There may be a link between the organiser of January’s wave of attacks on Ukrainian government websites and the “miner” who has been acting on behalf of a client of the collapsed bitcoin exchange WEX, according to a report by Ukraine’s Computer Emergency Response Team, CERT-UA.
Researchers compared the compiler, file extensions and certain functions of the WhisperKill ransomware used against a number of Ukrainian ministries and agencies on the night of January 14.
The comparison showed the malware to be more than 80% similar to Encrpt3d, also known as WhiteBlackCrypt, a threat targeting English-speaking users that was active in March 2021.
“WhiteBlackCrypt is a fake ransomware, because it does not preserve an AES key, which effectively makes the recovery of encrypted files impossible,” CERT-UA noted.
The ransom note distributed by WhiteBlackCrypt operators contains the Ukrainian trident and the wallet address 19B5Bt11oUqYnwSXfBgRpwwDGg5Ajirbjn.
That same bitcoin wallet has been cited since late 2019 in a series of false bomb-threat messages against infrastructure facilities in various regions of Russia, sent purportedly on behalf of a client of the collapsed WEX exchange.
Nevertheless, the researchers noted that the wallet the miner has used since 2019 could have been reused by a third party:
“It is hard to imagine that real criminals would not change the wallet used to receive the ransom for more than two years.”
CERT-UA experts added that the attackers deliberately exploited the code similarity between WhisperKill and WhiteBlackCrypt in order to accuse the Ukrainian side of attacking its own government bodies. The analysts also rejected the suggestion that the Special Operations Forces of the Armed Forces of Ukraine (ССО ВС) were involved in the Encrpt3d group.
As reported earlier, the spate of false bomb threats across Russia began in November 2019, soon after a BBC investigation into the possible involvement of businessman Konstantin Malofeyev and FSB officers in the theft of around $450 million of user funds from the WEX exchange (the successor of BTC-e). An unknown “miner” demanded payment of 120 BTC, which had been stolen from the exchange.
Since its creation, the miner’s wallet has received 0.11 BTC; the latest transfer dates from June 2021.
The funds were subsequently moved to addresses at exchanges that require user verification, namely Binance, Kraken and KuCoin.
Recently, unknown attackers sent false bomb-threat messages to various regions of Russia in the name of Indefibank CEO Sergey Mendelyev, who linked this to the investigations he is conducting into the missing WEX funds.
On the night of January 14, 2022, unknown hackers attacked more than 70 Ukrainian government web resources, ten of which were subjected to unauthorized interference. According to the Ministry of Digital Transformation, site content was not altered and no personal data was leaked.
However, on January 21 a post appeared online offering for sale a database of the state portal Diia containing 2.6 million rows. One of the archives released by the seller contained records of 100,000 users of the service for 2020 and 2021. The records include email address, phone number, full name, taxpayer identification number, passport series, number and issue date, and place of residence.
Representatives of the Ministry of Digital Transformation and the Cyber Police stated that the released archives are a compilation of databases leaked in 2019.
Software architect and blogger Vladimir Rozhkov told ForkLog in an interview that some members of the DOU developer community had confirmed the data’s authenticity. A colleague of his contacted people whose documents were issued in 2021, and those who responded also confirmed that the data are genuine.
“Furthermore, the database contains a unique identifier that matches the one issued by the Diia portal when logging into the system. My colleague developed a service where you can compare your user ID with those in the database. Some users confirmed matches. Thus there are grounds to believe the database is genuine and indeed relates to Diia. How access to it was obtained is unknown to me,” he said.
