Ukraine links cyberattack to Belarus
The attack defaced multiple websites belonging to Ukrainian government agencies and comes amid rising tensions in the region, stoked by Russia
Ukraine suspects a hacker group with links to Belarusian intelligence is behind the cyberattack that defaced several government websites last week, using malware similar to that employed by a threat group tied to Russia.
Serhiy Demedyuk, deputy secretary of Ukraine's National Security and Defense Council, told Reuters that Ukraine believes a group known as UNC1151 carried out the large-scale attack on government websites. He said the visible act was cover for more destructive actions behind the scenes.
The attack, which took place on January 13th and 14th, hit multiple websites belonging to Ukrainian government agencies.
The attackers targeted websites belonging to the Ministry of Foreign Affairs, the Cabinet of Ministers, the ministries of energy, education, and agricultural policy and the 'Diia' platform.
"We believe preliminarily that the group UNC1151 may be involved in this attack," Demedyuk said, adding that the consequences of these attacks would be felt "in the near future".
During the attack, the hackers warned Ukrainians to "be afraid and expect the worst." They also claimed that they had stolen Ukrainians' personal data from the targeted agencies, and uploaded it online. Ukraine says no such theft had taken place.
UNC1151 is a cyber-espionage gang with ties to the Belarusian security services. It has a history of using credential harvesting tactics to gain unauthorised access to mail accounts, followed by the spread of malware. The group has a history of targeting Poland, Latvia, Lithuania and Ukraine.
Demedyuk claimed that the malicious tool UNC1151 used to encrypt some government servers was very similar to that used by the APT 29 group.
APT 29, also known as Cozy Bear, is widely believed to have links to Russia's foreign intelligence service. The group came to light in 2016 as the main suspect behind the notorious breach of the USA's Democratic National Committee, during the run-up to the 2016 presidential election.
The attacks on Ukrainian websites have come as tensions in the region are already high, as Russia continues to station troops near its border with Ukraine and attempts to rouse sentiment against NATO.
Western countries are concerned that the Kremlin is planning a new military assault on Ukraine.
Amid these developments, on Saturday Microsoft said it had discovered a highly destructive form of malware in dozens of government and private computer networks in Ukraine, which appeared to be waiting to be triggered by an unknown threat actor.
Tom Burt, corporate vice president of customer security and trust at Microsoft, said the malware's presence was first detected on Thursday, 13th January, coinciding with last week's attack on Ukrainian government websites.
According to Microsoft, the malware is designed to look like ransomware, although its ultimate aim may be to wipe out sensitive data at the hackers' direction.
The strain has already been identified on dozens of infected systems across several government, IT and non-profit organisations in Ukraine, according to the Microsoft Threat Intelligence Center (MSTIC).
MSTIC said the two-stage Windows malware, which it has not seen before, is designed to overwrite the part of a hard drive that tells a machine how to load the operating system. It instead replaces the commands with a ransom note. The ransom message contains details of a Bitcoin wallet and an account identifier used in the Tox encrypted messaging protocol.
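The boot-loading region MSTIC describes is the master boot record (sector 0 of the disk), and a defender can check a disk image for the overwrite it describes: a valid MBR ends in the 0x55AA signature and carries a plausible partition table, while a sector replaced by a note reads as text. The following is an added example, not code from the article or from Microsoft; the two sample sectors are constructed and the placeholder note is not the real ransom message.

```python
# Added example (not from the article): sanity-check sector 0 of a disk image
# for the condition described above, an MBR whose boot code and partition
# table have been replaced by text such as a ransom note. Samples are constructed.
import string
import struct

MBR_SIZE = 512
BOOT_SIG_OFFSET = 510
PART_TABLE_OFFSET = 446
PRINTABLE = set(string.printable.encode())

def parse_partition_table(mbr: bytes):
    """Return the four 16-byte partition entries as dicts."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries

def assess_mbr(mbr: bytes) -> dict:
    """Classify a 512-byte sector as a plausible MBR or a suspected overwrite."""
    assert len(mbr) == MBR_SIZE
    sig_ok = mbr[BOOT_SIG_OFFSET:] == b"\x55\xaa"
    parts = parse_partition_table(mbr)
    # A sane entry: status 0x00 or 0x80, non-zero type, non-zero start and length.
    usable = [p for p in parts if p["status"] in (0x00, 0x80)
              and p["type"] and p["lba_start"] and p["sectors"]]
    # Real boot code is binary; a note written over it is mostly printable ASCII.
    boot_area = mbr[:PART_TABLE_OFFSET].rstrip(b"\x00")
    printable = sum(b in PRINTABLE for b in boot_area) / len(boot_area) if boot_area else 0.0
    verdict = "valid_mbr" if (sig_ok and usable and printable < 0.5) else "suspect_overwrite"
    return {"signature_ok": sig_ok, "partitions": parts,
            "printable_ratio": round(printable, 2), "verdict": verdict}

# Constructed healthy MBR: empty boot code, one NTFS-type partition, valid signature.
HEALTHY_MBR = bytearray(MBR_SIZE)
struct.pack_into("<B3xB3xII", HEALTHY_MBR, PART_TABLE_OFFSET, 0x80, 0x07, 2048, 204800)
HEALTHY_MBR[BOOT_SIG_OFFSET:] = b"\x55\xaa"
HEALTHY_MBR = bytes(HEALTHY_MBR)

# Constructed overwritten sector: a placeholder note (not the real one), no signature.
OVERWRITTEN_MBR = b"Your hard drive has been corrupted. (constructed placeholder note)".ljust(MBR_SIZE, b"\x00")

if __name__ == "__main__":
    for name, sector in (("healthy", HEALTHY_MBR), ("overwritten", OVERWRITTEN_MBR)):
        print(name, assess_mbr(sector)["verdict"])
```

To run it against a real image, read the first 512 bytes of the image file and pass them to `assess_mbr`.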