
Suspects Linked to the Clop Ransomware Gang Detained in Ukraine

Following a joint operation by law enforcement agencies from Ukraine, South Korea, and the United States, multiple persons alleged to be affiliated with the Clop ransomware gang have been arrested in Ukraine. Six arrests were made during searches at 21 locations in Kyiv and the surrounding regions, according to the National Police of Ukraine's Cyber Police Department. 

While it's unclear if the defendants are ransomware affiliates or core developers, they're accused of a "double extortion" technique in which victims who fail to pay the ransom are threatened with the leak of data stolen from their networks before their files are encrypted. “It was established that six defendants carried out attacks of malicious software such as ‘ransomware’ on the servers of American and [South] Korean companies,” alleged Ukraine’s national police force in a statement. 

The police also seized equipment from the alleged Clop ransomware gang, which is accused of causing $500 million in financial losses. This includes computer equipment, a Tesla and a Mercedes, as well as 5 million Ukrainian Hryvnia (about $185,000) in cash. 

Authorities also claim to have successfully shut down the server infrastructure used by gang members to launch prior operations. “Together, law enforcement has managed to shut down the infrastructure from which the virus spreads and block channels for legalizing criminally acquired cryptocurrencies,” the statement added. 

“The Cl0p operation has been used to disrupt and extort organizations globally in a variety of sectors including telecommunications, pharmaceuticals, oil and gas, aerospace, and technology,” said John Hultquist, vice president of analysis at Mandiant’s threat intelligence unit. 

In February 2019, the gang launched an attack on four Korean organizations, encrypting 810 internal services and personal PCs. Clop has since been connected to a slew of high-profile ransomware attacks. These include the attack on ExecuPharm, a US pharmaceutical company, in April 2020, and the attack on E-Land, a South Korean e-commerce company, in November, which prompted the retailer to close over half of its outlets.

Clop is also related to the Accellion ransomware attack and data theft, in which hackers exploited flaws in the IT firm's File Transfer Appliance (FTA) software to steal data from dozens of its clients. Singaporean telecom Singtel, law firm Jones Day, supermarket retail chain Kroger, and cybersecurity firm Qualys are among the victims of this breach.

Ukraine Suspects Russia Behind a Spear Phishing Campaign

Three Ukrainian cybersecurity agencies (the Ukrainian Secret Service, the Ukrainian Cyber Police, and CERT Ukraine) warned last week that Russia-linked cybercriminals were conducting "massive" spear-phishing campaigns against the Ukrainian government and private sector businesses. 

The Ukrainian Secret Service has attributed the attack to the Russian Federation's special services, describing it as the third cyber attack by Russian hackers this year. 

According to the warnings from the Ukrainian Secret Service, the Cyber Police, and CERT Ukraine, the spear-phishing campaign took place at the beginning of June. 

The attackers sent emails spoofing the Kyiv Patrol Police Department to several government agencies, warning recipients about an alleged failure to pay local taxes. 

“Specialists of the Security Service of Ukraine established that in early June this year, mass e-mails were sent with the sender’s address changed. Messages, in particular, allegedly from the Kyiv Patrol Police Department contained malicious attachments and were sent to the addresses of several government agencies.” reads the alert published by the Ukrainian Secret Service. 

Recipients were encouraged to open a RAR archive attached to the email, which dropped an executable with a double extension (filename.pdf.exe) so that it appeared to be a PDF file. 

Victims who ran the program would download a modified version of the remote access tool RemoteUtilities, which connected back to command servers in Russia, Germany, and the Netherlands. “This allows the foreign intelligence service to remotely exercise full control over the PC,” the Ukrainian Secret Service said on Friday. 

Officials of CERT also noted that the operation last week used tactics similar to other attacks that happened in January and March this year. 

In February, the Government of Ukraine blamed a Russia-based APT group for the attacks on a government document management system, the System of Electronic Interaction of Executive Bodies (SEI EB). According to Ukrainian officials, the attack was designed to disseminate malicious documents to government authorities. The SEI EB servers are used to exchange documents between Ukrainian government entities. 

The Ukrainian Security and Defense National Council reported that the attackers were conducting “the mass contamination of information resources of public authorities.” 

At the same time, Ukraine accused Russia of major attacks on Ukrainian security and defense websites, originating from unspecified Russian Internet networks. However, the Ukrainian authorities have not provided any details about the attacks or the damage inflicted.

Poisoned Installers Found in SolarWinds Hackers Toolkit

The ongoing multi-vendor investigations into the SolarWinds mega-hack took a new turn this week when additional malware artifacts were discovered that could be leveraged in future supply chain operations. 

The current wave of attacks linked to the APT29/Nobelium threat actor includes a custom downloader that is part of a "poisoned update installer" for electronic keys used by the Ukrainian government, according to recent research from anti-malware firm SentinelOne. 

Juan Andrés Guerrero-Saade, SentinelOne's principal threat researcher, detailed the latest discovery in a blog post that extends on prior Microsoft and Volexity investigations. “At this time, the means of distribution [for the poisoned update installer] are unknown. It’s possible that these update archives are being used as part of a regionally-specific supply chain attack,” Guerrero-Saade stated. 

According to Guerrero-Saade, the most recent iteration of malware related to Nobelium uses a convoluted multi-stage infection chain with five to six layers. This involves NativeZone, a booby-trapped update installer for a Ukrainian cryptographic smartkey used in government operations, which uses ‘DLL stageless’ downloaders. 

The Cobalt Strike Beacon payload, according to Guerrero-Saade's analysis of the campaign, serves as an "early scout" that allows for the targeted dissemination of unique payloads directly into memory. “After years of burned iterations on custom toolkits, [this APT] has opted for maximizing return on investment by simply lowering their upfront investment.” 

Furthermore, he added, because they don't have visibility into its distribution channels, they won't call it a supply chain attack. The poisoned installer might be supplied directly to victims who rely on this regional solution. Alternatively, the attackers may have found a way to disseminate their malicious ‘update’ by abusing an internal resource. 

Background 

The Russia-linked threat group suspected of being behind the SolarWinds hack has been seen initiating a new campaign. The attacks involved a genuine bulk mailing service and impersonation of a government entity, and they targeted the United States and other countries.

Microsoft tracks the threat actor as Nobelium; incident response firm Volexity, which also evaluated the recent campaign, found similarities to APT29, a prominent cyber-espionage group previously linked to Russia. 

Government agencies, think tanks, NGOs, and consultants were among the target groups. Microsoft stated that at least a quarter of the targets are involved in human rights and international development work.

The National Security and Defense Council of Ukraine announced the imminent creation of cyber forces in the country

Secretary of the National Security and Defense Council (NSDC) Alexey Danilov said that in the near future, President of Ukraine Vladimir Zelensky may sign a decree on the creation of cyber forces in the country.

According to Danilov, this issue was discussed earlier on Friday at a closed meeting of the NSDC.

"I can say that this decision was unanimously supported by all 21 members who attended the meeting. I think there will be a presidential decree about it in the near future. You will hear from the president," he said.

Alexey Podberezkin, Director of the Center for Military and Political Studies of Moscow State Institute of International Relations (MGIMO), and political scientist Ivan Mezyuho commented on the possibility of creating national cyber forces in Ukraine.

"Programmers who were at a high level have now turned into semi-hackers, and the remnants of this potential, including military-technical, are in fact looted. Therefore, I do not really understand how this can be done in Ukraine. Moreover, Ukraine does not produce its own software,” Podberezkin explained.

In turn, Ivan Mezyuho expressed the opinion that the creation of cyber forces in Ukraine is likely to be funded or supervised by the United States.

He also added that such forces will be financed with the help of Ukrainian taxpayers.

In addition, a similar opinion was expressed by the Russian political scientist Bogdan Bezpalko. According to him, the appearance of special units for actions in cyberspace as part of the Armed Forces of Ukraine (AFU) is due to the anti-Russian course of Kiev.

"This kind of troops will be directed primarily against Russia, the Donbas and the Crimea, based on the political course pursued by the President of Ukraine, Vladimir Zelensky," Mr. Bezpalko said.

In his opinion, the organization of cyber troops will require significant financial resources, which can be partially allocated by Western "curators of Ukraine and Zelensky personally".

Recall that in February 2019, the Verkhovna Rada announced the actual creation of cyber forces. The NSDC of Ukraine noted that the cyber forces will become part of the Armed Forces of Ukraine (AFU).

Russia Accused by Ukraine for Major Cyber Attacks

Ukraine on Monday alleged major attacks against Ukrainian security and defense websites by unidentified Russian Internet networks, but did not provide specifics of any losses or say who it believed was responsible. Kyiv has previously accused Moscow of major cyberattacks against Ukraine as part of a "hybrid war," which Russia denies. 

“Kyiv has previously accused Moscow of orchestrating large cyber attacks as part of a “hybrid war” against Ukraine, which Russia denies. However, a statement from Ukraine’s National Security and Defense Council did not disclose who it believed organized the attacks or give any details about the effect the intrusions may have had on Ukrainian cybersecurity.” reported The Reuters agency. 

The statement from Ukraine's National Security and Defense Council, however, did not say who it believed coordinated the attacks or give specifics about the consequences the intrusions may have had. According to the statement, the attacks began on Feb. 18 and targeted web pages belonging to the Security Service of Ukraine, the Council itself, and several other state agencies and strategic businesses. 

“It was revealed that addresses belonging to certain Russian traffic networks were the source of these coordinated attacks,” the Council said. 

“The council added the attacks attempted to infect vulnerable government web servers with a virus that covertly made them part of a botnet used for so-called distributed-denial-of-service (DDoS) attacks on other resources,” concludes Reuters. 

The Council reported that the attacks were intended to infect vulnerable state web servers with malware that would turn them into part of a DDoS botnet. In a DDoS attack, attackers flood a network with an overwhelming volume of traffic in order to paralyze it. 

"It is obvious that it's connected with the latest pro-active efforts by the Service toward protecting national interests and countering Russia, which has been waging its hybrid war against Ukraine, including in the information domain," the official said. Since Russia annexed Crimea from Ukraine in 2014 and became involved in the continuing war in the eastern Donbass region of Ukraine, Russia and Ukraine have been at loggerheads.

Ukrainian police arrested members of a well-known cyber ransomware group

Members of the Egregor group, which operates under the Ransomware-as-a-Service (RaaS) model, have been arrested by the Ukrainian police.

The arrest is the result of a joint operation of the French and Ukrainian law enforcement systems. The names of the arrested citizens were not disclosed, but it is known that they provided logistical and financial support for the service.

It is worth noting that this ransomware has been active since the fall of 2020 and operates under the Ransomware-as-a-Service (RaaS) model: the authors of the malware rent it out to other criminals, who then hack companies, steal data, encrypt files, and demand a “double ransom” from victims (for decrypting the files, and for not disclosing the data stolen during the intrusion).

If the victims pay a ransom, the group that organized the hack keeps most of the funds, and the developers of Egregor receive only a small share. The attackers laundered funds through the Bitcoin cryptocurrency.

Those arrested are suspected, among other things, of running such financial schemes.

According to Allan Liska, a cybersecurity researcher at Recorded Future, the Egregor infrastructure, including its website and command-and-control infrastructure, has been offline since at least Friday (February 12).

The French side joined the investigation after the Egregor software was used in attacks on the computer game developer Ubisoft and the logistics organization Gefco in 2020.

Although the Egregor system based on the RaaS model was launched in September 2020, a number of cybersecurity experts believe that the service operators are the well-known cyber ransomware group Maze.

US court sentenced Ukrainian to seven years in prison for electronic fraud

A court in the United States has sentenced Ukrainian citizen Alexander Musienko to more than seven years in prison for participating in an online money-laundering scheme that laundered millions of dollars.

The suspect pleaded guilty to electronic fraud. On February 11, the court sentenced him to 87 months in prison (more than seven years). In addition, he was ordered to pay more than $98.7 thousand in compensation.

According to the case materials, from 2009 to 2012, the 38-year-old Alexander Musienko from Odessa collaborated with computer hackers from Eastern Europe in order to obtain more than $3 million from the bank accounts of American companies. These funds were stolen and then laundered using bank accounts abroad.

According to the U.S. Department of Justice, he laundered funds stolen by hackers in the United States. This task was entrusted to private individuals whom Musienko recruited under false pretenses to act as financial assistants. At the agreed time, they received the stolen funds into their own bank accounts and immediately forwarded them to third-party accounts registered outside the United States.

For example, in September 2011, the online accounts of a North Carolina company were hacked, and Musienko's financial assistants, who believed they were working for a legitimate business, transferred a total of almost $296.3 thousand to two bank accounts controlled by Musienko.

The Department added that Musienko was arrested in South Korea in 2018 and extradited to the United States in 2019. Around April 2019, the FBI examined the contents of Musienko's laptop and found files containing about 120 thousand payment card numbers and associated identification information.

Ukraine’s PrivatBank Database for Sale on a Hacking Forum

PrivatBank is the biggest commercial bank in Ukraine by number of customers, asset value, loan portfolio, and taxes paid to the national budget. Headquartered in Dnipro, in central Ukraine, the bank was nationalized by the government of Ukraine on 18 December 2016 to protect its 20 million clients and to preserve "financial stability in the country". 

According to its website, PrivatBank's net profit for 2020 was 25.3 billion UAH, around $910 million. The database is said to contain 40 million customer records including full name, date of birth, taxpayer identification number, place of birth, passport details, family status, etc. 

Ukraine has a population of 44 million, so the database’s 40 million records would cover 93% of the population. However, it is not clear whether these are unique records, and it would be improbable for PrivatBank to hold records on 93% of Ukraine's population, given the share of the population too young to have bank accounts. 

The threat actor is asking $3,400 in bitcoin for the database. When CyberNews looked at the bitcoin address provided, it appeared that nobody had yet purchased the database through that specific wallet. However, it is also possible that the threat actor generates a new wallet for each sale, a process that can be automated.

In 2016, hackers allegedly took $10 million from the bank through a loophole in the SWIFT international banking system. Before that, in 2014, the pro-Russian hacker group CyberBerkut claimed responsibility for hacking into the bank and stealing client information, which it then published on the Russian social media platform VKontakte. This was apparent retaliation against a PrivatBank associate who had offered a $10,000 bounty for capturing Russian-backed militants in Ukraine. Earlier in 2014, another group named Green Dragon claimed responsibility for a DDoS attack on PrivatBank and claimed to have accessed client information during the attack. 

A 2018 report by a US corporate investigations company stated that “PrivatBank was subjected to a large scale and coordinated fraud over at least a ten-year period ending December 2016, which resulted in the Bank suffering a loss of at least USD 5.5 billion.”

The largest international phishing center has been blocked in Ukraine

As a result of an international special operation, the Office of the Prosecutor General of Ukraine has stopped the activity of one of the world's largest phishing services for attacks on financial institutions in different countries.

The Prosecutor's Office said that as a result of the work of the phishing center, banks in 11 countries - Australia, Spain, the United States, Italy, Chile, the Netherlands, Mexico, France, Switzerland, Germany and the United Kingdom - were affected. According to preliminary data, the losses reach tens of millions of dollars.

It is reported that a hacker from Ternopil developed a phishing kit and a dedicated admin panel targeting the web resources of banks and their clients.

"The admin panel allowed to control the accounts of users who registered on compromised resources and entered their payment data, which were later received by the fraudsters. He created his own online store on the DarkNet network to demonstrate the functionality and sell his developments," the Prosecutor's Office explained the algorithm of the center's functioning.

More than 200 active buyers of malicious software were found.

According to the investigation, the hacker not only sold his products but also provided technical support for carrying out phishing attacks.

"According to the results of the analysis of foreign law enforcement agencies, more than 50% of all phishing attacks in 2019 in Australia were carried out with the help of the development of the Ternopil hacker," said the Department.

A criminal case has been opened on this fact under the article on unauthorized interference in the operation of computers, automated systems, computer networks, or telecommunications networks, as well as the creation of harmful software products for the purpose of using, distributing, or selling them.

Earlier, the deputy director of the National Coordination Center for Computer Incidents (NCCI), Nikolai Murashov, said that the United States had placed hackers in Montenegro and Ukraine. This was done allegedly under the pretext of protecting the elections.

Pavel Durov's team advised the Ministry of Finance of Ukraine on cryptocurrencies

The Minister of Digital Transformation Mikhail Fedorov said that his department is in contact with the team of the developer of the Telegram messenger Pavel Durov.

According to Fedorov, he is familiar with Durov's team. Employees of the Ministry of Digital Transformation received advice on bills related to virtual assets and cryptocurrency.

"I know Durov's team. I know all its management, we communicate, consult even on bills related to cryptocurrency, virtual assets, and so on."

The Minister said that he actively uses the Telegram messenger for fast communications. However, the information exchanged by officials is protected as much as possible, and all documents pass through electronic document management.

"Of course, questions of national importance do not need to be sent in messengers, this is understandable," added Mikhail Fedorov.

Answering the question about which of the messengers is the safest for him, the head of the Ministry of Digital Transformation noted that he most often uses Telegram and WhatsApp.

Recall that on December 2, the Verkhovna Rada of Ukraine in the first reading adopted as a basis the draft law "On virtual assets" regulating operations with cryptocurrencies in the country. The bill classifies virtual assets (VA) as an intangible good.

The function of the market regulator is assigned to the Ministry of Digital Transformation, and in some cases to the National Bank and the National Commission on Securities and Stock Market.

According to experts, the daily volume of cryptocurrency transactions in Ukraine is about $150-200 million. One of the authors of the document, Deputy Oleksiy Zhmerenetsky, noted that the bill will allow cryptocurrency companies to pay taxes and allow specialized foreign firms to cooperate with Ukrainian banks and invest in the industry.

Ukraine did not follow the Russian path of banning virtual assets, because this market is a growth point for Ukraine's GDP and an opportunity to become one of the world's technology leaders. In addition, it makes no sense to prohibit something that is technically impossible to control, as we have already seen in the case of blocking Telegram in Russia.

Recall that Roskomnadzor has added the site of the Binance crypto exchange to the list of banned sites in Russia.

A major Ukrainian IT company has revealed details of the hacker attack

Ukrainian IT company SoftServe has issued an official statement about the recent hacker attack, in which it gave details of the incident and said that its investigation is still ongoing.

As a reminder, in early September SoftServe suffered a hacker attack during which client data, including the source code of a number of projects, were stolen. Later, other confidential data appeared online, including scanned copies of internal and foreign passports of company employees.

"As we reported earlier, SoftServe experienced a cybersecurity incident on Tuesday, September 1. It was a complex, multi-step and targeted attack against our company. As a result of the attack, the company's mail server was damaged, a number of corporate services were disabled, and the internal file server was compromised,” noted SoftServe.

The attackers managed to download fragments of various information and, in order to put pressure on the company, made them publicly available. SoftServe expects new incidents and declares its readiness for them.

"We expect that new data can be published again and are ready for it. Such actions of attackers, as well as various kinds of provocations and the spread of fakes to escalate the situation are a common tactic in hacker attacks. As noted earlier, SoftServe managed to localize the attack within a few hours after the attack and our team quickly restored the operation of corporate systems that function normally,” noted the company on its Facebook page.

The company also said that SoftServe is currently operating normally and has a "clear plan to deal with the consequences" of the incident. The company promises technical, legal, financial, and other assistance to anyone who suffered from the attack.

SoftServe has engaged an international cybersecurity expert to independently investigate the incident.

The National Security and Defense Council of Ukraine reported a leak of IP addresses of government websites

A list of the hidden real IP addresses of Ukrainian government websites has leaked, according to a statement by the National Security and Defense Council (NSDC).

Specialists of the National Cyber Security Coordination Center under the NSDC found on the DarkNet a list of almost 3 million sites that use the Cloudflare service to protect against DDoS and a number of other cyberattacks. The list contains the real IP addresses of those sites, which exposes them to direct attack.

"The list contains real IP addresses of sites, which creates threats to direct attacks on them. Among these addresses are 45 with the domain" gov.ua" and more than 6,500 with the domain "ua", in particular, resources belonging to critical infrastructure objects",  specified in the message on the official website of the NSDC.

According to Ukrainian experts, some data on Ukrainian sites are outdated, and some are still relevant. In this regard, according to the NSDC, there is a threat to the main subjects of cybersecurity.

Cloudflare's service hides the real IP address of a site behind its own network in order to mitigate DDoS attacks; an attacker who learns the origin IP address can bypass that protection and target the server directly.

In January of this year, the national police of Ukraine opened criminal proceedings due to a hacker attack on the website of Burisma Holdings. According to Assistant to the Interior Minister Artem Minyailo, the attack "was most likely carried out in cooperation with the Russian special services." To conduct an investigation, Ukraine turned to the US Federal Bureau of Investigation.

In May 2020, representatives of the State Service for Special Communications and Information Protection of Ukraine announced hacker attacks on the websites of state bodies of Ukraine, including the portal of the office of President Vladimir Zelensky. In the period from 6 to 12 May, more than 10.9 thousand suspicious actions were recorded on state information resources.

Provider Volia reported to the cyber police about the intense cyberattacks on the server

Cable provider Volia has reported to the Cyber Police a DDoS attack on the company's Kharkov servers, which has been ongoing since May 31.

"For three days, from May 31 to today, the Volia infrastructure in Kharkov has been subjected to cyberattacks. At first, they were carried out only on subscriber subsystems; later they switched to the telecommunications infrastructure. As a result, more than 100,000 subscribers experienced problems using the Internet, IPTV, the multi-screen platform, and digital TV," said the company.

In total, according to the provider, the complete lack of access to Volia's services lasted 12 minutes on May 31 and 45 minutes on June 1. There was also an attack on the website volia.com, but it was neutralized.

"DDoS attacks were massive and well-organized. The type of attack is UDP flood and channel capacity overflow with the traffic of more than 200 GB. UDP is a protocol used for online streaming services - streaming, telephony, video conferencing, etc. The attack occurred from tens of thousands of different IP addresses around the world: the United States, Malaysia, Taiwan, Vietnam, etc.", emphasized the press service of the provider.

According to representatives of the company, attacks of this volume are followed by extortion and other attempts to influence the company. Therefore, Volia appealed to the cyber police with a statement about a massive DDoS attack on the infrastructure.

At the same time, Volia stated that they cannot be sure that the attacks will not happen again, but they are doing everything possible to avoid it.

Volia serves about 2 million cable TV and Internet subscribers in 35 cities of Ukraine.

In Ukraine, a world-famous hacker has been detained

The press center of the Security Service of Ukraine announced the arrest of a world-famous hacker who operated under the nickname Sanix. Last January, Forbes, The Guardian, and Newsweek wrote about the cybercriminal, and the TV channel Italia 1 dedicated a separate story to him, since the database put up for sale by the then-unknown seller was the largest stolen database in history.

The hacker Sanix turned out to be a 20-year-old resident of the small town of Burshtyn. He graduated from high school and college but has no higher education.

At the beginning of last year, Sanix attracted the attention of the world's leading cybersecurity experts. On one of the forums, a hacker posted an ad for the sale of a database with 773 million email addresses and 21 million unique passwords. According to the portal Wired, this event should be considered the largest theft of personal data in history.

SBU experts claim that the hacker also sold pin codes for bank cards, electronic wallets with cryptocurrency and PayPal accounts.

During the searches, police seized from the hacker computer equipment with two terabytes of stolen information, phones with evidence of illegal activity, and cash from illegal operations in the amount of $7,000 and more than $3,000.

The National Police of Ukraine added that the 87 GB database offered by the hacker makes up only a small part of the data he possessed. More than 3 TB of such databases, including leaked and cracked passwords, were found in the hacker's possession. This includes the personal and financial data of citizens of the EU and the United States.

Sanix himself in private correspondence with a BBC journalist noted that he was only a salesman. Sanix said that poverty in the country and an urgent need for money motivated him to become a cybercriminal.

The Security Service of Ukraine (SBU) counted more than 100 cyberattacks on government websites

The SBU has neutralized 103 cyberattacks on information resources of state authorities since the beginning of the year.

According to the agency, since March a significant number of attacks have targeted agencies involved in the fight against coronavirus. The SBU reported that hackers send emails with malicious code to the mailboxes of state institutions.

“Hacker attacks come from Russian intelligence agencies, which are trying to gain remote access to the computers of Ukrainian government agencies. Then they plan to distort or destroy data, distribute fakes allegedly on behalf of government agencies, as well as discredit the actions of the Ukrainian authorities,” the SBU said, accusing Russia of carrying out coronavirus cyberattacks.

The agency stressed that in January-March, almost two thousand sites that the hackers used to carry out the attacks were taken down, and 117 criminal cases were opened. The SBU also sent recommendations to state agencies on compliance with information security.

Earlier, the head of the SBU, Ivan Bakanov, proposed to the National Security and Defense Council of Ukraine that sanctions against the social networks Odnoklassniki and Vkontakte, as well as other Russian services and programs, be extended for another three years.

SBU cyber specialists found that during the sanctions period the number of Ukrainian users of these social networks fell threefold, which significantly narrowed the target audience for the information operations of the Russian special services.

“Fakes in countries of established democracy are equated to weapons of mass destruction. A hybrid war continues against Ukraine, and we continue to resist information attacks from the Russian Federation. Therefore, it makes sense to continue the sanctions: this will protect our citizens from fakes and manipulations, and, accordingly, we will preserve the security of the state,” said Mr. Bakanov.

It is worth noting that the sites of the Russian antivirus companies Kaspersky Lab and Doctor Web were on the sanctions list.

Police found Ukrainian hackers who insulted Greta Thunberg in Odessa


Attackers broke into a terminal at Odessa airport and insulted the eco-activist.
Law enforcement authorities in Odessa (Ukraine) said they have identified the hackers of the Odessa airport information system who posted images with insulting and obscene language directed at eco-activist Greta Thunberg on the organization's display board.

According to police, on February 25, officers supported by the special forces unit of the National Police of Ukraine searched the homes of members and founders of the Ukrainian Cyber Alliance public organization. The searches were authorized by a decision of the Odessa court, and the seized equipment was sent for examination. Law enforcement officers opened a criminal case over unauthorized interference with the operation of the Odessa terminal. The attackers face imprisonment for a term of three to six years.

The Ukrainian Cyber Alliance regards these actions of the National Police of Ukraine as political pressure on its activists.

It is worth noting that the Ukrainian Cyber Alliance is a community of Ukrainian cyber-activists that emerged in the spring of 2016 from the merger of two cyber-activist groups, FalconsFlame and Trinity. Later, the cyber-activist group RUH8 and individual cyber-activists from the CyberHunta group joined the Alliance.

The hack of the Odessa airport information system took place in October last year, when a new terminal had just been installed in the renovated hall of the Odessa airport. Hackers displayed a photo of the Swedish eco-activist with the caption "F*** you, Greta" on the new terminal.

Recall that Time magazine named 16-year-old Swedish eco-activist Greta Thunberg its "Person of the Year". She began her climate activism in the late summer of 2018: every Friday she staged a one-person picket outside the Swedish Parliament with a placard reading "School strike for climate", and a year later similar pickets were being held around the world.

Ukrainian authorities proposed that online media track readers and transfer the data to the cyber police


A real scandal has erupted in Ukraine over the rights of journalists, the media and freedom of speech. The Ukrainian cyber police sent a circular to various Ukrainian Internet publications proposing that they install special software code on their websites in order to track and identify their readers, with all the data to be transmitted to the cyber police of Ukraine.

In the document received by the media, the cyber police propose that publications install on their sites a special script developed by the agency, which would make it possible to identify network users who use a VPN or anonymizer. All data on the users of any Internet publication that installed such code would be sent to a special server of this body.

Note that 99.9% of all Ukrainian Internet users use a VPN. This is caused by the blocking of all Russian resources by the Ukrainian authorities. In the absence of high-quality Ukrainian services and social networks, Ukrainian citizens continue to use the Russian Yandex, Vkontakte and Mail.ru and to read Russian media. Obviously, the Ukrainian authorities, on the orders of Vladimir Zelensky, have now decided to identify such citizens.

The cyber police of Ukraine noted that they did not insist on installing such code but merely suggested it. At the same time, the Ukrainian cyber police see nothing shameful in such a proposal and regard it as cooperation between the state and the private sector in combating cybercrime.

However, it is important to note that the presence of such a script from the cyber police on Ukrainian media sites is a criminal offense. Such actions by the Ukrainian cyber police violate a number of laws and the Constitution of Ukraine: freedom of speech, freedom of the media, freedom to access and disseminate information, human rights, the rules on processing personal data, and the presumption of innocence, as well as a number of European and international norms and laws in this area.

Moreover, citizens of Ukraine have long been asking the President of Ukraine to unblock Russian sites.

Ukrainian government job site posted passport scans of thousands of civil service candidates


The government job site https://career.gov.ua/ exposed scans of passports and other documents of citizens who had registered on the portal to search for work in the government sector. This was announced on January 16 by the Office of the Ombudsman of Ukraine on Facebook.

“A possible leak of personal data of citizens who registered on the site https://career.gov.ua/ with the aim of passing a competition for government service was identified. A copy of the passport and other scanned documents that users uploaded to the Unified Vacancy Portal for public service are freely accessible,” the message said.

The data leak became known from Facebook posts by public-sector job seekers: on the night of January 15, candidates for government posts reported on the social network that scans of their passports, diplomas and other documents had been published. A spokesperson for the Ukrainian cyber-activist community Ukrainian Cyber Alliance, known as Sean Townsend, filed a complaint with the Ombudsman's Office.

The press service of the Ombudsman's Office noted that the circumstances of the incident are being established and that monitoring is under way. Ukrainians, however, fear that their documents will be used by fraudsters.

"Don't be surprised if a loan is accidentally taken in your name," users write in the comments.
Cybersecurity expert Andrei Pereveziy wrote: "Minister Dmitry Dubilet, what about digitalization? Probably, this vulnerability in the framework of #FRD should be demonstrated to the European Ombudsman, so that Europe understands what it supports."

The National Security and Defense Council (NSDC) of Ukraine held an extraordinary meeting of its working group on responding to cyber incidents and countering cyberattacks on state information resources in connection with the data leak from the Unified Vacancy Portal.
During the meeting, experts noted the need for state authorities to ensure proper cyber protection of their own information systems.

Ukrainian cyber police exposed a fraudulent scheme of financial auctions


Earlier, EhackingNews reported that cyber police in the Kharkiv region had exposed members of a criminal hacker group who deliberately attacked private organizations and individuals to gain illegal access to their remote servers. It was established that in this way they managed to hack more than 20 thousand servers around the world.

It turned out that the cyber police had in fact exposed a fraudulent financial auctions scheme with a monthly turnover of $100 thousand.

According to the cyber police, the attackers opened several call centers in Kiev to conduct trading on the world financial markets. They offered victims the chance to invest money which, they claimed, would bring high profits in the future; otherwise, they promised to return the invested money.

The scammers simulated trading while appropriating the money for themselves. When a client tried to withdraw money, the attackers carried out a series of operations that resulted in the client losing all of it.

All invested money was credited to the attackers' offshore accounts; their income amounted to more than 100 thousand US dollars a month. The attackers operated in Ukraine and the European Union. The cyber police are identifying all victims.

Law enforcement officers raided the fraudsters' offices and seized system units, servers and mobile phones. Examination of this equipment revealed that the attackers also sold illegal drugs over the Internet, in Ukraine and abroad. The attackers face up to 12 years in prison and confiscation of property.

It is worth noting that bank card fraud is on the rise in Ukraine. A fraudster who stole more than $42 thousand from his victims was detained last month. The man cloned citizens' bank cards: by faking an ATM error, he used special manipulations to clone the card of the bank's next customer.

Cyber police in Ukraine caught hackers who hacked tens of thousands of servers around the world


Cyber police in the Kharkiv region exposed members of a criminal hacker group who deliberately attacked private organizations and individuals to gain illegal access to their remote servers. It was established that in this way they managed to hack more than 20 thousand servers around the world.

According to officers of the Department for Combating Cybercrime, the attackers sold the hacked access to customers. Law enforcement also identified all members of the group: three Ukrainians and one foreigner. All of them were well-known participants in hacker forums and took orders to hack remote servers located in Ukraine, Europe and the USA.

The cyber police found that the criminal group had been operating since 2014. Its members carried out brute-force attacks on private enterprises and individuals, using specialized software that exploited vulnerabilities in Windows-based servers.

The attackers are known to have sold some of the hacked servers to other hackers, who used the acquired information for their own purposes, for example demanding money from victims or threatening to debit money from their bank cards.

They also used some of the servers for their own purposes: building botnets for mining and DDoS attacks, installing command-and-control servers for malware such as stealers, and turning them into tools for brute-force attacks on new network nodes.

The cybercriminals received the proceeds of their illegal activities in e-wallets; almost $80,000 was found in some of the accounts.

To coordinate the actions of all members of the international hacker group, they communicated through hidden messengers.

The cyber police, together with investigators of the Kharkiv region police, searched the residences of the members of the international hacker group and seized computer equipment, additional storage media, draft notes, mobile phones and bank cards used to commit the crimes.