CERT-UA explained

The Computer Emergency Response Team of Ukraine (CERT-UA) is a specialized structural unit of the State Center for Cyber Defense of the State Service for Special Communications and Information Protection of Ukraine.

History

The unit was founded in 2007. In 2009, the unit was accredited by the Forum of Information Security Incident Response Teams (FIRST). Since 2012, it has been a member of IMPACT. Since 2014, work has been underway to integrate into the HoneyNet Project.^[1]

Legal status

The activities of CERT-UA are envisaged by the Law of Ukraine "On the State Service for Special Communications and Information Protection", the Law of Ukraine "On Telecommunications", the Law of Ukraine "On the Basic Principles of Cybersecurity of Ukraine" and relevant bylaws.^{[2] [3] [4]}

Known operations

In 2014, during the early presidential elections in Ukraine, CERT-UA specialists neutralized hacker attacks on the automated system "Elections".^[5]

In June 2017, the CERT-UA team, together with specialists from the Cyber Police, the Security Service of Ukraine, together with specialists from private companies and foreign partners, participated in countering and eliminating the consequences of large-scale hacker attacks against Ukraine.

In early 2023, the government's Computer Emergency Response Team (CERT-UA) investigated a cyberattack allegedly associated with the Sandworm group.^[6] To disable server hardware, automated user workstations and data storage systems, the attackers used legitimate software, namely the WinRAR file archiver. Having gained unauthorized access to the information and communication system of the attacked object, RoarBat, a BAT script, was used to disable PCs running the Windows operating system. The script performed a recursive search for files by a specific list of extensions for their subsequent archiving using a legitimate WinRAR program with the "-df" option. This option involves deleting the original file and then deleting the created archives. The above script was launched using a scheduled task, which, according to preliminary information, was created and centrally distributed by means of group policy (GPO).^[7]

Notes and References

1. Web site: CERT-UA: скорая киберпомощь. PC WEEK/Ukrainian Edition. ru. 16 October 2014. https://www.webcitation.org/6TNJEKUnr?url=http://www.pcweek.ua/themes/detail_print.php?ID=147850. 16 October 2014. live.
2. Web site: Про Державну службу спеціального зв'язку та захисту інформації. Закон України. 2014-05-26. 30 December 2016. https://web.archive.org/web/20161230003621/http://zakon4.rada.gov.ua/laws/show/3475-15.
3. Web site: Про телекомунікації. Закон України. 2014-05-26. 27 May 2014. https://web.archive.org/web/20140527215820/http://zakon4.rada.gov.ua/laws/show/1280-15/.
4. Web site: Закон України «Про основні засади забезпечення кібербезпеки України» від 05.10.2017 р. № 2163-VIII (Набрання чинності відбудеться 09.05.2018). 19 November 2017. 13 November 2017. https://web.archive.org/web/20171113185425/http://zakon3.rada.gov.ua/laws/show/2163-19.
5. Web site: Коментар Держспецзв’язку щодо інциденту в ЦВК. Прес-служба Держспецзв’язку. 23 May 2014. https://archive.today/20240527012314/https://www.webcitation.org/6Q0jjsfiE?url=http://www.dstszi.gov.ua/dstszi/control/uk/publish/article%3Fart_id=114116. 27 May 2024. live. 26 May 2014.
6. https://www.eset.com/ua/about/newsroom/press-releases/malware/istoriya-dlinoy-v-8-let-ukraina-kak-pole-kiberatak-gruppy-khakerov-sandworm/ Історія довжиною у 8 років: Україна як поле кібератак групи хакерів Sandworm. 22.03.2022
7. https://expert.com.ua/159743-hakery-vykorystaly-winrar-dlya-atak-na-ukrainski-derzhorgany.html Хакери використали WinRAR для атак на українські держоргани. // Кость Могилевський. 02.05.2023