The 29th of March, Cyber Digest


A cyber attack on Ukrtelecom has disabled 70% of users

On March 28, a powerful enemy cyber attack was carried out on Ukrtelecom's IT infrastructure. It has already been neutralized and services are being resumed. To preserve the network infrastructure and continue providing services to the Armed Forces, other military formations and users of critical infrastructure, Ukrtelecom temporarily restricted the provision of services to most private users and business clients. The cyberattack disabled Internet access for more than 70% of users. The State Special Communications Service says that it responded promptly to the situation, thanks to which the attack was repulsed. Ukrtelecom is now able to resume providing services to customers, and has already begun to do so.

Cyber attacks against Ukraine are carried out by Russian military hackers

Among the russian hackers who attack Ukrainian state information resources and critical information infrastructure there are two groups: politically motivated ordinary cybercriminals and military hackers. The first group includes cybercriminals who unite with other groups to attack Ukraine. “We see that some of them are refusing to attack Ukraine, which is a very important sign,” said Deputy Chairman of the State Special Communications Service, Viktor Zhora. The second group consists of hackers sponsored by the russian government. Most of them are military. “These are people who serve or work for the GRU, the General Staff of the Armed Forces, the FSB and other institutions. They have military ranks and use russian intelligence data and are more likely to share that data with ordinary cybercriminals. These hackers are attacking and will continue attacking.”

UAC-0056 cyberattack on Ukrainian authorities using GraphSteel and GrimPlant malware (CERT-UA#4293)

The Governmental Computer Emergency Response Team of Ukraine, CERT-UA, received information about e-mails on the topic “Wage arrears” being distributed among government agencies in Ukraine. Attached to the e-mail is the document “Wage arrears.xls”, which contains legitimate statistics and macros. Hex-encoded data has also been embedded in the document. Once activated, the macro decodes the data, creates the EXE file “Base-Update.exe” on the computer and runs it. This file is a downloader written in the Go programming language. It downloads and runs another downloader, which in turn downloads and runs the GraphSteel and GrimPlant malware on the computer. The detected activity is associated with the UAC-0056 group.
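A triage check that follows from the chain described above, added here as an example (it is not CERT-UA's tooling): scan strings already extracted from a suspicious spreadsheet for long hex runs that decode to a Windows PE image. The function names and the sample strings are constructed for illustration, and the check assumes the payload is stored as one contiguous, byte-aligned hex run.

```python
import binascii
import re
import struct

# 128+ hex digits = at least the 64-byte DOS header that every PE file starts with.
HEX_RUN = re.compile(r"(?:[0-9A-Fa-f]{2}){64,}")

def pe_offset(blob: bytes) -> int:
    """Offset of the first MZ header whose e_lfanew points at 'PE\\0\\0', or -1."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            (e_lfanew,) = struct.unpack_from("<I", blob, pos + 0x3C)
            start = pos + e_lfanew
            if blob[start:start + 4] == b"PE\0\0":
                return pos
        pos = blob.find(b"MZ", pos + 1)
    return -1

def find_hex_encoded_pe(strings):
    """Return (string_index, decoded_size) for strings carrying a hex-encoded PE."""
    hits = []
    for index, text in enumerate(strings):
        for match in HEX_RUN.finditer(text):
            blob = binascii.unhexlify(match.group(0))
            if pe_offset(blob) != -1:
                hits.append((index, len(blob)))
    return hits

# Constructed sample: a header-only stub, not real malware.
_STUB = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20
SAMPLE_STRINGS = [
    "Wage arrears by region",   # ordinary cell text
    "DEADBEEF",                 # hex, but far too short to hold an executable
    "4D5A" + "00" * 80,         # starts with MZ but has no PE signature
    _STUB.hex().upper(),        # hex-encoded PE header stub
]

if __name__ == "__main__":
    for index, size in find_hex_encoded_pe(SAMPLE_STRINGS):
        print(f"string {index}: hex-encoded PE, {size} bytes decoded")
```

Requiring the `e_lfanew` pointer to land on a `PE\0\0` signature, rather than matching `4D5A` alone, keeps ordinary hex-looking data in a spreadsheet from raising false alarms.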


Hackers have attacked the Rosaviatsia system; all documents switch to paper format

All documents covering 1.5 years, plus the register of aircraft, which was hastily compiled recently from aircraft seized from foreign owners, have been deleted from the servers of the russian aviation regulator. In total, approximately 65 terabytes of data were destroyed. This was reported by the specialized russian aviation Telegram channel “Aviatorshchina”, citing sources in Rosaviatsia. “All documents, e-mails, files on servers have been lost, the search for the register of aircraft and aviation personnel is underway, and the system of public services has been removed. All incoming and outgoing letters were lost for 1.5 years. We don’t know how to work,” said the source. According to the source, there are no backups, as the Ministry of Finance did not allocate money for them. The attack occurred due to poor performance of contractual obligations by the company LLC “InfAvia”, which operates the IT infrastructure of Rosaviatsia. The prosecutor’s office and the FSB have been sitting in Rosaviatsia since Saturday.

Russian hackers attack charities and volunteer organizations

russian hackers carry out complex attacks against charities and volunteer organizations for various purposes. “They carry out intelligence, data collection, phishing campaigns, try to get contact information, bank accounts, goods that they buy to help Ukrainians. We see a comprehensive activity,” said Deputy Chairman of the State Special Communications Service, Viktor Zhora.


Russian propaganda TV has been hacked by Anonymous

Anonymous hackers said they had hacked the All-russian State Television and Radio Company (VDTRK), which owns a number of propaganda channels. The hackers say they are already preparing to release 870 GB of data. The structure of VDTRK includes, in particular, the Rossiya-1 and Rossiya-24 TV channels, Russkoye Radio, Radio Rossii, and others. The company also has regional branches throughout russia.

Anonymous hackers published an order of the Acting Minister of Defense of the russian Federation on the organization of fakes

Anonymous hackers published an order of Acting russian Defense Minister Dmitry Bulgakov on the preparation of fake videos in which the “Ukrainian military” allegedly mock “russian prisoners of war.” The reason given in the order for such measures was that videos showing Ukrainian soldiers treating russian prisoners normally were spreading on social networks. According to the order, soldiers of the russian occupation forces may be more inclined to surrender after watching such videos. Bulgakov also orders that these fakes be accompanied by baseless allegations that the Ukrainian military violates the Geneva Convention relative to the Treatment of Prisoners of War. The order was issued and signed on March 21.

Anonymous attack on Burger King, which is still operating in russia

Anonymous hackers have attacked the russian Burger King. After several days of such attacks, representatives of the fast-food chain published their reaction to the hackers' actions on VKontakte. “Dear Anonymous! We are not politicians – if BK russia will be out, it is unlikely that anyone will get better… If you really wanted to salt us, you would figure out how to return Mack to russia. Unfortunately, you can’t do that. So please calm down and go do your homework,” Burger King russia said.
