Ukraine investigates multiple intrusion vectors in last week’s website defacements, data wiper attacks
Catalin Cimpanu January 18, 2022

The Ukrainian government said on Monday that it is investigating multiple intrusion vectors that could have been used to carry out the cyber-attacks that hit its government agencies last week.

The attacks, which took place last Friday, included an attempt to deface more than 70 Ukrainian government websites and the deployment of a data wiper on some government systems. The wiper was designed to corrupt files and make it look as though the affected systems had been hit by a ransomware attack.

On Monday, Ukrainian officials said the website defacements were also accompanied by data destruction attacks, suggesting for the first time that the two incidents are part of the same attack chain and not separate as initially thought. This was formally confirmed on Tuesday in a separate statement by the State Service for Special Communications and Protection of Ukraine.

The statements echo and confirm an independent investigation from cybersecurity reporter Kim Zetter, who described in her Zero-Day newsletter an attack where the threat actor used different entry points into government systems and defaced or wiped data depending on the level of access they had gained.

Log4Shell?

On Monday, the Ukrainian Cyber Police and the Ukrainian Security Service said they were tracking three potential intrusion vectors that attackers could have used to pull off last week’s attacks:

  • The exploitation of a vulnerability in the October CMS platform, which the Ukrainian government had used for some of the defaced websites;
  • The compromise of employee accounts at a private company that provided the Ukrainian government with managed IT services;
  • The use of the Log4Shell vulnerability to gain access to some of the compromised systems.

The October CMS vulnerability referenced by the Cyber Police and SSU appears to be CVE-2021-32648, which Ukraine’s CERT team said it had identified as one of the primary suspects in some of the defaced websites.

But not all of the attacked government websites ran on October CMS, and the hackers appear to have tried to gain access to some of these other sites by compromising an employee at an IT company that managed some of the government’s websites.

The name of this company appears to be Kitsoft, a Kyiv-based software developer, which confirmed on Facebook that its infrastructure was hit by a data wiper.

Kitsoft identified itself as the unnamed private company mentioned in a blog post published on Sunday by Microsoft, in which researchers analyzed the data-wiping malware and named one of the victims as an “IT firm that manages websites for public and private sector clients, including government agencies whose websites were recently defaced.”

As Zetter also concluded in her newsletter, some details about the attack remain shrouded in mystery, such as who was behind it and how many threat actors were involved in the operation.

In addition, the government’s press release throws a new wrench into the investigation by raising the question of what role the Log4Shell exploit played in all of this. It is unclear whether government agencies are merely referencing Log4Shell because blaming attacks on this vulnerability seems to be an easy cop-out, or whether they have actual evidence that this bug was exploited against their systems.

Early attribution to Russia

While neither Ukrainian Cyber Police nor the SSU attempted to attribute the attacks to any country just yet, a statement from the Ministry of Digital Transformation did place the blame on Russian hackers.

While it may be a very plausible attribution, especially in light of Russia’s recent threats to invade Ukraine, security experts have also raised theories that Russian hackers might have gotten a helping hand from Belarusian cyber units, although no evidence of any tangible collaboration between the two has been presented so far.

Russian officials denied the accusations in statements provided to local news outlets.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.