At least 15 websites belonging to various Ukrainian public institutions were compromised, defaced and subsequently disconnected.
This includes the websites of the Ministry of Foreign Affairs, Agriculture, Education and Science, Security and Defense, and the online portal for the cabinet of ministers.
The defacement messages were posted in Ukrainian, Russian and Polish, warning site visitors that all citizen data uploaded to the public network had been compromised.
As of this writing, some of the websites remain inaccessible as the country’s IT specialists are still in the process of restoring them.
As a result of a massive cyber attack, the websites of the Ministry of Foreign Affairs and other government agencies are temporarily down. Our specialists have already started to restore the functioning of the computer systems and the cyber police have opened an investigation.
-Oleg Nikolenko (@OlegNikolenko_) January 14, 2022
The Ukrainian cyber police has also published an announcement underlining that no personal data was compromised due to these attacks and that the warning messages to visitors were false and only intended to scare citizens.
“To avoid the spread of the attack to other resources and the location of the technical problem, the work of other government sites was temporarily suspended,” explains the police announcement (translated).
“Currently, the Cyber Police Department together with the State Special Communications Service and the Security Service of Ukraine are collecting digital evidence and identifying those involved in cyber attacks.”
This is a critical authentication flaw (CVSS: 9.1) that allows an attacker to send a specially crafted request to perform a password reset on the platform, thereby taking over administrator accounts.
This vulnerability was fixed with build 472 version 1.1.5, launched in August 2021, but it appears that several Ukrainian government websites had not applied the security updates.
A. later notice The Ukrainian Cyber Police confirmed Zetter’s report on the October CMS vulnerability as the vector of intrusion.
Was Poland also affected?
Today, after Ukraine acknowledged its attacks, the Polish Ministry of National Defense also announced that some of its databases containing confidential military information were compromised.
The ministry stresses that it is not sure whether the accessed database contained test files or actual data, and investigations are still ongoing.
However, members of the local press speak with certainty about the validity of the leaked files and the link to the Ukrainian cybersecurity incident.
Not only the Ukrainian servers were hacked. In #Poland 1.8 million data points of military equipment, units were put online. That is the status of Polish F-16s or the location of individual soldiers. Reported by @OnetWiadomosci. This is big. He is now demanding that the defense minister resign.
– Philipp Fritz (@phil_ipp_fritz) January 14, 2022
The cyber police have opened criminal proceedings under section 361 (unauthorized interference in computers and computer networks), but the perpetrators remain unknown.
The Poles noticed obvious grammatical errors in the messages posted on the defaced pages and claimed that this was a product of the Yandex translation. As such, the actor could be Russian.
But nevertheless, researchers theorize that the attacks could have been carried out by the hacker group Ghost Writer APT, which has a history of targeting government entities in Poland and Ukraine.
In November, Mandiant published a report linking the Ghostwriter group to the Belarusian government.
“UNC1151 has targeted a wide variety of government and private sector entities, with a focus on Ukraine, Lithuania, Latvia, Poland and Germany,” explains a Mandiant report.
The target also includes Belarusian dissidents, media entities and journalists. While there are multiple intelligence services that are interested in these countries, the scope of the specific guidance is more consistent with the interests of Belarus. “
In addition, yesterday, the Ukrainian cyber police announced the arrest of five ransomware affiliates responsible for more than 50 attacks against companies worldwide.
The chances that this wave of disfigurements are an act of retaliation are slim, as the messages do not mention anything relevant.