Author: Andrew Mikhaliuk, CEO of CoreWin
On the night of January 13-14, while Ukrainians traditionally go caroling, a coordinated cyberattack was launched against government websites and portals, already dubbed #attack13. The majority of government websites, the “Diia” portal (“Дія” in Ukrainian: the state mobile application, web portal and digital-state brand developed by the Ministry of Digital Transformation of Ukraine), and some non-governmental organization websites were targeted. A multilingual image appeared on the websites, seemingly expressing the anger of Poles over historical events. By morning, the message had disappeared from the sites, and all services were functioning normally again.
According to an interview with NSDC (National Security and Defense Council of Ukraine) Deputy Secretary Serhii Demediuk, the attack was carried out by the hacker group UNC1151, which is linked to the KGB of the Republic of Belarus.
At the same time, CERT-UA reported that the attack was carried out using an October CMS vulnerability and published remediation recommendations. This allows us to qualify the attack as a supply chain attack, i.e. an attack that exploited a vulnerability in a component or system supplied by a third party.
October CMS’ statement on this event is rather simple. Keep your systems up to date and this will not happen.
The public space also draws attention to the KitSoft company, which is a contractor for web development of some of the affected government agencies.
KitSoft reports that the situation is not as straightforward, and the attack cannot be solely attributed to a CMS vulnerability. They draw attention to a Microsoft report describing a possible cyber operation targeting Ukrainian organizations.
According to Microsoft’s report, the attacks are united by a common scenario:
Stage 1: Overwrite the Master Boot Record (MBR) so that the infection message is shown at boot. The executable is commonly named stage1.exe.
Stage 2: Malware that corrupts the contents of files, making them unreadable. The executable is named stage2.exe.
In the rest of the article, we will refer to this software as ransomware, with the understanding that files are not actually encrypted but rather “broken” and cannot be restored.
Currently, KitSoft’s website is not working. The company says that its site was also attacked and that it has no time to restore its own site, as the team is helping government agencies.
It is interesting to note that the company separately pointed out that their site does not use October CMS.
The incident is under investigation by the SSU (Security Service of Ukraine), the State Service for Special Communications and the Cyber Police. According to preliminary information from the SSU, no personal data was leaked.
Given that the investigation is already being conducted by government services and the SSU, we can assume that the case files have been assigned a certain level of secrecy, which means that all we, the general public, can do is summarize the events and analyze what happened.
So, take a deep breath… Let’s break it down step by step.
UNC1151
This is a group of Belarusian hackers best known for a series of attacks called Ghostwriter.
Ghostwriter is a cyber influence campaign that primarily targets audiences in Lithuania, Latvia, and Poland, and promotes narratives critical of the North Atlantic Treaty Organization (NATO) presence in Eastern Europe.
In addition to the obvious common political motives of Belarus and Russia, Serhii Demediuk also noted: “The malicious software used to encrypt some state servers is very similar in its characteristics to the software of the APT29 group.”
APT29 (also known as Cozy Bear) is a well-known Russian hacker group. For example, they are responsible for Solorigate, which we wrote about in December 2020.
October CMS
October CMS is essentially a system for developing and managing a website. Its better-known “colleagues” are WordPress and Joomla. Given the nature of this software segment, the players that survive are usually those offering a free version of their product.
The situation with October CMS is similar. Although the platform does not have a free license (perhaps that is why it is not as widespread as others in our region), its source code is open, that is, not obfuscated or hidden. This means that:
- The license agreement is easy enough to violate.
- The code is easier to analyze for vulnerabilities.
- It is difficult to catch those who have copied part of the code for their own project.
The vulnerability we are talking about now can be classified as an Account Takeover. An attacker can request an account password reset and then gain access to the account using a specially crafted request. To exploit this vulnerability, the attacker must know the administrator’s username and have access to the password reset form.
This vulnerability was patched long ago; updating the platform to the latest version is enough to close the hole.
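From a defender's point of view, the pattern described above (a password-reset request followed shortly by a successful entry into the administration panel) leaves a trace in ordinary web server access logs. The following script is an added example, not code from the article, from October CMS or from any of the organizations mentioned: it parses access-log lines in the common combined format and raises an alert when one source issues repeated password-reset requests, or when a reset request from a source is followed within a short window by a successful response from a non-authentication backend page. The log lines are constructed for the example, and the `/backend/backend/auth/...` routes and the `/backend/` prefix are assumptions about a default October CMS installation that should be adjusted to the actual deployment.

```python
"""Flag password-reset abuse followed by admin-panel access in web access logs.

Added example (not from the original article). The backend paths below are
assumptions about a default October CMS install; adjust them to your own site.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed routes: admin panel under /backend/, auth pages (sign-in, reset) under
# /backend/backend/auth/. Anything else under /backend/ answering 200 is treated
# as an authenticated admin page.
ADMIN_PREFIX = "/backend/"
AUTH_PREFIX = "/backend/backend/auth"
RESET_PATH = "/backend/backend/auth/restore"

WINDOW = timedelta(minutes=15)   # how long a reset request stays "suspicious"
RESET_THRESHOLD = 3              # resets from one source within WINDOW = abuse

# Constructed sample log lines (not real traffic).
LOG_LINES = [
    '198.51.100.7 - - [14/Jan/2022:01:02:11 +0200] "POST /backend/backend/auth/restore HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Jan/2022:01:03:05 +0200] "POST /backend/backend/auth/restore HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Jan/2022:01:04:40 +0200] "POST /backend/backend/auth/restore HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Jan/2022:01:06:02 +0200] "GET /backend/cms/pages HTTP/1.1" 200 18422 "-" "Mozilla/5.0"',
    # A legitimate administrator: one reset, then admin access 20 minutes later (outside WINDOW).
    '203.0.113.5 - - [14/Jan/2022:00:30:00 +0200] "POST /backend/backend/auth/restore HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Jan/2022:00:31:00 +0200] "GET /backend/backend/auth/signin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Jan/2022:00:50:12 +0200] "GET /backend/cms/pages HTTP/1.1" 200 18422 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect(lines):
    """Return a list of (ip, reason, timestamp) alerts, in chronological order."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    resets = defaultdict(list)      # ip -> timestamps of recent reset POSTs
    flagged_repeat = set()          # ips already reported for repeated resets
    alerts = []
    for e in events:
        ip, ts, path = e["ip"], e["ts"], e["path"]
        if e["method"] == "POST" and path.startswith(RESET_PATH):
            # Keep only resets inside the sliding window, then add this one.
            resets[ip] = [t for t in resets[ip] if ts - t <= WINDOW] + [ts]
            if len(resets[ip]) >= RESET_THRESHOLD and ip not in flagged_repeat:
                flagged_repeat.add(ip)
                alerts.append((ip, "repeated password-reset requests", ts))
        elif (path.startswith(ADMIN_PREFIX) and not path.startswith(AUTH_PREFIX)
              and e["status"] == 200):
            # Successful admin page shortly after a reset from the same source.
            if any(ts - t <= WINDOW for t in resets[ip]):
                alerts.append((ip, "backend access shortly after password reset", ts))
                resets[ip].clear()   # report the sequence once
    return alerts


if __name__ == "__main__":
    for ip, reason, ts in detect(LOG_LINES):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {ip}: {reason}")
```

On the constructed input the script reports two alerts for 198.51.100.7 (three resets in three minutes, then an admin page two minutes later) and nothing for 203.0.113.5, whose single reset and later admin visit fall outside the window. The rule is deliberately coarse; in a real deployment it would be tuned against the actual reset route and combined with the application's own authentication log, and any hit would be a reason to check whether the platform is at the patched version.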
If the attack really happened on a massive scale because of such an ancient vulnerability by cybersecurity standards, how could it have happened? There are two possible options:
- systems were running without a license and/or were not updated
- the systems were not actually running on the platform, but parts of the platform code were used by the contractor and not updated in time
There is no evidence for either of them. However, we tend to believe that our colleagues in the IT department are acting responsibly, and it is unlikely that these are the real reasons.
KitSoft
First, we would like to take this moment to point out that with a web vulnerability scanner such as Acunetix or Netsparker in the arsenal, the project could have been checked for web vulnerabilities and the October CMS issue caught before it was exploited, if it was indeed present.
We have an unequivocal statement on the company’s Facebook page that their infrastructure was damaged and partially shut down on purpose. In other words, we can state that the infrastructure is either partially down or partially compromised. This does not look like a CMS vulnerability.
Attack vectors
At least two separate attack vectors have been put forward by government agencies and their employees. Some facts speak in favor of each of them:
- A component vulnerability that led to further actions.
The argument supporting this claim is that the sites only suffered a defacement (replacement of the homepage), and the registry and database records remained intact. In other words, the servers are not down. The data hasn’t been lost or encrypted. If the servers had been infected with ransomware, the situation would have been entirely different and much more severe. On the other hand, if the issue lies specifically with a vulnerability in October CMS, it’s unclear why the hackers didn’t go further, as they potentially had access to the site’s admin panel. Or did they go further and leave only the defacement on the surface as a distraction?
- Ransomware infection.
As Microsoft describes it, there is a surge in ransomware attacks that has unique characteristics, indicating a new coordinated attack.
On one hand:
- The KitSoft website is down, which does resemble the aftermath of ransomware.
- Serhii Demediuk mentioned ransomware in his interview, specifically targeting government servers for encryption.
However:
- Why did government agencies provide recommendations for addressing a vulnerability in October CMS?
- Why wasn’t any data lost, and how was defacement achieved? Ransomware typically doesn’t allow such manipulations.
Conclusions
It is most likely that a series of vulnerabilities were exploited to penetrate the servers, possibly through suppliers. However, it seems certain that the issue isn’t limited to the CMS alone. There are also reports of a new ransomware variant, but it’s likely that it wasn’t the only tool used – a full arsenal of tools was deployed to “spin” the compromised systems.
And the most significant conclusion: unless something extraordinary happens, this story will be buried under the label “classified,” and we won’t learn the details. Too many open questions remain, and we are unlikely to receive the answers.
Co-author: Maksym Kopytsko, Brand Manager at CoreWin