BLOG: Suspected state front FreeCivilian publishes Ukrainian government data after DDoS and wiper attacks
Executive Summary
On 24 February, our research uncovered that several Ukrainian government websites that were targeted on 23 February by DDoS attacks also subsequently displayed defacement messages in Russian, Ukrainian and Polish.[1] These claimed that material stolen from the victims was being published, linking to a dark web (.onion) domain hosting the data. The defaced websites contained nearly identical graphics to the ones displayed on the Ukrainian government websites that were defaced on 15 January, with the new addition of FreeCivilian’s leak website as “proof” of the leaked data.[2] This wave of defacements comes as Russia escalates its ground invasion of Ukraine, shortly after recognizing the independence of separatist states in the Donbas region.[3]
Despite FreeCivilian’s claim to be an independent cybercriminal, we assess that this operation has likely[4] been conducted or supported by a nation-state actor, because:
Messages left on defaced websites on 23 February strongly resemble those left on defaced websites on 15 January, which were attributed to UNC1151 and the GRU by the Ukrainian and UK governments respectively.
The lack of extortion tactics and the publishing of significant amounts of data for free suggest that the actor’s objective is to disrupt Ukrainian government websites regardless of monetisation.
Metadata from the platform on which the stolen data is hosted shows that files were uploaded as early as 20 February, placing FreeCivilian’s intrusion before the DDoS and wiper malware attacks of 23 February. This may indicate a level of coordination with the actors behind the latter.
Figure 1: Defaced Cabinet Ministers website on 23 February
Figure 2: Dark web portal for FreeCivilian leaks[5]
New leaks
The onion domain leads to the website of FreeCivilian, which is actively selling and uploading new databases obtained from over 45 government websites. Some of the individual databases are up to 3 TB in size.
According to FreeCivilian, the data includes:
Data from the government’s digital services
Scans of passports, driver’s licenses
Correspondence of government employees
Data from the health and interior ministries
Digital services, identification and ticketing documents from the city of Kiev
Figure 3: List of Ukrainian government websites[6]
While we were attempting to download and verify the data, FreeCivilian’s account on the hosting platform was suspended, which hindered our verification. We will update this post with further details if the data is re-uploaded.
FreeCivilian
FreeCivilian has previously attempted to sell leaked data obtained from Ukrainian government departments on dark web forums. On 21 January, they claimed to have gained access to over 15 million records.[7] This included personal data obtained from Diia, a digital services app launched in March 2021 by the Ukrainian government.
According to a statement on their website, FreeCivilian tried to sell the stolen data on RaidForums (a popular forum for selling stolen data), but were subsequently banned after forum users claimed the data FreeCivilian offered was fake. This prompted FreeCivilian to establish their own leak website, which we have observed using unusually professional animations, unlike typical information-broker or ransomware leak websites on the dark web.
Figure 4: FreeCivilian’s first thread on RaidForums[8]
Figure 5: Statement on FreeCivilian’s leak website[9]
Figure 6: FreeCivilian’s account remains banned from the dark web forum
FreeCivilian claims that it is publishing the stolen Ukrainian government data to “earning [sic] some reputation as a data seller”, which, together with the attempted monetisation of the stolen data, potentially paints the threat actor as a cybercriminal.
Despite this purported intent, several aspects suggest FreeCivilian is disguising its true motives.
Firstly, the defaced Cabinet of Ministers website (kmu[.]gov[.]ua) containing a link to the leak website strongly resembles the websites defaced in the 15 January wave of DDoS attacks and defacements targeting Ukrainian government networks. The 15 January attacks were subsequently attributed by the Ukrainian government to UNC1151, a group with alleged ties to the Belarusian state according to Mandiant.[10][11] The UK government attributed the 15 January attacks to Russia’s GRU on 18 February.[12] It is unclear whether FreeCivilian were behind the 23 February defacements themselves and re-used graphics similar to those of the 15 January attacks, or whether the same actors behind the first attacks simply added a link to a cybercriminal leak website as a false flag.
Figure 7: Defaced Ukrainian government websites: 14 January (above), 23 February (below)[13][14]
Secondly, whilst FreeCivilian’s leak website resembles those of Ransomware-as-a-Service (RaaS) groups operating in the region, the lack of extortion tactics and the publishing of 69.27 GB of data for free indicate that this threat actor is determined to damage Ukrainian government departments without providing any opportunity to negotiate.
Thirdly, metadata from the platform hosting the leaked data shows that the threat actor uploaded the data as early as 20 February, indicating that these government departments’ networks had been compromised for some time prior to the DDoS and wiper malware attacks reported by ESET on 23 February.[15] Upload timestamps establish only that the data had been exfiltrated by 20 February; initial access may have occurred considerably earlier.
Figure 8: Metadata on the file hosting platform shows that leaked data was uploaded as early as 20 February[16]
Appendix I: Timeline of events
13 January 2022:
First detection of WhisperGate wiper malware on Ukrainian government networks (MSTIC)[17]
14 January 2022:
70 Ukrainian government websites suffer from DDoS attacks, with the Ministry of Foreign Affairs’ website defaced to display a message addressing Ukrainian citizens[18]
15 January 2022:
Microsoft publishes technical details on WhisperGate wiper malware. Ukrainian government attributes the intrusions to UNC1151, a group previously attributed to the Belarusian state.[19][20]
21 January 2022:
FreeCivilian advertises data obtained from Diia, the Ukrainian government’s digital services app, on the dark web.
Late January / Early February:
Following doubts expressed by forum users, FreeCivilian deletes the thread and sets up a dedicated leak website
18 February 2022:
The UK Government officially attributes the January DDoS attacks to the GRU[21]
23 February 2022:
Ukrainian government websites suffer a new wave of DDoS attacks. The Cabinet of Ministers’ website is defaced, displaying a link to FreeCivilian’s leak website.
ESET reveals that it detected the use of wiper malware on Ukrainian networks, dubbing the malware “HermeticWiper”.[22]
Appendix II: Full list of websites displayed on FreeCivilian
https://anti-violence-map[.]msp[.]gov[.]ua/
https://bdr[.]mvs[.]gov[.]ua/
https://cg[.]mvs[.]gov[.]ua/
https://ch-tmo[.]mvs[.]gov[.]ua/
https://comin[.]gov[.]ua/
https://cp[.]mvs[.]gov[.]ua/
https://cpd[.]mvs[.]gov[.]ua/
https://dabi[.]gov[.]ua/
https://dndekc[.]mvs[.]gov[.]ua/
https://dopomoga[.]msp[.]gov[.]ua/
https://dp[.]dpss[.]gov[.]ua/
https://dpvs[.]hsc[.]gov[.]ua/
https://dsbt[.]gov[.]ua/
https://dsns[.]gov[.]ua/
https://e-services[.]msp[.]gov[.]ua/
https://edu[.]msp[.]gov[.]ua/
https://education[.]msp[.]gov[.]ua/
https://ek-cbi[.]msp[.]gov[.]ua/
https://esbu[.]gov[.]ua/
https://forest[.]gov[.]ua/
https://hutirvilnij-mrc[.]mvs[.]gov[.]ua/
https://kmu[.]gov[.]ua/
https://mail[.]msp[.]gov[.]ua/
https://mepr[.]gov[.]ua/
https://mfa[.]gov[.]ua/
https://minagro[.]gov[.]ua/
https://mms[.]gov[.]ua/
https://mon[.]gov[.]ua/
https://mova[.]gov[.]ua/
https://mtu[.]gov[.]ua/
https://mva[.]gov[.]ua/
https://mvs[.]gov[.]ua/
https://nads[.]gov[.]ua/
https://nkrzi[.]gov[.]ua/
https://odk[.]mvs[.]gov[.]ua/
https://portal-gromady[.]msp[.]gov[.]ua/
https://reintegration[.]gov[.]ua/
https://sies[.]gov[.]ua/
https://sport[.]gov[.]ua/
https://ticket[.]kyivcity[.]gov[.]ua/
https://visnyk[.]dndekc[.]mvs[.]gov[.]ua/
https://wanted[.]mvs[.]gov[.]ua/
https://wcs-wim[.]dsbt[.]gov[.]ua/
https://web-minsoc[.]msp[.]gov[.]ua/
https://zt[.]gov[.]ua/
Probability Yardstick
To ensure consistency when assessing the probability of a potential threat, we use the ‘probability yardstick’ developed by the National Crime Agency’s Professional Head of Intelligence Assessment. The diagram below defines the probability ranges considered when this language is used. This terminology is consistent with that used by the UK National Cyber Security Centre.
Figure 9: Probability Yardstick used by Orpheus Analysts
[4] Assessments in this report were made using the probability yardstick, a framework for words of estimative probability (WEP) adopted by Orpheus Cyber. The probability yardstick is included at the end of this report.
Orpheus is a leading cybersecurity company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence.