The software was reportedly used as part of a short-lived software supply chain attack
Russian authorities claim they quickly thwarted a cyber-attack that sought to compromise government websites via a hacked statistics widget.
The software, developed by the Russian Ministry of Economic Development and built into the websites of several state-run agencies, was hacked on Tuesday (March 8) and this allowed unidentified hackers to “publish incorrect content on the pages of the websites”, a representative of Russia’s communications agency told official news agency Interfax.
Although the incident was “promptly localized”, it nonetheless disrupted the affected websites for a short time before services were restored to normal “within an hour”, according to Interfax.
The widget used to collect visitor statistics was reportedly hacked by unidentified parties as part of a software supply chain attack.
Interfax reports that the compromised websites included those maintained by the “Russian Federal Penitentiary Service, the Federal Bailiff Service, the Federal Antimonopoly Service, the Culture Ministry, the Energy Ministry, the Federal State Statistics Service, and a number of other agencies”.
Russian authorities are downplaying the incident.
Although an independent assessment of the seriousness of the apparent defacement campaign is hard to come by, the incident can nonetheless be seen as an example of the conflict accompanying Russia’s invasion of Ukraine spilling over into cyberspace.
Days after Russia invaded Ukraine, a destructive wiper malware strain – dubbed ‘HermeticWiper’ – was unleashed, subsequently infecting “hundreds of systems in at least five Ukrainian organizations”, according to security software vendor ESET.
In an attack against Russian targets, meanwhile, attackers launched the so-called ‘RURansom’ malware.
Despite its name, RURansom is better thought of as a data wiper than ransomware in the purest sense, because it discards the separate, individual encryption key used to encrypt each file as it spreads, as explained in a write-up of the threat by Trend Micro.
“This is a wiper, so encrypted files are lost, and recovery is possible only from a backup, if [they] exists,” Trend Micro told The Daily Swig.
The malware – first spotted by independent security researchers MalwareHunterTeam at the start of March – is written in the .NET programming language and spreads as a worm by copying itself under the file name ‘Россия-Украина_Война-Обновление.doc[dot]exe’ (‘Russia-Ukraine_War-Update.doc[dot]exe’).
Several versions of the malware attempt to check whether the target machine is located in Russia before commencing their infection and file destruction routine, indicating a degree of targeting.
A note left on compromised machines is explicit in stating that the malware is designed to harm Russia.
The note was originally written in Bengali. This and other factors have led Trend Micro to speculate that the author is a native of western India who has previously developed other malware strains linked to cryptocurrency mining.
“We think it was created by an individual, likely based in India, as stated in the ‘note’,” according to Trend Micro.
It’s unclear how many machines the Windows-specific RURansom malware has infected. “Based on our telemetry, we have not seen any targets in our user base,” Trend Micro told The Daily Swig.