UKRAINE: Timeline of Cyberattacks

CERT-UA reported a phising campaign using a compromised account of an employee of a state body of Ukraine and distributing the “GraphSteel” and “GrimPlant” malwares.

Ukraine’s national postal service Ukrposhta said it was hit by a DDoS a few days after it issued and started selling stamps associated with the war.

CERT-UA reported a Facebook fraudulent page mimicking “Ukraine 24”. The page invites users to take part in a survey by following a link “financial assistance from EU countries”. Later the users are asked to provide personal data and make a payment compromising their payment card data.

CERT-UA reported mass distribution of malicious XLS-documents among Ukrainian citizens. Once opened they will download and first run the “GzipLoader” and subsequently the “IcedID” malware. “IcedID” is also known as “BankBot” a banking Trojan that can harvest user credentials.

The breach targeted several electrical substations in the country. The attack was scheduled to begin on the evening of April 8 as civilians returned home from work. The deployed malwares were “Industroyer2” (similar to “Industroyer” that was used in 2016 by the Sandworm APT group to cut power in Ukraine) and “CaddyWiper”, “ORCSHRED”, “SOLOSHRED” and “AWFULSHRED”.

Microsoft observed attacks targeting Ukrainian entities from “Strontium” including media organizations. According to Microsoft nearly all of Russia’s nation-state actors are engaged in the ongoing full-scale offensive against Ukraine’s government and critical infrastructure.

A group of government officials from Ukraine got Telegram phishing alerts urging them to look at the security of their accounts as some unlawful login into their accounts was being noticed by Russia. Once clicking on the malicious links the accounts are compromised.

CERT-UA received information on mass distribution of e-mails containing a malicious file classified as the “MarsStealer” information stealer targeting citizens of Ukraine and domestic organizations.

A major internet disruption caused by a cyberattack has been registered across Ukraine on national provider Ukrtelecom. Real-time network data show connectivity collapsing to 13% of pre-war levels. The attack was foiled and the company resumed its services.

The Security Service of Ukraine (SBU) has announced that since Russia invaded the country, it has identified and shut down five bot farms operating 100,000 social media accounts spreading fake news related to the invasion.

Threat actors are compromising WordPress sites to insert a malicious script that uses visitors’ browsers to perform distributed denial-of-service attacks on Ukrainian websites.

CERT-UA published an alert where they shared a quick summary and indicators associated with a recent intrusion attempt through a delivery of a malicous RAR file. No further details available right now.

CERT-UA reported phishing campaigns against Ukrainian organizations that spread the LoadEdge backdoor. The incident was attributed to InvisiMole, a hacking group with allegedly ties to the Russian advanced persistent threat (APT) group Gamaredon.

On March 17, CERT-UA discovered several ZIP archives of a destructive malware dubbed “DoubleZero”. The activity is tracked by the UAC-0088 identifier and is directly related to attempts to violate the regular mode of operation of information systems of Ukrainian enterprises.

The Security Service of Ukraine reported an attempt of a large-scale cyberattack on the websites of popular Ukrainian media on March 17. Hackers also tried to attack the Slovo i Dilo website. Reported via the SBU’s account on Telegram that the websites were defaced using symbols banned in Ukraine.

The Ukranian Ministry of Defense notified CERT-UA about the distribution of e-mails containing malicious files and targeting Ukrainian government and military entities. As a result of the attack, the victim’s computer would be infected with SPECTR malware.

UAC-0082 (a.k.a. Sandworm) conducted an intrusion into the a research institution that had been previously targeted by an unknown threat actor on 10 March.

TV station Ukraine 24 falsely reported Wednesday that the Ukrainian President had urged Ukrainians to stop fighting and give up their weapons in what has been reported as disinformation. The program’s news ticker was hacked to display messages to appear as though they were coming from the president. The TV network confirmed that the news ticker was hacked and the messages were false. On the same day, a Telegram channel reported that hackers published to Ukrainian websites a deepfake video of the president repeating similar messages.

The Ukrainian Red Cross reported a hack of their website on 16 March which was restored the same day. No personal data of beneficiaries was stored on the website. Only the information component of the site was affected.

ESET researchers have uncovered yet another destructive data wiper that was used in attacks against a limited number of organizations in Ukraine. No code similarities to either HermeticWiper or IsaacWiper were identified. There’s evidence to suggest that the threat actors behind CaddyWiper infiltrated the target’s network before executing the wiper.

A suspected Russian nation state actor stole data from a nuclear safety organization. “EnergeticBear” compromised this entity in December 2021 and stole data from it from December through mid-March.

Major internet disruption registered on the Vinasterisk network which serves Vinnytsia Oblast, western Ukraine. The operator reported a massive cyberattack with elements of sabotage.

A suspected Russian threat actor compromised an institution in Ukraine that was featured in false Russian weapons conspiracies in the past.

A malicious spam campaign dropping the Formbook infostealer specifically targeting Ukrainians was discovered by Malwarebytes. The email lure is written in Ukrainian and tricks victims into opening an alleged letter of approval to receive funds from the government.

Reports circulated suggesting telecommunication service provider Triolan was hit by a cyberattack. Three sources within the company and a former co-founder of the business said a cyberattack had occurred, with one claiming some of Triolan’s internal computers had stopped working because the “attackers reset the settings to the factory level.”

A phishing campaign targeting Ukrainian government agencies with the “MicroBackdoor” malware has been confirmed by the country’s Computer Emergency Response Team (CERT-UA). CERT-UA claims that the malware campaign bears similarities to the activities of Belarussian  threat actor UNC1151’. This threat actor has allegedly conducted credential phishing campaigns over the past week against Polish and Ukrainian government and military organizations.

A threat actor has conducted several large credential phishing campaigns targeting ukr.net users; UkrNet is a Ukrainian media company.  In two recent campaigns, the attackers used newly created Blogspot domains as the initial landing page, which then redirected targets to credential phishing pages.

Ukraine’s Computer Emergency Response Team (CERT-UA) warned of new phishing attacks aimed at its citizens by leveraging compromised email accounts belonging to three different Indian entities with the goal of compromising their inboxes and stealing sensitive information.

Amazon reports seeing several situations where malware has been specifically targeted at charities, NGOs, and other aid organizations in order to spread confusion and cause disruption.

A suspected Russian threat actor conducted lateral movement on a communications sector system and expanded focused targeting of media organizations from broadcast organizations to compromise systems belonging to a digital media firm.

Suspected Russian threat actor launched “DesertBlade” malware against a major broadcasting company on March 1, the same day that the Russian military announced its intention to destroy “disinformation” targets in Ukraine and directed a missile strike against a TV tower in Kyiv.

“Zhadnost”, a botnet with more than 3,000 unique IP addresses, across multiple countries and continents was the source of DDoS attacks against Ukrainian government and financial websites on 15, 23 and 28  February. Most bots were routers, the majority of them MikroTik.

(attacks on 15 and 23 Feb were previously reported below)

Meta said it has seen a surge in hacking attempts against Ukrainians in recent days. It identified some hacking attempts from a threat actor that has been trying to hack the accounts of high-profile Ukrainians, including military officials and public figures, although it did not identify any individuals. The threat actor typically targets people through email compromise and then uses that to gain access to their social media accounts and post disinformation as if it’s coming from the legitimate account owners.

Meta took down a network run by people in Russia and Ukraine targeting Ukraine for violating their policy against coordinated inauthentic behavior. The network ran websites posing as independent news entities and created fake personas across social media platforms including Facebook, Instagram, Twitter, YouTube, Telegram, Odnoklassniki and VK.

The Wordfence team has identified a cyberattack on Ukrainian universities that coincided with the invasion of Ukraine by Russia, and resulted in at least 30 compromised Ukrainian university websites.
The threat actor has stated publicly that they support Russia in the conflict.

A Ukraine border control station has been struck with a data wiper cyberattack that has slowed the process of allowing refugees to cross into Romania.

A cyberattack disrupted broadband satellite internet access coinciding with Russia’s invasion of Ukraine. The cyberattack disabled modems that communicate with Viasat Inc’s KA-SAT satellite, which supplies internet access to some customers in Europe, including Ukraine. More than two weeks later some remain offline. “This appears to have initially started with the KA-SAT service in Ukraine and then spread to almost the entire KA-SAT footprint.” SentinelLabs researchers discovered a new wiper malware they named ‘AcidRain’ which was confirmed by Visat as used in the attack on 24th against the modems.

A phishing campaign was observed using a possibly compromised Ukrainian armed service member’s email account, to target European government personnel involved in managing the logistics of refugees fleeing Ukraine. The email included a malicious macro attachment which attempted to download a Lua-based malware dubbed SunSeed.

ESET identified a further wiper in Ukrainian government networks, affecting organizations that had not been attacked by HermeticWiper and does not share any code similarity with it. On February 25, the attackers dropped a new version of IsaacWiper with debug logs, indicating that the attackers were unable to wipe some of the compromised machines. The malware was developed/employed at least since October 19, 2021.

The Kyiv Post reports that its site has been under constant cyberattack during the Russian-Ukrainian armed conflict. The DDoS attack incapacitated their systems and they had to find alternative means to publish the news by posting shortened stories on Facebook, Twitter, and LinkedIn.

UAC-0082 (a.k.a. Sandworm) staged a file encryptor on the network of an agricultural firm, holding this entity at risk for future destruction. Microsoft assesses that this was likely targeting grain production, a major export commodity in Ukraine’s economy.

A number of organizations in Ukraine have been hit by a cyberattack, infecting hundreds of computers. The attack involved new data-wiping malware dubbed HermeticWiper — a destructive malware that can delete or corrupt data on a targeted computer or network. The wiper has been detected in Ukraine, Latvia and Lithuania.

The websites of several Ukrainian banks and government departments, including the Ministry of Foreign Affairs, Ministry of Defense, Ministry of Internal Affairs, Security Service (SBU) and Cabinet of Ministers became inaccessible following a large DDoS attack. Most other sites came online within two hours of the attack but latency and outages continued into the following day for others.

More than 600 websites belonging to the defence ministry in Kyiv and other institutions suffered attacks with the launch of thousands of exploits with attempts pointed to at least 20 distinct vulnerabilities. The campaign started mid-February and peaked on 23 February. The attacks sought to infiltrate targets ranging from border defence forces to the national bank and railway authority. They were designed to steal data and explore ways to shut down or disrupt vital defence and civilian infrastructure. The Times, allegedly quoting a source at the SBU, claimed the campaign was co-ordinated by the Chinese government. The SBU went on to deny The Times report.

Customers of one of the state-owned banks began to receive information via SMS messages about technical malfunctions of ATMs. The Ukrainian Cyber Police confirmed this information to be false.

A DDoS attack described as Ukraine’s largest to date. A number of Ukrainian websites were taken offline and impacted bank, government and military websites. The scale of the attacks was moderate, and the sites recovered within hours; the intention is speculated to have been to create a sense of panic.

CERT-UA reported mass distribution of phishing emails supposedly originating from Ukrainian state bodies and targeting Ukrainian entities.  The lure is a Ukrainian language translation software, leading to the infection of GrimPlant and GraphSteel.

Spear phishing email was sent to an employee of a Ukrainian energy  organization containing malicious files that would download and install a payload known as SaintBot (a downloader) and OutSteel (a document stealer). The same threat actor group targeted a Western government entity in Ukraine, as well as several Ukrainian government organizations back in March 2021.

In this attempted attack, rather than emailing the malware directly to their target, the actors leveraged a job search and employment service within Ukraine. In doing so, the actors searched for an active job posting, uploaded their downloader as a resume and submitted it through the job search platform to a Western government entity. Given the steps and precision delivery involved in this campaign, it appears this may have been a specific, deliberate attempt by Gamaredon to compromise this entity.

On January 14, 2022 Orthodox New Year, over 70 Ukrainian government websites were defaced with political imagery and a statement in Russian, Ukrainian, and Polish before going down temporarily. Most sites were restored within hours. The attack  crippled much of the government’s public-facing digital infrastructure, including the most widely used site for handling government services online, Diia. Diia also has a role in Ukraine’s coronavirus response and in encouraging vaccination. It also crippled the sites of the Cabinet of Ministers, and the ministries of energy, sports, agriculture, veterans’ affairs, and ecology.

Microsoft identified a destructive malware (dubbed WhisperGate)  operation targeting multiple organizations in Ukraine. This malware first appeared on victim systems in Ukraine on January 13, 2022. The malware is assessed to be designed to look like ransomware but lacking a ransom recovery mechanism and is intended to be destructive rendering targeted devices inoperable rather than to obtain a ransom. Victims span multiple government, non-profit, and information technology organizations.

An attempted cyberattack against the network equipment of the Auly Chlorine Distillation Station which supplies liquid chlorine to water  and wastewater treatment facilities in  23 provinces of Ukraine, as well as Moldova and Belarus. Over the course of several minutes, the company’s technological process control systems and the systems for detecting signs of emergencies were being attacked by the VPNFilter malware. If not foiled, the malware could exfiltrate credentials, monitor equipment, and could render an infected device completely inoperable.

An attack with the NotPetya wiper malware, on the eve of Ukraine’s Constitution Day, targeted public and private sector entities in Ukraine (80% of affected systems) including financial, energy and government institutions. The attack was highly disruptive in nature as it disabled computers by wiping hard drives and spread independently to companies that used a popular tax-filing software (M.E.Doc).  The malware was not designed to be decrypted. This meant that there were no means for victims to recover data once it had been encrypted. The attack spread globally and infected, among others, Chernobyl’s radiation monitoring system and US healthcare organizations.  The attack has been coined as the “most devastating cyberattack in history.”

The EU imposed sanctions (asset freeze and travel ban) via their Diplomacy Toolbox whilst the US imposed sanctions via the Department of the Treasury’s Office of Foreign Assets Control (OFAC).

Nearly one year after the first power grid attack, a cyberattack hit a substation in Kyiv and left a part of the capital and its surrounding area without electricity for more than one hour. Researchers describe the malware used in this attack as only the second-ever known case of malicious code purpose-built to disrupt physical systems and that the malware can automate mass power outages and includes swappable, plug-in components that could allow it to be adapted to different electric utilities and be launched simultaneously across multiple targets.

The attack was linked to the 2015 power grid attack and attacks against Ukraine’s national railway, government ministries, etc.

A cyberattack compromised systems of three energy distribution companies in the Ivano-Frankivsk region of Western Ukraine. The attack marked the first known successful cyberattack against a power grid. Prior to the outage, the threat actors launched a telephone denial-of-service attack against customer call centers.

A cyberattack compromised systems of three energy distribution companies in the Ivano-Frankivsk region of Western Ukraine. The attack marked the first known successful cyberattack against a power grid. Prior to the outage, the threat actors launched a telephone denial-of-service attack against customer call centers.

Wave of cyberattacks to disrupt/manipulate the 2014 Ukrainian Presidential Elections. The attacks were described as “among the most dangerous cyberattacks yet deployed to sabotage a national election.” The campaign consisted of three separate attacks:

Event 3. DDoS attacks against links feeding data to the vote tally system blocked election results and delayed the final tally. The attack was attributed to CyberBerkut.

Wave of cyberattacks to disrupt/manipulate the 2014 Ukrainian Presidential Elections. The attacks were described as “among the most dangerous cyberattacks yet deployed to sabotage a national election.” The campaign consisted of three separate attacks:

Event 2. On election day 40 minutes prior to election results, Ukrainian cybersecurity experts removed malware from Central Election Commission computers. The malware aimed to fake results and portray the far-right candidate as the winner with 37% and Poroschenko at 29%. While the attack failed, Channel 1 Russia displayed these results.

Wave of cyberattacks to disrupt/manipulate the 2014 Ukrainian Presidential Elections. The attacks were described as “among the most dangerous cyberattacks yet deployed to sabotage a national election.” The campaign consisted of three separate attacks:

Event 1. Infiltration of central election networks and deletion of files to render the vote-tallying system inoperable. CyberBerkut later leaked emails and files as proof.