Ukraine Finds 2-Year-Old Russian BackdoorThreat Actor Tracked as UAC-0056 Is Behind the Attacks
Russian hackers breached and modified several Ukrainian state websites on Thursday morning using a backdoor planted nearly two years ago.
The incident did not cause significant disruption, says the State Service of Special Communications and Information Protection of Ukraine. But discovery of an encrypted web shell created no later than Dec. 23, 2021, hiding on the server of an official website led to an investigation revealing several additional backdoors.
"At the moment, it can be stated that the incident did not affect the performance of the functions of the state bodies. The work of most information resources has already been restored and they are working normally," the SSSCIP said on Thursday.
The Computer Emergency Response Team of Ukraine is investigating the attacks in coordination with the SSSCIP, the Security Service of Ukraine and the country's Cyber Police. Their findings identified the hackers as belonging to a group tracked as UAC-0056 and said they activated the web shell late Wednesday night. Hackers used the web shell to create an
index.php file in the root web directory.
UAC-0056 is also known as SaintBear, UNC2589 and TA471. The group has been active since at least March 7, 2021, and has made attacks against Ukrainian and Georgian government organizations and critical infrastructure. Cybersecurity firm Rapid7's assesses that the group's activities are aligned with the Kremlin, but no evidence exists that the group is state-sponsored.
The investigation also revealed the presence of three backdoors: CredPump, HoaxPen and HoaxApe. Hackers installed HoaxPen and HoaxApe in February 2022 in the guise of an Apache web server module.
The initial access vector used by the threat actor is unclear, although CERT-UA did reveal that the group used security tunnels such as the Go Simple Tunnel and Ngrok in the early stages of the attack to deliver the HoaxPen backdoor.
Security researchers spotted the same threat actor in spring 2022 deploying malware variants using a malicious Excel file delivered through phishing mails (see: Cyberespionage Actor Deploying Malware Using Excel).