Ukrainian government websites attacked: How could it happen?

During the night from the 13th to the 14th of January 2022, some government websites were down due to the hackers’ attacks, also known as “defacement.” As of the publication time, some of the websites are still down.

The possible gateway for the attack is the vulnerability of open-source OctoberCMS. This guess follows the article by Kim Zetter, an American investigative journalist, the author of “Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon.” Her book was dedicated to the attack on the Iraqi nuclear infrastructure. AIN.UA is the first media to report on the Ukrainian case. 

Updated: Comments from the State Service of Special Communications and Information Protection of Ukraine have been added.

What is known about the attack

The attack has threatened a few websites of Ukrainian ministries and governmental service providers, including the Ministry of Digital Transformation, the Ministry of Education and Science, the Ministry of Foreign Affairs, the DIIA portal, etc.

According to MP Oleksandr Fediienko, the Deputy Head of the Committee on Digital Transformation and the Head of the Subcommittee on Digital and Smart Infrastructure, Electronic Communications, Cyber-security, and Cyber Protection of Verkhovna Rada, the hackers were only able to change the main pages of the web-sites but could not access the registries and databases themselves:

“There were attacks on several government portals. However, hackers were only able to change the main pages of the websites and could not reach any further. There is ongoing work on limiting the consequences. The state services had reacted promptly, and most of the websites were down to prevent the spread of the problem. The registries and the databases are safe. The was no leakage of the personal data. There is no other information apart from the news stored on the websites.”

The Ministry of Digital Transformation has also said that the content of the sites remained unchanged as a result of the attack, and there was no leak of personal data. All sites are expected to resume operation soon. The Computer Emergency Response Team of Ukraine CERT-UA has made a similar statement.

What is known about the vulnerability of OctoberCMS

OctoberCMS is an open-source content management system. The journalist Kim Zetter cites the source saying the attack was due to the vulnerability of this system. The CVE-2021-32648 vulnerability has been known since last year (more details here). Through this gateway, the hackers could send a password reset request for an account in this system and then gain access to it. The system was updated to resolve the issue back in September 2021. 

Therefore, according to the cybersecurity specialists, IT workers of Ukrainian state services could simply skip the update that has prevented this vulnerability.

“As I understand, Kim has got CVE (a cybersecurity vulnerabilities list of records) from someone related to the investigation of the case. I believe this vulnerability is the cause. This vulnerability has been reported a while ago, and it looks like it simply has not been updated on time. And this was the case for several offices, not just one (and that was a real problem),” said co-founder of the Ukrainian Cyber Alliance, also known as Sean Townsend, to AIN.UA.

According to him, the attack doesn’t seem to have any serious consequences: “If these were just ‘defaces’ and, it seems so, then we are lucky.”

Another anonymous cybersecurity expert agrees with him:

“The vulnerability was reported last year, and it seems Ministries were not aware of the fact. It could be a low level of computer literacy, or they could simply miss the latest CMS updates. Or it could be that they just paid one service provider to install and set up the software, and that was it. In any case, if that was the real cause, then the Ministries, namely their system administrators / DevOps are to be blamed for, they are to look for the security updates of such systems.”

UPD 1: CERT-UA also suggested that hackers could have conducted the attack because of the October CMS vulnerability.

UPD 2: By the end of January 14, the State Service of Special Communications and Information Protection of Ukraine also published its version. In its report, the agency said that the version about СMS was one of those on which the experts worked. But after all, they agreed that there was a supply chain attack:

“We can now state that it is very likely that a so-called supply chain attack took place. That is an attack through the supply chain. The culprits hacked the infrastructure of a commercial company that had access, with administrator privileges, to the websites affected by the attack.”

UPD as of January 19, 2022: The hackers attacked the Ukrainian government websites using the wiper malware WhisperGate. It wiped data on dozens of computers at two Ukrainian government agencies, but it was not critical, the Ukrainian departments, investigating the incident report. The American investigative journalist Kim Zetter, who earlier told about the vulnerability in OctoberCMS, which could have been used for the attack, describes the same version.

WhisperGate works in three stages.

  • In the first stage, the hackers load WhisperGate onto a system, and the malware overwrites the portion of the hard drive responsible for launching the operating system when the machine is booted up. It overwrites it with a ransom note demanding Bitcoin worth $10,000, though the message doesn’t immediately appear on machines.
  • In the second and third stages, the virus downloads additional malicious components via a Discord channel, damaging numerous files on the infected system. The attackers execute the operation by forcing the machine to power down.
  • When it is turned back on, a ransomware message appears onscreen. The user sees it and thinks they can pay and regain access to the system. But in fact, the system is already inoperable and unrecoverable.

We now know that the attack was structured, carried out in several stages, and was not just a defacement. We are already talking about the possibility of destroying certain information on the affected computers. Fortunately, according to Viktor Zhora, deputy head of Ukraine’s State Services for Special Communication and Information Protection, the attack did not lead to the loss of state databases or registries.