- Ukraine’s cybersecurity authorities are responding to a series of breaches spanning multiple government websites using backdoors that were installed in the final weeks of 2021.
The discovery and response to the attacks come as Russia’s invasion of Ukraine hits the one-year mark. “It is safe to say that the incident has not caused any essential system failures or disruptions in the operation of the public authorities,” State Service of Special Communications and Information Protection of Ukraine said in a statement Thursday.
The Cybersecurity and Infrastructure Security Agency did not respond to questions about the breaches on websites for central and local authorities in Ukraine. The agency did issue an alert warning that the U.S. and European nations may experience cyberattacks around the anniversary of Russia’s 2022 invasion of Ukraine.
The war in Ukraine raised awareness for cyber risk across governments and companies. For security stakeholders, physical war was expected to spill over into cyberspace.
But in the early weeks of the war, top U.S. national security and law enforcement officials said they were tracking a surprisingly limited number of cyberattacks in Ukraine. CISA in July formalized closer cooperation with Ukraine's SSSCIP.
The SSSCIP said the incident hasn’t resulted in any essential system failures or disruptions. “Operation of most of the information resources has been recovered already, and they are running and available as usual,” the agency said.
The Computer Emergency Response Team of Ukraine said it detected a previously known encrypted web shell on a government site on Wednesday. The web shell was created and used to download a PHP backdoor no later than Dec. 23, 2021, according to CERT-UA.
“Based on the set of signs, we can make a preliminary conclusion that the violation of the normal operation mode of the investigated web resources was carried out by the UAC-0056 group,” CERT-UA said in a statement, according to a translation. The Russian-state sponsored threat actor is also tracked as Ember Bear or UNC2589.