On Tuesday, Wordfence posted on their site that they found a massive number of systems owned by Ukrainian universities were compromised. This coincided with the attack of Russia on Ukraine.
Nearly 30 Ukraine-based universities were hacked by a member of the Monday hacker group. Nevertheless, the attacker exposed himself publicly as “theMx0nday” and gave out a statement that he stands by Russia on this issue.
The hacker was based out of Brazil and used “Njalla” an internet service provider that is claimed to be the most notorious Privacy as a service provider of domains, VPSs, and VPNs. Njalla is a Swedish-based hosting provider owned by Peter Sunde. Peter Sunde was also the co-founder of Pirate Bay which is the largest provider of pirated software.
Wordfence stated that they found servers used for routing were owned by Njalla in Finland. However, Njalla has denied this saying their servers were based out of Secret locations in Sweden. Wordfence came up with solid evidence of the facts that they stated as explained below.
Wordfence is responsible for 8000 WordPress websites in Ukraine which made them make a solution for monitoring traffic. They have also said that they will provide a list of IPs to blocklist to all its customers.
This service was previously paid but considering the tensions arising between the two countries and increasing threats, they have decided to provide this service free of cost.
Cyberattack and Russian Attack
Wordfence found a spike in the attack vector graph when Russia started its attack on February 24. An average of a few hundred attacks happen on the educational sites that are protected by Wordfence.
But after the Russian attack, the attacks drastically increased to 104,000 attacks in a single day. The timeline of the attacks was
February 24th – 479
February 25th – 37,974
February 26th – 104,098
February 27th – 67,552
IP’s that Performed the Attack
Wordfence saw a log of nearly 7000 IP addresses during the attack period. However, most of the IPs did not log more than 100 attacks. Except for four IP addresses that were causing almost all of the attacks. The IPs are as follows
|IP||Number of attacks|
185[.]193[.]127[.]179 and Peter Sunde
The IP that logged most of the attacks was owned by Njalla, the hosting provider that was owned by Peter Sunde who was also the co-founder of Pirate Bay. Wordfence allegedly states that Njalla was behind these attacks since they claim themselves as the “most notorious service provider on VPN and VPS” on their homepage.
Wordfence also said that there might be chances that the attacker might be one of their customers, or one of their servers were hacked. It was also described that they targeted educational institutions in Ukraine. The IP 185[.]193[.]127[.]179 A massive amount of 171,000 attacks were conducted on the university sites, few were on government agencies and three individual websites whose name was not revealed.
It seems like the attack was also targeted on companies in Ukraine and some of the attacks were targeted at Brazil.
Wordfence also published various attacks conducted by the “theMx0nday” hacker group. The report also included the duration of time of the attacks and their spike during the Russian Ukraine war.