Ukraine’s security service claims to have thwarted mass cyberattack by Russian special forces

The following is a machine translation of a press release by  Служба безпеки України, the Security Service of Ukraine:


The SBU blocked a mass cyberattack by Russian special services on the computer networks of the Ukrainian authorities

Cyber ​​experts of the Security Service of Ukraine revealed the facts of purposeful distribution of malicious software by the special services of the Russian Federation. Customers planned to hit the computer networks of public authorities, local governments and critical infrastructure.

Specialists of the Security Service of Ukraine established that in early June this year, mass e-mails were sent with a change of address of the sender. In particular, reports from the Kyiv Patrol Police Department allegedly contained malicious attachments and were sent to a number of government agencies.

Malicious software initiates the installation of the client part of the program (remote administration tool) on the affected computer. This allows the foreign intelligence service to remotely exercise full control over the PC. Control and command servers have been installed, which are located on the territory of the Russian Federation.

Cyber ​​experts of the Security Service of Ukraine recommend an urgent inspection of information and telecommunications systems, in particular using indicators published in the platform “MISP-UA” to identify their possible compromise and take prompt precautions.

Compromise indicators:

File name sha1 sha256
Electronic request.rar ce4bf04087f7a011ef020fce81d00a393e37f679 ad15d2d402b03d0dc0fb55842c8159 b868448b8459b4c468b325c225393cfcf4
Electronic request.pdf.rar 2ed6b02df189dbb1d07d76886957d5f7cdcd1463 23388220f257056878c17c5f4f44d1b1a8 478328bbbd14a450ea9bd141021763
Access code 030621.txt e285193b27d5ea1c644973993415bbf9baad86a0 bf135c2003dee739fa69e7f2ee7d460d61 edddfff3747920ee0dbeb1c9f311b2
Electronic request.pdf.exe 9480842a7a94c378ed27771c724bada5bdb758c4 e065fb7712e0c7a8ba1db464bd8d97443 b10d7162c9930fc5a9576c7871e4c78

Command and control servers:

  • 178.210.76.171 (Ru-Center, RF),
  • 176.9.64.70 (Hetzner, Germany)
  • 185.231.68.230 (Zomro, Netherlands)

Domain name:

  • «Rmssrv.ru»

The connection is made to ports 5651, 8080 and 81

To clean the affected computers from the specified SPZ requires:

  • stop a service named Remote Utilities – Host
  • remove directory C: \ Program Files (x86) \ Remote Utilities – Host \

Original Source: Служба безпеки України.

About the author: chum1ng0

Comments are closed.