Ukraine is losing a cyberwar: Hackers attacked public treasury

Author : Vsevolod Nekrasov

Source : 112 Ukraine

An organized group of hackers attacked the Ministry of Finance, State Treasury, and Pension Fund, brought down computers and destroyed important databases
14:30, 12 December 2016
Getty Images

Read the original text at

Experts in the field of cybersecurity believe that the government conceals the real scale of the consequences of the attack.

An organized group of hackers broke into the internal telecommunications network of the Ministry of Finance, the State Treasury Service, the Pension Fund, and put out of action a number of computers, as well as destroyed critical databases of the State Treasury and the Pension Fund.

As a result, December 7, 2016 for mandatory payments of State Treasury and the Pension Fund to hundreds of millions UAH have been blocked. Payments were delayed or not held at all, websites Ministry of Finance and Treasury did not work.

Cybersecurity experts believe that the officials of the State Treasury and the Pension Fund ignore the real extent of the hacking stroke consequences.

Handwriting of the intruders are similar to last year's attack on the power companies and the airport "Borispol". Currently, not only the network of regional offices of the State Treasury, but the network infrastructure of other critical facilities of Ukraine could be under attack.

Related: Wanted worldwide organizer of cybercrime group Avalanche escaped in Ukraine, - police

Experts in the field of cyber security to prevent or reflect future hacker attacks urged officials to disclose more details about the perfect hacker attack.


December 6, 2016 sites of the Ministry of Finance of the State Treasury and the Pension Fund ceased to work. Ministry of Finance on the government portal reported that as a result of the attack network equipment has been damaged.

This was followed by the news from Treasury, "cyber attack on information and telecommunication system of the Treasury was carried out December 6, 2016".

The next day, the Ministry of Finance said: "As a result of a professional hacker attack against the Ministry of Finance authorities, the State Treasury has certain problems with the full implementation of payments."

Related: Ukrainian company ready to check clients on cyber-attack preparation on Russia

Then, the state enterprise employee of "National Information System", which was engaged in accompanying the State Register, wrote to Facebook, that "the virus, placing treasury is called killdisk. The file is called smss.exe virus in root of Windows (not to be confused with the file in System32). There is evidence, it should also be caught by ESET v.5 with databases from 06-07.12.2016. Pay attention to the "service" Plug-and-Play (not to be confused with the Plug and Play). To remove it boot the LiveCD only."

The same day, the Cabinet has allocated the Ministry of Finance and the State Treasury of 80 million USD to be protected from hackers. In particular, 40 million UAH Ministry of Finance for the purchase of a system to preserve the network equipment and backup data storage systems. Another 40 million UAH were allocated to the State Treasury to upgrade server hardware territorial bodies and the purchase of equipment for remote backup system.

According to Oleg Sych, technical director of the Kyiv lab Zillya, rapid release of large amounts of on the IT-equipment may indicate a panic among the technicians who support the IT-infrastructure departments.

Related: More than 3 000 cyber attacks spotted daily ahead of the e-declarations filing date

Technicians finally explained to the officials that they were not enough servers for backup, that existing equipment is lacking or outdated. This is a good sign. Typically, the purchase of such equipment from government agencies take months.

A possible way of breaking and consequences

"This attack is just the tip of the iceberg, - says Sych. - Cyber-attacks on a huge number of institutions, industry, energy, finance and transport facilities take place constantly". However, the attack on the State Treasury and Pension Fund distinguished by the fact that it took place a year after the hacking attacks on the energy infrastructure of Ukraine. Now we are seeing the consequences of an attack on the state budget sphere.

Related: Kremlin promises to react to possible US cyber attacks

"Networks of other government agencies might be hacked too, but the operation of these break-ins is not timely for the attacking side, however, these break-ins cannot take place," Sych said.

If the Ministry of Finance and Treasury websites were not hacked, the information about the successful attacks against the internal informational network of state agencies could not reach society. Officials could try to silence the incident.

Hackers have the same goal, to expose their success in public. Hacking sites is best way to do it.

Oleg Sych has doubts that hacking led to the physical failure of the equipment. This is stated in one of the posts of Ministry of Finance. Most likely, it was talking about damage to the configuration of network equipment, reconfigure elements of communication network, deleting data.

Related: Biden: U.S. to reply to Russian cyber attacks

The question is whether the backup hardware configuration, servers, and databases were preserved. If yes, the information will be quickly restored. State Treasury is recovering its activity, it means that the copies are backed up.

Tool of the attack

According to the available information, the data on the servers and computers on the internal network, at least, the State Treasury, could be destroyed by Trojan killdisk. This is a popular program. It has many varieties. Moreover, it is available in source code, so attackers can always modify it beyond recognition, so that anti-virus programs this program is not found.

Related: Cyber attacks in US, Turkey, Germany and Ukraine conducted from one IP-address, - media

Killdisk program was used, including in attacks using BlackEnergy, against the power company in Ukraine. There was another modification of killdisk. This Trojan deletes information by overwriting, which makes it impossible to recover.

"Applying killdisk we see as a common style. The program is popular, it is used by many hacking groups, so there are two options. To attack on the infrastructure of its Ukraine uses the same grouping or someone using handwriting attacks authors on energy companies to cover their tracks and give the current attack after attack that group," said Sych.

Related: Ukraine offers NATO to create new trust fund to prevent cyber war

Speaking about the perpetrators of the attacks on the Ministry of Finance, the State Treasury and the Pension Fund, the expert suggested that it was a group of people with clear objectives. These goals were not financial, was the specific purpose to conduct sabotage.

"This is not a private commercial group, whose mission is to make money, - Sych notes. - This is a private group, which is paid for the application of financial damage to Ukraine. The aim of the attack is to doubt the country's stability."

Related: Ukrainians created cyber glove to "feel" the virtual reality

Система Orphus

If you find an error, highlight the desired text and press Ctrl + Enter, to tell about it

see more