Search This Blog

Showing posts with label Ukraine. Show all posts

Ukraine legalized cryptocurrency

The Verkhovna Rada of Ukraine adopted the bill "On virtual assets", which will legalize cryptocurrency and virtual hryvnia.

The bill on its legal use for settlement operations was supported by 276 deputies, six voted against, 71 deputies abstained. The document regulates the circulation of virtual assets in the country, which allows market participants to use banking services, pay taxes on income from "crypto", as well as receive legal protection in courts in case of violation of rights.

According to the Telegram channel of the Rada, the purpose of the law is a comprehensive regulation of relations arising during the circulation and conclusion of transactions with digital currency, as well as ensuring a unified approach to the organization of cryptocurrency trading.

Owners of cryptocurrencies will receive a number of benefits. Due to the fact that there will be a legislative regulation of this area, they will at least be able to protect their fortune in virtual assets if something happens.

They will also be able to legally exchange crypto assets, declare them. This process will be absolutely legal. In addition, it is expected that a whole market of intermediary services will appear for paying for goods with cryptoassets, their storage, exchange. This will expand the possibilities of their use.

The new law will make virtual assets an absolutely legal and familiar phenomenon for the authorities and society.

It should be noted that in September last year, the government of Ukraine stated that the country has the highest level of use of virtual assets by the population in the world.

Earlier, E Hacking News reported that, according to the First Deputy Chairman of the Bank of Russia, Blockchain is not a panacea, and cryptocurrency is not money. So, the Central Bank of Russia is not going to change its negative attitude to these assets.

El Salvador was the first country in the world to recognize bitcoin. The relevant law entered into force there on September 7. Now it will be possible to pay with cryptocurrency along with dollars.


Eastern Europe is a Hotspot for Illegal Cryptocurrency Trading

 

According to a new study, Eastern Europe is a hub for illicit cryptocurrency operations. According to Chainalysis data published on Wednesday, Eastern European cryptocurrency addresses contributed $815 million to investment ponzi scams that attract customers with false promises of large returns between June 2020 and July 2021. Ukraine, in particular, provided a large amount of traffic to fraud websites in the region, outnumbering the United States by about 20 million visits.

Eastern Europe is the region that sends the most cryptocurrency to darknet markets. This is attributable in great part to activities at Hydra Market. Hydra is the largest darknet market in the world, although it mainly serves Russian-speaking users in Eastern Europe. 

Finiko, a scam, received half of the money sent to the region. Finiko was a Ponzi scheme established in Russia that collapsed in July 2021, shortly after participants reported being unable to withdraw payments from their accounts. Finiko encouraged customers to invest with Bitcoin or Tether, promising monthly profits of up to 30%, and then established its own cryptocurrency that was sold on various platforms. 

Finiko was led by Kirill Doronin, a popular Instagram influencer who has been linked to numerous Ponzi scams, according to the Moscow Times. Finiko received approximately $1.5 billion in Bitcoin in over 800,000 distinct donations between December 2019 and August 2021.

While Eastern Europe is primarily thought of as a recipient of illicit cryptocurrency funds, the research points out that due to the region's economic instability, it is also home to an increasing number of victims. Scam payments outperformed all kinds of crime in Eastern Europe, as well as every other region analyzed by Chainalysis, despite the constant rise in ransomware assaults. 

Eastern Europe came in second place in terms of ransomware funds received, at $46 million. However, due to overlap in services, some of the $51 million in activity attributed to Western Europe could be credited to Eastern Europe, according to researchers. 

Cryptocurrency scams have also grown in popularity in the United States, which came in third in terms of scam payments after Eastern and Western Europe. Despite this, the firm discovered that fraudsters have amassed tens of millions of dollars in cryptocurrency ransomware payments.

Security Researchers Discovered Crimea Manifesto Buried in VBA Rat

 

On Thursday, Hossein Jazi and the Threat Intelligence team at Malwarebytes released a report revealing a new threat actor that may be targeting Russian and pro-Russian individuals. A manifesto regarding Crimea was included by the assailants, implying that the attack was politically motivated. A suspicious document called "Manifest.docx" is used in the attacks, and it downloads and runs two attack vectors: remote template injection and CVE-2021-26411, an Internet Explorer exploit. Malwarebytes' Threat Intelligence team discovered the "Манифест.docx" ("Manifest.docx") on July 21.

"Both techniques have been loaded by malicious documents using the template injection technique. The first template contains a url to download a remote template that has an embedded full-featured VBA Rat. This Rat has several different capabilities including downloading, uploading, and executing files," Jazi said. 

The second template is imported into the document and is included in Document.xml.rels. According to the threat research teams at Google and Microsoft, the loaded code contains an IE Exploit (CVE-2021-26411) that was previously utilized by Lazarus APT to target security researchers working on vulnerability disclosure. The shell code used in this vulnerability loads the same VBA Rat as the remote template injection exploit. 

The attack, according to Jazi, was motivated by the ongoing conflict between Russia and Ukraine, which includes Crimea. Cyberattacks on both sides have been on the rise, according to the report. The manifesto and Crimea information, however, might be utilized as a false flag by threat actors, according to Jazi. 

The attackers used a combination of social engineering and the exploit, according to the report, to boost their chances of infecting victims. Malwarebytes was unable to pin the assault on a single actor but said that victims were shown a decoy document with a statement from a group linked to a figure named Andrey Sergeevich Portyko, who supposedly opposes Russian President Vladimir Putin's Crimean Peninsula policies. 

The decoy document is loaded after the remote templates, according to Jazi. The document is written in Russian but also has an English translation. A VBA Rat is also included in the attack, which collects victim information, identifies the AV product installed on the victim's workstation, runs shell-codes, deletes files, uploads and downloads files, and reads disc and file system information. Instead of using well-known API calls for shell code execution, which can easily be flagged by AV products, the threat actor employed the unique EnumWindows to run its shell-code, according to Jazi.

Ukraine Seized Gaming Consoles used for Illegal Crypto Mining

 

The Security Service of Ukraine (SBU), Ukraine's top law enforcement agency, reported last week that it had discovered a large-scale electricity theft in Vinnytsia, in west-central Ukraine. The stolen power was used to mint digital currency in the country's largest illegal crypto farm discovered to date, according to officials. Residents of Vinnytsia and Kyiv established the mining facility in a former warehouse of JSC Vinnytsiaoblenerho, according to a press release on the agency's website. Using electrical metres that did not indicate the true energy consumption, they were able to hide the theft from the distribution firm. 

Law enforcement seized around 5,000 items of mining hardware, including 3,800 gaming consoles, over 500 video cards, and 50 processors, during searches at the crypto farm and its owners' homes. Agents seized electricity consumption records, as well as notebooks, phones, and flash drives, according to the announcement.

Under the direction of Ukraine's Prosecutor General's Office, the SBU Department for Counterintelligence Protection of State Economic Interests, in collaboration with the regional SBU Office in Vinnytsia and the Main National Police Investigation Department, conducted the operation. 

According to preliminary estimates published by Ukrainian officials, the illegal mining activity is responsible for electrical losses in the range of 5 to 7 million hryvnia, or $183,000 to $256,000 at the time of writing. Officials added that the heavy usage could have caused power surges and disruptions in the neighboring communities. For unauthorized usage of electricity, the SBU has filed a criminal complaint. Investigators are now seeking to figure out who is behind the illegal crypto mining and if any JSC Vinnytsiaoblenerho employees are involved as well. 

The report from Vinnytsia follows the closure of an illegal mining farm in Chernihiv Oblast by Ukrainian law enforcement last week. The facility was run off of stolen electricity from the local power grid. Authorities confiscated 150 mining equipment that had burned electricity worth $110,000 during a raid on rented facilities. In early June, the SBU discovered a crypto farm in Dnipropetrovsk Oblast with 350 mining rigs that were illegally linked to the power system and had consumed over $70,000 in electricity. 

Last year, Ukraine was ranked first in the world in Chainalysis' Global Crypto Adoption Index. The Eastern European country is attempting to lead the region with crypto-friendly efforts such as the introduction of a bill to determine the legal status of crypto assets in the country, as well as guidelines for their circulation and issuance.

Cl0p Ransomware Group Announces New Victim After Police Arrest

 

The renowned Cl0p ransomware operation appears to be back in business, just days after Ukrainian police arrested six alleged members of the gang. The arrests were recognized as a win against a hacker group that has targeted dozens of victims in recent months, including Flagstar Bank, Jonesday Law Firm, Shell, and a number of US universities. 

Numerous suspects believed to be affiliated with the Cl0p ransomware group were arrested last week in a law enforcement operation led by the National Police of Ukraine and officials from South Korea and the United States. It's considered to have been the first time a national law enforcement agency has made mass arrests in connection with a ransomware attack. 

The Ukrainian authorities said at the time that they had successfully shut down the gang's server infrastructure. However, it does not appear that the operation was entirely successful as less than a week later, the gang's hackers posted information on their dark website that they claimed was obtained from a new victim. This new breach, intended to put pressure on the corporation to pay the money demanded by the hackers, indicates that the arrests in Ukraine have had no effect on the hackers. 

It's unknown when the new company was hacked, and whether the data was hacked before the arrests but hadn't been made public until now, or whether it was a whole new hack. In any case, it shows that the group is still operational in some capacity. 

In an email, Brett Callow, a security researcher at Emsisoft, who specializes in tracking ransomware, said, "The fact that data has been posted suggests that the action by the Ukrainian police may not have involved core members of the threat group or completely disrupted their operations." 

Though the hackers did not respond to an email sent to the address listed on their website right away. In an email to Motherboard last week, the Cyber-Police Department of Ukraine's National Police stated it had "identified six perpetrators," but refused to address any specific questions regarding the people arrested "so as not to jeopardize the investigation." 

The police said they searched the houses and automobiles of the alleged hackers in and around Kiev 21 times. The cops reported that they have seized 500 million Ukrainian hryvnia (approximately $180,000), as well as computers and automobiles. On Tuesday, the police did not immediately respond to an email seeking comment.

Cl0p ransomware was identified in early 2019, and it has since been tied to a number of high-profile attacks. These include the April 2020 data breach at ExecuPharm in the United States, as well as the data breach at Accellion, in which hackers exploited vulnerabilities in the IT provider's software to steal data from dozens of customers, including the University of Colorado and cloud security firm Qualys.

Suspects Linked to the Clop Ransomware Gang Detained in Ukraine

 

Following a joint operation by law enforcement agencies from Ukraine, South Korea, and the United States, multiple persons alleged to be affiliated with the Clop ransomware gang have been arrested in Ukraine. Six arrests were made during searches at 21 locations in Kyiv and the surrounding regions, according to the National Police of Ukraine's Cyber Police Department. 

While it's unclear if the defendants are ransomware affiliates or core developers, they're accused of a "double extortion" technique in which victims who fail to pay the ransom are threatened with the leak of data stolen from their networks before their files are encrypted. “It was established that six defendants carried out attacks of malicious software such as ‘ransomware’ on the servers of American and [South] Korean companies,” alleged Ukraine’s national police force in a statement. 

The police also seized equipment from the alleged Clop ransomware gang, which is accused of causing $500 million in financial losses. This includes computer equipment, a Tesla and a Mercedes, as well as 5 million Ukrainian Hryvnia (about $185,000) in cash. 

Authorities also claim to have successfully shut down the server infrastructure used by gang members to launch prior operations. “Together, law enforcement has managed to shut down the infrastructure from which the virus spreads and block channels for legalizing criminally acquired cryptocurrencies,” the statement added. 

“The Cl0p operation has been used to disrupt and extort organizations globally in a variety of sectors including telecommunications, pharmaceuticals, oil and gas, aerospace, and technology,” said John Hultquist, vice president of analysis at Mandiant’s threat intelligence unit. 

In February 2019, the gang launched an attack on four Korean organizations, encrypting 810 internal services and personal PCs. Clop has since been connected to a slew of high-profile ransomware attacks. These include the attack on ExecuPharm, a US pharmaceutical company, in April 2020, and the attack on E-Land, a South Korean e-commerce company, in November, which prompted the retailer to close over half of its outlets.

Clop is also related to the Accellion ransomware attack and data theft, in which hackers exploited flaws in the IT firm's File Transfer Appliance (FTA) software to steal data from dozens of its clients. Singaporean telecom Singtel, law firm Jones Day, supermarket retail chain Kroger, and cybersecurity firm Qualys are among the victims of this breach.

Ukraine Suspects Russia Behind a Spear Phishing Campaign

 

Three of the many Ukrainian cybersecurity organizations – the Ukrainian Secret Service, Ukrainian Cyber Police, and CERT Ukraine - cautioned last week that Russia-linked cybercriminals were conducting "massive" spear-phishing campaigns against the Ukrainian government and private sector businesses. 

Also, one of the three agencies, the Ukrainian Secret Service has ascribed the attack to the Russian Federation's 'Special Service,' attributing this year's third cyber attack by Russian hackers. 

The spear-phishing campaign occurred at the beginning of June last week, following the Ukrainian Secret Service, Cyber Police, and CERT Ukraine warnings. 

The attackers sent out emails to the Police Department in Kyiv Patrol Police Department, cautioning recipients for the failure to pay local taxes. 

“Specialists of the Security Service of Ukraine established that in early June this year, mass e-mails were sent with the sender’s address changed. Messages, in particular, allegedly from the Kyiv Patrol Police Department contained malicious attachments and were sent to the addresses of several government agencies.” reads the alert published by the Ukrainian Secret Service. 

Recipients of the email were encouraged to install a RAR archive included within the E-mail, that would drop a double extension EXE file (filename.pdf.exe) to appear as a PDF file. 

Victims using the suspicious program would download a modified remote access software, RemoteUtilities, which would revert to remote command servers in Russia, Germany, and the Netherlands. “This allows the foreign intelligence service to remotely exercise full control over the PC,” the Ukrainian Secret Service said on Friday. 

Officials of CERT also noted that the operation last week used tactics similar to other attacks that happened in January and March this year. 

In February, the Government of Ukraine blamed an APT organization, a Russia - based gang, for the attacks on a government document management system, the System of Electronic Interaction of Executive Bodies (SEI EB). The hackers were designed to disseminate malicious documents to government authorities, according to Ukrainian officials. The SEI EB servers are used to communicate documents with Ukrainian government entities. 

The Ukrainian Security and Defense National Council reported that the attackers were conducting “the mass contamination of information resources of public authorities.” 

At the very same time, Ukraine accused Russia of significant offenses targeting Ukrainian security and defense sites on unspecified Russian Internet networks. However, the Ukrainian authorities have not provided any information regarding the attacks or the damage inflicted.

Poisoned Installers Found in SolarWinds Hackers Toolkit

 

The ongoing multi-vendor investigations into the SolarWinds mega-hack took a new turn this week when additional malware artifacts were discovered that could be leveraged in future supply chain operations. 

The current session of attacks linked to the APT29/Nobelium threat actor contains a custom downloader that is part of a "poisoned update installer" for electronic keys used by the Ukrainian government, according to a recent study from anti-malware firm SentinelOne. 

Juan Andrés Guerrero-Saade, SentinelOne's principal threat researcher, detailed the latest discovery in a blog post that extends on prior Microsoft and Volexity investigations. “At this time, the means of distribution [for the poisoned update installer] are unknown. It’s possible that these update archives are being used as part of a regionally-specific supply chain attack,” Guerrero-Saade stated. 

According to Guerrero-Saade, the most recent iteration of malware related to Nobelium uses a convoluted multi-stage infection chain with five to six layers. This involves the usage of NativeZone, a booby-trapped update installer for a Ukrainian cryptographic smartkey used in government operations, which uses ‘DLL stageless' downloaders. 

The Cobalt Strike Beacon payload, according to Guerrero-Saade's analysis of the campaign, serves as an "early scout" that allows for the targeted dissemination of unique payloads directly into memory. “After years of burned iterations on custom toolkits, [this APT] has opted for maximizing return on investment by simply lowering their upfront investment.” 

Furthermore, he added, because they don't have visibility into its distribution channels, they won't call it a supply chain attack. The poisoned installer might be supplied to victims who rely on this regional solution directly. Alternatively, the attackers may have found a way to disseminate their malicious ‘update' by abusing an internal resource. 

Background 

A Russia-linked threat group was suspected of being behind the SolarWinds hack seen initiating a new campaign. The attacks involved a genuine bulk mailing service and impersonation of a government entity, and they targeted the United States and other countries.

Microsoft tracked the threat actor as Nobelium, and incident response firm Volexity, which discovered some similarities to APT29, a prominent cyberspy outfit previously linked to Russia, evaluated the recent assault. 

Government agencies, think tanks, NGOs, and consultants were among the target groups. Microsoft stated at least a quarter of the targets are involved in human rights and international development work.

The National Security and Defense Council of Ukraine announced the imminent creation of cyber forces in the country

Secretary of the National Security and Defense Council (NSDC) Alexey Danilov said that in the near future, President of Ukraine Vladimir Zelensky may sign a decree on the creation of cyber forces in the country.

According to Danilov, this issue was discussed earlier on Friday at a closed meeting of the NSDC.

"I can say that this decision was unanimously supported by all 21 members who attended the meeting. I think there will be a presidential decree about it in the near future. You will hear from the president," he said.

Alexey Podberezkin, Director of the Center for Military and Political Studies of Moscow State Institute of International Relations (MGIMO), and political scientist Ivan Mezyuho commented on the possibility of creating national cyber forces in Ukraine.

"Programmers who were at a high level have now turned into semi-hackers, and the remnants of this potential, including military-technical, are in fact looted. Therefore, I do not really understand how this can be done in Ukraine. Moreover, Ukraine does not produce its own software,” Podberezkin explained.

In turn, Ivan Mezyuho expressed the opinion that the creation of cyber forces in Ukraine is likely to be funded or supervised by the United States.

He also added that such forces will be financed with the help of Ukrainian taxpayers.

In addition, a similar opinion was expressed by the Russian political scientist Bogdan Bezpalko. According to him, the appearance of special units for actions in cyberspace as part of the Armed Forces of Ukraine (AFU) is due to the anti-Russian course of Kiev.

"This kind of troops will be directed primarily against Russia, the Donbas and the Crimea, based on the political course pursued by the President of Ukraine, Vladimir Zelensky," Mr. Bezpalko said.

In his opinion, the organization of cyber troops will require significant financial resources, which can be partially allocated by Western "curators of Ukraine and Zelensky personally".

Recall that in February 2019, the Verkhovna Rada announced the actual creation of cyber forces. The NSDC of Ukraine noted that the cyber forces will become part of the Armed Forces of Ukraine (AFU).

Russia Accused by Ukraine for Major Cyber Attacks

 

Ukraine on Monday alleged major attacks against the Ukrainian security and defense website by unidentified Russian Internet networks but did not provide specifics of any losses or mention who it felt was responsible for the attack. Kyiv, Ukraine's capital, previously described Moscow with major cyberattacks against Ukraine as part of the "hybrid war," which Russia opposes. 

“Kyiv has previously accused Moscow of orchestrating large cyber attacks as part of a “hybrid war” against Ukraine, which Russia denies. However, a statement from Ukraine’s National Security and Defense Council did not disclose who it believed organized the attacks or give any details about the effect the intrusions may have had on Ukrainian cybersecurity.” reported The Reuters agency. 

The Ukrainian National Security and Defense Council however has not released a statement that states that the Ukrainian Cyber Security is believed to coordinated or provides specifics about the consequences that intruders may have had. According to a contact, the attacks began on Feb. 18 and threatened web pages belonging to Ukrainian Security Service, the Council itself, and several other state agencies and strategic businesses. 

“It was revealed that addresses belonging to certain Russian traffic networks were the source of these coordinated attacks,” the Council said. 

“The council added the attacks attempted to infect vulnerable government web servers with a virus that covertly made them part of a botnet used for so-called distributed-denial-of-service (DDoS) attacks on other resources,” concludes Reuters. 

The Council reported that these attacks are intended to infect compromised state web servers with malware that has transformed them into part of a DDoS network. A DDoS attack is a cyber attack in which hackers aim to inundate a network with an extraordinary amount of information traffic so as to paralyze it. 

"It is obvious that it's connected with the latest pro-active efforts by the Service toward protecting national interests and countering Russia, which has been waging its hybrid war against Ukraine, including in the information domain," the official reported. Since Russia annexed Crimea from Ukraine in 2014 and participated in a continuing war in the eastern Donbass region of Ukraine, Russia and Ukraine have been at the loggerhead.

Ukrainian police arrested members of a well-known cyber ransomware group

Members of the Egregor group, which provides the service using the Ransomware-as-a-Service (RaaS) model, have been arrested by the Ukrainian police.

The arrest is the result of a joint operation of the French and Ukrainian law enforcement systems. The names of the arrested citizens were not disclosed, but it is known that they provided logistical and financial support for the service.

It is worth noting that this ransomware has been active since the fall of 2020 and works according to the Ransomware-as-a-Service (RaaS) model. That is, the authors of the malware rent it out to other criminals, who are already hacking companies, stealing data, encrypting files, and then demanding a “double ransom” from victims (for decrypting files, as well as for not disclosing the data stolen in the process of hacking).

If the victims pay a ransom, the group that organized the hack keeps most of the funds, and the developers of Egregor receive only a small share. The attackers laundered funds through the Bitcoin cryptocurrency.

Those arrested are suspected, among other things, of providing such financial schemes.

According to Allan Liska, a cybersecurity researcher at Recorded Future, Recorded Future has discovered that the Egregor infrastructure, including the site and the management and control infrastructure, has been offline since at least Friday (February 12).

The French side joined the investigation after the Egregor software was used in attacks on the computer game developer Ubisoft and the logistics organization Gefco in 2020.

Although the Egregor system based on the RaaS model was launched in September 2020, a number of cybersecurity experts believe that the service operators are the well-known cyber ransomware group Maze.

US court sentenced Ukrainian to seven years in prison for electronic fraud

A court in the United States has sentenced Ukrainian citizen Alexander Musienko to more than seven years in prison for participating in an online money-laundering scheme that legalized millions of dollars.

The suspect admitted his guilt in electronic fraud. On February 11, the court sentenced him to 87 months in prison (more than seven years). In addition, a citizen of Ukraine is obliged to pay more than $98.7 thousand in compensation.

As follows from the materials of the case, from 2009 to 2012, the 38-year-old Alexander Musienko from Odessa collaborated with computer hackers from Eastern Europe in order to get more than $3 million from the bank accounts of American companies. These funds were eventually stolen and legalized using bank accounts abroad.

According to the U.S. Department of Justice, he legalized funds stolen by hackers in the United States. This task was entrusted to private individuals whom Musienko hired by fraud to perform the duties of financial assistants. They transferred the stolen funds to their bank accounts at the agreed time and immediately transferred them to third-party accounts registered outside the United States.

So, in September 2011, Musienko's financial assistants, who were sure that they were working for a legitimate business, hacked the online accounts of the North Carolina company and transferred a total of almost $296.3 thousand to two bank accounts controlled by Musienko.

The Department added that Musienko was arrested in South Korea in 2018 and extradited to the United States in 2019. Around April 2019, the FBI investigated the information on Musienko's laptop. As a result, files containing about 120 thousand payment card numbers and associated identification information were found.

Ukraine’s PrivatBank Database for Sale on a Hacking Forum

 

PrivatBank is the biggest commercial bank in Ukraine, as far as the number of customers, assets value, loan portfolio, and taxes paid to the national budget are considered. Headquartered in Dnipro, in central Ukraine, the bank was nationalized by the government of Ukraine to ensure its 20 million clients and to preserve "financial stability in the country", on 18 December 2016. 

As per their site, PrivatBank's net profit for 2020 was 25.3 billion UAH, which is around $910 million. The database is said to contain 40 million records of customers such as full name, DOB, taxpayer identification number, place of birth, passport details, family status, etc. 

Ukraine has a population of 44 million, and the database’s 40 million records would cover 93% of the population. In any case, it isn't evident whether these are unique records, and it would be improbable that PrivatBank has records of 93% of Ukraine's population, considering ages that wouldn't have bank accounts. 

The threat actor is asking $3,400 in bitcoin for the release of the database. At the point when CyberNews took a gander at the bitcoin address provided, it gives the idea that nobody has purchased the database yet from that specific wallet. However, it is additionally conceivable that the threat actor is generating another wallet for each sale, a process that can be done automatically.

In 2016, hackers allegedly took $10 million from the bank through a loophole in the SWIFT international banking system. Before then, in 2014, the pro-Russian hacker group CyberBerkut asserted credit for hacking into the bank and mining client information, and afterward publishing the information on the Russian social media platform VKontakte. This was obvious retaliation for a PrivatBank accomplice who offered a $10,000 bounty for capturing Russian-backed militants in Ukraine. Earlier in 2014, another group named Green Dragon asserted credit for a DDoS assault on PrivatBank and guaranteed it got to client information during the assault. 

A 2018 report by a US corporate investigations company stated that “PrivatBank was subjected to a large scale and coordinated fraud over at least a ten-year period ending December 2016, which resulted in the Bank suffering a loss of at least USD 5.5 billion.”

The largest international phishing center has been blocked in Ukraine

As a result of an international special operation, the Office of the Prosecutor General of Ukraine has stopped the activity of one of the world's largest phishing services for attacks on financial institutions in different countries.

The Prosecutor's Office said that as a result of the work of the phishing center, banks in 11 countries - Australia, Spain, the United States, Italy, Chile, the Netherlands, Mexico, France, Switzerland, Germany and the United Kingdom - were affected. According to preliminary data, the losses reach tens of millions of dollars.

It is reported that a hacker from Ternopil developed a phishing package and a special administrative panel aimed at the web resources of banks and their clients.

"The admin panel allowed to control the accounts of users who registered on compromised resources and entered their payment data, which were later received by the fraudsters. He created his own online store on the DarkNet network to demonstrate the functionality and sell his developments," the Prosecutor's Office explained the algorithm of the center's functioning.

More than 200 active buyers of malicious software were found.

According to the investigation, the hacker did not only sell their products but also provide technical support in the implementation of phishing attacks.

"According to the results of the analysis of foreign law enforcement agencies, more than 50% of all phishing attacks in 2019 in Australia were carried out with the help of the development of the Ternopil hacker," said the Department.

A criminal case has been opened on this fact under the article on unauthorized interference in the operation of computers, automated systems, computer networks, or telecommunications networks, as well as the creation of harmful software products for the purpose of using, distributing, or selling them.

Earlier, the deputy director of the National Coordination Center for Computer Incidents (NCCI), Nikolai Murashov, said that the United States had placed hackers in Montenegro and Ukraine. This was done allegedly under the pretext of protecting the elections.


Pavel Durov's team advised the Ministry of Finance of Ukraine on cryptocurrencies.

 The Minister of Digital Transformation Mikhail Fedorov said that his department is in contact with the team of the developer of the Telegram messenger Pavel Durov.

According to Fedorov, he is familiar with Durov's team. Employees of the Ministry of Digital Transformation received advice on bills related to virtual assets and cryptocurrency

"I know Durov's team. I know all its management, we communicate, consult even on bills related to cryptocurrency, virtual assets, and so on."

The Minister said that he actively uses the Telegram messenger for fast communications. However, the information exchanged by officials is protected as much as possible, and all documents pass through electronic document management.

"Of course, questions of national importance do not need to be sent in messengers, this is understandable," added Mikhail Fedorov.

Answering the question about which of the messengers is the safest for him, the head of the Ministry of Digital Transformation noted that he most often uses Telegram and WhatsApp.

Recall that on December 2, the Verkhovna Rada of Ukraine in the first reading adopted as a basis the draft law "On virtual assets" regulating operations with cryptocurrencies in the country. The bill classifies virtual assets (VA) as an intangible good.

The function of the market regulator is assigned to the Ministry of Digital Transformation, and in some cases to the National Bank and the National Commission on Securities and Stock Market.

According to experts, the daily volume of cryptocurrency transactions in Ukraine is about $150-200 million. One of the authors of the document, Deputy Oleksiy Zhmerenetsky, noted that the bill will allow cryptocurrency companies to pay taxes and allow specialized foreign firms to cooperate with Ukrainian banks and invest in the industry.

Ukraine did not follow the Russian path of banning virtual assets, because this market is a growth point for Ukraine's GDP and an opportunity to become one of the world's technology leaders. In addition, it makes no sense to prohibit something that is technically impossible to control, as we have already seen in the case of blocking Telegram in Russia.

Recall that Roskomnadzor has added the site of the Binance crypto exchange to the list of banned sites in Russia.

A major Ukrainian IT company has revealed details of the hacker attack

Ukrainian IT company SoftServe has issued an official statement about the recent hacker attack, in which it gave details of the incident and said that its investigation is still ongoing.

As a reminder, in early September SoftServe underwent a hacker attack during which client data, including the source code of a number of developments, were stolen. Later, another confidential data appeared on the network, including scanned copies of internal and foreign passports of company employees.

"As we reported earlier, SoftServe experienced a cybersecurity incident on Tuesday, September 1. It was a complex, multi-step and targeted attack against our company. As a result of the attack, the company's mail server was damaged, a number of corporate services were disabled, and the internal file server was compromised,” noted SoftServe.

The attackers managed to download fragments of various information, and in order to put pressure on the company, they made them publicly available.  SoftServe expects new incidents and declares its readiness for them.

"We expect that new data can be published again and are ready for it. Such actions of attackers, as well as various kinds of provocations and the spread of fakes to escalate the situation are a common tactic in hacker attacks. As noted earlier, SoftServe managed to localize the attack within a few hours after the attack and our team quickly restored the operation of corporate systems that function normally,” noted the company on its Facebook page.

The company also said that SoftServe is currently operating normally and has a "clear plan to deal with the consequences" of the incident. The company promises technical, legal, financial, and other assistance to anyone who suffered from the attack.

SoftServe has engaged one of the world's cybersecurity experts to independently investigate the incident.

The National Security and Defense Council of Ukraine reported a leak of IP addresses of government websites


The leaked list of hidden government IP addresses of government websites occurred in Ukraine. This is stated in the statement of the National Security and Defense Council (NSDC).

It is noted that specialists of the National Cyber Security Coordination Center under the National Security and Defense Council of Ukraine have found in the DarkNet a list of almost 3 million sites using the Cloudflare service to protect against DDoS and a number of other cyberattacks. The list contains real IP-addresses of sites that are under threat of attacks on them.

"The list contains real IP addresses of sites, which creates threats to direct attacks on them. Among these addresses are 45 with the domain" gov.ua" and more than 6,500 with the domain "ua", in particular, resources belonging to critical infrastructure objects",  specified in the message on the official website of the NSDC.

According to Ukrainian experts, some data on Ukrainian sites are outdated, and some are still relevant. In this regard, according to the NSDC, there is a threat to the main subjects of cybersecurity.

It was found that Cloudflare provides network services to hide real IP addresses to mitigate DDoS attacks.

In January of this year, the national police of Ukraine opened criminal proceedings due to a hacker attack on the website of Burisma Holdings. According to Assistant to the Interior Minister Artem Minyailo, the attack "was most likely carried out in cooperation with the Russian special services." To conduct an investigation, Ukraine turned to the US Federal Bureau of Investigation.

In May 2020, representatives of the state service for special communications and information protection of Ukraine announced hacker attacks on the websites of state bodies of Ukraine, including the portal of the office of President Vladimir Zelensky. In the period from 6 to 12 may, more than 10.9 thousand suspicious actions were recorded on state information resources.

Provider Volia reported to the cyber police about the intense cyberattacks on the server


Cable provider Volia appealed to the Cyber Police on the fact of fixing a DDoS attack on the Kharkov servers of the company, which has been ongoing since May 31.

"For three days, from May 31 to today, the Volia infrastructure in Kharkov is subjected to cyberattacks. At first, they were carried out only on subscriber subsystems, later they switched to telecommunications infrastructure. As a result, more than 100,000 subscribers experienced problems using the Internet, IPTV, multi-screen platform, and digital TV," said the company.

In total, the complete lack of access to Volia's services, according to the provider, lasted 12 minutes on May 31, 45 minutes on June 1. There was also an attack on the website volia.com, but it was managed to neutralize.

"DDoS attacks were massive and well-organized. The type of attack is UDP flood and channel capacity overflow with the traffic of more than 200 GB. UDP is a protocol used for online streaming services - streaming, telephony, video conferencing, etc. The attack occurred from tens of thousands of different IP addresses around the world: the United States, Malaysia, Taiwan, Vietnam, etc.", emphasized the press service of the provider.

According to representatives of the company, attacks of this volume are followed by extortion and other attempts to influence the company. Therefore, Volia appealed to the cyber police with a statement about a massive DDoS attack on the infrastructure.

At the same time, Volia stated that they cannot be sure that the attacks will not happen again, but they are doing everything possible to avoid it.
It should be noted that Volia company serves about 2 million cable TV and Internet subscribers in 35 cities of Ukraine.

In Ukraine, a world-famous hacker has been detained


The press center of the Security Service of Ukraine announced the arrest of a world-famous hacker who operated under the nickname Sanix. Last January, Forbes, The Guardian, and Newsweek wrote about the cybercriminal. TV channel Italia 1 dedicated a separate story to it since the database put up for sale by an unknown person was the largest in the history of the stolen database.

The hacker Sanix turned out to be a 20-year-old resident of the small town of Burshtyn. The guy graduated from high school and college, has no higher education.

At the beginning of last year, Sanix attracted the attention of the world's leading cybersecurity experts. On one of the forums, a hacker posted an ad for the sale of a database with 773 million email addresses and 21 million unique passwords. According to the portal Wired, this event should be considered the largest theft of personal data in history.

SBU experts claim that the hacker also sold pin codes for bank cards, electronic wallets with cryptocurrency and PayPal accounts.

During the searches, computer equipment with two terabytes of stolen information, phones with evidence of illegal activity and cash from illegal operations in the amount of $7,000, and more than $3,000 were seized from a hacker.

The National Police of Ukraine added that the 87 GB database proposed by the hacker makes up only a small part of the total amount of data that he possessed. More than 3 TB of such databases, uploaded and broken passwords were found at the hacker. This includes the personal and financial data of EU citizens and the United States.

Sanix himself in private correspondence with a BBC journalist noted that he was only a salesman. Sanix said that poverty in the country and an urgent need for money motivated him to become a cybercriminal.

The Security Service of Ukraine (SBU) counted more than 100 cyberattacks on government websites


The SBU has neutralized 103 cyberattacks on information resources of state authorities since the beginning of the year.

According to the Agency, since March, a significant number of attacks take place against agencies that ensure the fight against coronavirus. The SBU reported that hackers send emails with malicious software code to the mailboxes of state institutions.

“Hacker attacks come from Russian intelligence agencies, which are trying to gain remote access to the computers of Ukrainian government agencies. Then they plan to distort or destroy data, distribute fakes allegedly on behalf of government agencies, as well as discredit the actions of the Ukrainian authorities,” the SBU said, accusing Russia of carrying out coronavirus cyberattacks.

The Department stressed that in January-March, the work of almost two thousand sites that the hackers used to carry out the attacks was stopped. 117 criminal cases were opened. The SBU also sent recommendations to state agencies on compliance with information security.

Earlier, the head of the SBU, Ivan Bakanov, made a proposal to the Council of National Security and Defense of Ukraine to extend sanctions against Odnoklassniki and Vkontakte social networks, as well as other Russian services and programs for another three years.

It is noted that cyber specialists of the SBU analyzed that during the period of sanctions, the number of Ukrainian users in these social networks has decreased by 3 times. And this significantly narrowed down the target audience, to which the information operations of the Russian special services are directed.

“Fakes in countries of established democracy are equated to weapons of mass destruction. A hybrid war continues against Ukraine, and we continue to resist information attacks from the Russian Federation. Therefore, it makes sense to continue the sanctions: this will protect our citizens from fakes and manipulations, and, accordingly, we will preserve the security of the state," said Mr. Bakanov.

It is worth noting that the sites of the Russian antivirus companies Kaspersky Lab and Doctor Web were among the sanctions list.