CERT-UA has discovered a potential link between the attack on Ukrainian websites and the “miner from the WEX exchange”

There may be a connection between the organizer of the January series of attacks on Ukrainian government websites and a “bomb hoaxer” acting on behalf of a client of the bankrupt bitcoin exchange WEX. This is stated in a report by Ukraine's Computer Emergency Response Team, CERT-UA.

The researchers conducted a comparative analysis of the compiler, file extensions and some functions of the WhisperKill ransomware used in the attacks on a number of Ukrainian ministries and departments on the night of January 14.

It showed that the malware is more than 80% similar to the Encrpt3d malware aimed at English-speaking users, also known as WhiteBlackCrypt, which was active in March 2021.

“WhiteBlackCrypt is fake ransomware, because it does not save the AES key, which in practice makes recovery of the encrypted files impossible,” CERT-UA noted.

The same bitcoin wallet has, since the end of 2019, been mentioned in a series of false bomb threats against infrastructure facilities in various regions of the Russian Federation, allegedly made on behalf of a client of the bankrupt bitcoin exchange WEX.

At the same time, the researchers admitted that the hoaxer’s wallet, which has been publicly known since 2019, could have been used by a third party:

“It’s hard to imagine that real attackers have not changed their ransom wallet for more than two years.”

CERT-UA experts added that the attackers deliberately exploited the morphological similarity of WhisperKill and WhiteBlackCrypt in order to accuse the Ukrainian side of attacking its own state institutions. The analysts denied any involvement of the Special Operations Forces (SSO) of the Armed Forces of Ukraine in the Encrpt3d hacker group.

Recall that the series of false bomb threats on the territory of the Russian Federation began in November 2019, shortly after the BBC published an investigation into the possible involvement of businessman Konstantin Malofeev and FSB employees in the theft of $450 million from users of the WEX exchange (the successor of BTC-e). An unknown “bomb hoaxer” demanded that 120 BTC stolen from the exchange be paid to him.

Since its creation, the hoaxer’s wallet has received 0.11 BTC; the last incoming transaction is dated June 2021.

The funds were subsequently moved to addresses at exchanges with mandatory user verification, in particular Binance, Kraken and KuCoin.

Recently, unknown attackers sent false bomb threats to various regions of the Russian Federation in the name of Indefibank CEO Sergey Mendeleev. He linked this to his own investigations into the funds missing from the WEX exchange.

On the night of January 14, 2022, unknown hackers attacked more than 70 Ukrainian government web resources, ten of which were subjected to unauthorized interference. According to the Ministry of Finance, the content of the sites was not altered and no personal data was leaked.

However, on January 21, an advertisement appeared online offering for sale a database of the state portal “Diia” containing 2.6 million records. One of the archives posted by the seller contained records of 100,000 users of the service for 2020 and 2021. The database includes e-mail address, phone number, full name, TIN, passport series and number with date of issue, and place of residence.

Representatives of the Ministry of Finance and the Cyber Police said that the uploaded archives are a compilation of databases leaked in 2019.

Software architect and blogger Vladimir Rozhkov, in a comment to ForkLog, said that some users of the DOU programmer community confirmed the accuracy of the data. His colleague contacted people whose documents were issued in 2021, and those who replied also confirmed that the data was genuine.

“In addition, the database contains a unique identifier that matches the one issued by the “Diia” portal when logging into the system. My colleague has built a service where you can compare your user ID with those present in the database. Some users confirmed matches. So there is every reason to believe that the database is real and belongs specifically to “Diia”. I don’t know how they got access to it,” he said.