CERT-UA

The Computer Emergency Response Team of Ukraine (CERT-UA) is a specialized structural unit of the State Center for Cyber Defense of the State Service for Special Communications and Information Protection of Ukraine.

History
The unit was founded in 2007. In 2009, the unit was accredited by the Forum of Information Security Incident Response Teams (FIRST). Since 2012, it has been a member of IMPACT. Since 2014, work has been underway to integrate into the HoneyNet Project.

Legal status
The activities of CERT-UA are envisaged by the Law of Ukraine "On the State Service for Special Communications and Information Protection", the Law of Ukraine "On Telecommunications", the Law of Ukraine "On the Basic Principles of Cybersecurity of Ukraine" and relevant bylaws.

Known operations
In 2014, during the early presidential elections in Ukraine, CERT-UA specialists neutralized hacker attacks on the automated system "Elections".

In June 2017, the CERT-UA team, together with specialists from the Cyber Police, the Security Service of Ukraine, private companies and foreign partners, participated in countering and eliminating the consequences of large-scale hacker attacks against Ukraine.

In early 2023, the government's Computer Emergency Response Team (CERT-UA) investigated a cyberattack allegedly associated with the Sandworm group. To disable server hardware, automated user workstations and data storage systems, the attackers used legitimate software, namely the WinRAR file archiver. Having gained unauthorized access to the information and communication system of the attacked object, the attackers used RoarBat, a BAT script, to disable PCs running the Windows operating system. The script performed a recursive search for files matching a specific list of extensions and then archived them with the legitimate WinRAR program using the "-df" option. This option deletes the original files once they have been archived; the created archives were then deleted in turn. The script was launched by a scheduled task which, according to preliminary information, was created and centrally distributed by means of group policy (GPO).
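A detection-side illustration of the RoarBat pattern described above: an added example, not CERT-UA's or the page's own code, that scans constructed process-creation events for WinRAR runs using the -df switch and ranks script-driven runs (a .bat under cmd.exe, as with a scheduled task) above interactive ones. The simplified key=value log format, the sample paths and the inclusion of the related -dw switch are assumptions.

```python
"""Flag WinRAR/Rar.exe invocations that delete their source files (-df),
the RoarBat technique, across constructed process-creation log lines."""
import re
from dataclasses import dataclass

# Constructed events (not real telemetry), one per line; paths are made up.
SAMPLE_LOG = """\
ts=2023-01-12T03:14:08 image=C:\\Windows\\System32\\cmd.exe parent=svchost.exe cmd="cmd.exe /c C:\\Windows\\Temp\\task.bat"
ts=2023-01-12T03:14:09 image=C:\\Program Files\\WinRAR\\Rar.exe parent=cmd.exe cmd="Rar.exe a -r -df -y C:\\Temp\\a.rar C:\\Users\\*.docx"
ts=2023-01-12T09:02:11 image=C:\\Program Files\\WinRAR\\WinRAR.exe parent=explorer.exe cmd="WinRAR.exe a C:\\Users\\bob\\r.rar C:\\Users\\bob\\r.docx"
ts=2023-01-12T09:05:40 image=C:\\Program Files\\WinRAR\\Rar.exe parent=explorer.exe cmd="Rar.exe a -df D:\\old.rar D:\\old\\*.log"
"""

LINE_RE = re.compile(r'ts=(\S+) image=(.+?) parent=(\S+) cmd="(.*)"$')
ARCHIVERS = {"rar.exe", "winrar.exe"}
# -df deletes originals after archiving; -dw (assumed here) wipes them.
DELETE_SWITCHES = {"-df", "-dw"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

@dataclass
class Finding:
    ts: str
    severity: str
    reason: str

def parse_event(line):
    """Return (ts, image, parent, cmd) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def scan(log_text):
    """Return one Finding per archiver run that deletes its source files."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        ts, image, parent, cmd = ev
        if basename(image) not in ARCHIVERS:
            continue
        switches = {tok.lower() for tok in cmd.split() if tok.startswith("-")}
        hit = switches & DELETE_SWITCHES
        if not hit:
            continue
        # A script host as parent (scheduled .bat) ranks above an Explorer launch.
        sev = "high" if basename(parent) in SCRIPT_HOSTS else "medium"
        findings.append(Finding(ts, sev, f"{basename(image)} {' '.join(sorted(hit))} via {parent}"))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```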