CERT-UA Says Russia Backdoored Ukraine

CERT-UA from Ukraine said that Russia-linked threat actors have breached multiple government websites earlier this week, resulting in content modification. The government experts attribute the attack to the UAC-0056 group (DEV-0586, unc2589, Nodaria, or Lorec53).

The SSSCIP’s National Cybersecurity Coordination Center along with the Cyber Police are working together to lock out the threats and investigate the security breaches.

The state-sponsored hackers used a web shell created no later than December 23, 2021, to deploy multiple backdoors. The nation-state actor employed the SSH backdoor CredPump (PAM module) to achieve remote SSH access and logging of logins and passwords when connecting via SSH.

The attackers also used the HoaxPen and HoaxApe backdoors, experts discovered that the malicious codes were in the form of a module for the Apache web server and were installed in February 2022.

The alert states that attackers employed GOST (Go Simple Tunnel) and the Ngrok program in the early stages of the attack.

UAC-0056 to attack 20+ #UA GOV entities using backdoors planted 1-2 years ago, among them: #CredPump (SSH backdoor in a for of PAM module), HoaxPen (#backdoor, ELF), #HoaxApe (Apache module), as well as #GOST (Go Simple Tunnel) and #Ngrok.
Details: https://t.co/veqavCMWGG pic.twitter.com/sS7NTKQCHo
— CERT-UA (@_CERT_UA) February 23, 2023

The UAC-0056 APT group has been active since at least March 2021, it focuses on Ukraine, despite it has been involved in attacks on targets in Kyrgyzstan and Georgia.It has been observed deploying a new information stealer dubbed Graphiron in attacks against Ukraine.

Indicators of Compromise