

CERT-UA found a potential link between the attack on Ukrainian sites and the "WEX miner"


There may be a connection between the mastermind of a January series of attacks on Ukrainian government websites and a "miner" acting on behalf of a client of the bankrupt bitcoin exchange WEX. This is stated in the report of the Cyber Threat Response Team in Ukraine CERT-UA.

Researchers conducted a comparative analysis of the compiler, file extensions and some functions of the WhisperKill encryption tool, which was used in the attacks on several Ukrainian ministries and departments on the night of January 14.

It showed that the malware is more than 80% similar to the English-language Encrpt3d malware, also known as WhiteBlackCrypt, which was active in March 2021.

"WhiteBlackCrypt is a fake encryption malware because it does not retain the AES key, effectively making it impossible to restore encrypted files," CERT-UA noted.

The ransom message distributed by WhiteBlackCrypt operators contains the Ukrainian trident and the wallet address 19B5Bt11oUqYnqYnwSXfBgRpwwDGg5Ajirbjn.

Data: CERT-UA.

The same bitcoin wallet has also been mentioned in a series of false reports of mined infrastructure in various regions of Russia since late 2019, allegedly on behalf of a client of the bankrupt bitcoin exchange WEX.

Data: CERT-UA.

At the same time, the researchers admitted that the "miner's" wallet, which had been in the public domain since 2019, could have been used by a third party:

"It's hard to imagine real attackers not changing the wallet for ransom for more than two years."

CERT-UA experts added that the attackers deliberately used the morphological similarity of WhisperKill and WhiteBlackCrypt to accuse the Ukrainian side of attacking its own state structures. Analysts denied the involvement of the Ukrainian Armed Forces SDF in the Encrpt3d hacker group.

Recall that the series of false mine reports in Russia began in November 2019, shortly after the publication of a BBC investigation into the possible involvement of businessman Konstantin Malofeev and FSB officers in the theft of funds belonging to users of the WEX exchange (the successor of BTC-e) totaling $450 million. The unknown "miner" demanded to be paid 120 BTC that had been stolen from the exchange.

Since its creation, the "miner's" wallet has received 0.11 BTC. The last receipt was made in June 2021.

Subsequently, the funds went to the addresses of exchanges with mandatory user verification, in particular, Binance, Kraken and Kucoin.

The other day, unknown attackers sent out false mine reports in various regions of Russia on behalf of Indefibank CEO Sergei Mendeleev. He linked this to his ongoing investigation into the disappearance of funds from the WEX exchange.

On the night of January 14, 2022 unknown hackers attacked more than 70 state resources of Ukraine, ten of which were subjected to unauthorized interference. According to the Ministry of Finance, the content of the sites was not changed and there was no leak of personal data.

However, on January 21 an announcement of the sale of the database of the state portal "Dia", containing 2.6 million lines, appeared online. One of the archives uploaded by the seller contained the records of 100,000 users of the service for 2020 and 2021. The database includes e-mail, phone number, full name, TIN, passport series, number and date of issue, as well as place of residence.

Data: DOU.

Officials from the DOU and cyber police said the posted archives represent a compilation of databases leaked in 2019.

Software architect and blogger Vladimir Rozhkov told ForkLog in a comment that some users of the DOU online programming community had confirmed the accuracy of the data. His colleague contacted people whose documents were issued in 2021, and those who responded also confirmed that the data is real.

"In addition, the database contains a unique identifier that matches the one issued by the DOU portal when logging into the system. My colleague developed a service where you can compare your user ID with the ones in the database. Some of the users confirmed the matches. So there is every reason to believe that the database is real and belongs to "Dia". I don't know how it was accessed," he said.
