Ukraine’s Computer Emergency Response Team (CERT-UA) has accused Russian state hackers of breaching several previously backdoored government websites this week.
The attacks have raised concerns over the vulnerability of Ukrainian cybersecurity infrastructure. CERT-UA disclosed the discovery of a web shell, created in December 2021, on one of the compromised websites.
According to the agency, the threat actors, tracked as Ember Bear, Lorec53, or UAC-0056, used the web shell to deploy malware, including the HoaxPen, CredPump and HoaxApe backdoors. They also leveraged tunneling utilities such as NGrok and Go Simple Tunnel (GOST) to reach the compromised hosts.
“Interaction with the web shell was carried out from IP addresses, which, among other things, belong to peripheral devices of other affected organizations,” reads CERT-UA’s security advisory. “This became possible as a result of the compromise of accounts and subsequent connection to VPN hubs of the relevant organizations.”
Analysis of the web shell's time attributes shows that it cannot have been created later than Dec. 12, 2021, the agency says.
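The two forensic steps described above, finding a web shell under a site's web root and then bounding when it could have been created from file time attributes and the server's own request log, can be reproduced as a small hunt. The following is an added example and is not CERT-UA's tooling or its indicators: the PHP patterns, the file names, the access-log lines (which use documentation IP ranges) and the timestamps are all constructed for illustration, and the creation bound relies on the Linux meaning of `st_ctime` (inode change time), not the Windows creation-time meaning.

```python
"""Hunt for web shells under a web root and bound their creation time.

Added example, not CERT-UA tooling. Indicator patterns, log lines, paths and
timestamps are constructed for illustration. st_ctime is read with its
Unix/Linux meaning (inode change time), which is what the bound relies on.
"""
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Hypothetical indicator set, deliberately narrow: code paths that feed raw
# request input into PHP's eval() or an OS command runner.
WEBSHELL_PATTERNS = {
    "eval_of_request_input": re.compile(rb"eval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b"),
    "eval_of_base64_blob": re.compile(rb"eval\s*\(\s*base64_decode\s*\("),
    "os_command_from_request": re.compile(
        rb"\b(?:system|shell_exec|passthru|exec|popen|proc_open)\s*\(\s*\$_(?:POST|GET|REQUEST)\b"),
}

def webshell_indicators(content: bytes) -> list:
    """Names of the indicator patterns that match the file content."""
    return [name for name, pat in WEBSHELL_PATTERNS.items() if pat.search(content)]

# Combined log format: client ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
LOG_TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def earliest_successful_hits(log_lines, suspect_paths):
    """For each suspect URL path, the earliest request that received a 2xx.

    A 404 for the path is not evidence the file existed yet; a 2xx is.
    """
    first = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts_text, _method, target, status = m.groups()
        path = target.split("?", 1)[0]
        if path not in suspect_paths or not status.startswith("2"):
            continue
        ts = datetime.strptime(ts_text, LOG_TIME_FMT)
        if path not in first or ts < first[path]:
            first[path] = ts
    return first

def creation_upper_bound(ctime, first_ok_request=None):
    """Latest moment the file could have been created, plus the evidence used.

    ctime is set at creation and only moves forward under ordinary filesystem
    operations (touch/utimes cannot backdate it), so the file existed by then.
    A successful request in the server log proves existence at that time too.
    mtime is excluded on purpose: an attacker can set it to any value.
    """
    bound, source = ctime, "inode ctime"
    if first_ok_request is not None and first_ok_request < bound:
        bound, source = first_ok_request, "first 2xx request in access log"
    return bound, source

def hunt(webroot: Path, log_lines):
    """Scan every file under webroot; report matches with their time bound."""
    findings = []
    for file in sorted(p for p in webroot.rglob("*") if p.is_file()):
        hits = webshell_indicators(file.read_bytes())
        if not hits:
            continue
        url_path = "/" + file.relative_to(webroot).as_posix()
        st = file.stat()
        ctime = datetime.fromtimestamp(st.st_ctime, tz=timezone.utc)
        mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
        first_ok = earliest_successful_hits(log_lines, {url_path}).get(url_path)
        bound, source = creation_upper_bound(ctime, first_ok)
        findings.append({
            "path": url_path,
            "indicators": hits,
            "created_no_later_than": bound,
            "evidence": source,
            "mtime": mtime,  # reported for the analyst, but attacker-controllable
            # crude timestomp / cp -p hint: a fresh upload has mtime == ctime
            "mtime_far_before_ctime": (ctime - mtime).days >= 1,
        })
    return findings

# Constructed sample data: documentation IP ranges, invented paths and times.
ACCESS_LOG = [
    '203.0.113.7 - - [11/Dec/2021:22:41:09 +0000] "GET /images/cache.php HTTP/1.1" 404 196 "-" "curl/7.68.0"',
    '203.0.113.7 - - [12/Dec/2021:03:14:07 +0000] "POST /images/cache.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [15/Dec/2021:09:02:44 +0000] "POST /images/cache.php?c=id HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [15/Dec/2021:09:02:50 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]
SHELL_SAMPLE = b'<?php @eval($_POST["k"]); ?>'
BENIGN_SAMPLE = b'<?php echo htmlspecialchars($_GET["q"]); ?>'

def build_sample_webroot() -> Path:
    """Write the constructed samples into a temporary web root and return it."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "images").mkdir()
    (root / "images" / "cache.php").write_bytes(SHELL_SAMPLE)
    (root / "index.php").write_bytes(BENIGN_SAMPLE)
    return root

if __name__ == "__main__":
    for finding in hunt(build_sample_webroot(), ACCESS_LOG):
        print(finding)
```

Two design points matter in practice. The bound deliberately ignores mtime, because `touch -d` sets it to whatever the intruder likes, whereas ctime cannot be backdated without moving the system clock, and a 2xx in the server log is a record the intruder cannot rewrite without also reaching the log store. Only successful responses count as proof of existence: the constructed 404 probe on Dec. 11 is ignored, so the reported bound is the Dec. 12 request rather than the earlier probe. The same "existed no later than" reasoning extends to evidence from other hosts, such as the VPN-hub connection records CERT-UA mentions, which can tighten the bound further.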
According to the State Service of Special Communications and Information Protection of Ukraine (SSSCIP), the perpetrators’ attacks didn’t hinder the functionality of the services.
“So far, it is safe to say that the incident has not caused any essential system failures or disruptions in the operation of the public authorities,” the SSSCIP said in an announcement. “Operation of most of the information resources has been recovered already, and they are running and available as usual.”
Ukraine has long been a target of cyberattacks from Russia, with tensions between the two countries running high since Russia’s annexation of Crimea in 2014. The latest breaches are part of Russia’s ongoing campaign to destabilize Ukraine through cyber warfare.
The incident highlights the growing importance of cybersecurity in today’s climate. As the world becomes increasingly interconnected, governments must work together to address cybersecurity challenges and protect their citizens’ data from malicious actors.