Ukraine Central Bank Detects Massive Attack Preparation

Banks in Ukraine Alerted to Attack Spread via Malicious Word Docs
National Bank of Ukraine in Kiev. (Photo: Musia-97, via Creative Commons)

Ukraine's central bank has warned state-owned and private banks across the country that a new malware campaign targeting financial services firms may be a prelude to another assault of NotPetya proportions.

"The nature of this malicious code, its mass distribution, and the fact that at the time of its distribution it was not detected by any anti-virus software, suggest that this attack is preparation for a mass cyberattack on the corporate networks of Ukrainian businesses," the central bank warned financial institutions earlier this month, in a letter seen by Reuters.

It added that the attacks have been spreading via malicious Microsoft Word documents attached to emails.

The National Bank of Ukraine - the country's central bank - declined to share a copy of the letter with Information Security Media Group, but confirmed that it had alerted banks to a new, potentially major attack.

"In order to prevent cyber attacks, the National Bank of Ukraine consistently cooperates with banking sector participants, the State Service of Special Communication and Information Protection of Ukraine (SSCIPU), as well as relevant units of the Security Service of Ukraine and the National Police of Ukraine," a spokesman for the National Bank of Ukraine tells ISMG.

"On August 11, the NBU promptly informed banks about new malicious code, its characteristics, indicators of compromise and the need to take preventive measures to prevent the networks from being attacked by malicious codes."

The bank is also spearheading the creation of a new group that would facilitate more real-time sharing of threat intelligence across the financial services sector.

"The NBU is involved in efforts to establish the NBU Computer Security Incident Response Team (CSIRT-NBU) to respond promptly to cyber incidents and share information in real time with all the banking sector participants and law enforcement agencies," the NBU spokesman says.

Malware and ransomware have long been distributed via malicious files attached to spam emails, designed to trick recipients into executing the attachment or otherwise aid the attack (see Hello! Can You Please Enable Macros?). If such attachments do get opened, they typically function as a "dropper," downloading additional malware from an attacker-controlled server onto the by now infected, or "zombie," endpoint.

Ukraine Celebrates Independence

Earlier this month, Ukraine's national computer emergency response team, CERT-UA, warned that there is an elevated risk of attacks from August 20 to 25 as Ukraine celebrates its 1991 independence from the USSR.

Accordingly, CERT-UA advised organizations in Ukraine to take precautions to defend themselves against a potential reprise of the NotPetya - aka Petya-A, SortaPetya, Petna, ExPetr, GoldenEye, Nyetya, Diskcoder.C - campaign launched on June 26. Cyber police in Ukraine, as well as such security firms as Cisco Talos, ESET, Microsoft and Symantec, have said the attacks were facilitated by a "cunning backdoor" that attackers added to widely used accounting software called M.E. Doc (see NotPetya Patient Zero: Ukrainian Accounting Software Vendor).

It's not clear if CERT-UA's independence-celebration alert was based on specific intelligence, or just a general warning. The government-based computer emergency response team did not immediately reply to a request for additional information.

NotPetya's Global Impact

While Ukraine was the epicenter of the NotPetya attacks, they quickly spread to offices and business partners in other countries, including Britain's WPP advertising agency, Russian oil giant Rosneft, French construction materials company Saint-Gobain and the Netherlands-based shipping service TNT Express, among others, with some reporting substantial losses as a result (see Maersk Previews NotPetya Impact: Up to $300 Million).

Ukrainian officials have blamed Russia for launching NotPetya and other attacks. The Russian government has denied those accusations.

NATO, meanwhile, has said the attack "can most likely be attributed to a state actor."

While the timing could be coincidence, the attack was launched on the eve of Ukraine's Constitution Day, commemorating the signing of the country's constitution in 1996, following the country's 1991 independence.

Four Lookalike Attacks

NotPetya was just the latest in a series of attacks that have used malware designed to look like previously seen strains of malware. The four strains are XData, PSCrypt, NotPetya and a WannaCry lookalike (see Ukraine Power Supplier Hit by WannaCry Lookalike).

There's evidence that the same group of attackers may be behind more than one of those malware campaigns. The anti-malware researchers behind MalwareHunter Team say that backdoored M.E. Doc software was used to distribute not just NotPetya, but also the XData malware, which appeared in mid-May.


August 21: Story updated with comments from the National Bank of Ukraine.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
