Ukraine has accused the Russian government of hacking into one of the government’s web portals and posting malicious documents that would install malware on end users’ computers.
“The target of the attack was the massive contamination of government agency information sources, as this system is used for the distribution of documents in most government agencies,” officials from Ukraine’s National Cybersecurity Coordination Center said in a statement released Wednesday. “The malicious documents contain a macro that secretly downloaded a program to remotely control a computer when opening the files.”
Wednesday’s statement said the methods used in the attack linked the hackers to the Russian Federation. Ukraine did not say whether the attack succeeded in infecting authorities’ computers. A large body of evidence has linked the Russian government to several very aggressive hacks against Ukraine in the past. The hacks include:
- A computer hack at regional energy authorities in Ukraine in late 2015 caused a power outage that left hundreds of thousands of homes without electricity in the dead of winter.
- Almost exactly a year later, a second attack on a power station outside Kiev left residents without power again.
- A malicious update to popular tax software in Ukraine that distributed disk-wiping malware to users. The so-called NotPetya worm shut down computers worldwide and led to the world’s most expensive hack.
Elsewhere, Russia’s SVR intelligence agency has also been accused of carrying out the recently discovered hack that targeted at least nine US agencies and 100 companies in a supply chain attack on customers of the SolarWinds network management software.
Wednesday’s statement did not identify which of several well-known Russian hacking groups was accused of the breach.
Macro attacks like the one mentioned in the statement usually work by tricking Microsoft Office users into enabling macros, often under the guise that the macro is necessary to render the document correctly. The macros then download and install malware from an attacker-controlled server.
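Defenders triaging documents that flow through a distribution portal like this one want a fast way to find the files that carry macros at all. The following is an added example, not code from the original article or from any Ukrainian agency: a structural check over Office Open XML containers (hypothetical function names; the sample files are constructed inside the block).

```python
import io
import zipfile

# Hypothetical structural triage for Office Open XML files (.docx/.docm etc.).
# Names and sample files below are constructed for this example.
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
NON_MACRO_EXTENSIONS = (".docx", ".xlsx", ".pptx")


def triage_office_file(filename: str, data: bytes) -> dict:
    """Report whether an OOXML document carries a VBA project and why that is odd.

    Checks are structural only (ZIP entry list and [Content_Types].xml);
    the VBA source itself is not decoded here.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"name": filename, "has_macros": False,
                "findings": ["not an OOXML container"]}
    names = zf.namelist()
    # Word/Excel/PowerPoint store VBA code as a binary part named vbaProject.bin.
    has_macros = any(n.lower().endswith("vbaproject.bin") for n in names)
    content_types = ""
    if "[Content_Types].xml" in names:
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    if has_macros:
        findings.append("contains a VBA project part (macros present)")
        if MACRO_CONTENT_TYPE not in content_types:
            findings.append("VBA part is not declared in [Content_Types].xml")
        if filename.lower().endswith(NON_MACRO_EXTENSIONS):
            findings.append("macro part inside a non macro-enabled extension")
    return {"name": filename, "has_macros": has_macros, "findings": findings}


def build_sample(with_macro: bool, declare_macro: bool) -> bytes:
    """Build a minimal constructed OOXML container to exercise the triage."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        if declare_macro:
            types += '<Override PartName="/word/vbaProject.bin" ContentType="%s"/>' % MACRO_CONTENT_TYPE
        types += "</Types>"
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a real compound-file VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 12)
    return buf.getvalue()
```

This only flags that a VBA part is present and whether its packaging is consistent; decoding the macro source to see what it downloads is a job for a dedicated tool such as olevba from oletools.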
The statement did not provide details on how or when Ukraine’s electronic interaction system of executive bodies – a portal that distributes documents to government agencies – was hacked or how long the break-in lasted.
Indicators that a system has been compromised include:
- IP address: 18.104.22.168
- Link (URL): http://22.214.171.124/infant.php
Wednesday’s statement came two days after Ukraine’s National Cybersecurity Coordination Center reported what it said were “massive DDoS attacks on the Ukrainian segment of the Internet, mainly on the websites of the security and defense sector.” An analysis found that the attacks used a mechanism not seen before. DDoS attacks take out targeted servers by bombarding them with more traffic than they can handle.