Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Ukraine Finds 2-Year-Old Russian Backdoor

Threat Actor Tracked as UAC-0056 Is Behind the Attacks
Ukraine Finds 2-Year-Old Russian Backdoor
Members of the Airborne Assault Troops of the Armed Forces of Ukraine (Image: Ministry of Defense of Ukraine)

Russian hackers breached and modified several Ukrainian state websites on Thursday morning using a backdoor planted nearly two years ago.

See Also: OnDemand | Combatting Rogue URL Tricks: How You Can Quickly Identify and Investigate the Latest Phishing Attacks

The incident did not cause significant disruption, says the State Service of Special Communications and Information Protection of Ukraine. But discovery of an encrypted web shell created no later than Dec. 23, 2021, hiding on the server of an official website led to an investigation revealing several additional backdoors.

"At the moment, it can be stated that the incident did not affect the performance of the functions of the state bodies. The work of most information resources has already been restored and they are working normally," the SSSCIP said on Thursday.

The Computer Emergency Response Team of Ukraine is investigating the attacks in coordination with the SSSCIP, the Security Service of Ukraine and the country's Cyber Police. Their findings identified the hackers as belonging to a group tracked as UAC-0056 and said they activated the web shell late Wednesday night. Hackers used the web shell to create an index.php file in the root web directory.

UAC-0056 is also known as SaintBear, UNC2589 and TA471. The group has been active since at least March 7, 2021, and has made attacks against Ukrainian and Georgian government organizations and critical infrastructure. Cybersecurity firm Rapid7's assesses that the group's activities are aligned with the Kremlin, but no evidence exists that the group is state-sponsored.

The investigation also revealed the presence of three backdoors: CredPump, HoaxPen and HoaxApe. Hackers installed HoaxPen and HoaxApe in February 2022 in the guise of an Apache web server module.

The initial access vector used by the threat actor is unclear, although CERT-UA did reveal that the group used security tunnels such as the Go Simple Tunnel and Ngrok in the early stages of the attack to deliver the HoaxPen backdoor.

Security researchers spotted the same threat actor in spring 2022 deploying malware variants using a malicious Excel file delivered through phishing mails (see: Cyberespionage Actor Deploying Malware Using Excel).


About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.eu, you agree to our use of cookies.