Russian Threat Actor Had Access to Ukraine Government Site Since 2021

Category: Russia & Ukraine | Industry: Government | Level: Strategic | Source: SSSCIP

According to Ukrainian security agencies the Computer Emergency Response Team of Ukraine (CERT-UA) and the State Special Communications Service of Ukraine (SSSCIP), government websites have been compromised this week by Russian state hackers who utilized backdoors that had been installed as early as December 2021. CERT-UA made the correlation after a web shell was discovered on the government site on the morning of February 23rd, 2023, attributed to Russian threat actor Ember Bear (aka UAC-0056 or Lorec53). Analysis of the web shell revealed it had been created in December 2021, and was utilized to deploy various tools, including CredPump, HoaxPen, and HoaxApe backdoors, in February 2022. A statement released by SSSCIP reveals the attack affected "a number of websites of Ukrainian central and local authorities, resulting in a modification of the content of some of their webpages." Although no impact was made on Ukrainian government operations, "the incident has not caused any essential system failures or disruptions in the operation of the public authorities. Operation of most of the information resources has been recovered already, and they are running and available as usual."

‍