Report: Digital incidents in the Ukrainian civil society sector in the first quarter of 2023

From January to March 2023, civil society organizations and activists were regularly targeted by digital attacks, ranging from phishing attempts to the hijacking of accounts and websites. During this period, Digital Security Lab (DSL) recorded 24 such incidents. Some of these attacks succeeded.

Below we share real examples of these attacks and give recommendations on how to reduce the risk.

The incidents included: 8 phishing attacks, 7 account hacking attempts (3 of them successful), 6 social media account restrictions and 2 successful website hacks.

Phishing with malware

In the first quarter, DSL recorded 8 phishing cases: 5 of them carried a link to a phishing site, and 3 carried malicious software (malware) as an attachment. None of the attempts succeeded.

Civil society organizations working with DSL received phishing emails carrying malware. In one case, the email purported to come from the Pecherskyi District Court: an "assistant judge" demanded certain information urgently and threatened a fine for non-compliance. Another example was a debt notice purportedly from Ukrtelecom.

Attached to the emails was a password-protected archive containing the malware. Running the file inside the archive installs a remote-access tool that gives the attacker control of the device and the ability to monitor its user.

CERT-UA observed the same campaign against government bodies and reports that it tracks this activity under the identifier UAC-0050, which has been active since at least 2020.

Recommendations: Treat emails with attachments with suspicion, especially password-protected archives. Mail gateways and antivirus scanners cannot inspect encrypted contents, which is exactly why attackers use them. If a court, a provider or any other institution demands information urgently, verify the request through a contact channel you already trust, not the phone number or address given in the email.
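Why a password-protected archive is not invisible to a mail filter, shown as an added example (this is illustrative code written for this page, not tooling from DSL or CERT-UA). In the ZIP format the file names and the "encrypted" flag of every entry live in the central directory in the clear; only the file bodies are encrypted. A gateway can therefore refuse an archive that carries an encrypted executable, or quarantine any encrypted archive for manual review, without ever knowing the password. The sample archives, the extension list and the verdict names are all constructed for the example.

```python
"""Triage a ZIP e-mail attachment from header metadata alone, no password needed.

Added example, not code from DSL or CERT-UA. The archives below are constructed
test data; the extension policy and verdict names are assumptions for illustration.
"""
import io
import os
import struct
import zipfile

# Extensions that have no business inside an e-mail attachment (assumed policy list).
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".lnk",
                       ".hta", ".msi", ".dll", ".ps1", ".jar"}

# Bit 0 of the ZIP general-purpose flag field marks an encrypted entry.
FLAG_ENCRYPTED = 0x0001


def build_encrypted_zip(filename: str, payload: bytes) -> bytes:
    """Hand-build a one-entry ZIP with the 'encrypted' flag set (constructed test data).

    The stdlib can read password-protected archives but cannot write them, so the
    local header, central directory and end-of-central-directory record are packed
    by hand. The body mimics the ZipCrypto layout (12-byte header plus data) but is
    filler; only the metadata matters for the triage below.
    """
    name = filename.encode("utf-8")
    body = b"\x00" * 12 + payload
    date = 0x21  # 1980-01-01 in DOS date format
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, FLAG_ENCRYPTED, 0, 0, date,
                        0, len(body), len(payload), len(name), 0) + name
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, FLAG_ENCRYPTED,
                          0, 0, date, 0, len(body), len(payload), len(name),
                          0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local) + len(body), 0)
    return local + body + central + eocd


def build_plain_zip(filename: str, payload: bytes) -> bytes:
    """Ordinary unencrypted ZIP, for comparison (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(filename, payload)
    return buf.getvalue()


def triage_zip(data: bytes) -> dict:
    """Return a verdict for a ZIP attachment using only central-directory metadata.

    verdict:
      "block"      - an entry has an executable extension (encrypted or not)
      "quarantine" - encrypted entries present, so content cannot be scanned
      "scan"       - nothing encrypted; hand over to the normal AV scan
      "reject"     - not a parseable ZIP (truncated, or another format such as
                     RAR/7z, which this function does not understand)
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "reject", "entries": [], "reasons": ["not a valid ZIP archive"]}
    entries, reasons = [], []
    with zf:
        for zi in zf.infolist():  # readable without the password
            encrypted = bool(zi.flag_bits & FLAG_ENCRYPTED)
            # splitext keeps only the last extension, so "invoice.pdf.exe" -> ".exe"
            suffix = os.path.splitext(zi.filename)[1].lower()
            entries.append({"name": zi.filename, "encrypted": encrypted, "suffix": suffix})
            if suffix in EXECUTABLE_SUFFIXES:
                reasons.append(f"executable entry {zi.filename!r} (encrypted={encrypted})")
            elif encrypted:
                reasons.append(f"encrypted entry {zi.filename!r} cannot be content-scanned")
    if any(e["suffix"] in EXECUTABLE_SUFFIXES for e in entries):
        verdict = "block"
    elif any(e["encrypted"] for e in entries):
        verdict = "quarantine"
    else:
        verdict = "scan"
    return {"verdict": verdict, "entries": entries, "reasons": reasons}


def content_scannable(data: bytes, name: str) -> bool:
    """True if the entry's bytes can be read and therefore handed to an AV engine."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        try:
            zf.read(name)
            return True
        except RuntimeError:  # "File ... is encrypted, password required for extraction"
            return False


if __name__ == "__main__":
    lure = build_encrypted_zip("invoice_2023.exe", b"MZ" + b"\x90" * 40)
    print(triage_zip(lure))
    print("content scannable:", content_scannable(lure, "invoice_2023.exe"))
```

The caveat a filter author needs: this works because ZIP never encrypts its directory. 7-Zip with header encryption (`-mhe=on`) and RAR with `-hp` encrypt the file names as well, so for those formats the only signal left is "this is an encrypted archive", which for most civil society mail flows is still enough to quarantine and ask the sender to confirm through another channel.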

Account hacking

From January to March, DSL also recorded 7 attempts to hack accounts, 3 of which were successful.

On February 24, attackers hijacked the Meta Business Suite of a Ukrainian media outlet. The owners first noticed suspicious activity in the account (new administrators appeared, pages were renamed, some posts were deleted) and then lost access to the business account entirely. This was probably a commercially motivated hack. The attack vector is unknown; phishing of an administrator's credentials is suspected.

By contacting Meta support with the help of partners, the outlet regained access to the business account.

Recommendations:

  • review who has access to your public page and Business Manager, and remove anyone who no longer needs it;
  • configure additional protection, such as two-factor authentication, on the personal accounts of the administrators and editors of your Facebook pages: whoever takes over one of those accounts inherits its page permissions.

Account restriction

When Russia's full-scale invasion of Ukraine began, Ukrainian users started facing frequent social media bans for war-related posts.

Some companies changed their rules and relaxed the restrictions after appeals from Ukrainian government structures, civil society organizations and international partners.

However, despite these concessions, DSL continues to encounter restrictions on the accounts of media and civil society organizations that write about the war: they may be barred from collaborative posts, have their reach reduced, or have their ads blocked.

For example, the Instagram account of one media outlet was restricted for using the word "Azov" and for illustrations calling for a boycott of Russia's participation in the Olympics.

Recommendations:

  • avoid hate speech and obvious violations of the platform rules;
  • always file an appeal when an account is restricted;
  • ask DSL for help (we work only with media, social activists, human rights defenders and volunteers).

Blackouts

Since the beginning of the quarter, Ukrainians have continued to experience blackouts and communication outages caused by Russian shelling of Ukraine's critical infrastructure. In the second half of February the situation stabilized, but the problem remains acute in the occupied and front-line territories.

According to NetBlocks, its metrics for March 9 show a significant drop in Internet connectivity across many regions of Ukraine following massive Russian shelling, mainly because of emergency power cuts.


Disclaimer: This report covers only incidents that Digital Security Lab handled or encountered between January and March 2023.