A number of state bodies have been attacked since Russia’s invasion began
A cyber-attack campaign targeting Ukrainian government agencies with MicroBackdoor malware has been confirmed by the country’s Computer Emergency Response Team (CERT-UA).
In a statement released earlier this week (March 7), CERT-UA confirmed that government organizations have been the target of several malicious attacks.
According to intelligence gathered by the agency, phishing emails containing a file named ‘dovidka.zip’, which contains a contextual help file (Microsoft Compiled HTML Help) ‘dovidka.chm’.
The file contained the bait image ‘image.jpg’, which CERT-UA said was information on the procedure for frequent artillery shelling, and HTA-file ‘file.htm’ which contained malicious code in VBScript.
Execution of the malicious code would result in the running of the dropper ‘ignit.vbs’, which will decode the .NET loader ‘core.dll’, later executing the MicroBackdoor malware.
According to CERT-UA, the backdoor and loader were created in January 2022, before Russia’s invasion of the country.
The agency claims that malware campaign bares similarities to the activities of the UAC-0051 threat group, also known as ‘unc1151’, which according to Mandiant has links to the Belarussian government.
The statement from CERT-UA contains further information on the attack.
Russia invaded Ukraine on February 24. Since this time, there have been a number of cyber-attacks targeting organizations across the country.
As previously reported by The Daily Swig, a newly discovered strain of data-wiping malware has also surfaced in the eastern European country.
The Windows-specific data wiper has appeared on “hundreds of machines”, according to telemetry from information security firm ESET.
Although primarily directed towards Ukraine, the newly named ‘HermeticWiper’ malware strain has also been detected in the Baltic states of Latvia and Lithuania.
Date stamps on the malware indicate that it was compiled two months ago – evidence that the attack was possibly premeditated.
Victims of the malware campaign include financial organizations and government contractors, the Wall Street Journal reports.
At least 30 Ukrainian university websites were also hacked in a targeted attack allegedly conducted by threat actors identified as the ‘Monday Group’, which has reportedly publicly supported Russia’s recent actions.
The group, whose members refer to themselves as ‘the Mx0nday’, have targeted the WordPress-hosted sites more than 100,000 times since the invasion.