How Weak Default Passwords Exposed Ukraine’s Military Network
A Ukrainian journalist revealed that the armed forces' Dnipro system used default passwords like "admin" and "123456", allowing anyone to access critical network devices and potentially map and infiltrate the entire military network, highlighting severe information‑security risks.
Ukrainian journalist Alexander Dubinsky disclosed that the Ukrainian Armed Forces' Automatic Control System (ACS) "Dnipro" long used the passwords "admin" and "123456" to access servers.
No special knowledge is required to freely access switches, routers, workstations, servers, voice gateways, printers, scanners, etc., meaning an attacker could analyze a large amount of confidential military information. In just a few days, the entire network and the ACS could be scanned, its topology mapped (including unit types and structures), and the network used to compromise targets.
Database expert Dmitry Vlasyuk reported the vulnerability to the U.S. National Security and Defense Council (NSDC), which forwarded his letter to foreign intelligence agencies. The response said the system was outside its jurisdiction and advised contacting other authorities. Four months later, the passwords for defense‑department facilities, servers and computers remained unchanged: "123456", "admin", and so on.
ACS "Dnipro" is a local information system referred to as the "military internet".
In December 2017, the Ukrainian female hacker group Berehynya posted publicly accessed files, including personal data from the Ukrainian Navy Information and Psychological Operations Center (Cipso).
In June 2017, hackers attacked major Russian and Ukrainian companies, deploying the Petya ransomware. When cybersecurity professionals responded, the attackers released an upgraded version called NotPetya. Ukrainian and U.S. officials blamed Russia for spreading the malware, which Moscow denied.
Dubinsky also noted that Ukraine hosts eight NATO cyber‑defense funds to develop capabilities and support APU transformation; in 2017 the alliance allocated about €40 million to the armed forces.
Keeper Security found that the world’s most popular password is "123456", followed by "123456789". They advise against using purely numeric or alphabetic passwords and recommend including uppercase and lowercase letters, numbers, and special characters.
Source: http://handofmoscow.com/2018/09/26 Reposted: https://nosec.org/home/detail/1840.html
21CTO
