Statistics widget hacked in attempt to breach Russian government agency websites

The software was allegedly used in a short-lived software supply chain attack

Russian authorities say they quickly foiled a cyberattack aimed at compromising government websites via a hacked statistics widget.

The software, developed by Russia’s Economic Development Ministry and embedded in the websites of several state agencies, was hacked on Tuesday, March 8, allowing unidentified hackers to ‘post incorrect content on website pages’ , a representative of the Russian communications agency Recount official Interfax news agency.

Although the incident was “quickly localized”, it nevertheless caused the affected websites to be out of operation for a short period of time before services were restored to normal “within an hour”, according to Interfax.

The widget used to collect visitor statistics was allegedly hacked by unidentified parties as part of a software supply chain attack.

popular plugin

Interfax reports that the compromised websites included those run by the “Russian Federal Prison Service, the Federal Bailiff Service, the Federal Antimonopoly Service, the Ministry of Culture, the Ministry of Energy, the Federal Statistical Service and a number number of other agencies.

Russian authorities play down the incident.

Keep up to date with the latest cyber warfare news

While it is difficult to obtain an independent assessment of the severity of the apparent disfigurement campaign, the incident can nevertheless be seen as an example of the conflict that accompanied Russia’s invasion of Ukraine and s is widespread in cyberspace.

Similarly, earlier this month, at least 30 Ukrainian university websites were hacked as part of a larger operation by pro-Russian attackers against WordPress-hosted sites.

A few days after Russia invaded Ukraine, a strain of destructive malware dubbed “HermeticWiper” was unleashed. This then infected “hundreds of systems in at least five Ukrainian organizations”, according to security software vendor ESET.

Counter attack

Meanwhile, in an attack on Russian targets, the attackers launched the so-called “RURansom” malware.

Despite its name, RURansom is better considered a data eraser than ransomware in the purest sense, as it removes the separate and individual encryption key used to encrypt each file as it spreads, as explained in a writing the threat by Trend Micro.

“This is a windshield wiper, so encrypted files are lost and recovery is only possible from a backup, if [they] exists,” Trend Micro said. The daily sip.

The malware – first spotted by independent security researchers MalwareHunterTeam beginning of March, is written in the .NET programming language and spreads like a worm by copying itself under the filename ‘Россия-Украина_Война-Обновление.doc[dot]exe’ (‘Russia-Ukraine_War-Update.doc[dot]EXE’).

Several versions of the malware attempt to verify if the target machine is in Russia before beginning its infection and file destruction routine, indicating a degree of targeting.

A note left on the compromised machines explicitly states that the malware is designed to harm Russia.

The note was originally written in Bengali. These and other factors led Trend Micro to speculate that the author is from West India and developed other strains of malware previously linked to cryptocurrency mining. .

“We believe it was created by an individual, likely based in India, as noted in the ‘note,'” according to Trend Micro.

It is not known how many machines the Windows-specific RURansom malware has infected. “Based on our telemetry, we haven’t seen any targets in our user base,” Trend Micro said. The daily sip.

YOU MIGHT ALSO LIKE Ukrainian government agencies targeted by cyberattacks deploying MicroBackdoor malware