
Anonymous Rises Again Amid Russia Ukraine War


Anonymous, the international hacktivist collective, has surfaced again. This time the group claims to have hacked Roskomnadzor (the Federal Service for Supervision of Communications, Information Technology and Mass Media), a federal Russian agency, and to have stolen more than 360,000 files. You have mostly read about Russia banning VPNs, Telegram, or email services; there is a particular agency that carries out those bans.

It's called Roskomnadzor, a major federal executive agency responsible for handling, managing, and censoring Russian media. "Anonymous also targeted and hacked misconfigured/exposed Cloud databases of Russian organizations. The shocking aspect of the attack was the fact that Anonymous and its affiliate hackers hacked 90% of Russian Cloud databases and left anti-war and pro Ukrainian messages," Hackread reports.

Details about the attack 

The size of the leaked data is 820 GB. Most of the database files related to Roskomnadzor's data are linked to the Republic of Bashkortostan, one of Russia's largest provinces. The full dataset is now available on the official website of Distributed Denial of Secrets (aka DDoSecrets), a non-profit whistleblower organization. It should be noted, however, that an Anonymous affiliate initially shared Roskomnadzor's data with DDoSecrets, and DDoSecrets itself is not responsible for the attack. The first announcement of the data leak came from Emma Best, a journalist and co-founder of DDoSecrets, in March 2022.

YourAnonNews, a well-known representative of the Anonymous collective, also tweeted about the attack. Anonymous has openly sided with Ukraine in the ongoing war with Russia. The Russian government has restricted all important sources of information, especially news and media outlets, and Roskomnadzor was told to block Facebook, Twitter, and other online platforms.

Hackread reports, "While Twitter launched its Tor onion service, authorities in Russia have also amended the Criminal Code to arrest anyone who posts information that contradicts the government’s stance. Nevertheless, since Roskomnadzor is a major government agency responsible for implementing government orders Anonymous believes the Russian public must have access to information about what is going on within Roskomnadzor."

Ukrainian Government Websites Shut Down due to Cyberattack


Ukrainian state authorities' websites have stopped working. At the moment, the website of the Ukrainian president, as well as resources on the gov.ua domain, are inaccessible.

According to the source, the cause was a large-scale cyberattack by the Russian hacker group RaHDit. A total of 755 websites of the Ukrainian authorities on the gov.ua domain were taken offline as a result of the attack.

Hackers posted on government websites an appeal written on behalf of Russian soldiers to soldiers of the Armed Forces of Ukraine and residents of Ukraine. "The events of the last days will be the subject of long discussions of our contemporaries and descendants, but the truth is always the same! It is absolutely obvious that what happened is a clear example of what happens when irresponsible, greedy, and indifferent to the needs of their people come to power," they wrote. 

Another of the hacked websites published an appeal on behalf of Zelensky. In it, the President of Ukraine allegedly stated that he had agreed to sign a peace treaty with Russia. "This is not treason to Ukraine, to the Ukrainian spirit, it is exclusively for the benefit of the Ukrainian people," the banner said. 

The third message called on civilians to "refuse to support national radical formations formed under the guise of territorial defense." It was warned that any attempts to create armed gangs would be severely suppressed. In another announcement, Ukrainian soldiers were asked not to open fire on the Russian army and lay down their weapons: "Return fire will kill you. You are guaranteed life, polite treatment, and a bus home after the war." 

This information could not be confirmed. Currently, when visiting government websites, users are told that the sites cannot be accessed.

Earlier it became known that Russian hackers from the Killnet group hacked the website of the Anonymous group, which had previously declared a cyberwar against Russia. They urged Russians not to panic and not to trust fakes. 

On February 25, hackers from Anonymous announced their decision to declare a cyberwar against Russia due to the start of a special operation in the Donbas. The attackers attacked Russian Internet service providers and government websites. They also hacked the websites of major media outlets: TASS, Kommersant, Izvestia, Forbes, Mela, Fontanka. 

As a reminder, the special operation in Ukraine began in the morning of February 24. This was announced by Russian President Vladimir Putin.

UNC1151 Targets Ukrainian Armed Forces Personnel with Spear Phishing Campaign


The Ukrainian Computer Emergency Response Team (CERT-UA) has issued a warning about an ongoing spear-phishing campaign targeting private email accounts belonging to Ukrainian military personnel. The Ukrainian agency attributes the campaign to the UNC1151 cyber-espionage group, which is linked to Belarus. In mid-January, the Kyiv administration blamed the Belarusian APT group UNC1151 for the defacement of dozens of Ukrainian government websites.

“We believe preliminarily that the group UNC1151 may be involved in this attack,” Serhiy Demedyuk, deputy secretary of the national security and defence council, told Reuters. “This is a cyber-espionage group affiliated with the special services of the Republic of Belarus. The defacement of the sites was just a cover for more destructive actions that were taking place behind the scenes and the consequences of which we will feel in the near future.”

The following message was shown on defaced websites in Russian, Ukrainian, and Polish. “Ukrainian! All your personal data has been sent to a public network. All data on your computer is destroyed and cannot be recovered. All information about you stab public, fairy tale and wait for the worst. It is for you for your past, the future, and the future. For Volhynia, OUN UPA, Galicia, Poland, and historical areas.” read a translation of the message. 

Mandiant Threat Intelligence researchers attributed the Ghostwriter disinformation campaign (aka UNC1151) to the government of Belarus in November 2021. FireEye security analysts discovered a misinformation campaign aimed at discrediting NATO in August 2020 by circulating fake news articles on compromised news websites. According to FireEye, the GhostWriter campaign has been running since at least March 2017 and is aligned with Russian security interests. 

GhostWriter, unlike other disinformation campaigns, did not propagate via social media; instead, threat actors behind this campaign employed compromised content management systems (CMS) of news websites or forged email accounts to disseminate bogus news. The attackers were disseminating false content, such as forged news articles, quotations, correspondence, and other documents purporting to be from military authorities and political people in some targeted countries. According to researchers, the campaign particularly targeted people in specific alliance member states such as Lithuania, Latvia, and Poland. 

The phishing messages employ a typical social engineering lure: victims are told to submit their information to prevent their email accounts from being permanently suspended. According to Ukraine's State Service of Special Communications and Information Protection (SSSCIP), phishing attacks are also targeting Ukrainian citizens.

DDoS Assaults on Ukrainian Banking Elite Have Resumed Yet Again


Cyberattacks took down Ukrainian official and bank websites, prompting the government to declare a nationwide state of emergency amid growing fears that Russian President Vladimir Putin could launch a full-scale military invasion of Ukraine. The websites of Privatbank (Ukraine's largest bank) and Oschadbank (the State Savings Bank) were hit in the onslaught, which also brought down Ukrainian government sites, according to Internet monitor NetBlocks.

"At around 4 p.m., another massive DDoS attack on the state commenced. We have relevant data from several banks," stated Mykhailo Fedorov, Minister of Digital Transformation, who also mentioned that the parliament website had been hacked. Ukrainian authorities said earlier this week that hackers were preparing to conduct large attacks on government organizations, banks, and the defense sector.

SSSCIP and other national cybersecurity authorities in Ukraine are currently "working on countering the assaults, gathering and evaluating information." According to the Computer Emergency Response Team of Ukraine (CERT-UA), the attackers used DDoS-as-a-Service platforms and numerous bot networks, including Mirai and Meris, to carry out the DDoS attacks on February 15th. The DDoS attacks were traced to Russia's Main Directorate of the General Staff of the Armed Forces on the same day, according to the White House. 

"We have technical information indicating ties to the Russian main intelligence directorate, or GRU," Deputy National Security Advisor for Cyber Anne Neuberger stated. "Known GRU infrastructure was spotted delivering huge volumes of communication to Ukraine-based IP addresses and domains."

Neuberger went on to say that, despite the "limited impact," the strikes can be considered as "setting the framework" for more disruptive attacks, which could coincide with a possible invasion of Ukraine's territory.

The UK government also blamed Russian GRU hackers for last week's DDoS strikes, which targeted Ukrainian military and state-owned bank websites. According to a press release from Ukraine's Security Service (SSU), which also had its website hacked, the country was attacked by a "huge wave of hybrid warfare." The SSU announced earlier this month that, during January 2022, it stopped over 120 cyberattacks aimed at Ukrainian governmental entities.

Ukraine: DDoS Attacks on State Websites Continue


Since February 23, some Ukrainian government websites have been subjected to DDoS attacks: web resources of the Ministry of Defense, the Verkhovna Rada of Ukraine, the Ministry of Foreign Affairs and others have suffered interruptions. 

The Insider publication (the organization is included in the list of foreign agents by the Ministry of Justice of Russia), referring to data from the independent cyber analyst Snorre Fagerland, stated that the hacker group APT28 (Fancy Bear), which is said to be linked to the Main Intelligence Directorate of the Russian Federation, was behind the attacks.

However, Igor Bederov, head of the Information and Analytical Research Department at T.Hunter, called this statement a provocation. "The investigation of a cyberattack (attribution) is a long and complex process that cannot be carried out from beginning to end in hours. Analysis of hacker software and malicious code is always a long and painstaking process," Mr. Bederov said. 

According to him, even if traces leading to Fancy Bear were indeed found, it is still impossible to say that this particular group was behind the attack. Mr. Bederov thinks that other hackers could have also taken advantage of malware previously used by Fancy Bear. This is possible because hacker tools are openly resold on the Darknet.

"Primary attribution is based on matching the hacker code used in today's attack with the code used in yesterday's attack, as well as special characters specific to a language group. This approach is fundamentally wrong, because the code can be stolen or bought, and the linguistic features can be imitated," said the expert. 

Mr. Bederov also noted that within the framework of pro-state activity, mainly Chinese groups like to engage in substitution of attribution. In addition, according to him, the NATO cyber intelligence center located in Tallinn was previously noticed for the substitution of attribution. 

Earlier it was reported that the DDoS attacks on the website of the Ministry of Defense of Ukraine could have been deliberately staged by the United States. Before that, Viktor Zhora, Deputy Chairman of the State Service for Special Communications and Information Protection of Ukraine, said that the government of Ukraine is ready for a scenario of forced destruction of secret data on servers. According to him, the authorities do not want to take risks and are not going to leave documentation and detailed information about the population of Ukraine to the enemy.

He also said that if Russia gets access to government passwords, Ukrainian specialists "will quickly block access to hacked accounts."

Cyberattacks Were Launched Against Government Sites of Both Russia and Ukraine


Following Russia's attack on Ukraine, the Kremlin's official website and several other major Russian government websites have gone offline. The websites currently offline include Kremlin (kremlin.ru), the official website of Russian President Vladimir Putin, the Russian Ministry of Defense, and the official website of the Russian Parliament (the Duma). It is unclear whether these websites were taken down as a result of a cyberattack or a technical error.

This comes just one day after a suspected hack took out a number of Ukrainian government websites. Ukraine is on the radar of cybercriminals, according to two cybersecurity organisations with a strong presence in the country, ESET and Symantec Threat Intelligence, which have revealed that the country's computer networks are being targeted with destructive data-wiper malware.

According to an ESET assessment, the new data-wiper malware has targeted hundreds of computer systems in Ukraine. In one example, it infiltrated the victim's Microsoft Active Directory server. The malware appears to have been created five hours before it was released into the wild, implying that its code and operational infrastructure were likely already set up and ready to go.

According to ESET's analysis, the malware employed in the attack was HermeticWiper, which was distributed via Windows group policies. This suggests that the attackers may have gained complete control of their target's internal networks. According to the organisation, the malware corrupts data by abusing genuine drivers from a disk management utility, the EaseUS Partition Master software.

Furthermore, the wiper binary is signed "using a code signing certificate issued to Hermetica Digital Ltd," according to ESET researchers. When the wiper is activated, it launches the EaseUS disk partition driver and, once the data is corrupted, it reboots the machine.

Stairwell security researcher Silas Cutler noted that HermeticWiper may corrupt both local data and the master boot record of the hard drive, preventing the computer from booting into the operating system after the forced reboot. This is comparable to the WhisperGate malware.

Given the time-stamp data of one of the samples, this attack could have been in the works for two months. According to Symantec Threat Intelligence, the Wiper is followed by a distributed denial of service (DDoS) attack on a number of Ukrainian websites.

It should be noted that on February 16th, 2022, Ukrainian banks and government websites were also subjected to a series of DDoS attacks. The cyberattacks were blamed on Russia by the governments of the United Kingdom and the United States. The sites of Ukraine's Ministry of Foreign Affairs, Cabinet of Ministers, and Parliament were among those affected.

DDoS Attacks Hit Ukrainian Government Websites


DDoS attacks are causing havoc for the Ministry of Defense and the Armed Forces of Ukraine, as well as two of the country's state-owned banks, Privatbank (Ukraine's largest bank) and Oschadbank (the State Savings Bank). 

Bank customers got text messages saying that bank ATMs were down today, according to Ukraine's Cyberpolice, who added that the messages were "part of an information attack and do not correspond to reality." 

The Ukrainian Ministry of Defense, whose website was taken down as a result of the attacks, stated that its website was most likely hit by a DDoS attack: an excessive number of requests per second was observed.

"Starting from the afternoon of February 15, 2022, there is a powerful DDOS attack on a number of information resources of Ukraine," Ukraine's State Service for Special Communication and Information Protection added. 

"In particular, this caused interruptions in the work of web services of Privatbank and Oschadbank. The websites of the Ministry of Defense and the Armed Forces of Ukraine were also attacked."

While the Ukrainian defence ministry's website is down, Oschadbank's and Privatbank's websites are still up and running, although users are unable to access their online banking. Privatbank users have been experiencing problems with payments and the bank's mobile app, according to the Ukrainian Center for Strategic Communications and Information Security. Some stated that they couldn't get into their Privat24 internet banking accounts, while others said they observed inaccurate balances and recent transactions.

A traffic geofencing rule was added to Privatbank's web application firewall (WAF), which automatically removed the website's contents for IP addresses outside of Ukraine and displayed a "BUSTED! PRIVATBANK WAF is watching you)" message. 

The Security Service of Ukraine (SSU) stated on Monday that the country is being targeted in a "massive wave of hybrid warfare" aimed at instilling fear in Ukrainians and undermining their faith in the state's ability to safeguard them. The SSU further stated that it has already blocked many such attempts related to hostile intelligence agencies, as well as dismantled bot farms aimed at spreading fear in Ukrainian residents through bomb threats and fake news.  

Attacks on Ukrainian authorities are being coordinated by the Gamaredon hacking organisation (connected to Russia's Federal Security Service (FSB) by Ukrainian security and secret agencies), according to the country's Computer Emergency Response Team. 

A day later, the SSU announced that it has prevented more than 120 cyberattacks aimed at Ukrainian governmental institutions in January 2022. 

Gamaredon has been directing a wave of spear-phishing emails targeting Ukrainian businesses and organisations relevant to Ukrainian issues since October 2021, according to Microsoft.

WhisperGate Wiper Malware Far More Dangerous Than Previous Malware


Cybersecurity researchers with Cisco Talos have examined the WhisperGate wiper malware employed to strike Ukrainian government websites, noting similarities between the ‘WhisperGate’ and the previously seen NotPetya wiper.

According to researchers, WhisperGate has more capabilities ‘designed to inflict additional damage’ using multiple wipers to successfully target multiple modern systems. 

The first wiper attempts to eradicate the master boot record (MBR) and to block any recovery options. "Similar to the notorious NotPetya wiper that masqueraded as ransomware during its 2017 campaign, WhisperGate is not intended to be an actual ransom attempt, since the MBR is completely overwritten," the researchers explained.

However, with many modern systems now shifting to GUID Partition Tables (GPT), this executable may not be as effective, so the malware authors included an additional wiper in the attack chain.

The second stage of the infection chain is a downloader that retrieves the third stage from a Discord server URL hard-coded in the downloader. The downloader starts by executing a base64-encoded PowerShell command twice to make the endpoint sleep for 20 seconds.

The restored file is a DLL and serves as the third stage of the infection chain. After restoration, the downloader loads the third-stage DLL and enumerates all of its public methods, searching for a method named "Ylfwdwgmpilzyaph". If the method is found, the downloader executes it by calling ".Invoke(null, null)", transferring the execution flow to the third-stage DLL.

"The fourth-stage wiper payload is probably a contingency plan if the first-stage wiper fails to clear the endpoint," Cisco Talos says. 

In the fourth stage, the wiper seeks out fixed and remote logical drives to target. It then enumerates them and wipes files in every directory except "%HOMEDRIVE%\Windows". Files with one of 192 extensions, including .HTML, .PPT, .JPG, .RAR, .SQL, and .KEY, are destroyed.

"The wiper will overwrite the content of each file with 1MB worth of 0xCC bytes and rename them by appending each filename with a random four-byte extension. After the wiping process completes, it performs a delayed command execution using Ping to delete "InstallerUtil.exe" from the %TEMP% directory. Finally, it attempts to flush all file buffers to disk and stop all running processes (including itself) by calling ExitWindowsEx Windows API with EWX_SHUTDOWN flag," the researchers concluded.
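The two file-level artifacts Talos describes (content overwritten with 1 MB of 0xCC bytes, and a random four-byte extension appended to the original name) are enough to triage a disk image for wiped files. The script below is an added example for incident responders, not Talos code or the malware itself; the extension subset, the assumption that the appended extension is four alphanumeric characters, and the sample files are all constructed here.

```python
"""Forensic triage for WhisperGate-style wiped files (added example, not Talos code)."""
import os
import re
import tempfile

WIPE_LEN = 1024 * 1024   # the write-up says 1 MB of 0xCC is written per file
WIPE_BYTE = 0xCC
# Small subset of the 192 targeted extensions named in the write-up.
TARGET_EXTS = {".html", ".ppt", ".jpg", ".rar", ".sql", ".key"}
# Assumption: the appended "random four-byte extension" is four alphanumerics.
APPENDED_EXT = re.compile(r"^.+\.(?P<orig>[A-Za-z0-9]+)\.(?P<rand>[A-Za-z0-9]{4})$")


def content_wiped(data: bytes) -> bool:
    """True if the leading min(len, 1 MB) bytes are all 0xCC; empty files are not flagged."""
    head = data[:WIPE_LEN]
    return len(head) > 0 and head.count(WIPE_BYTE) == len(head)


def renamed_target(name: str):
    """Return the original extension if name looks like '<file>.<ext>.<4 random chars>'
    and <ext> is in the targeted set; otherwise None."""
    m = APPENDED_EXT.match(name)
    if not m:
        return None
    orig = "." + m.group("orig").lower()
    return orig if orig in TARGET_EXTS else None


def classify(name: str, data: bytes) -> str:
    """'wiped' when both artifacts match, 'suspect' when only one does, else 'clean'."""
    hits = int(content_wiped(data)) + int(renamed_target(name) is not None)
    return {2: "wiped", 1: "suspect", 0: "clean"}[hits]


def triage_dir(root: str) -> dict:
    """Walk root, skipping <root>/Windows as the wiper itself does, and report non-clean files."""
    findings = {}
    root = os.path.abspath(root)
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.abspath(dirpath) == root:
            dirnames[:] = [d for d in dirnames if d.lower() != "windows"]
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read(WIPE_LEN)   # only the wiped prefix is needed
            verdict = classify(fn, data)
            if verdict != "clean":
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = verdict
    return findings


def demo() -> dict:
    """Build constructed samples in a temp dir and triage them (sample data, not real IoCs)."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "docs/report.sql.x9qz": bytes([WIPE_BYTE]) * 4096,  # wiped and renamed
            "docs/notes.html": b"<html>intact</html>",          # untouched file
            "docs/photo.jpg.ab12": b"\xff\xd8intact jpeg",      # renamed only
            "Windows/system.ini": bytes([WIPE_BYTE]) * 64,      # excluded directory
        }
        for rel, data in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return triage_dir(root)


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:8} {path}")
```

A "suspect" verdict on a name-only match (for example, a legitimate "index.html.orig" backup) is expected; the content check is the discriminating artifact.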

To mitigate risks, CISA has advised organizations to implement multi-factor authentication for remote systems, disable ports and access points that are not business-critical, and implement strong controls for cloud services.

Hackers Attacked Ukrainian Sites Again


The State Service for Special Communications and Information Protection on Monday, January 17, reported a new hacker attack similar to those that were committed on the websites of government agencies on January 14. 

On Friday, the press secretary of the Ministry of Foreign Affairs of Ukraine, Oleg Nikolenko, said that the websites of the Ministry of Foreign Affairs and a number of other government agencies are down due to a hacker attack. 

The home page of the Ministry of Education and Science website displayed a message claiming that all personal data of Ukrainians had been uploaded to a shared network. The State Service for Special Communications reported that no personal data was leaked as a result of the hacker attack. According to the agency, state websites in the country were subjected to the most powerful attack in the last four years.

"Today at 8 o'clock in the morning, a message appeared on the Prozorro Infobox forum page, similar to those used during the cyberattack on other government sites on January 14. The page has been disabled, and experts are investigating and working to promptly resume the work of the forum," the State Service noted.

The Prozorro Infobox Forum is a separate system that is not connected to the Prozorro procurement system. "According to the available information, neither the Prozorro Infobox information resource nor the Prozorro portal itself were affected. The public procurement system is operating normally," the ministry said. 

The State Service also reported that almost all of the state resources attacked by hackers have resumed their work. The Security Service of Ukraine and the National Police have opened a criminal case over the cyberattack.

On the same day, the press secretary of the Russian president Dmitry Peskov said that Moscow had nothing to do with these incidents.

Ukraine Government Websites Targeted in a Suspected Russian Cyber Attack


Threat actors targeted multiple Ukrainian government websites on Friday, temporarily disabling the sites and leaving messages warning readers to "be afraid and expect the worst."

Ukrainian officials said it is too early to draw any conclusions, but they pointed to a "long record" of Russian cyberattacks against Ukraine as tensions between Russia and the West over Ukraine escalate following several rounds of unsuccessful talks.

Ukraine’s foreign ministry described the incident as a “massive cyberattack,” but noted that no content on the sites had been altered and no personal details had been leaked.

Websites for the government’s cabinet, security and defense councils, and ministry for education were among those affected. “Our specialists are already working on restoring the work of IT systems, and the cyber police opened an investigation,” said the spokesperson. 

The foreign ministry website temporarily displayed a message in Ukrainian, Russian, and Polish that appeared to suggest the attack was in response to Ukraine's pro-Western stance. "Ukrainians! All of your personal data .. have been deleted and are impossible to restore. All information about you has become public, be afraid and expect the worst. This is for your past, present and future. For Volyn, OUN, UPA, Galitsia, Polesye and for historical lands," it said, referring to ultra-nationalist organizations and regions of Ukraine. 

The authorities, including the SBU security service and Cyberpolice, are working to address the issue. The education ministry said that the attack comes as tensions between Russia and the West soar over Ukraine, a strategic ex-Soviet country. Western intelligence has accused Russia of deploying tanks, artillery, and about 100,000 soldiers near Ukraine's war-torn eastern border in recent weeks, in what NATO says is preparation for an invasion. Meanwhile, Moscow says it has no plans to invade Ukraine.

Earlier this week the United States and its NATO allies held talks with Russian officials in an attempt to ease tensions, but all three rounds of negotiations -- in Geneva, Brussels, and Vienna -- proved unsuccessful. 

Ukraine has suffered a series of cyber-attacks since 2014, which have knocked out power supplies, frozen supermarket tills, and forced the authorities to prop up the hryvnia currency after banks' IT systems crashed.