The news website Babel reports that their editor Hlib Husev was targeted in a hacker attack.
According to the media outlet, Husev received a letter from one james***[email protected], signed “Ihor D****uk”, in his personal inbox on the afternoon of 18 June. The sender said they had gotten Husev’s contact from someone named Serhiy S***r and asked for help in reporting some information.
“It was hard not to suspect a phishing attempt based on the letter’s initial data, especially considering that Hlib Husev knew no one with these names,” the team stressed.
They added that the “information” they were asked to share was as follows:
“I am an infantryman in *** SAR’s Assault Battalion No. 2. The commander of our battalion demands that all infantrymen give up 30% of their combat wages every month…”
The sender then described the hardship faced by the unit and said that they had been “sent screenshots of correspondence, payments, and all this below-board accounting,” and said that he was ready to “share the evidence.”
The unit to which the sender referred is one of the most famous among the UAF assault troops. This unit was featured in a high-profile news story by Hlib Husev, which came out two months ago and has been viewed 130 thousand times.
The Babel team stressed that the attacker had clearly opted for the “social engineering” method, having studied their editor’s history and planned an attack specifically targeted at him. The letter closed with a link to an external resource: a folder on the fex.net service.
The team analysed the malicious software in an isolated environment. The link led to an archive containing two “office” documents with macro programs of 25 MB and 27 MB in size. They were “fresh” – created that morning.
“Using a cryptographic algorithm, we obtained the so-called hash sum of the files: that is, strings of letters and numbers unique for each file. We found no similar ‘hash sums’ in the open database of malicious software. This meant that the attacking script was probably personalised,” the team said.
The news outlet also studied the code of the macro programs (without running the macros themselves). It turned out that the files were of the “dropper” type. They were supposed to “unzip” into a separate program on the computer and run it in the background. The program was supposed to quietly observe and collect information.
The Babel team have reported the targeted hacker attack to CERT-UA, whose experts have confirmed that the files were malicious. The analysis continues.
Babel promised to add a detailed comment from CERT-UA to its news about the attack on Husev when they receive one.
The available data did not allow the Babel team to identify the attacker. However, they recalled that the day before, MP Yaroslav Zhelezniak alleged that Babel did not disclose its real owners. The news outlet’s co-founder and chief editor Kateryna Kobernyk responded by calling his statements pressure on the team and an attempt to smear it.
In a comment to an Institute of Mass Information journalist, Hlib Husev said that the attack had not been incidental, because the team was working on several news reports on sensitive topics and a leak of information could pose a physical threat to the persons mentioned in them.