Kyiv data center says some services restored after attack affecting state-owned clients
A Ukrainian data center serving several state-owned companies brought back some of its services on Friday after a cyberattack disrupted operations for customers the day before.
The Parkovy facility in Kyiv said on Friday that it restored data access for users of its private cloud infrastructure. Ukraine’s national postal service provider, a railway and a large energy company were among the entities affected by Thursday’s incident.
Parkovy said it is currently working on restoring damaged infrastructure from backup copies and plans to make it accessible within the next two days. The data center’s website was down as of Friday afternoon.
The engineering systems responsible for temperature regulation, power supply, fire safety and security “are working normally,” Parkovy said.
Ukrainian state security services said they are investigating the incident and are helping affected companies to resume their normal operations. Neither Parkovy nor the government has attributed the incident to a specific threat actor, but other sources said Russian groups are suspected.
So far, at least five Ukrainian organizations have reported that their operations were disrupted as a result of the cyberattack:
- The state-owned energy company Naftogaz.
- National postal service provider Ukrposhta.
- State railway Ukrzaliznytsia.
- DSBT, the agency responsible for transport safety.
- The state television channel created for residents of the occupied areas of Ukraine.
The targeted companies haven't responded to requests for comment regarding their current operations. An adviser to Parkovy's CEO told Recorded Future News that the company will provide comments on the incident later.
Parkovy also hosts data for Ukraine’s e-government service “Diia,” which is used by 20 million Ukrainians to access electronic documents such as passports and driver's licenses, pay taxes, or register a business.
The spokesperson for Ukraine’s Ministry of Digital Transformation, which launched Diia, told Recorded Future News that the attack hasn't affected Diia’s operation, and all services “worked as usual.”
Similar to some other affected companies, Diia hosts its data in several locations, including the DeNovo data center. DeNovo’s spokesperson told Recorded Future News that it is "working normally" and will provide more comments when the situation with the Parkovy hack becomes more clear.
Likely suspect
Currently, there's no public information on which hacker group is responsible for the incident or how it gained access to Parkovy's systems.
On Thursday, a threat actor using the alias “salmoncrew” posted what it claimed was Parkovy’s database on a leak website. The data dump allegedly includes user emails, names, phone numbers and passwords.
Sample db was posted on one of the breached clones, strong "Free Civilian" vibes and smell of matryoshka, balalayka and tolstoyevsky pic.twitter.com/JrB8PckLa2
— herm1t (@vx_herm1t) January 26, 2024
The spokesperson for Ukrainian Cyber Alliance, who uses the online aliases "herm1t" and “Sean Townsend,” told Recorded Future News that the hacker responsible for posting the dump bears resemblance to another pro-Russian threat actor known as Free Civilian.
Free Civilian is known for leaking data from Ukrainian state websites and is allegedly associated with a hacking group identified as UAC-0056 or SaintBear. This group is believed to be behind the WhisperGate attack in January 2022, which affected government agencies in Ukraine.
Free Civilian may involve Russian state-controlled hackers, said Alex Holden, the founder of the U.S. cybersecurity company Hold Security, in an interview with Forbes Ukraine last year.
The website where the leak was published also looks almost identical to RaidForums, which Free Civilian used frequently before that forum was shut down in 2022.
The authenticity of the leaked data hasn't yet been verified. Ukraine's cybersecurity service has declined to comment on the matter.
Townsend suggested that the attack on Parkovy was likely state-sponsored since hackers didn’t just steal the data — they also disrupted the data center's operation.
Financially motivated hackers mostly want their victims to bounce back swiftly after paying the ransom, according to Townsend. In the case of the Parkovy attack, the group responsible was probably aiming to disrupt the company's services because it hosts government agencies or large businesses, he added.
Attacks on cloud service providers are common, and many of them have been attributed to Russian or Chinese state hackers.
Last week, the Finland-based IT services and cloud hosting provider Tietoevry announced that one of its data centers in Sweden was hit by a ransomware attack, affecting numerous customers and forcing stores to close across the country. The attack is believed to have been carried out by a Russian hacker group.
In September of last year, it emerged that the Chinese hacker group tracked as Storm-0558 had stolen 60,000 emails from U.S. State Department accounts after breaching Microsoft's cloud-based Exchange email service earlier that year.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.