{
	"id": "bc00ebd6-f38e-496a-a929-de2c6205ccd7",
	"created_at": "2026-04-06T00:14:30.386108Z",
	"updated_at": "2026-04-10T13:12:14.297678Z",
	"deleted_at": null,
	"sha1_hash": "b28d8d9c4a0aac011d28b1267709c0729cd0f10d",
	"title": "Ukrainian government calls out false flag operation in recent data wiping attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 144226,
	"plain_text": "Ukrainian government calls out false flag operation in recent data\r\nwiping attack\r\nBy Catalin Cimpanu\r\nPublished: 2023-01-20 · Archived: 2026-04-05 15:24:28 UTC\r\nThe Ukrainian government said today that it found evidence meant to connect the data wiping attack that hit its\r\nown systems two weeks ago to a pro-Ukrainian hacking group in what security researchers typically describe as a\r\n\"false flag\" meant to distract investigators from the real culprits of the attack.\r\nTo better understand what the Ukrainian government is saying, a summary of the original attack is required,\r\nrewritten with the malware nomenclature and timeline presented by Ukrainian authorities:\r\nOn the night between January 13 and January 14, unidentified attackers attempted to gain access and\r\ndeface the websites of more than 70 Ukrainian government agencies.\r\nThe attack successfully defaced 22 websites and severely damaged six.\r\nMost of the government sites were managed by a local IT firm named KitSoft and ran on top of the\r\nOctober CMS website builder.\r\nThe attackers used vulnerabilities in the CMS and KitSoft employee accounts to access servers hosting the\r\nsites to carry out the defacements.\r\nBesides altering websites, the attackers also deployed a malware strain named WhisperGate on servers and\r\ngovernment systems they had previously compromised months before.\r\nThis malware downloaded and ran two components.\r\nThe first was named BootPatch and worked by rewriting the master boot record (MBR) of an infected\r\ncomputer, preventing it from booting and showing a ransom demand instead.\r\nThe second component was named WhisperKill and worked by trashing files by rewriting their content\r\nwith a 0xCC character sequence.\r\nBecause the attackers did not include a data recovery mechanism, the attack was deemed to have been\r\nintentionally designed to be destructive and subsequently blamed on hackers tied to the Russian\r\ngovernment.\r\nBut in 
a report published today by one of the agencies investigating the attacks, Ukraine's State Service for\r\nCommunications and Information Protection (CIP) said that they found that the WhisperKill component contained\r\nmore than 80% of code that was similar to a ransomware strain named WhiteBlackCrypt, suggesting that the\r\nattackers had re-used code from the public domain.\r\nBut while this is a common tactic for nation-state threat actors, CIP doesn't believe the choice to use code from\r\nWhiteBlackCrypt was an accident; it believes the code was chosen on purpose, based on several factors.\r\nFirst, officials pointed out that WhiteBlackCrypt is known to use an ASCII depiction of a trident,\r\nUkraine's official coat of arms, in the ransom note it shows to users.\r\nSecond, officials say the ransomware also reused the same Bitcoin address to gather ransom payments as an\r\naddress that was used in email bomb threats sent to Russian organizations in 2019. 
According to reports in Russian\r\nmedia, some of the funds gathered through this campaign were allegedly sent to a group associated with Ukrainian\r\nspecial services.\r\nThird, CIP says that several Russian Telegram channels have used these two incidents to incorrectly but formally\r\nlink the WhiteBlackCrypt ransomware to Ukraine's Special Services and Armed Forces.\r\nAnd last but not least, CIP says that an individual who posed as the same person who blackmailed Russian\r\norganizations in 2019 resurfaced in January 2022, when they mass-messaged Ukrainian\r\norganizations and urged them to mount attacks against Russia.\r\nAll of this has led CIP and the Ukrainian government to believe that this is a false flag operation\r\nmeant to blame a \"fake\" pro-Ukrainian group for an attack on their own government, rather than the common\r\nassessment that Russian threat actors are behind the attack.\r\n\"The deliberate use of the WhisperKill malware on January 13-14, 2022, which is morphologically similar to the\r\nWhiteBlackCrypt malware and manipulatively associated with the SSO of the Armed Forces of Ukraine, is an\r\nattempt to provoke and distort reality in order to accuse Ukraine of attacks on January 13-14, 2022 year,\" CIP\r\nofficials said today.\r\n\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/ukrainian-government-calls-out-false-flag-operation-in-recent-data-wiping-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/ukrainian-government-calls-out-false-flag-operation-in-recent-data-wiping-attack/"
	],
	"report_names": [
		"ukrainian-government-calls-out-false-flag-operation-in-recent-data-wiping-attack"
	],
	"threat_actors": [],
	"ts_created_at": 1775434470,
	"ts_updated_at": 1775826734,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b28d8d9c4a0aac011d28b1267709c0729cd0f10d.pdf",
		"text": "https://archive.orkl.eu/b28d8d9c4a0aac011d28b1267709c0729cd0f10d.txt",
		"img": "https://archive.orkl.eu/b28d8d9c4a0aac011d28b1267709c0729cd0f10d.jpg"
	}
}