[BreachExchange] Hackers Destroyed Data at Key Ukraine Agency Before Invasion

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Mon Feb 28 11:39:24 EST 2022


https://www.msn.com/en-us/news/world/hackers-destroyed-data-at-key-ukraine-agency-before-invasion/ar-AAUlL3N

(Bloomberg) -- In the buildup to Russia’s invasion, hackers detonated
powerful data-destroying software on the network of Ukraine’s Ministry of
Internal Affairs, and they siphoned off large amounts of data from the
country’s telecommunications network, according to three people involved in
investigations into the incidents.

The attacks dealt a blow to a key Ukrainian law enforcement agency --
responsible for overseeing the national police -- while giving the
hackers potentially valuable insights into the communications and movements
of people inside the country before Russian troops began their assault, the
people said. They requested anonymity because they weren’t authorized to
discuss the confidential investigations publicly.

The details, which haven’t been previously reported, illustrate the growing
role of cyber operations in modern military conflicts and the range of
threats facing Ukrainian President Volodymyr Zelenskiy as Russian forces
fight to seize control of the country. The people involved in the
investigations didn’t say who was behind the cyberattacks.

Representatives of the Ukrainian government didn’t respond to requests for
comment.

On Wednesday, the day before the invasion, multiple governmental websites
in Ukraine experienced disruptions that appeared to be the result of
distributed denial-of-service, or DDoS, attacks. Security researchers said
they included the Ministry of Defense, Ministry of Foreign Affairs and the
Ministry of Internal Affairs.

Researchers at the cybersecurity firm ESET LLC had said that more than
three Ukrainian organizations were compromised Wednesday with destructive
malware that infected a few hundred computers at those organizations.

“This was not a widespread attack. They pinpointed specific organizations
and then went in and deployed the malware,” said Jean-Ian Boutin, ESET’s
head of threat research, who declined to name the specific organizations
affected. “The fact that this happened a few hours before the full-scale
invasion, it leads us to believe these organizations were targeted for a
reason.”

The three people involved in the investigations identified the Ministry of
Internal Affairs as one of the organizations compromised by the
data-destroying malware. The extent of the damage is unclear. One of the
people said key officials had evacuated, and as a result, security
specialists have been unable to conduct a full forensics investigation of
its network.

Another person said the hackers removed large amounts of data from the
agency’s network before detonating the malware, indicating that they were
likely gathering intelligence about the agency’s operations before
attempting to disrupt them.

The three people also said that the deployment of the destructive malware
coincided with yet another attack, in which hackers began removing large
amounts of data from Ukrainian telecommunications systems in the weeks
leading up to the invasion, apparently activating malicious code -- or
implants -- that had been embedded into those systems during earlier
intrusions.

The name of the telecommunications company or companies impacted by the
attack weren’t immediately available.

Some details of the cyberattacks against Ukraine have trickled out since
January.

On Jan. 15, for instance, Microsoft Corp. disclosed that it had discovered
a new type of destructive malware on “dozens of impacted systems” spanning
“multiple government, nonprofit and information technology organizations,
all based in Ukraine.” It didn’t identify any victims.

Coming at a time when Russia was massing troops on Ukraine’s borders, and
U.S. and European intelligence services were warning that Putin was
preparing an invasion, the discovery raised fears that Ukraine’s defenses
could be substantially diminished by a coordinated detonation of
data-wiping code.

On Feb. 15 and 16, government and financial websites in Ukraine came under
a disruptive DDoS attack that Mykhailo Fedorov, minister of digital
transformation, said was the worst of its kind the country had ever seen.
“This attack was unprecedented, it was prepared well in advance, and its
key goal was destabilization, sowing panic and creating chaos in our
country,” Fedorov said.

U.S. and U.K. officials attributed those attacks to Russia’s GRU military
intelligence service, the same organization accused in the 2017 NotPetya
attacks, which involved similar “wiper” malware. Those attacks began in
Ukraine but spread across the globe, causing an estimated $10 billion in
damages.

Russia has repeatedly denied being behind cyberattacks.