Threat actors defaced Ukrainian government websites

4 months ago 20

Threat actors defaced multiple Ukrainian government websites after talks between Ukrainian, US, and Russian officials hit a dead this week.

Threat actors have defaced multiple websites of the Ukrainian government on the night between January 13 and January 14. The attacks were launched after talks between Ukrainian, US, and Russian officials hit a dead end on Thursday.

The attackers deleted the content of multiple websites, including the Ukrainian Ministry of Foreign Affairs, Ministry of Education and Science, Ministry of Defense, the State Emergency Service, and the Cabinet of Ministers.

Defaced websites were displaying the following message in Russian, Ukrainian and Polish languages.

“Ukrainian! All your personal data has been sent to a public network. All data on your computer is destroyed and cannot be recovered. All information about you stab (public, fairy tale and wait for the worst. It is for you for your past, the future and the future. For Volhynia, OUN UPA, Galicia, Poland and historical areas.” reads a translation of the message.

Sources tell me ~15 sites in Ukraine – all using October content management system – have been defaced, incl Min of Foreign Affairs, Cabinet of Ministers, Min of Ed, Emergency Services, Treasury, Environmental Protection. Attackers apparently used this:

— Kim Zetter (@KimZetter) January 14, 2022

As a result of a massive cyber attack, the websites of the Ministry of Foreign Affairs and a number of other government agencies are temporarily down. Our specialists have already started restoring the work of IT systems, and the cyberpolice has opened an investigation.

— Oleg Nikolenko (@OlegNikolenko_) January 14, 2022

Ukrainian Government is investigating the attack, but intelligence experts speculate the offensive was launched by Russia-linked actors. The Ukrainian government has yet to officially attribute the attacks to any nation-state actor.

According to journalist Kim Zetter, attackers apparently exploited a vulnerability in the October CMS tracked as CVE-2021-32648, a news later confirmed by the national CERT.

“On the night of January 13-14, a number of government websites, including the Ministry of Foreign Affairs, the Ministry of Education and Science and others, were hacked. Provocative messages were posted on the main page of these sites. The content of the sites was not changed and the leakage of personal data, according to preliminary information, did not occur.” reads the advisory published by CERT-UA “According to the results of processing possible attack vectors, the use of the October CMS vulnerability by attackers is not excluded:”

Ukrainian CERT states personal data was not stolen by attackers.

The CERT-UA provided recommendations on how to recover the compromised websites.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Ukrainian government websites)

Read Entire Article