Major leak of Ukrainians’ personal data

21 Jan 2022

Ministryhack (#attack13) attack on Ukrainian resources continued – personal data of citizens published on a hacker forum

Last week, we wrote about the Ministryhack attack, also known as #attack13, on websites and other resources of Ukrainian state institutions. Many Ukrainians felt this cyberattack immediately, because the electronic documents whose convenience everyone has grown accustomed to stopped working. Although many resources have been restored over the past week, on the night of January 21-22 a new blow was dealt to Ukrainians. On the hacker resource RaidForums, an announcement was published about the sale, for $15 000, of roughly 20 gigabytes of archives containing the personal data of Ukrainian and foreign citizens.

In total, three archives have been published with data, respectively, of 2.6, 13.5, and 4.1 million citizens. The archives contain passport data, phone numbers, photographs, data on individual entrepreneurs, and so on.

According to preliminary data, the archives contain information from various public and private sources. Presumably, the data was obtained using Diya services, by compromising eHealth (Ministry of Healthcare, National Healthcare Service), resources of fiscal authorities, Kitsoft, some banks, and so on. Some data is as recent as the end of December 2021, although there is also some outdated data.

The authors of the announcement are also advertising the sale of data from such resources as health.mia.software (Infotech state enterprise), minregion.gov.ua (Ministry of Communities and Territories Development of Ukraine), wanted.mvs.gov.ua (search resource of the Ministry of Internal Affairs of Ukraine), e-driver.hsc.gov.ua (electronic driver’s office), and court.gov.ua (resource of Ukrainian judiciary).

We continue to report on the versions of the attack’s origin and share security recommendations you can rely on.

Microsoft’s version

Microsoft revealed that on January 13, 2022, the company’s experts first discovered the malware, WhisperGate.

It is disguised as ransomware, but instead of holding target devices for ransom it is designed to render them unusable by wiping or overwriting important files on infected systems.

It has also come to light that this wiper was active at several institutions affected by the attack. Experts speculate that WhisperGate may have been part of the Ministryhack cyberattack.

Belarusian trail

The deputy secretary of Ukraine’s National Security and Defence Council, Serhiy Demedyuk, told Reuters that Ukraine suspects that the defacements were carried out by a hacking group known as UNC1151 and GhostWriter, an information operation agent linked to Belarusian intelligence.

However, the experts who are involved in this investigation report that until evidence is found, it is too early to draw conclusions. The investigation into this attack continues.

Cybersecurity recommendations

We recommend that the residents of Ukraine take the following actions:

  • install a mobile application for credit status and credit history monitoring, for example, UBCH;
  • subscribe to monitoring services for state registries, such as Opendatabot;
  • change passwords used for authentication on public resources;
  • regenerate electronic digital signature certificates;
  • regularly change the mentioned passwords and regenerate certificates, especially until the end of winter 2022.

In response to the malicious cyber incidents in Ukraine, including the defacement of government websites and the presence of destructive malware in Ukrainian systems, the eminent cybersecurity agency CISA has published recommendations on cybersecurity measures to protect against potential critical threats. The CISA Insights report urges executives and network defenders to be wary of malicious cyber activity and provides a checklist of specific actions that every organisation, regardless of sector or size, can take immediately to:

  • reduce the likelihood of a destructive cyber intrusion,
  • detect a potential intrusion,
  • ensure that the organisation is prepared to respond in case of an intrusion, and
  • maximise the organisation’s resilience to disruptive cyber incidents.

We recommend that senior executives and information security professionals read the CISA Insights bulletin and implement the cybersecurity measures outlined in the checklist.

Seek our help if you lack the resources or expertise to implement these recommendations on your own.
