РНБОУ National Security and Defense Council of Ukraine

The NCCC at the NSDC of Ukraine warns of a cyberattack on the document management system of state bodies

The National Coordination Center for Cybersecurity under the National Security and Defense Council of Ukraine has recorded attempts to disseminate malicious documents through the System of Electronic Interaction of Executive Bodies (SEI EB).

The purpose of the attack was the mass contamination of information resources of public authorities, as this system is used for the circulation of documents in most public authorities.

The malicious documents contained a macro that, when the files were opened, covertly downloaded a program for remote control of the computer. The methods and means used in this cyberattack make it possible to link it to one of the hacker espionage groups from the Russian Federation.

By its scenario, the attack belongs to the class of so-called supply chain attacks: attacks in which the adversary seeks access to the target organization not directly, but through vulnerabilities in the tools and services it uses.

The most notorious and large-scale attacks of this type were NotPetya, aimed at damaging Ukrainian infrastructure in 2017, and Solorigate, Russia’s cyber-espionage operation of 2020-2021, which is currently being investigated in the United States. In both cases, the malicious code was spread through distributed software (M.E.Doc in Ukraine and SolarWinds products in the United States) that had been compromised by the attackers.

The main indicators of the attack

- Domain: enterox.ru

- IP address: 109.68.212.97

- Link (URL): http://109.68.212.97/infant.php

The NCCC emphasizes the need to:

- regularly install security updates for the operating system and workstation programs connected to the SEI EB system;

- apply strict code integrity policies that allow only authorized programs to run;

- use anti-virus software or other solutions to protect workstations and monitor security events on them;

- replace passwords for access to the electronic document management system with stronger ones;

- monitor attempts to guess passwords for online (web) electronic document management systems;

- disable the execution of macros in Microsoft Office documents on workstations connected to the SEI EB system.
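Two of the points above, checking for the published indicators and monitoring password guessing against the web EDMS, can be scripted against existing logs. The following Python is an added example, not NCCC tooling; the web-proxy and login log layouts and all sample lines are constructed assumptions, only the indicator values come from the advisory.

```python
from collections import Counter
from urllib.parse import urlparse
# Indicators published in the advisory above (domain, IP address, URL).
IOC_DOMAINS = {"enterox.ru"}
IOC_IPS = {"109.68.212.97"}
IOC_URLS = {"http://109.68.212.97/infant.php"}

# Constructed sample web-proxy log; the "<client> <method> <url> <status>" layout is assumed.
PROXY_LOG = """\
10.1.2.3 GET http://intranet.example.gov.ua/docs/123 200
10.1.2.7 GET http://109.68.212.97/infant.php 200
10.1.2.9 GET http://cdn.enterox.ru/update.bin 200
10.1.2.9 GET http://enterox.ru.example.com/ 200
"""

# Constructed sample EDMS web login log; the "<time> <client> <event> <user>" layout is assumed.
AUTH_LOG = """\
08:00:01 203.0.113.5 LOGIN_FAILED ivanenko
08:00:02 203.0.113.5 LOGIN_FAILED ivanenko
08:00:03 203.0.113.5 LOGIN_FAILED petrenko
08:00:09 10.1.2.3 LOGIN_FAILED bondar
"""

def host_matches_domain(host, domain):
    """True for the domain itself and its subdomains, not for look-alike suffixes."""
    return host == domain or host.endswith("." + domain)

def match_iocs(line):
    """Return (indicator_type, value) hits for one proxy log line."""
    fields = line.split()
    url = fields[2] if len(fields) > 2 else ""
    host = (urlparse(url).hostname or "").lower()
    hits = [("url", url)] if url in IOC_URLS else []
    if host in IOC_IPS:
        hits.append(("ip", host))
    hits += [("domain", d) for d in IOC_DOMAINS if host_matches_domain(host, d)]
    return hits

def scan_proxy_log(text):
    """Proxy log lines with at least one indicator hit, paired with their hits."""
    return [(l, match_iocs(l)) for l in text.splitlines() if match_iocs(l)]

def password_guessing_sources(text, threshold=3):
    """Client addresses whose failed EDMS logins reach the threshold."""
    failures = Counter()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) > 2 and fields[2] == "LOGIN_FAILED":
            failures[fields[1]] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}
```

Hits found by `scan_proxy_log` and addresses returned by `password_guessing_sources` are what should be reported to the NCCC contact given below.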

In case of detecting attack indicators, please notify the National Coordination Center for Cybersecurity (report@ncscc.gov.ua) immediately.