Ukraine says Russia hacked its document portal and planted malicious files
Ukraine has accused the Russian government of hacking into one of its government Web portals and planting malicious documents that would install malware on end users’ computers.
“The purpose of the attack was the mass contamination of information resources of public authorities, as this system is used for the circulation of documents in most public authorities,” officials from Ukraine’s National Coordination Center for Cybersecurity said in a statement published on Wednesday. “The malicious documents contained a macro that secretly downloaded a program to remotely control a computer when opening the files.”
Wednesday’s statement said that the methods used in the attack connected the hackers to the Russian Federation. Ukraine didn’t say if the attack succeeded in infecting any authorities’ computers.
A large body of evidence has linked Russia’s government to several highly aggressive hacks against Ukraine in the past. The hacks include:
- A computer intrusion in late 2015 against regional power authorities in Ukraine caused a power failure that left hundreds of thousands of homes without electricity in the dead of winter.
- Almost exactly one year later, a second attack at an electricity substation outside Kyiv that once again left residents without power.
- A malicious update for widely used tax software in Ukraine that distributed disk-wiping malware to users. The so-called NotPetya worm ended up shutting down computers worldwide and led to the world’s most costly hack.
Elsewhere, Russia’s SVR intelligence agency has also been accused of carrying out the recently discovered hack that targeted at least nine US agencies and 100 companies in a supply chain attack against customers of the SolarWinds network management software.
Wednesday’s statement didn’t identify which of several known Russian hacking groups was accused of the breach.
Macro attacks like the one mentioned in the statement typically work by tricking Microsoft Office users into enabling macros, often under the guise that the macro is required for the document to display properly. The macros then download malware from an attacker-controlled server and install it.
The statement provided no details on how or when Ukraine’s System of Electronic Interaction of Executive Bodies—a portal that distributes documents to public authorities—was hacked or how long the intrusion lasted.
Indicators that someone has been compromised include:
- Domain: enterox.ru
- IP address: 109.68.212.97
- Link (URL): http://109.68.212.97/infant.php
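As an added defender-side example (not part of the original article or the Ukrainian statement), the following Python script triages an Office Open XML file for an embedded VBA project and searches its parts for the three indicators listed above. The sample documents are constructed in memory; real VBA source inside vbaProject.bin is MS-OVBA compressed, so this string scan is a first pass and a full inspection would need a tool such as olevba.

```python
"""Triage an OOXML document for macros and for the IoCs published in the statement."""
import io
import zipfile

# Indicators quoted in the statement above (domain, IP address, URL).
IOCS = ["enterox.ru", "109.68.212.97", "http://109.68.212.97/infant.php"]

# Presence of any of these parts means the file carries VBA code.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Content type Word assigns to the main part of a macro-enabled (.docm) document.
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"


def triage(doc_bytes: bytes) -> dict:
    """Return whether the zip contains a VBA project and which IoCs appear in any part."""
    result = {"has_macro": False, "iocs": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(doc_bytes))
    except zipfile.BadZipFile:
        return result  # not OOXML (e.g. legacy binary .doc); out of scope here
    names = set(zf.namelist())
    has_part = any(p in names for p in MACRO_PARTS)
    types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace") \
        if "[Content_Types].xml" in names else ""
    result["has_macro"] = has_part or MACRO_CONTENT_TYPE in types_xml
    found = set()
    for name in names:
        # latin-1 never fails to decode, so binary parts are scanned as raw bytes.
        text = zf.read(name).decode("latin-1")
        found.update(ioc for ioc in IOCS if ioc in text)
    result["iocs"] = sorted(found)
    return result


def make_doc(with_macro: bool, payload_url: str = "") -> bytes:
    """Build a minimal constructed .docx/.docm-like zip for testing (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>hello</w:document>")
        if with_macro:
            # Stand-in for vbaProject.bin: OLE magic plus the URL in the clear.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + payload_url.encode())
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(make_doc(True, "http://109.68.212.97/infant.php")))
    print(triage(make_doc(False)))
```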
Wednesday’s statement came two days after Ukraine’s National Coordination Center for Cybersecurity reported what it said were “massive DDoS attacks on the Ukrainian segment of the Internet, mainly on the websites of the security and defense sector.” An analysis revealed that the attacks used a new mechanism that hadn’t been seen before. DDoS attacks take down targeted servers by bombarding them with more data than they can process.