At least 30 Ukrainian university websites have been hacked in a targeted attack allegedly launched in support of Russia’s invasion of the European country.
In a report released last night (March 1), researchers from Wordfence said the company had witnessed a “massive attack” on Ukrainian education institutions by threat actors identified as the ‘Monday Group’, which it says has publicly supported Russia’s recent actions.
The group, whose members refer to themselves as ‘the Mx0nday’, have targeted the WordPress-hosted sites more than 100,000 times since February 24, when Russian troops officially invaded Ukraine.
Cyber assaults
A blog post from Wordfence founder and CEO Mark Maunder explains that the company protects over 8,000 websites in Ukraine, including those belonging to more than 300 university institutions. It also provides support to government, military, and police websites.
The security firm said it witnessed a peak of 144,000 web attacks on February 25, one day after the kinetic attack started, Maunder explains.
“The peak is roughly three times the number of daily attacks from earlier in the month across the Ukrainian websites that we protect,” he wrote.
Maunder added: “An attacker was making a concerted effort to attack universities in Ukraine, and they started immediately after the Russian invasion started.”
An investigation into the attacks has identified four IP addresses behind the campaign, which are routed through a VPN service based in Sweden.
The hacking group also appears to have links to Brazil, where Wordfence has claimed it is based.
However, the individuals behind the incident have not yet been publicly identified.
Destructive campaign
The report comes on the heels of new research from ESET, which said several malware families are now being used in targeted attacks against Ukrainian organizations.
A blog post from ESET detailed that on February 23, a “destructive campaign” using HermeticWiper targeted multiple organizations.
The attack used at least three components; HermeticWiper, which makes a system inoperable by corrupting its data; HermeticWizard, which spreads HermeticWiper across a local network via WMI and SMB; and HermeticRansom, ransomware written in Go.
“This cyber-attack preceded, by a few hours, the start of the invasion of Ukraine by Russian Federation forces,” the blog states.
“Malware artifacts suggest that the attacks had been planned for several months.”
HermeticWiper was observed “on hundreds of systems in at least five Ukrainian organizations”, claims ESET, which noted that it has not found any tangible connection with a known threat actor.
