On the night of January 13 – 14, 2022, many Ukrainian government websites were defaced. As a result of the attack, access to the Diia platform, which is the equivalent of the Polish mObywatel application, was also cut off. An initial vector that allowed the attacker to take control over the above-mentioned resources was the vulnerability of the October CMS application, used to manage the content of the websites.
We are publishing analysis review prepared by CSIRT MON - Polish MOD Computer Security Incident Response Team. Team is responsible for the incidents referring to Polish MOD Constituency. It is the National POC for NATO. CSIRT MON operates within the structure of National Cyber Security Centre (NCSC).
The content of the defacement was published simultaneously in Ukrainian, Russian and Polish. The content of the prepared message used the theme of the Volhynia massacre and historical, controversial issues that may have negatively affect bilateral relations between Poland and Ukraine. In-depth analyses, the first results of which were published on January 15, 2022, showed that the compromise of websites was also aimed at distracting attention from the activities involving in the use of malware by the adversary, the purpose of which was to destroy data on the infected device. The exact scale of the damage is currently unknown, but the information shows that the same malware samples were also detected in many government organizations, non-profit organizations and private companies’ networks in Ukraine.
According to the Ukrainian State Service for Special Communication and Information Protection, nearly 70 Ukrainian websites (domestic and international) were attacked on January 13-14, 2022. As a result of these attacks, numerous websites in the gov.ua domain were compromised (as of January 14, 2022):
Government services portal "Diia" - diia.gov.ua (unavailable),
Cabinet of Ministers - kmu.gov.ua (unavailable),
Ministry of Foreign Affairs - mfa.gov.ua (defaced, unavailable),
State Rescue Service - dsns.gov.ua (unavailable),
Ministry of Education and Science - mon.gov.ua (unavailable),
Ministry of Youth and Sport - sport.gov.ua (unavailable),
Ministry of Energy - mpe.kmu.gov.ua (unavailable),
Ministry of Agrarian Policy - minagro.gov.ua (unavailable),
Ministry of Veterans Affairs - mva.gov.ua (unavailable),
Ministry of Environment Protection and Natural Resources - mepr.gov.ua (unavailable),
State Treasury Service - treasury.gov.ua (unavailable);
Other sites likely to be affected by this attack (status unknown):
State Register of Court Orders - reyestr.court.gov.ua
Ministry of Territories and Communities Development - minregion.gov.ua
State Service for Special Communications and Information Protection - new.cip.gov.ua,
Supreme Court of Ukraine - supreme.court.gov.ua,
High Anti-Corruption Court of Ukraine - hcac.court.gov.ua,
"Court system" official portal - court.gov.ua,
National Civil Service Agency - nads.gov.ua,
State Inspectorate of Nuclear Supervision - snriu.gov.ua,
local authorities of Rivne - rv.gov.ua,
local authorities of Transcarpathia - carpathia.gov.ua,
local authorities of Donetsk - dn.gov.ua,
State Agency for Forest Resources - forest.gov.ua,
Ministry of Strategic Industry - mspu.gov.ua,
local authorities of Mukachevo - mukachevo-rada.gov.ua,
Social Protection Fund for the Disabled - ispf.gov.ua,
Municipal Enterprise "KyivTeploEnergo" - teplo.org.ua,
Antimonopoly Committee of Ukraine - amcu.gov.ua,
National Sports Committee of People with Disabilities - paralympic.org.ua,
State Sea and River Transport Service - marad.gov.ua,
local authorities of Dnipro - adm.dp.gov.ua,
Ukrainian State Center for Radio Frequencies - ucrf.gov.ua.
On January 14, 2022 the Ukrainian CERT issued a statement  which describes that, after preliminary analysis, it was determined that the probable attack vector was the vulnerability of the Octobercms platform used to manage the content of websites (CVE-2021-32648). Octobercms is a CMS platform based on the Laravel PHP framework. In vulnerable versions of the October package, an attacker could request for an account password reset and then access it with a specially crafted request. The bug has been fixed in Build 472 and v1.1.5.
A graphic file (index.jpeg) containing content written in Ukrainian, Russian and Polish was published on compromised websites where the content of the page was changed (Figure 1).
The metadata of the above image file contained the following coordinates:
Latitude: 52° 12' 31.1'' N, Longitude: 21° 0' 33.9'' E, GPS : 52.208630, 21.009427.
The above geographical data indicate a car park of the Warsaw School of Economics (Figure 2). However, it should be remembered that the graphic file in question, which appeared on the compromised pages, is not a photo, so the above geographical data was probably added manually.
On January 15, 2022, Microsoft published a report  in which it describes that the Microsoft Threat Intelligence Center (MSTIC) identified an operation involving the use of malicious software by an adversary (DEV-0586), aimed at destroying data on an infected device. The report indicates that the use of malware is related to a large-scale campaign targeting Ukrainian government entities and IT companies that are engaged in maintaining Ukrainian government websites . The malware described in the report first appeared on the systems of Ukrainian victims on January 13, 2022. MSTIC estimates that malware (which is designed to appear ransomware) does not actually have a data recovery mechanism. So it was created for destructive purposes (wiper), the effect of which is to prevent the operation of target devices.
At the moment, the exact attribution is not known, however, according to the Deputy Secretary of the National Security and Defense Council of Ukraine (Serhiy Demediuk), the UNC1151 group may be responsible for the attack, and the malware used to destroy data resembles the tools used by the APT29 group, associated with the Russian SVR .
Particularly noteworthy is the fact that the attacker prepared metadata in the graphic file used for defacement. The location hidden under the given coordinates indicates the area of the Warsaw School of Economics. CSIRT MON suspects that the real intention of the adversary was to use the geolocation of the General Staff of the Polish Army to lead potential analysts and public opinion to a false, controversial trail.
Due to the situation in Ukraine, the CSIRT MON team warns about the potential risk of extending the attack to other countries in the region.
The CSIRT MON team recommends intensifying activities leading to the security of ICT systems used to provide key services and constituting critical infrastructure.
For this purpose, it is recommended:
Implementation of recommendations contained in the Mandiant report , reducing the risk of infection with the software used in this attack.
Analyzing own resources in terms of the presence of IoCs included in this announcement, as well as ongoing updating of signatures used by security tools such as antivirus software, EDR, IDS, IPS, etc.
In-depth monitoring of the security of ICT systems, in particular analyzing alerts generated by security tools such as antivirus software, EDR, IDS, IPS, firewalls, e-mail protection systems, etc.
Installing the latest security patches for all elements of the ICT infrastructure (including operating systems, application software, network devices) giving the highest priority to vulnerabilities that are actively exploited .
The use of multi-factor authentication in access control mechanisms, in particular for e-mail and critical resources.
Verification of the computer incident response plan and the resulting procedures.
Maintaining backup copies and verification of procedures allowing to restore the ICT system after a computer incident.
Reporting to the appropriate CSIRT team identified computer incidents that may have been caused by attacks.
Any new information on this subject will be updated on a regular basis.
Update of 18.01.2022 at 4:00 p.m.
On January 17, 2022, the Ukrainian SBU service reported that 95% of all attacked websites had been restored to operation. In connection with the above-described attack, CSIRT MON together with CSIRT NASK and CSIRT GOV is working on the analysis of malware used for this attack. The preliminary findings show that malware consists of at least 3 different modules (executable files) that are launched on the victim's computer in a strictly defined order. The first module, called PAYWIPE,is malware disguised as ransomware. The following information is presented to infected victims, urging them to pay a ransom.
Your hard drive has been corrupted.
In case you want to recover all hard drives of your organization,
You should pay us $10k via bitcoin wallet
1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message via tox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65
with your organization name.
We will contact you to give further instructions.
In fact, this malware is a wiper, so there are no functionalities implemented in it that allow you to restore the system to its original form. This module is designed to overwrite the Master Boot Record, which results in the deletion of information about system partitions and prevents the operating system from starting after reboot.
Another module called WHISPERGATE  is designed to download the next module called FINETIDE  using the resources uploaded by the adversary to Discord communication platform. The addresses of malicious resources hosted on Discord are listed in a table with indicators of compromise. The WHISPERGATE module is an application written in .NET. Downloading malicious content from Discord resources is preceded by running the Sleep command for 10 seconds by a PowerShell application with base64-encoded arguments. This operation is done to avoid potential detection mechanisms on the attacked machine. The FINETIDE module is downloaded as a file with a JPEG extension, while the task of WHISPERGATE is to read all bytes from the end to the beginning of the JPEG file and save them to a new DLL file. WHISPERGATE then executes a malicious DLL file (FINETIDE module) that is obfuscated using the Eazfuscator software .
There are three resources available within the DLL file. At the moment, only one of the resources has been analyzed. The analysis showed that it consists of the AdvancedRun and Waqybg module. The AdvancedRun module is a tool from Nirsoft , which is used in this case to disable Windows Defender, while the Waqybg module damages files with the following extensions by modifying their content and extension.
. HTML . HTM . PHTML . PHP . JSP . ASP . PHPS . PHP5 . ASPX . PHP4 . PHP3 . DOC . DOCX . XLS . XLSX . PPT . PPTX . PST . MSG . EML . TXT . CSV . RTF . WKS . WK1 . PDF . DWG . JPEG . JPG . DOCM . DOT . DOTM . XLSM . XLSB . XLW . XLT . XLM . XLC . XLTX . XLTM . PPTM . POT . PPS . PPSM . PPSX . HWP . SXI . STI . SLDX . SLDM . BMP . PNG . GIF . RAW . TIF . TIFF . PSD . SVG . CLASS . JAR . SCH . VBS . BAT . CMD . ASM . PAS . CPP . SXM . STD . SXD . ODP . WB2 . SLK . DIF . STC . SXC . ODS .3DM . MAX .3DS . STW . SXW . ODT . PEM . P12 . CSR . CRT . KEY . PFX . DER . OGG . JAVA . INC . INI . PPK . LOG . VDI . VMDK . VHD . MDF . MYI . MYD . FRM . SAV . ODB . DBF . MDB . ACCDB . SQL . SQLITEDB . SQLITE3 . LDF . ARC . BAK . TAR . TGZ . RAR . ZIP . BACKUP . ISO . CONFIG
The following graphic (Figure 3) illustrates how and in which sequence malware runs. Further analyses on the characteristics of the FINETIDE tool are currently underway.
Update of January 19, 2022 at 2:00 p.m.
As indicated by the Security Service of Ukraine  and the Cyber Police of Ukraine , the attack also exploited (in addition to vulnerabilities in content management systems - OctoberCMS) the Log4j vulnerability. In addition, according to the above-mentioned sources, the government websites were also compromised as a result of the takeover of the accounts of employees of the IT service provider that provided services to the Ukrainian government. In addition, the Cyber Police of Ukraine noted DDoS attacks on a number of Ukrainian government entities.
Update of January 20, 2022 at 3:00 p.m.
Considering the fact that the recent attacks on Ukrainian government websites exploited CVE-2021-32648 vulnerability (related to the OctoberCMS content management system), there is a risk of further exploitation of this software vulnerability.
In order to prevent the use of CVE-2021-32648 vulnerability, as well as to introduce additional security measures, it is recommended to:
1. Update October CMS to the latest version. 2. Allow access to the CMS login panel only through a trusted point-to-point connection or from a specific IP address. 3. Implement two-factor authentication login process. 4. Change the path to the OctoberCMS login panel from the default (/backend/*) to another path, which consists of a string of pseudo-random characters. 5. Uninstall any plugins that come from unknown sources. Install add-ons only from the official platform provided by the manufacturer, taking into account the need to update.