Ukraine reports cyber-attack on government document management system

Ukrainian officials blame "one of the hacker spy groups from the Russian Federation."

[Image: Ukrainian flag. Credit: Oleksii Leonov (CC BY 2.0)]

The Ukrainian government said today that Russian hackers compromised a government file-sharing system as part of an attempt to disseminate malicious documents to other government agencies.

The target of the attack was the System of Electronic Interaction of Executive Bodies (SEI EB), a web-based portal used by Ukrainian government agencies to circulate documents between each other and public authorities.

In a statement published today, officials with Ukraine's National Security and Defense Council said the purpose of the attack was "the mass contamination of information resources of public authorities."

Ukrainian officials said the attackers uploaded documents on this portal that contained macro scripts. If users downloaded any of these documents and allowed the scripts to execute (usually by pressing the "Enable Editing" button inside Office apps), the macros would secretly download malware that would allow the hackers to take control of a victim's computer.
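A defender-side check for the document technique described above, added here as an example and not taken from the article or from the NSDC alert: it inspects a file submitted to a document portal for an embedded VBA project and flags macro-bearing files that claim to be macro-free. The sample documents are constructed in-place, and the function names are assumptions.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0"  # legacy binary Office container (.doc/.xls)
MACRO_EXTENSIONS = {"docm", "xlsm", "pptm", "dotm", "xltm", "potm"}


def build_sample_docx(with_macros: bool) -> bytes:
    """Constructed minimal OOXML zip for testing; not a real Office document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macros:
            # Stub standing in for a VBA project part; constructed, not real VBA.
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 8)
    return buf.getvalue()


def find_macro_parts(data: bytes) -> list:
    """Return the names of VBA project parts inside an OOXML document, if any."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []  # not a zip container at all
    return [n for n in names if n.lower().endswith("vbaproject.bin")]


def assess_upload(filename: str, data: bytes) -> str:
    """Classify an uploaded document for a portal gate.

    ok         - OOXML file with no VBA project part
    macro      - macro-enabled format (.docm etc.) that carries macros
    mismatch   - macros present in a file whose extension claims none
    legacy-ole - binary .doc/.xls container; needs an OLE-aware scanner
    """
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"
    ext = filename.rsplit(".", 1)[-1].lower()
    parts = find_macro_parts(data)
    if not parts:
        return "ok"
    if ext in MACRO_EXTENSIONS:
        return "macro"
    return "mismatch"
```

Macro-enabled and legacy-format results are the ones a portal operator would hold for review rather than circulate automatically.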

Ukraine links the attacks to Russian cyberspies

"The methods and means of carrying out this cyberattack allow [us] to connect it with one of the hacker spy groups from the Russian Federation," NSDC officials said.

Although most state-sponsored hacking groups have been assigned names by the cyber-security industry, Ukrainian officials did not attribute the attack to a specific Russian activity cluster.

Officials did, however, publish indicators of compromise (IOCs) used in the attacks. They include:

  • Domains: enterox.ru
  • IP addresses: 109.68.212.97
  • Link (URL): http://109.68.212.97/infant.php

Based on these IOCs, ZDNet was able to link the group to Gamaredon, a Russian state-sponsored hacking group that has targeted Ukraine for years.

Today's NSDC security alert is the second warning the agency has published this week. The agency also warned on Monday that Russian hackers launched DDoS attacks last week that targeted the websites of the Security Service of Ukraine, the National Security and Defense Council of Ukraine, and resources of other state institutions and strategic enterprises.