New Petya virus and four major cyber attacks against Ukraine

Author: News Agency

Ukraine has faced the largest hacker attack in the country's history: a ransomware virus has struck dozens of state institutions, banks, airport systems, energy companies, and the railway
13:15, 28 June 2017


On June 27, Ukraine was struck by a ransomware virus. Thousands of computers across the country are infected; large companies and individuals alike have suffered from it. Experts say that the ransomware (which calls itself Petya) is a modified analogue of other extortion viruses, for example the well-known WannaCry virus, which began spreading actively around the world on May 12, 2017. WannaCry first hit the network of healthcare institutions in the UK and then spread to organizations in other countries, including Ukraine.

Judging by screenshots of the infected computers, the virus blocks access to the files on the computer, encrypts them and demands a ransom of $300, paid to a Bitcoin wallet address, for their decryption. WannaCry did the same, and according to estimates it caused damage of more than $1 billion, although it brought its creators only about $120,000.

Related: Cyber attack performed via M.E.doc

The virus works only on the Windows operating system. IT experts explain that the authors of the WannaCry code exploited a vulnerability in Microsoft's operating system. This information was confirmed by Microsoft President Brad Smith. The minimum length of time between the detection of a vulnerable computer and its full infection is about 3 minutes.

As a result, systems of about 30 banks, Ukrzaliznytsia, Boryspil airport, Ukrposhta, Kyiv Metro, Epicenter, Nova Poshta, DTEK, Ukrenergo, and even the Cabinet are under attack.

According to the NBU, the affected banks are experiencing difficulties with servicing clients and carrying out banking operations. Ukrtelecom assures that the company continues to provide Internet and telephone services, but the computer systems that support its call center and customer service centers do not work. Boryspil airport warns that "in connection with an extraordinary situation, flight delays are possible." Kyiv Metro says that as a result of the attack, payment by bank card has been blocked. Nova Poshta offices and its contact center temporarily cannot serve customers. Due to technical failures, the information systems of the Lviv City Council have been suspended for an indefinite period; document circulation and the work of the local centers for providing administrative services have been suspended. All the computers in Ukraine's Cabinet are disabled.

In 2014, hackers destroyed Ukrainian artillery in Donbas

In December of this year, analysts at CrowdStrike (an American company specializing in cyber security) released a report describing how the application for the Android operating system, widely used by Ukraine’s Armed Forces, developed by an officer of Ukrainian artillery to simplify calculations in conducting fire, could be used by the Russian government as a means of intelligence. For example, it could get information on the whereabouts of Ukrainian government forces.

In 2014, Fancy Bear created a malicious version of the application and posted it on Ukrainian military forums. CrowdStrike found that a variant of the Fancy Bear malware was used to compromise an Android application designed to help artillery troops target their obsolete howitzers more effectively. As a rule, several minutes are needed to lay the Soviet-era Ukrainian towed D-30 howitzer, as the targeting data are entered manually. With the Android application, it took 15 seconds, CrowdStrike found. The Fancy Bear team apparently trojanized the application, allowing the Russian Main Intelligence Directorate to use the GPS coordinates of the phones to track the positions of Ukrainian troops. Thus, the Russian army could direct artillery and other weapons at the Ukrainian military. Ukrainian units deployed in the east of Ukraine were in heavy fighting with Russian-backed separatist forces in the early stages of the conflict at the end of 2014, CrowdStrike noted.

Related: Main investigation version regarding car blast in Kyiv is Russian trace, - Matios

By the end of 2014, the number of Russian troops in the region had reached about 10,000. The Android application helped Russian troops determine the positions of Ukrainian artillery. According to the International Institute for Strategic Studies, during two years of the conflict Ukrainian artillery troops lost more than 50% of their weapons and more than 80% of their D-30 howitzers, the highest percentage of losses of any artillery weapon in the arsenal, the report says. The application was not available in the Android store and was distributed only through its developer's account on a social network, CrowdStrike experts report; the developer is Ukrainian artillery officer Yaroslav Sherstyuk. Activation of the application was possible only after contacting the developer and receiving an individual code for downloading the application.

Dmitri Alperovitch, co-founder and chief technology officer of CrowdStrike, stresses that the Ukrainian example shows how strong the connection is between the Fancy Bear hackers and the Russian military. "In order to use the data obtained as a result of hacking on the battlefield, close integration is needed," said Alperovitch. "Such tasks are in the competence of the GRU ... In our opinion, this is a very convincing proof of the connection between these two (Fancy Bear and GRU) organizations."

Related: Extreme hacker attack hits Ukraine

Meanwhile, one of the most significant and dangerous attacks was committed in December 2015. Then the hackers managed to cut an entire region, the Carpathian region, off from the electricity grid by interfering with the operations of Prykarpattyaoblenergo. More than 700,000 inhabitants of the region were left without electricity for several hours. The company's IT systems were damaged so badly that each of the substations had to be switched back on manually.

International companies and organizations such as SANS ICS, ESET and Symantec investigated this incident and found that the electricity was cut off through a hacker attack using the BlackEnergy malware. According to Symantec, the Sandworm group, which operates against industrial sites in Ukraine and other European countries, and even against NATO, stands behind the BlackEnergy family of malware.

Related: Cyber attack: police received over 200 claims

The BlackEnergy rootkit, which opened access to the internal networks of the energy companies, had been present on their computers for six months before its destructive function was activated.

According to a statement by the Security Service of Ukraine (SBU), this hacker attack was an attempt by Russian special services to attack the computer networks of the Ukrainian energy sector. The American cyber intelligence company iSight Partners claims that Sandworm is a Russian hacker group involved in the unprecedented power outage in Ukraine. Even the Central Intelligence Agency became interested in it, as did the National Security Agency and the US Department of Homeland Security, which agreed to investigate.

Later, the State Service of Special Communication of Ukraine found the BlackEnergy malware in the Boryspil airport network.

In 2015, the theory that Russian hackers were responsible was not yet widely accepted. Moreover, in the subsequent attacks the authorities blamed domestic hacker groups.

The peak of the hacker attacks came at the end of 2016. On December 6, hackers broke into the networks of the State Treasury, the Ministry of Finance of Ukraine, and the Pension Fund. Visitors to the Treasury's website were redirected to a page reading: "We lit the wick of the revolution, and now we decide whether it will twinkle and die or really ignite. Our real work is just beginning." This message was posted on the main page of the site. The Treasury Service is the central executive body that implements state policy in the sphere of treasury services for budgetary funds and accounting for the execution of budgets.

As a result of the attack, on December 7, 2016 mandatory payments worth hundreds of millions of hryvnias by the State Treasury and the Pension Fund were blocked. Payments went through with delays or did not go through at all, and the websites of the Ministry of Finance and the State Treasury did not work.

Related: Websites of National Police and Ministry of Internal Affairs disabled due to cyber attack

The attack on the websites of these departments was stopped two days later, on December 8. According to a message on the Ministry of Finance's official Facebook page, the State Treasury resumed payments, internal networks and databases began to operate in regular mode, and all information was preserved. The attack corrupted servers of state bodies. The Ministry of Finance noted that the aim of the hackers was to disrupt the budget process and the reform of the Finance Ministry, and to undermine confidence in the government's cybersecurity system.

Then an employee of the state enterprise "National Information Systems", which maintains state registries, wrote on Facebook that "the virus that hit the treasury is called KillDisk". This is a well-known program with many variants. Its source code is available, so attackers can always modify it beyond recognition so that antivirus programs cannot detect it.

On the night of December 14, 2016, a cyber attack was carried out on six servers of Prydnistrovska Railway (PJSC Ukrzaliznytsia), and on the morning of December 15 the system for distributing empty freight cars was attacked. "We issue paper documents for the drivers. All traffic safety issues are monitored. Radio and telegraph communication operate, tickets are sold at the ticket offices," the head of Ukrzaliznytsia, Wojciech Balczun, said. He also noted that there were problems with the dispatching system for the power supply.

Ukrzaliznytsia's top management did not see a Russian trace in this attack, but blamed corrupt Ukrainian officials. According to the top manager, the hacker attack is "a sharp reaction of the current corruption system at the state enterprise." Balczun said that the pressure and threats against members of his team are connected with the launch of an automated system for the distribution of empty freight cars, scheduled for December 28. However, Minister of Infrastructure Volodymyr Omelyan said that Ukrzaliznytsia was attacked by Ukrainian hacker groups on the orders of an "unidentified person from St. Petersburg." It was a diversionary maneuver to steal passenger traffic data. According to Omelyan, the attacks on the Ministry of Finance and the State Treasury were carried out in a similar way, and it should be noted that the attack on the website of the Ministry of Infrastructure itself occurred on December 16.

Related: Cyber attack on Ukraine was prepared for at least a month

Although hackers have been actively attacking Ukraine since 2015, Ukrainian state bodies were entirely unprepared for new cyber threats. Experts warn that as technology develops, hacker attacks will only increase, and in the current situation it is not difficult to carry out attacks on the outdated equipment of government agencies.

It cannot be said that only state bodies face hacker attacks. This happens to everyone. An ordinary user who suspects nothing can become a victim of cyber terror. To hide the traces of their activity, intruders route their traffic (including the malware itself) through a chain of compromised victim computers, so that it cannot be traced back to them. Today's attack was directed not only against large companies but against ordinary people as well.

Therefore, cybersecurity concerns not only ordinary people, state bodies or private companies. It applies to everyone who uses the Internet, experts say.

It should be noted that the draft law on cybersecurity has been adopted by the Verkhovna Rada only in the first reading. A special coordinating center, which started operating last summer, has not shown its effectiveness. The effectiveness of the state structures responsible for the cybersecurity of state companies also raises questions.

Related: Cyber security expert: Part of virus attacking Ukraine could be used in WannaCry malware
