Ransomware Attack On Ukraine’s Energy Ministry Website

As part of our security experts comments series, Andrea Carcano and Craig Young commented below on the news that malicious actors have used ransomware to take the website of Ukraine's energy ministry offline and encrypt its files.

Andrea Carcano, Co-Founder and Chief Product Officer at Nozomi Networks:

“Due to the criticality of their services, critical infrastructure systems have become a juicy target for cyber criminals interested in cyber espionage, cyber warfare, hacktivism and cyber ransom attacks. In addition, over the years CNI have become more dependent upon interconnected devices, which has also opened them up to cyber risk.

“In this type of cyber-threat, the attacker was targeting the Ukraine energy and coal ministry’s IT networks. It doesn’t appear there were any intentions or efforts to attack critical infrastructure. That said, IT is often used as an entry point for attackers who are targeting OT networks, and this case is yet another reminder of the vulnerabilities within both IT and OT networks.

“Cyber-risk management must be treated as a high priority for CNI. This requires both public and private sector collaboration and investments in better prevention and resiliency. With technological advances, such as machine learning and artificial intelligence, it’s now possible to model and monitor even large, complex networks and critical physical processes typical of refineries, power plants and pipelines. Operators can gain asset visibility and identify vulnerabilities.”

Craig Young, security researcher at Tripwire: 

While many people might be quick to cast blame on Russia for this incident, I believe this was probably not the case. Looking over the Internet Archive copy of this site, it appears that they were running Drupal 7, which is currently under active attack by automated attackers armed with “Drupalgeddon2” exploits. “Drupalgeddon2” is a highly critical remote code execution bug affecting most Drupal sites which was disclosed at the end of March. It is also possible (although less likely) that someone is already exploiting CVE-2018-7602, which the Drupal team announced just yesterday but has yet to provide a public fix for.

Organizations need to understand that off-the-shelf content management systems like Drupal, WordPress, and Joomla may start seeing exploitation within days or even hours of a critical disclosure. These public-facing systems must be a top priority for infosec teams.

Users of these systems should also be certain to maintain up to date backups of their content to facilitate recovery after a ransomware attack.

The information was determined by looking at the source on the Wayback Machine here:

https://web.archive.org/web/20180419075742/http://www.mev.gov.ua/

And noting that it shows <meta name="Generator" content="Drupal 7 (http://drupal.org)"/>
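The check Craig Young describes above, reading the CMS from the generator hints a site exposes, is easy to automate. The script below is an added example, not code from the original article or from Tripwire: it parses a page for `<meta name="Generator">` tags and also inspects the `X-Generator` response header that Drupal sends by default, and maps what it finds to a product and whatever version fragment the site publishes. The sample page and headers are constructed for the example (shaped like the archived mev.gov.ua source quoted above); nothing is fetched from the network, and the regular expressions for WordPress and Joomla are the author's assumptions about typical generator strings, not anything taken from the article.

```python
"""Fingerprint an off-the-shelf CMS from the generator hints a site exposes.

Added example (not code from the original article or from Tripwire).
It reproduces the check described above: read <meta name="Generator">
from the page source, plus the X-Generator header Drupal emits by default.
All inputs below are constructed; nothing is fetched from the network.
"""
from html.parser import HTMLParser
import re

# Generator strings typically emitted by popular CMSs (assumed patterns).
# Group 1 captures the version fragment, if the site publishes one.
_GENERATOR_PATTERNS = [
    ("Drupal", re.compile(r"^Drupal\s*([0-9][0-9.]*)?", re.I)),
    ("WordPress", re.compile(r"^WordPress\s*([0-9][0-9.]*)?", re.I)),
    ("Joomla", re.compile(
        r"^Joomla!?\s*(?:-\s*Open Source Content Management)?\s*([0-9][0-9.]*)?",
        re.I)),
]


class _GeneratorMetaParser(HTMLParser):
    """Collect the content attribute of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("name", "").lower() == "generator" and attr.get("content"):
            self.generators.append(attr["content"].strip())


def classify_generator(value):
    """Map a generator string to (product, version-or-None); None if unknown."""
    for product, pattern in _GENERATOR_PATTERNS:
        m = pattern.match(value.strip())
        if m:
            return product, m.group(1)
    return None


def fingerprint(html, headers=None):
    """Return sorted (product, version, source) hints for one HTTP response.

    `headers` is a dict of response headers; lookup is case-insensitive.
    Results are hints only: the generator tag rarely carries the patch
    level, and sites can strip or spoof it.
    """
    hints = set()
    parser = _GeneratorMetaParser()
    parser.feed(html)
    for value in parser.generators:
        hit = classify_generator(value)
        if hit:
            hints.add((hit[0], hit[1], "meta"))
    for name, value in (headers or {}).items():
        if name.lower() == "x-generator":
            hit = classify_generator(value)
            if hit:
                hints.add((hit[0], hit[1], "header"))
    return sorted(hints, key=lambda h: (h[0], h[1] or "", h[2]))


# Constructed sample: a stripped-down page in the shape of the archived
# front page quoted above, plus the header Drupal 7 adds by default.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta charset="utf-8">
<meta name="Generator" content="Drupal 7 (http://drupal.org)"/>
<title>Sample ministry site</title>
</head><body><p>Constructed sample page.</p></body></html>"""
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8",
                  "X-Generator": "Drupal 7 (http://drupal.org)"}


if __name__ == "__main__":
    for product, version, source in fingerprint(SAMPLE_HTML, SAMPLE_HEADERS):
        print(f"{product} {version or '(version not disclosed)'} via {source}")
```

Two caveats a practitioner should keep in mind: the generator tag in the archived page says only "Drupal 7", so it tells you the major branch, not whether the site had applied the fixed release, and many sites strip or spoof the tag. Treat the output as a triage hint that tells you which public-facing systems to check first, not as confirmation that a site is vulnerable.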
