Skip to content

IOCs from the Attacks on Ukrainian Government Infrastructure

Home News & Blogs IOCs from the Attacks on Ukrainian Government Infrastructure

Our deception environments detected a recent attack, dating back to early February 2022, involving threat actors attempting to attack Ukrainian government infrastructure. These actors exploited the CVE-2021-4034 vulnerability in an attempt to run commands as privileged users. Find out more about the attack at our previous blogpost.

These were the topics discussed in our recent webinar:

Technical Evidence of Attacks on Ukrainian Government Infrastructure
Uncovering Threat Actor Techniques

If you missed the webinar, you can register to watch it on-demand here:

https://bit.ly/3ttCUp8

In this webinar, we discussed an in-depth analysis of this attack with Nicole Carignan, CounterCraft Customer Success Manager, and David Barroso, CEO. Watch it and stay tuned for any updates on the intel gathered by the deception environment.

The IoCs from the attack were the following:

ValueSHA-256Description
CVE-2021-4034a3c982eff2948f3dfbe97bdf3d631f8bb82c78e231b5f5978e4ef370fdc52174https://github.com/berdav/CVE-2021-4034
PwnKit4dcae1bddfc3e2cb98eae84e86fb58ec14ea6ef00778ac5974c4ec526d3da31fhttps://github.com/ly4k/PwnKit
привет.py23c17ac3e7acb1db22e8498b6ffcaed74e6beba8d2dc0ab5ac2d4fe9ae5a82c5Hello.py script
информация.py83050f289b33f9301497968ab9aac4948e98fdd3defacbe5870fa981fca1efb8Info.py script
Stealth_ShellBot.plb9e059e282500571ffec2442fcd3c04071ee7a08f7bc43757bd5346fc52e1571Perl IRC script
45.9.148.99Nice IT Customers Network – Kimon S. – 28 Cork Street, Roseau, DominicaIRC Server
209.141.32.204FranTech Solutions – Francisco Dias – 1621 Central Ave, Cheyenne, WYCompromised host used for staging

If you register for the webinar, you will automatically receive any new intel we pick up regarding this situation. You can also follow our LinkedIn for updates.

Learn more what we can do for Federal and government agencies.