2022 Ukraine cyberattacks



During the prelude to the Russian invasion of Ukraine and the Russian invasion of Ukraine, multiple cyberattacks against Ukraine were recorded, as well as some attacks on Russia. The first major cyberattack took place on 14 January 2022, and took down more than a dozen of Ukraine's government websites. According to Ukrainian officials, around 70 government websites, including the Ministry of Foreign Affairs, the Cabinet of Ministers, and the National and Defense Council (NSDC), were attacked. Most of the sites were restored within hours of the attack. On 15 February, another cyberattack took down multiple government and bank services.

On 24 February, Russia launched a full-scale invasion of Ukraine. Western intelligence officials believed that this would be accompanied by a major cyberattack against Ukrainian infrastructure, but this threat did not materialize. Cyberattacks on Ukraine have continued during the invasion, but with limited success. Independent hacker groups, such as Anonymous, have launched cyberattacks on Russia in retaliation for the invasion.

The Canadian government in an undated white paper published after 22 June 2022 believed "that the scope and severity of cyber operations related to the Russian invasion of Ukraine has almost certainly been more sophisticated and widespread than has been reported in open sources."

Background
At the time of the attack, tensions between Russia and Ukraine were high, with over 100,000 Russian troops stationed near the border with Ukraine and talks between Russia and NATO ongoing. The US government alleged that Russia was preparing for an invasion of Ukraine, including "sabotage activities and information operations". The US also allegedly found evidence of "a false-flag operation" in Eastern Ukraine, which could be used as a pretext for invasion. Russia denies the accusations of an impending invasion, but has threatened "military-technical action" if its demands are not met, especially a request that NATO never admit Ukraine to the alliance. Russia has spoken strongly against the expansion of NATO to its borders.

January attacks
The attacks on 14 January 2022 consisted of the hackers replacing the websites with text in Ukrainian, erroneous Polish, and Russian, which state "be afraid and wait for the worst" and allege that personal information has been leaked to the internet. About 70 government websites were affected, including the Ministry of Foreign Affairs, the Cabinet of Ministers, and the Security and Defense Council. The SBU has stated that no data was leaked. Soon after the message appeared, the sites were taken offline. The sites were mostly restored within a few hours. Deputy secretary of the NSDC Serhiy Demedyuk, stated that the Ukrainian investigation of the attack suspects that a third-party company's administration rights were used to carry out the attack. The unnamed company's software had been used since 2016 to develop government sites, most of which were affected in the attack. Demedyuk also blamed UNC1151, a hacker group allegedly linked to Belarusian intelligence, for the attack.

A separate destructive malware attack took place around the same time, first appearing on 13 January. First detected by the Microsoft Threat Intelligence Center (MSTIC), malware was installed on devices belonging to "multiple government, non-profit, and information technology organizations" in Ukraine. Later, this was reported to include the State Emergency Service and the Motor Transport Insurance Bureau. The software, designated DEV-0586 or WhisperGate, was designed to look like ransomware, but lacks a recovery feature, indicating an intent to simply destroy files instead of encrypting them for ransom. The MSTIC reported that the malware was programmed to execute when the targeted device was powered down. The malware would overwrite the master boot record (MBR) with a generic ransom note. Next, the malware downloads a second .exe file, which would overwrite all files with certain extensions from a predetermined list, deleting all data contained in the targeted files. The ransomware payload differs from a standard ransomware attack in several ways, indicating a solely destructive intent. However, later assessments indicate that damage was limited, likely a deliberate choice by the attackers.

On 19 January, the Russian advanced persistent threat (APT) Gamaredon (also known as Primitive Bear) attempted to compromise a Western government entity in Ukraine. Cyber espionage appears to be the main goal of the group, which has been active since 2013; unlike most APTs, Gamaredon broadly targets all users all over the globe (in addition to also focusing on certain victims, especially Ukrainian organizations ) and appears to provide services for other APTs. For example, the InvisiMole threat group has attacked select systems that Gamaredon had earlier compromised and fingerprinted.

Russia
Russia denied allegations by Ukraine that it was linked to the cyberattacks.

Ukraine
Ukrainian government institutions, such as the Center for Strategic Communications and Information Security and the Ministry of Foreign Affairs, suggested that the Russian Federation was the perpetrator of the attack, noting that this would not be the first time that Russia attacked Ukraine.

International organizations
European Union High Representative Josep Borrell said of the source of the attack: “One can very well imagine with a certain probability or with a margin of error, where it can come from.” The Secretary General of NATO Jens Stoltenberg announced that the organization would increase its coordination with Ukraine on cyberdefense in the face of potential additional cyberattacks. NATO later announced that it would sign an agreement granting Ukraine access to its malware information sharing platform.

DDoS attack
On 15 February, a large DDoS attack brought down the websites of the defense ministry, army, and Ukraine's two largest banks, PrivatBank and Oschadbank. Cybersecurity monitor NetBlocks reported that the attack intensified over the course of the day, also affecting the mobile apps and ATMs of the banks. The New York Times described it as "the largest assault of its kind in the country's history". Ukrainian government officials stated that the attack was likely carried out by a foreign government, and suggested that Russia was behind it. Although there were fears that the denial-of-service attack could be cover for more serious attacks, a Ukrainian official said that no such attack had been discovered.

According to UK government and National Security Council of the US, the attack was performed by Russian Main Intelligence Directorate (GRU). American cybersecurity official Anne Neuberger stated that known GRU infrastructure has been noted transmitting high volumes of communications to Ukraine-based IP addresses and domains. Kremlin spokesperson Dmitry Peskov denied that the attack originated from Russia.

On 23 February, a third DDoS attack took down multiple Ukrainian government, military, and bank websites. Although military and banking websites were described as having “a more rapid recovery”, the SBU website was offline for an extended period.

Wiper malware attack
Just before 5pm on 23 February, data wiper malware was detected on hundreds of computers belonging to multiple Ukrainian organizations, including in the financial, defense, aviation, and IT services sectors. ESET Research dubbed the malware HermeticWiper, named for its genuine code signing certificate from Cyprus-based company Hermetica Digital Ltd. The wiper was reportedly compiled on 28 December 2021, while Symantec reported malicious activity as early as November 2021, implying that the attack was planned months ahead of time. Symantec also reported wiper attacks against devices in Lithuania, and that some organizations were compromised months before the wiper attack. Similar to the January WhisperGate attack, ransomware is often deployed simultaneously with the wiper as a decoy, and the wiper damages the master boot record of the device.

A day prior to the attack, the EU had deployed a cyber rapid-response team consisting of about ten cybersecurity experts from Lithuania, Croatia, Poland, Estonia, Romania, and the Netherlands. It is unknown if this team helped mitigate the effects of the cyberattack.

The attack coincided with the Russian recognition of separatist regions in eastern Ukraine and the authorization of Russian troop deployments there. The US and UK blamed the attack on Russia. Russia denied the accusations and called them “Russophobic”.

Viasat hack
The Viasat hack, which occurred between 5am and 9am EEST on 24 February, might have been intended to disrupt Ukrainian military networks, which used Viasat’s network to provide them communications services. The attack might have intended to hit "aspects of military command and control in Ukraine". The attack "rendered inoperable thousands of Viasat KA-SAT satellite broadband modems in Ukraine, including those used by military and other governmental agencies, causing major loss in internet communication."

In a jointly-timed communication on 10 May 2022, many western governments adduced evidence that Russia was responsible for the attack because of their invasion.

Initial Ukrainian response
On February 26, the Minister of Digital Transformation of Ukraine Mykhailo Fedorov announced the creation of an IT army, which will include cyber specialists, copywriters, designers, marketers and targetologists. As a result, numerous Russian government websites and banks were attacked. Dozens of issues of Russian stars and officials have been made public, and Ukrainian songs have been broadcast on some television channels, including "Prayer for Ukraine".

Starlink
In order to defend themselves and to maintain Internet connectivity during the war, Ukrainian officials deemed a Starlink internet access in their country a potential solution.

Unlike conventional satellite internet like Viasat, Starlink internet access works in a network fragmented into individual parts. The internet is beamed down on a specific dish having limited range giving internet access in the limited area of the dish, like a personal Internet hotspot. The entire system prevents Starlink from being able to be taken out a single attack by Russia.

On February 26, the Ukrainian government and Ukrainian minister Mykhailo Fedorov asked Elon Musk on Twitter to provide Starlink assistance to Ukraine. Musk agreed, and SpaceX responded by activating country-wide service, with the first shipment of Starlink terminals arriving two days later on February 28.

March attacks
Beginning on 6 March, Russia began to significantly increase the frequency of its cyber-attacks against Ukrainian civilians.

On 9 March alone, the Quad9 malware-blocking recursive resolver intercepted and mitigated 4.6 million attacks against computers and phones in Ukraine and Poland, at a rate more than ten times higher than the European average. Cybersecurity expert Bill Woodcock of Packet Clearing House noted that the blocked DNS queries coming from Ukraine clearly show an increase in phishing and malware attacks against Ukrainians, and noted that the Polish numbers were also higher than usual because 70%, or 1.4 million, of the Ukrainian refugees were in Poland at the time. Explaining the nature of the attack, Woodcock said "Ukrainians are being targeted by a huge amount of phishing, and a lot of the malware that is getting onto their machines is trying to contact malicious command-and-control infrastructure."

On March 28, RTComm.ru, a Russian Internet service provider, BGP hijacked Twitter's 104.244.42.0/24 IPv4 address block for a period of two hours fifteen minutes.