# Cloudilax

Ukraine Targeted by DDoS Attacks From Compromised WordPress Websites

Ukraine’s computer emergency response team has published an announcement warning of ongoing distributed denial of service (DDoS) attacks targeting pro-Ukraine sites and the government web portal.

The hackers, who remain unknown, compromise and inject malicious JavaScript code into WordPress sites to perform the attacks.

The scripts are placed in the HTML structure of the website’s main files and are base64-encoded to evade detection.

The code runs on the computers of the website visitors. It directs their available computational resources to generate an abnormal number of requests to attack objects (URLs) defined in the code. This results in some of the target websites being overwhelmed by the requests and, as a result, becomes inaccessible to their regular visitors.

All of these happen without the owners or the visitors of the compromised WordPress sites ever realizing it, except for some barely noticeable performance hiccups for the visitors.

Some of the targeted websites are:

  • secjuice.com (infosec advice for Ukrainians)
  • liqpay.ua (inaccessible)
  • gfis.org.ge (inaccessible)
  • kmu.gov.ua (Ukrainian government portal)
  • callrussia.org (project to raise awareness in Russia)
  • gngforum.ge (inaccessible)
  • playforukraine.org (play-based fundraiser)
  • war.ukraine.ua (news portal)
  • micro.com.ua (inaccessible)
  • fightforua.org (international enlistment portal)
  • edmo.eu (news portal)
  • ntnu.no (Norwegian university site)
  • megmar.pl (Polish logistics firm)

The sites above have taken a strong stance in favor of Ukraine in the ongoing conflict with Russia, so they were not selected randomly. Still, the origins of these attacks are not known.

a similar DDoS campaign was conducted in March against a smaller set of pro-Ukrainian websites and Russian targets.

Ukraine’s computer emergency response team is working closely with the National Bank of Ukraine to implement defensive measures against this DDoS campaign.

The compromised websites’ owners, registrars, and hosting service providers have been informed of the situation. The agency has provided instructions on detecting and removing the malicious JavaScript from their sites.

At least 36 websites are confimed to channel malicious garbage requests to the target URLs at this time, but this list could change or be refreshed. Therefore, CERT-UA has included a detection tool in the report to help all website admins scan their sites now and in the future.

Additionally, it is essential to keep your site’s content management systems up to date, use the latest available version of any active plugins, and restrict access to the website management pages.

Found this article interesting? click here to read more exclusive content we post.

Related blogs