NSDC, the National Security and Defense Council, released on the 24th of February an official statement confirming that a cyber-attack pointed at SEI EB (System of Electronic Interaction of Executive Bodies) took place.

The National Coordination Center for Cybersecurity has recorded several attempts regarding the dissemination of malicious documents through SEI EB, a web-based portal used by the Ukrainian government agencies to circulate documents between each other and public authorities as well.

A Ukrainian official stated that “The methods and means of carrying out this cyberattack allow to connect it with one of the hacker spy groups from the Russian Federation.”

Malicious documents were uploaded into the SEI EB with the purpose of deploying a malware payload onto the targets’ computers.

Once this type of malware infected the computer, the hackers gained full access to it and to the documents stored on it.

The malicious documents contained a macro that secretly downloaded a program to remotely control a computer when opening the files. The methods and means of carrying out this cyberattack allow to connect it with one of the hacker spy groups from the Russian Federation. 

According to the scenario, the attack belongs to the so-called supply chain attacks. It is an attack in which attackers try to gain access to the target organization not directly, but through the vulnerabilities in the tools and services it uses.”

According to the NCDC official website

The Ukrainian cybersecurity agency did not attribute this attack yet to a specific group but it gave some IOAs to give a heads up to security admins so they could detect and block future attacks using the same infrastructure.

This is the second cyberattack that Ukraine is facing this month. The previous one took place on February 18th and is also believed to have originated from hackers based in Russia.

The National Coordination Center for Cybersecurity (NCCC) and the NSDC state that these DDoS attacks were massive and targeted government websites in the defense and security sector.

It may be just a hypothesis but some think that the DDoS attack happened because some members of the nefarious ransomware group Egregor were arrested, and the group’s equipment was seized, as the following day the SBU’s (Security Bureau of Ukraine) website become inaccessible due to a DDoS attack.

The Egregor ransom group has attacked well-known organizations such as Barnes and Noble, Kmart, Cencosud, Randstad, Vancouver’s TransLink metro system, and Crytek.

In February, some of the Egregor’s members were put under arrest following a joint operation between French and Ukrainian law enforcement teams.

Leave a Reply

Your email address will not be published. Required fields are marked *