Skip to content
RUSSIAN HACKING ACCUSATIONS

Ukraine says Russia hacked its document portal and planted malicious files

Ukraine says Russia also backed massive DDoS attack using never-before-seen methods.

Dan Goodin | 55
Credit: Oleksii Leonov

Ukraine has accused the Russian government of hacking into one of its government Web portals and planting malicious documents that would install malware on end users’ computers.

“The purpose of the attack was the mass contamination of information resources of public authorities, as this system is used for the circulation of documents in most public authorities,” officials from Ukraine’s National Coordination Center for Cybersecurity said in a statement published on Wednesday. “The malicious documents contained a macro that secretly downloaded a program to remotely control a computer when opening the files.”

Wednesday’s statement said that the methods used in the attack connected the hackers to the Russian Federation. Ukraine didn’t say if the attack succeeded in infecting any authorities’ computers.

A large body of evidence has linked Russia’s government to several highly aggressive hacks against Ukraine in the past. The hacks include:

  • A computer intrusion in late 2015 against regional power authorities in Ukraine caused a power failure that left hundreds of thousands of homes without electricity in the dead of winter.
  • Almost exactly one year later, a second attack at an electricity substation outside Kyiv that once again left residents without power.
  • A malicious update for widely used tax software in Ukraine that distributed disk-wiping malware to users. The so-called NotPetya worm ended up shutting down computers worldwide and led to the world’s most costly hack.

Elsewhere, Russia’s SVR intelligence agency has also been accused of carrying out the recently discovered hack that targeted at least nine US agencies and 100 companies in a supply chain attack against customers of the SolarWinds network management software.

Wednesday’s statement didn’t identify which of several known Russian hacking groups was accused of the breach.

Macro attacks like the one mentioned in the statement typically work by tricking Microsoft Office users into enabling macros, often under the guise that the macro is required for the document to display properly. The macros then download malware from an attacker-controlled server and install it.

The statement provided no details on how or when Ukraine’s System of Electronic Interaction of Executive Bodies—a portal that distributes documents to public authorities—was hacked or how long the intrusion lasted.

Indicators that someone has been compromised include:

Domain: enterox.ru

IP addresses: 109.68.212.97

Link (URL): http://109.68.212.97/infant.php

Wednesday’s statement came two days after Ukraine’s National Coordination Center for Cybersecurity reported what it said were “massive DDoS attacks on the Ukrainian segment of the Internet, mainly on the websites of the security and defense sector.” An analysis revealed that the attacks used a new mechanism that hadn’t been seen before. DDoS attacks take down targeted servers by bombarding them with more data than they can process.

Listing image: Oleksii Leonov

Photo of Dan Goodin
Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.
55 Comments
Prev story
Next story