Our deception environments detected a recent attack, dating back to early February 2022, involving threat actors attempting to attack Ukrainian government infrastructure. These actors exploited the CVE-2021-4034 vulnerability in an attempt to run commands as privileged users. Find out more about the attack in our previous blog post.

These were the topics discussed in our recent webinar:

Technical Evidence of Attacks on Ukrainian Government Infrastructure
Uncovering Threat Actor Techniques

If you missed the webinar, you can register to watch it on-demand here:


In this webinar, we discussed an in-depth analysis of this attack with Nicole Carignan, CounterCraft Customer Success Manager, and David Barroso, CEO. Watch it and stay tuned for any updates on the intel gathered by the deception environment.

The IoCs from the attack were the following:

| File | Hash | Description |
| --- | --- | --- |
| привет.py | 23c17ac3e7acb1db22e8498b6ffcaed74e6beba8d2dc0ab5ac2d4fe9ae5a82c5 | Hello.py script |
| информация.py | 83050f289b33f9301497968ab9aac4948e98fdd3defacbe5870fa981fca1efb8 | Info.py script |
| Stealth_ShellBot.pl | b9e059e282500571ffec2442fcd3c04071ee7a08f7bc43757bd5346fc52e1571 | Perl IRC script |

IT Customers Network – Kimon S. – 28 Cork Street, Roseau, Dominica
IRC Server Solutions – Francisco Dias – 1621 Central Ave, Cheyenne, WY
Compromised host used for staging

If you register for the webinar, you will automatically receive any new intel we pick up regarding this situation. You can also follow our LinkedIn for updates.

Learn more about what we can do for federal and government agencies.