CERT-UA

Computer Emergency Response Team of Ukraine (CERT-UA)

Agency overview
Headquarters	Kyiv, Ukraine
Motto	Handling Cyber Security Incidents
Agency executive	Yevheniia Volibynk
Parent department	State Special Communications Service of Ukraine
Website	cert.gov.ua

The Computer Emergency Response Team of Ukraine (CERT-UA) is a specialized structural unit of the State Center for Cyber Defense of the State Service for Special Communications and Information Protection of Ukraine.

History

The unit was founded in 2007. In 2009, the unit was accredited by the Forum of Information Security Incident Response Teams (FIRST). Since 2012, it has been a member of IMPACT. Since 2014, work has been underway to integrate into the HoneyNet Project.^[1]

Legal status

The activities of CERT-UA are envisaged by the Law of Ukraine "On the State Service for Special Communications and Information Protection", the Law of Ukraine "On Telecommunications", the Law of Ukraine "On the Basic Principles of Cybersecurity of Ukraine" and relevant bylaws.^[2][3][4]

Known operations

In 2014, during the early presidential elections in Ukraine, CERT-UA specialists neutralized hacker attacks on the automated system "Elections".^[5]

In June 2017, the CERT-UA team, together with specialists from the Cyber Police, the Security Service of Ukraine, together with specialists from private companies and foreign partners, participated in countering and eliminating the consequences of large-scale hacker attacks against Ukraine.

In early 2023, the government's Computer Emergency Response Team (CERT-UA) investigated a cyberattack allegedly associated with the Sandworm group.^[6] To disable server hardware, automated user workstations and data storage systems, the attackers used legitimate software, namely the WinRAR file archiver. Having gained unauthorized access to the information and communication system of the attacked object, RoarBat, a BAT script, was used to disable PCs running the Windows operating system. The script performed a recursive search for files by a specific list of extensions for their subsequent archiving using a legitimate WinRAR program with the "-df" option. This option involves deleting the original file and then deleting the created archives. The above script was launched using a scheduled task, which, according to preliminary information, was created and centrally distributed by means of group policy (GPO).^[7]

References

1. "CERT-UA: скорая киберпомощь". PC WEEK/Ukrainian Edition (in Russian). Archived from the original on 16 October 2014. Retrieved 16 October 2014.
2. "Про Державну службу спеціального зв'язку та захисту інформації". Archived from the original (Закон України) on 30 December 2016. Retrieved 26 May 2014.
3. "Про телекомунікації". Archived from the original (Закон України) on 27 May 2014. Retrieved 26 May 2014.
4. "Закон України «Про основні засади забезпечення кібербезпеки України» від 05.10.2017 р. № 2163-VIII (Набрання чинності відбудеться 09.05.2018)". Archived from the original on 13 November 2017. Retrieved 19 November 2017.
5. Прес-служба Держспецзв’язку (23 May 2014). "Коментар Держспецзв'язку щодо інциденту в ЦВК". Archived from the original on 1 June 2014. Retrieved 26 May 2014.
6. Історія довжиною у 8 років: Україна як поле кібератак групи хакерів Sandworm. 22.03.2022
7. Хакери використали WinRAR для атак на українські держоргани. // Кость Могилевський. 02.05.2023

External links

• Official website