part of the NSDC gives the IP address as 188.8.131.52.
The NCCC recommends, if possible, blocking on firewalls and monitoring the following IP addresses commonly used by Pterodo/Gamaredon: 184.108.40.206 to 220.127.116.11; 18.104.22.168 to 22.214.171.124; 126.96.36.199 to 188.8.131.52; 184.108.40.206 to 220.127.116.11; 18.104.22.168 to 22.214.171.124; 126.96.36.199 to 188.8.131.52; 184.108.40.206 to 220.127.116.11; 18.104.22.168 to 22.214.171.124; 126.96.36.199 to 188.8.131.52; 184.108.40.206 to 220.127.116.11; 18.104.22.168 to 22.214.171.124; 126.96.36.199 to 188.8.131.52; and 184.108.40.206 to 220.127.116.11
The NSDC said there are similarities between the latest attack and the 2017 NotPetya cyberattack which aimed to damage Ukrainian infrastructure plus last year’s Solarwinds attack in the United States, which US authorities are investigating. In those cases, a malicious code was spread through distributed software which was compromised by the attackers.
Register for free to receive the latest privacy, security and data protection news and analysis straight to your inbox