At least 15 websites belonging to various Ukrainian public institutions were compromised, defaced and then taken offline.
This includes the websites of the Ministry of Foreign Affairs, Agriculture, Education and Science, Security and Defence, as well as the online portal of the Cabinet of Ministers.
The defacement messages were posted in Ukrainian, Russian and Polish, warning site visitors that all citizen data uploaded to the public network had been compromised.
As of this writing, some websites remain inaccessible as IT specialists in the country are still restoring them.
Following a massive cyberattack, the websites of the Ministry of Foreign Affairs and a number of other government agencies are temporarily unavailable. Our specialists have already started to restore the functioning of the computer systems and the cyberpolice have opened an investigation.
— Oleg Nikolenko (@OlegNikolenko_) January 14, 2022
Ukraine’s cyber police also released an announcement in which they stress that no personal data was compromised due to these attacks and that the warning messages to visitors were fake and only intended to scare citizens.
“In order to prevent the spread of the attack to other resources and the localization of the technical problem, the work of other government sites has been temporarily suspended,” explains the police announcement (translated).
“Currently, the Cyber Police Department, the Special State Communications Service and the Security Service of Ukraine collect digital evidence and identify those involved in cyber attacks.”
Sources told reporter Kim Zetter that the 15 compromised Ukrainian sites were running an outdated version of October CMS that was vulnerable to CVE-2021-32648.
This is a critical authentication flaw (CVSS 9.1) that lets an attacker send a specially crafted request to perform a password reset on any account on the platform, including administrator accounts, and thereby take control of them.
The vulnerability was fixed in Build 472 and version 1.1.5, published in August 2021, but it appears that several Ukrainian government websites had not applied the security update.
A subsequent notice from the Cyber Police of Ukraine confirmed Zetter’s reporting that the October CMS vulnerability was the intrusion vector.
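The fixed releases above cover two version lines of October CMS: the 1.0 line, identified by build number (fixed in Build 472), and the 1.1 line, identified by semantic version (fixed in 1.1.5). The following is an added example, not code from the article or from the October CMS project, of a small check that an administrator could run over a reported version string to decide whether an install is still exposed to CVE-2021-32648. The accepted input formats ("Build 471", "471", "1.1.4", "v1.1.4") are assumptions for illustration; anything else is rejected rather than guessed at.

```python
import re

# Fixed releases as stated in the CVE-2021-32648 advisory: the build-numbered
# 1.0 line was fixed in Build 472, the semver 1.1 line in 1.1.5.
FIXED_BUILD = 472
FIXED_SEMVER = (1, 1, 5)


def parse_october_version(version):
    """Classify an October CMS version string (assumed formats, see lead-in).

    Returns ("build", 471) for build-numbered versions such as "Build 471" or
    "471", and ("semver", (1, 1, 4)) for dotted versions such as "1.1.4" or
    "v1.1.4". Raises ValueError for anything it cannot classify safely.
    """
    s = version.strip()
    m = re.fullmatch(r"(?i)(?:build\s*)?(\d+)", s)
    if m:
        return ("build", int(m.group(1)))
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", s)
    if m:
        parts = tuple(int(x) for x in m.groups())
        if parts[:2] == (1, 0):
            # The 1.0 line is tracked by build number, not by its third
            # dotted component; refuse to guess rather than misreport.
            raise ValueError(
                "1.0.x releases are identified by build number; pass e.g. 'Build 471'"
            )
        return ("semver", parts)
    raise ValueError(f"unrecognised October CMS version string: {version!r}")


def is_vulnerable_cve_2021_32648(version):
    """True if the given version predates the fix for CVE-2021-32648."""
    kind, value = parse_october_version(version)
    if kind == "build":
        return value < FIXED_BUILD
    # Tuple comparison is numeric per component, so 1.1.10 correctly sorts
    # after 1.1.5 (a naive string comparison would get this wrong).
    return value < FIXED_SEMVER


if __name__ == "__main__":
    # Constructed sample inputs, not versions observed on any real site.
    for v in ("Build 471", "472", "1.1.4", "v1.1.5", "1.1.10", "2.0.0"):
        state = "VULNERABLE" if is_vulnerable_cve_2021_32648(v) else "patched"
        print(f"{v:>10}: {state}")
```

The version string itself has to come from the install (for example the build or version recorded by the CMS's own update mechanism); this check only does the comparison, and it deliberately refuses to interpret a dotted 1.0.x string, since that line was versioned by build number.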
Poland also impacted?
Today, after Ukraine acknowledged the attacks, the Polish Ministry of National Defense also announced that some of its databases containing sensitive military information had been compromised.
The ministry stresses that it is not yet clear whether the database that was accessed held test files or real data, and that the investigation is still ongoing.
However, members of the local press speak with certainty about the authenticity of the leaked files and their connection to the Ukrainian incident.
Ukrainian servers aren’t the only ones hacked. In #Poland 1.8 million data points of military equipment, units have been uploaded. This is the state of Polish F-16s or the location of lone soldiers. Reported by @OnetNews. It’s big. Now demand that the Minister of Defense resign.
— Philipp Fritz (@phil_ipp_fritz) January 14, 2022
Unknown actors
The cyber-police opened criminal proceedings under article 361 (unauthorized interference with computers and computer networks), but the actors remain unknown.
Polish observers noticed obvious grammatical errors in the messages posted on the defaced pages and attributed them to machine translation by Yandex, which would point to a Russian-speaking actor.
Even though Ukraine is going through a period of extreme tension with Russia, website defacement is not the typical attack method of a Russian state-sponsored group such as the GRU.
However, researchers theorize that the attacks could have been carried out by the Ghostwriter group (tracked by Mandiant as UNC1151), which has a history of targeting government entities in Poland and Ukraine.
In November, Mandiant published a report linking the Ghostwriter group to the Belarusian government.
“UNC1151 targeted a wide variety of government and private sector entities, with a focus on Ukraine, Lithuania, Latvia, Poland and Germany,” says a Mandiant report.
The targeting also includes Belarusian dissidents, media and journalists. Although there are several intelligence services with an interest in these countries, the scope of specific targeting is most in line with Belarusian interests.”
Additionally, yesterday Ukrainian cyberpolice announced the arrest of five ransomware affiliates responsible for more than 50 attacks against businesses worldwide.
The chances that this wave of defacements was retaliation for those arrests are slim, because the defacement messages make no reference to them.