Belarusian Intelligence Behind Ukrainian Government Website Cyber Attacks

Ukrainian government websites were hit by cyber attacks over the weekend. According to this Reuters article, Ukraine suspects that UNC1151 (a group linked to Belarusian intelligence) is tied to this activity.

Raj Dodhiawala, President
InfoSec Expert
January 20, 2022 4:53 pm

The massive cyber attack that took down the Ukrainian government's websites was a result of a key technique: lateral movement. This technique is successful when admin credentials are compromised or harvested from the initial system that is breached.

This specific ransomware that was deployed in the attack is dangerous and disruptive to both public and private sector enterprises because it wants to destroy data and is not interested in collecting a ransom (and decrypting the data back). While I commend the CISA's efforts in issuing insights to help enterprises protect themselves against the increase of cyber attacks, it does not go far enough: it must recommend paying close attention to securing access to privileged accounts via Least Privilege. Multi-factor authentication (MFA) is often not sufficient if the malware can harvest an admin's hash from memory to move laterally.

Looking ahead, organizations must prioritize protecting their assets against lateral movement by maintaining zero standing privilege (ZSP). Even if malware, such as the type that's used in the recent attacks, gets on a system, organizations need to isolate it to just that system in order to prevent it from spreading.

Garret F. Grajek
InfoSec Expert
January 17, 2022 4:42 pm

If there is any proof needed that cyberwarfare is now as much part of warfare as bullets and tanks – this is it. In fact, the ability to undermine a nation's economy, political systems, and infrastructure – are all now available via a remote keyboard and make the other mechanisms arcane and less attractive. But there is nothing clean and harmless about cyberwarfare – shutting down a country's ability to feed, hospitalize and care for its own people is as much an act of war as bombing or attacking through other means.

The U.S. CISA organization (Cybersecurity and Infrastructure Security Agency) has just put out a set of alerts focused directly on the activities of Russia and its aggressive cross-border sponsored hacking. It's important to note – CISA is part of the U.S. Dept of Homeland Security.

Peter Draper, Technical Director, EMEA
InfoSec Expert
January 17, 2022 4:40 pm

In terms of attribution, the current and historic tensions between Ukraine and Russia suggest that this was a Russian state-sponsored attack. However, it seems less hardcore than previous Russian state-sponsored attacks which have been seen in the wild. There are many hacker groups within Russia and this attack seems more likely to have come from one of the lesser groups and potentially more patriotic focused than trying to do real damage. This attack may be evidence of a campaign that ran over a few years, where the groundwork for the attack was laid during the annexation of Crimea. Now hackers could be exploiting the vulnerabilities they had access to because it was convenient for them to do so.

Jamie Akhtar, CEO and Co-founder
InfoSec Expert
January 17, 2022 4:35 pm

Although this looks like a nation-state attack, it perfectly illustrates how supply chains and networks make everybody vulnerable. In this case, it only needed a breach in one arm of the Ukrainian government to take whole swathes of it down.

It’s a timely reminder to all of us to be mindful of our interconnectedness, whether that’s in our personal online lives or at work. And it’s also a reminder that the best way to prevent cyberattacks of this nature is through cooperation between businesses, partners or state departments.

Javvad Malik, Security Awareness Advocate
InfoSec Expert
January 17, 2022 4:31 pm

These attacks show signs of being a coordinated state-backed operation.

It highlights the importance for all organisations and countries to take cyber security seriously and invest in the appropriate controls to help prevent, detect, and respond to any attacks. Many times, state-backed actors will also use standard attack methods such as social engineering, taking advantage of unpatched software, or weak credentials.

Detection controls could have also helped spot data being inappropriately accessed and exfiltrated.

In today's day and age, protecting data isn't just about protecting data, but it's about protecting people.
