Cyber Incident Victim: System of Electronic Interaction of Executive Bodies
Date: Feb 2021
Location: Ukraine
Summary
Russian-backed hackers compromised Ukraine’s government document management system to conduct a cyberespionage campaign, deploying malicious documents containing macros that installed malware enabling remote control of infected systems. The attack, classified as a supply chain operation exploiting trusted services, targeted multiple state agencies through their shared electronic interaction platform. The same threat actors were linked to simultaneous DDoS attacks against government websites, reportedly in retaliation for law enforcement actions against a ransomware group.
Description
On February 24, 2021, the National Security and Defense Council of Ukraine (NSDC) disclosed a cyberattack targeting the System of Electronic Interaction of Executive Bodies (SEI EB), a critical document management platform used by most Ukrainian public authorities for interagency communications. Russian-backed hackers compromised the system to distribute malicious documents containing macros designed to deploy malware payloads silently. Upon execution, these macros enabled remote command-and-control over infected government computers, facilitating unauthorized access to state networks. The NSDC classified the intrusion as a supply chain attack, noting that threat actors exploited vulnerabilities in tools and services relied upon by government entities rather than targeting them directly. While the advisory did not attribute the operation to a specific Russian advanced persistent threat (APT) group, it emphasized forensic links to Russian cyberespionage units based on the attack’s methods and infrastructure. The NSDC released indicators of compromise (IOCs) to assist administrators in detecting and blocking further exploitation attempts using the same malicious infrastructure.

The SEI EB incident coincided with distributed denial-of-service (DDoS) attacks against multiple Ukrainian government websites, including those of the Security Service of Ukraine (SBU) and the NSDC itself. Ukrainian authorities linked these disruptive attacks to Russian-aligned threat actors, suggesting possible retaliation for the arrests of alleged Egregor ransomware operation members two weeks prior. The SBU’s website became inaccessible one day after it published details of the Egregor-related arrests, aligning with the NSDC’s assessment of retaliatory motives. These parallel cyber operations—the SEI EB compromise and the DDoS campaigns—demonstrated a coordinated effort to disrupt Ukrainian government functions and exfiltrate sensitive data through complementary intrusion vectors. The NSDC’s public advisories underscored the systemic risks posed by supply chain attacks against shared administrative platforms while documenting observable adversary tactics for defensive coordination.
