Cyber Incident Victim: Government of Ukraine

Date: Dec 2021

Location: Ukraine

Summary

Russian state-linked hackers compromised Ukrainian government websites by deploying backdoors through web shells, later installing additional malware including CredPump, HoaxPen, and HoaxApe. The attackers leveraged tools like GOST and Ngrok during initial intrusion phases, with evidence suggesting persistent access established over a year prior. While the breach led to webpage defacements, it did not cause critical operational disruptions to public services. The threat actor, identified as Ember Bear, has historically targeted Ukrainian entities with phishing campaigns and fake ransomware, while also expanding operations to North American, Western European, and Georgian organizations aligned with Russian strategic interests. Separate but related cyber activities involved failed data-wiping attacks by another Russian-linked group using CaddyWiper malware against Ukrainian critical infrastructure.

CIA Posture: Available to members

Motives: 3 motives

Tactics, Techniques & Procedures: 1 technique

Threat Actor: 1 actor

Type: Available to members

Location: Available to members

Description

In December 2021, Russian state-sponsored hackers tracked as UAC-0056 (also known as Ember Bear or Lorec53) compromised multiple Ukrainian government websites by planting web shells. These backdoors remained undetected for over a year until February 23, 2023, when Ukraine's Computer Emergency Response Team (CERT-UA) discovered active exploitation during an attack on central and local authority websites. The threat actors used the dormant web shell to deploy three backdoors—CredPump, HoaxPen, and HoaxApe—in February 2022, leveraging tunneling tools GOST and Ngrok during initial intrusion phases to establish command-and-control channels. The attackers modified website content during the 2023 incident but did not achieve persistent operational disruption. Forensic analysis revealed the group had maintained access since late 2021, with heightened phishing campaigns and network compromise efforts against Ukrainian targets beginning that December.

Ukrainian cybersecurity agencies including SSSCIP, the Security Service of Ukraine, and Cyber Police formed a joint response team under the National Cybersecurity Coordination Center to isolate and investigate the breach. The SSSCIP confirmed no critical system failures occurred, preserving government operational continuity. Ember Bear's activities align with Russian state interests, with historical targeting of Ukrainian entities through phishing emails delivering backdoors, information stealers, and fake ransomware since at least March 2021. The group expanded operations to North American and Western European organizations and conducted coordinated attacks against Georgian government agencies. This incident followed another Russian state-sponsored attack in January 2023, where Sandworm hackers unsuccessfully deployed CaddyWiper malware against Ukraine's national news agency, mirroring a failed April 2022 attack on a Ukrainian energy provider.
