Last updated on May 12, 2022
Against the backdrop of the military invasion of Ukraine, the CyberPeace Institute is tracking how cyberattacks and operations are, and have been, targeting critical infrastructure and civilian objects.
In recent weeks there has been a significant escalation in the number of reported cyberattacks against Ukrainian institutions, organizations, including humanitarian NGOs, and the wider population. Ukraine is no stranger to being on the receiving-end of cyberattacks and the timeline below tracks the most significant incidents to date.
The tracking of cyberattacks and incidents as they become public is important in order to record these attacks and identify – where possible – the harm and risks for civilian populations. Cyberattacks affect people and risk lives. In the future, it will be important to use the information on cyberattacks to identify developments or clarifications of the law in relation to the use of cyber operations in armed conflicts, and for accountability including in any future judicial proceedings.
The targeting of critical infrastructure raises particular concern as this infrastructure is essential for the survival of the civilian population. Attacks on infrastructure such as energy, water, healthcare, financial institutions, transport and communication services can have devastating consequences on the civilian population. NGOs responding to the humanitarian needs of the population in Ukraine and neighboring countries are targeted by cyberattacks in order to disrupt their activities.
Beyond the risks to critical infrastructure and civilian objects, cyberattacks sow distrust and limit access to accurate information or spread false information. They can also be highly disruptive and create a sense of fear and uncertainty and even lead to the eventual displacement of people.
The important legal principles of distinction (distinguish at all times between military objectives and civilian objects) and proportionality (prohibit attacks expected to cause excessive civilian harm) have a direct bearing on cyber operations during armed conflicts in order to protect the civilian population against the effects of such operations.
The CyberPeace Institute’s mission is to reduce the scale and frequency of cyberattacks against vulnerable communities, provide assistance and advocate for respect of laws and norms. Thus, documenting cyberattacks is important to understand the harm caused to people. The CyberPeace Builders program is a trustworthy volunteer network designed to help humanitarian NGOs strengthen their cybersecurity.
26 Apr
CERT-UA reported a phishing campaign that used a compromised account of an employee of a Ukrainian state body and distributed the “GraphSteel” and “GrimPlant” malware.
Cyber Espionage Cluster – UAC-0056*
[Technical Attribution by CERT-UA]
* UAC-0056’s targets are aligned with the interests of the Russian government. Also known as SaintBear, UNC2589, TA471, Lorec53
22 Apr
Ukraine’s national postal service Ukrposhta said it was hit by a DDoS a few days after it issued and started selling stamps associated with the war.
Not yet known
19 Apr
CERT-UA reported a fraudulent Facebook page mimicking “Ukraine 24”. The page invites users to take part in a survey by following a link labelled “financial assistance from EU countries”. Users are then asked to provide personal data and make a payment, which compromises their payment card data.
Not yet known
14 Apr
CERT-UA reported mass distribution of malicious XLS documents among Ukrainian citizens. Once opened, they download and first run the “GzipLoader” and subsequently the “IcedID” malware. “IcedID”, also known as “BankBot”, is a banking Trojan that can harvest user credentials.
UAC-0098
[Technical Attribution by CERT-UA]
8 Apr
The attack targeted several electrical substations in the country. It was scheduled to begin on the evening of April 8 as civilians returned home from work. The deployed malware was “Industroyer2” (similar to “Industroyer”, which was used in 2016 by the Sandworm APT group to cut power in Ukraine) together with “CaddyWiper”, “ORCSHRED”, “SOLOSHRED” and “AWFULSHRED”.
7 Apr
Microsoft observed attacks targeting Ukrainian entities from “Strontium” including media organizations. According to Microsoft nearly all of Russia’s nation-state actors are engaged in the ongoing full-scale offensive against Ukraine’s government and critical infrastructure.
2 Apr
A group of Ukrainian government officials received Telegram phishing messages urging them to check the security of their accounts, claiming that unauthorized logins from Russia had been detected. Clicking the malicious links compromised the accounts.
UAC-0094
[Technical Attribution by CERT-UA]
30 Mar
CERT-UA received information on the mass distribution of e-mails containing a malicious file classified as the “MarsStealer” information stealer, targeting citizens of Ukraine and domestic organizations.
28 Mar
A major internet disruption caused by a cyberattack was registered across Ukraine on the national provider Ukrtelecom. Real-time network data showed connectivity collapsing to 13% of pre-war levels. The attack was foiled and the company resumed its services.
Not yet known
28 Mar
The Security Service of Ukraine (SBU) has announced that since Russia invaded the country, it has identified and shut down five bot farms operating 100,000 social media accounts spreading fake news related to the invasion.
Nation State – Russia
[Political attribution by SBU-UA]
28 Mar
Threat actors are compromising WordPress sites to insert a malicious script that uses visitors’ browsers to perform distributed denial-of-service attacks on Ukrainian websites.
Not yet known
22 Mar
CERT-UA published an alert with a short summary and indicators associated with a recent intrusion attempt through the delivery of a malicious RAR file. No further details are available at this time.
China APT – Scarab / UAC-0026*
[Technical attribution by Sentinelone]
18 Mar
CERT-UA reported phishing campaigns against Ukrainian organizations that spread the LoadEdge backdoor. The incident was attributed to InvisiMole, a hacking group allegedly with ties to the Russian advanced persistent threat (APT) group Gamaredon.
Russia APT – InvisiMole / UAC-0035
[Technical attribution by CERT-UA]
17 Mar
On March 17, CERT-UA discovered several ZIP archives of a destructive malware dubbed “DoubleZero”. The activity is tracked by the UAC-0088 identifier and is directly related to attempts to violate the regular mode of operation of information systems of Ukrainian enterprises.
17 Mar
The Security Service of Ukraine reported an attempted large-scale cyberattack on the websites of popular Ukrainian media on March 17. Hackers also tried to attack the Slovo i Dilo website. The SBU reported via its Telegram account that the websites were defaced with symbols banned in Ukraine.
Not yet known
17 Mar
The Ukrainian Ministry of Defense notified CERT-UA about the distribution of e-mails containing malicious files and targeting Ukrainian government and military entities. As a result of the attack, the victim’s computer would be infected with SPECTR malware.
Ukraine Hacking Collective – VERMIN / UAC-0020
[Technical attribution by CERT-UA]
16 Mar
UAC-0082 (a.k.a. Sandworm) conducted an intrusion into a research institution that had previously been targeted by an unknown threat actor on 10 March.
Nation State APT – UAC-0082/ Sandworm
[Technical Attribution by Microsoft]
16 Mar
TV station Ukraine 24 falsely reported on Wednesday that the Ukrainian President had urged Ukrainians to stop fighting and give up their weapons, in what has been reported as disinformation. The program’s news ticker was hacked to display messages that appeared to come from the president. The TV network confirmed that the news ticker was hacked and that the messages were false. On the same day, a Telegram channel reported that hackers had published a deepfake video of the president repeating similar messages on Ukrainian websites.
Not yet known
16 Mar
The Ukrainian Red Cross reported a hack of their website on 16 March which was restored the same day. No personal data of beneficiaries was stored on the website. Only the information component of the site was affected.
Not yet known
14 Mar
ESET researchers have uncovered yet another destructive data wiper that was used in attacks against a limited number of organizations in Ukraine. No code similarities to either HermeticWiper or IsaacWiper were identified. There’s evidence to suggest that the threat actors behind CaddyWiper infiltrated the target’s network before executing the wiper.
Not yet known
13 Mar
A suspected Russian nation state actor stole data from a nuclear safety organization. “EnergeticBear” compromised this entity in December 2021 and stole data from it from December through mid-March.
Nation State APT – Bromine / EnergeticBear*
[Technical Attribution by Microsoft]
* FSB (Unit 71330) also known as Bromine
13 Mar
Major internet disruption registered on the Vinasterisk network which serves Vinnytsia Oblast, western Ukraine. The operator reported a massive cyberattack with elements of sabotage.
Not yet known
10 Mar
A suspected Russian threat actor compromised an institution in Ukraine that was featured in false Russian weapons conspiracies in the past.
Nation State – Russia
[Technical Attribution by Microsoft]
9 Mar
A malicious spam campaign dropping the Formbook infostealer specifically targeting Ukrainians was discovered by Malwarebytes. The email lure is written in Ukrainian and tricks victims into opening an alleged letter of approval to receive funds from the government.
Not yet known
9 Mar
Reports circulated suggesting telecommunication service provider Triolan was hit by a cyberattack. Three sources within the company and a former co-founder of the business said a cyberattack had occurred, with one claiming some of Triolan’s internal computers had stopped working because the “attackers reset the settings to the factory level.”
Not yet known
7 Mar
A phishing campaign targeting Ukrainian government agencies with the “MicroBackdoor” malware has been confirmed by the country’s Computer Emergency Response Team (CERT-UA). CERT-UA claims that the malware campaign bears similarities to the activities of the Belarusian threat actor UNC1151. This threat actor has allegedly conducted credential phishing campaigns over the past week against Polish and Ukrainian government and military organizations.
Belarus APT Group – GHOSTWRITER / UNC1151*
[Technical Attribution by CERT-UA]
* attribution is tentative
7 Mar
A threat actor has conducted several large credential phishing campaigns targeting ukr.net users; UkrNet is a Ukrainian media company. In two recent campaigns, the attackers used newly created Blogspot domains as the initial landing page, which then redirected targets to credential phishing pages.
Russia APT Group – FancyBear/APT28
[Technical Attribution by Google TAG]
5 Mar
Ukraine’s Computer Emergency Response Team (CERT-UA) warned of new phishing attacks aimed at its citizens by leveraging compromised email accounts belonging to three different Indian entities with the goal of compromising their inboxes and stealing sensitive information.
Not yet known
4 Mar
Amazon reports seeing several situations where malware has been specifically targeted at charities, NGOs, and other aid organizations in order to spread confusion and cause disruption.
Not yet known
3 Mar
A suspected Russian threat actor conducted lateral movement on a communications sector system and expanded focused targeting of media organizations from broadcast organizations to compromise systems belonging to a digital media firm.
Nation State – Russia
[Technical Attribution by Microsoft]
1 Mar
A suspected Russian threat actor launched “DesertBlade” malware against a major broadcasting company on March 1, the same day that the Russian military announced its intention to destroy “disinformation” targets in Ukraine and directed a missile strike against a TV tower in Kyiv.
Nation State – Russia
[Technical Attribution by Microsoft]
15, 23 & 28 Feb
“Zhadnost”, a botnet with more than 3,000 unique IP addresses across multiple countries and continents, was the source of DDoS attacks against Ukrainian government and financial websites on 15, 23 and 28 February. Most bots were routers, the majority of them MikroTik.
Nation state – Russia*
[Technical attribution by Securityscorecard]
*Attribution is tentative, reference made to Russian-aligned actors
27 Feb
Meta said it has seen a surge in hacking attempts against Ukrainians in recent days. It identified some hacking attempts from a threat actor that has been trying to hack the accounts of high-profile Ukrainians, including military officials and public figures, although it did not identify any individuals. The threat actor typically targets people through email compromise and then uses that to gain access to their social media accounts and post disinformation as if it’s coming from the legitimate account owners.
Belarus APT Group – UNC1151
[Technical Attribution by Meta]
25 Feb
Meta took down a network run by people in Russia and Ukraine targeting Ukraine for violating their policy against coordinated inauthentic behavior. The network ran websites posing as independent news entities and created fake personas across social media platforms including Facebook, Instagram, Twitter, YouTube, Telegram, Odnoklassniki and VK.
Tentative links found to a 2020 operation connected to individuals in Russia, the Donbass region in Ukraine and two media organizations in Crimea
[Technical Attribution by Meta]
25 Feb
The Wordfence team has identified a cyberattack on Ukrainian universities that coincided with the invasion of Ukraine by Russia, and resulted in at least 30 compromised Ukrainian university websites.
The threat actor has stated publicly that they support Russia in the conflict.
Brazil Threat Actor Group – theMx0nday
[Technical Attribution by Wordfence]
25 Feb
A Ukraine border control station has been struck with a data wiper cyberattack that has slowed the process of allowing refugees to cross into Romania.
Not yet known
24 Feb
A cyberattack disrupted broadband satellite internet access coinciding with Russia’s invasion of Ukraine. The cyberattack disabled modems that communicate with Viasat Inc’s KA-SAT satellite, which supplies internet access to some customers in Europe, including Ukraine. More than two weeks later some remained offline. “This appears to have initially started with the KA-SAT service in Ukraine and then spread to almost the entire KA-SAT footprint.” SentinelLabs researchers discovered a new wiper malware they named ‘AcidRain’, which Viasat confirmed was used in the attack on the modems on 24 February.
Nation State – Russia
[Political Attribution by U.S. intelligence and Council of the EU]
[Technical Attribution by SentinelLabs]
24 Feb
A phishing campaign was observed using a possibly compromised Ukrainian armed service member’s email account, to target European government personnel involved in managing the logistics of refugees fleeing Ukraine. The email included a malicious macro attachment which attempted to download a Lua-based malware dubbed SunSeed.
24 Feb
ESET identified a further wiper in Ukrainian government networks, affecting organizations that had not been attacked by HermeticWiper; it does not share any code similarity with HermeticWiper. On February 25, the attackers dropped a new version of IsaacWiper with debug logs, indicating that they had been unable to wipe some of the compromised machines. The malware was developed or employed since at least October 19, 2021.
Not yet known
24 Feb
The Kyiv Post reports that its site has been under constant cyberattack during the Russian-Ukrainian armed conflict. The DDoS attack incapacitated their systems and they had to find alternative means to publish the news by posting shortened stories on Facebook, Twitter, and LinkedIn.
Not yet known
23 Feb
UAC-0082 (a.k.a. Sandworm) staged a file encryptor on the network of an agricultural firm, holding this entity at risk for future destruction. Microsoft assesses that this was likely targeting grain production, a major export commodity in Ukraine’s economy.
23-24 Feb
A number of organizations in Ukraine have been hit by a cyberattack, infecting hundreds of computers. The attack involved new data-wiping malware dubbed HermeticWiper — a destructive malware that can delete or corrupt data on a targeted computer or network. The wiper has been detected in Ukraine, Latvia and Lithuania.
Not yet known
23 Feb
The websites of several Ukrainian banks and government departments, including the Ministry of Foreign Affairs, Ministry of Defense, Ministry of Internal Affairs, Security Service (SBU) and Cabinet of Ministers became inaccessible following a large DDoS attack. Most other sites came online within two hours of the attack but latency and outages continued into the following day for others.
Nation State – Russia
[Technical Attribution by Bellingcat]
23 Feb
More than 600 websites belonging to the defence ministry in Kyiv and other institutions suffered attacks with the launch of thousands of exploits with attempts pointed to at least 20 distinct vulnerabilities. The campaign started mid-February and peaked on 23 February. The attacks sought to infiltrate targets ranging from border defence forces to the national bank and railway authority. They were designed to steal data and explore ways to shut down or disrupt vital defence and civilian infrastructure. The Times, allegedly quoting a source at the SBU, claimed the campaign was co-ordinated by the Chinese government. The SBU went on to deny The Times report.
Nation State – China*
* unconfirmed and refuted by SBU-UA
15 Feb
Customers of one of the state-owned banks began to receive information via SMS messages about technical malfunctions of ATMs. The Ukrainian Cyber Police confirmed this information to be false.
Not yet known
15-16 Feb
A DDoS attack, described as Ukraine’s largest to date, took a number of Ukrainian websites offline, including bank, government and military websites. The scale of the attacks was moderate and the sites recovered within hours; the intention is speculated to have been to create a sense of panic.
11 Feb
CERT-UA reported mass distribution of phishing emails supposedly originating from Ukrainian state bodies and targeting Ukrainian entities. The lure is a Ukrainian-language translation software, leading to infection with GrimPlant and GraphSteel.
Cyber Espionage Cluster – UAC-0056*
[Technical attribution by CERT-UA, Sentinelone]
1 Feb
A spear-phishing email was sent to an employee of a Ukrainian energy organization containing malicious files that would download and install a payload known as SaintBot (a downloader) and OutSteel (a document stealer). The same threat actor group targeted a Western government entity in Ukraine, as well as several Ukrainian government organizations, back in March 2021.
Cyber Espionage Cluster – UAC-0056*
[Technical attribution by CERT-UA, Paloaltonetworks]
* UAC-0056’s targets are aligned with the interests of the Russian government. Also known as SaintBear, UNC2589, TA471, Lorec53
19 Jan
In this attempted attack, rather than emailing the malware directly to their target, the actors leveraged a job search and employment service within Ukraine. In doing so, the actors searched for an active job posting, uploaded their downloader as a resume and submitted it through the job search platform to a Western government entity. Given the steps and precision delivery involved in this campaign, it appears this may have been a specific, deliberate attempt by Gamaredon to compromise this entity.
Russia Nation State APT – Gamaredon*
[Technical attribution by Paloaltonetworks]
[Legal attribution by Ukrainian authorities]
* also known as Primitive Bear. In November 2021 the Security Service of Ukraine (SSU) publicly attributed the leadership of the group to five Russian Federal Security Service (FSB) officers assigned to posts in Crimea.
14-15 Jan
On January 14, 2022, Orthodox New Year, over 70 Ukrainian government websites were defaced with political imagery and a statement in Russian, Ukrainian and Polish before going down temporarily. Most sites were restored within hours. The attack crippled much of the government’s public-facing digital infrastructure, including Diia, the most widely used site for handling government services online. Diia also has a role in Ukraine’s coronavirus response and in encouraging vaccination. The attack also crippled the sites of the Cabinet of Ministers and the ministries of energy, sports, agriculture, veterans’ affairs and ecology.
Belarus APT Group – UNC1151
[Political Attribution by Ukraine]
The purpose of such attacks is reportedly:
13 Jan
Microsoft identified a destructive malware operation (dubbed WhisperGate) targeting multiple organizations in Ukraine. The malware first appeared on victim systems in Ukraine on January 13, 2022. It is assessed to be designed to look like ransomware while lacking a ransom recovery mechanism, and is intended to be destructive, rendering targeted devices inoperable rather than obtaining a ransom. Victims span multiple government, non-profit and information technology organizations.
11 July
An attempted cyberattack targeted the network equipment of the Auly Chlorine Distillation Station, which supplies liquid chlorine to water and wastewater treatment facilities in 23 provinces of Ukraine, as well as Moldova and Belarus. Over the course of several minutes, the company’s technological process control systems and the systems for detecting signs of emergencies were attacked with the VPNFilter malware. Had it not been foiled, the malware could have exfiltrated credentials, monitored equipment and rendered an infected device completely inoperable.
Nation State – Russia
[Political Attribution by Ukraine]
27 Jul
An attack with the NotPetya wiper malware, on the eve of Ukraine’s Constitution Day, targeted public and private sector entities in Ukraine (80% of affected systems) including financial, energy and government institutions. The attack was highly disruptive in nature as it disabled computers by wiping hard drives and spread independently to companies that used a popular tax-filing software (M.E.Doc). The malware was not designed to be decrypted. This meant that there were no means for victims to recover data once it had been encrypted. The attack spread globally and infected, among others, Chernobyl’s radiation monitoring system and US healthcare organizations. The attack has been coined as the “most devastating cyberattack in history.”
The EU imposed sanctions (asset freeze and travel ban) via their Diplomacy Toolbox whilst the US imposed sanctions via the Department of the Treasury’s Office of Foreign Assets Control (OFAC).
17 Dec
Nearly one year after the first power grid attack, a cyberattack hit a substation in Kyiv and left part of the capital and its surrounding area without electricity for more than one hour. Researchers describe the malware used in this attack as only the second known case of malicious code purpose-built to disrupt physical systems; the malware can automate mass power outages and includes swappable, plug-in components that could allow it to be adapted to different electric utilities and launched simultaneously across multiple targets.
The attack was linked to the 2015 power grid attack and attacks against Ukraine’s national railway, government ministries, etc.
Threat Actor Group – Electrum*
[Technical attribution by Dragos]
* alleged direct ties to the Sandworm Team
23 Dec
A cyberattack compromised systems of three energy distribution companies in the Ivano-Frankivsk region of Western Ukraine. The attack marked the first known successful cyberattack against a power grid. Prior to the outage, the threat actors launched a telephone denial-of-service attack against customer call centers.
26 May
Wave of cyberattacks to disrupt/manipulate the 2014 Ukrainian Presidential Elections. The attacks were described as “among the most dangerous cyberattacks yet deployed to sabotage a national election.” The campaign consisted of three separate attacks:
Event 3. DDoS attacks against links feeding data to the vote tally system blocked election results and delayed the final tally. The attack was attributed to CyberBerkut.
Pro-Russian Hacktivist Group – CyberBerkut*
[Technical attribution by Arbor Networks] – DDoS attacks
* overall attribution disputed
25 May
Wave of cyberattacks to disrupt/manipulate the 2014 Ukrainian Presidential Elections. The attacks were described as “among the most dangerous cyberattacks yet deployed to sabotage a national election.” The campaign consisted of three separate attacks:
Event 2. On election day, 40 minutes before the election results were due, Ukrainian cybersecurity experts removed malware from Central Election Commission computers. The malware aimed to fake the results and portray the far-right candidate as the winner with 37% and Poroshenko at 29%. Although the attack failed, Channel 1 Russia displayed these results.
Pro-Russian Hacktivist Group – CyberBerkut*
[Technical attribution by Arbor Networks] – DDoS attacks
* overall attribution disputed
22 May
Wave of cyberattacks to disrupt/manipulate the 2014 Ukrainian Presidential Elections. The attacks were described as “among the most dangerous cyberattacks yet deployed to sabotage a national election.” The campaign consisted of three separate attacks:
Event 1. Infiltration of central election networks and deletion of files to render the vote-tallying system inoperable. CyberBerkut later leaked emails and files as proof.
Pro-Russian Hacktivist Group – CyberBerkut*
[Technical attribution by Arbor Networks] – DDoS attacks
* overall attribution disputed
The CyberPeace Institute has concentrated its data collection efforts on the harm caused by cyberattacks and operations in Ukraine and calls upon all actors to spare civilians and infrastructure which are ensuring the delivery of essential services.
To better understand the harm and impact of cyber incidents and who is responsible, directly or indirectly, we collect publicly available information (see Data Sources section below). We carefully select the scope of cyber incidents collected and the indicators required for future analysis. In this section we shed light on our data collection criteria.
Types of Cyberattacks
Based on the Institute’s definition of cyberattacks we collect any attack conducted by a threat actor using a computer network or system with the intention to disrupt, disable, destroy, control, manipulate, or surveil a computing environment/infrastructure and/or data.
To date we have documented the following types of cyberattacks defined in the Institute’s Glossary: malware (including wiper malware), distributed denial of service (DDoS), malspam, disinformation campaigns, phishing campaigns and website defacements.
Categories of Targets and Victims
We concentrate data collection on cyberattacks targeting and/or impacting civilians, civilian objects and infrastructure that ensures the delivery of essential services in Ukraine. As far as it is possible to differentiate them from civilian objects, we do not collect cyber incidents on military objects. In relation to the international armed conflict in Ukraine, we have used the following definitions in line with the rules of International Humanitarian Law (IHL):
Societal Harm
Analyzing the harm and impact of cyberattacks is at the heart of the Institute’s work. We are in the process of developing indicators and a methodology to document and measure the harm and impact of cyberattacks on people, organizations and society. As a first step, we collect information on the harm and impact of cyberattacks as they are reported by the source of the information. Insofar as it is possible we document quantitative data such as the duration of a given impact or the number of individuals affected.
Listed below are core categories of harm / impact we document when the information is available: geographical, operational, temporal, communication, informational / data, financial, societal, psychological, digital, physical (on people such as injury / death) and re-victimization.
Attribution
The Institute does not conduct its own attribution of incidents but documents the attribution efforts of others. The challenges and complexity in the attribution of cyberattacks can be summarized by a three-tiered approach to categorizing the attribution of a cyberattack to an actor or actors: technical, political and legal attribution.
When recording the attribution of incidents we do so in the following format:
Type of threat actor (and their national allegiance if relevant) – Threat Actor Name*
[Type attribution by Attributing Entity with a link to the source]
* any indication of uncertainty relating to the attribution
For example:
Belarus APT Group – GHOSTWRITER / UNC1151*
[Technical Attribution by Proofpoint]
* attribution is tentative
Data Sources
For the purpose of this timeline, the Institute collects publicly available (open source) information on cyberattacks through the monitoring of:
Every identified incident, and the associated content, is reviewed by at least two internal analysts and, wherever possible, the incident is linked to at least two separate sources of information. We continuously scan for information on previous incidents to update the timeline on societal harm and attribution, which are often reported significantly after the actual incident.
The Institute is looking to expand its data collection stream and to integrate closed sources in order to gain a more comprehensive understanding of the threats and harms posed by cyberattacks related to the conflict in Ukraine. More specifically we seek to learn about or from humanitarian non-governmental organizations targeted by cyberattacks in order to understand the impact on operations and responses to the civilian population and other protected persons.
If you are interested in contributing to this project please reach out to us at [email protected] .
Firstly, it is important to recognize the extreme suffering of the civilian population in Ukraine who are subject to military attack. The consequences for people are devastating as they have to make the choice to stay and risk their lives as the hostilities increasingly affect civilian areas, or flee the fighting for an uncertain future of displacement and separation from family members, their homes and livelihoods.
Ukraine is currently subject to attacks from traditional weapons as well as cyberattacks and operations.
Through the Ukraine: Timeline of Cyberattacks, the CyberPeace Institute is tracking how cyberattacks and operations are, and have been, targeting critical infrastructure and civilian objects. This is important in order to identify harm and risks to civilian populations.
In recent weeks there has been a significant escalation in the number of reported cyberattacks against Ukrainian institutions, organizations and the wider civilian population. It is important to document such attacks as they pose real threats to people, critical infrastructure and the functioning of society.
The targeting of critical infrastructure raises particular concern as this infrastructure is essential for the survival of the civilian population. Attacks on infrastructure such as energy, water and sanitation facilities, healthcare, financial institutions, transport and communication services can have devastating consequences for the civilian population.
Beyond the risks to critical infrastructure and civilian objects, cyberattacks sow distrust and limit access to accurate information or spread false information. They can also be highly disruptive and create a sense of fear and uncertainty and even lead to the displacement of people.
Collecting information about cyberattacks and operations is important in order to call for people to be spared from attack, to recall the legal obligations that parties to a conflict must adhere to, e.g. the rules of international humanitarian law, and to document the harm to people. In the future, it will be important to use this information to call for developments or clarifications of the law in relation to the use of cyber operations in armed conflicts, and for accountability.
Cyberattacks and operations carry important risks beyond the conflict in Ukraine itself because of the interconnectedness of cyberspace. The effects of a cyberattack are not easily confined to its intended target, so an attack in Ukraine could affect other countries: self-propagating malware, for example, does not stop at borders. It is also highly likely that some cyberattacks will originate from individuals or groups that are not direct parties to the hostilities, which are currently Ukraine and the Russian Federation. Such attacks may amount to direct participation in the hostilities, and thus be subject to the rules of international humanitarian law.
As we can all see from the media reporting from Ukraine, the main harm to the civilian population is coming from hostilities conducted with more traditional military weapons. However, there has also been an escalation of cyberattacks in recent days.
The cyberattacks observed so far have aimed to disrupt institutions and digital infrastructure, and to limit access to information and/or spread disinformation.
Recent history has shown that cyberattacks have harmed Ukraine’s civilian population and critical infrastructure.
Civilians, civilian objects and infrastructure ensuring the delivery of essential services must be spared from attack. The targeting of critical infrastructure raises particular concern as this infrastructure is essential for the survival of the civilian population. Attacks on infrastructure such as energy, water, healthcare, financial institutions, transport and communication services can have devastating consequences for the civilian population. Beyond the risks to critical infrastructure and civilian objects, cyberattacks sow distrust and limit access to accurate information or spread false information. On their own, and/or combined with kinetic attacks, cyberattacks can also be highly disruptive, create a sense of fear and uncertainty, and accelerate violence and/or the displacement of people.
Some states have developed offensive cyber capabilities, and thus cyber operations are a reality of armed conflicts today. Like any other weapon used in armed conflict, the use of cyber tools is subject to restrictions. International Humanitarian Law (IHL) applies to cyber operations during armed conflicts.
International Humanitarian Law has been formulated in a way that applies to all forms of warfare and to all kinds of weapons. The basic rules are clear and apply to any means or method of warfare, including cyber operations, in armed conflict: targeting civilians and civilian objects is forbidden; indiscriminate weapons and attacks must not be used; attacks which are disproportionate (i.e. expected to cause excessive civilian harm in relation to the concrete and direct military advantage anticipated) are prohibited; and medical services must be respected and protected. This law aims to save lives and reduce suffering.
To give an example, this means that a party to an armed conflict is prohibited from using a missile or any other weapon to attack a hospital, and it is equally prohibited from launching cyberattacks against a hospital, e.g. to destroy its computers, disable medical equipment and networks, or destroy or steal its data.
We are seeing that cyber operations are a reality of armed conflicts today, as States have offensive cyber capabilities. In the aftermath of Russia’s recent invasion of the territory of Ukraine, Ukraine’s Minister of Digital Transformation announced the creation of a government-led volunteer cyber army.
International humanitarian law makes a clear distinction between civilians and members of the armed forces, and sets out what it means for a person to take a direct part in hostilities, as opposed to supporting a party only indirectly.
According to the International Committee of the Red Cross (ICRC) 2009 Interpretive Guidance on Direct Participation in Hostilities, “Persons take a direct part in hostilities when they commit acts aimed at supporting one party to the conflict by directly causing harm to another party, either by directly inflicting death, injury or destruction, or by directly harming the enemy’s military operations or capabilities. If and for as long as civilians commit such acts, they take a direct part in hostilities and lose their protection against attack.”
The CyberPeace Institute calls upon all actors to spare civilians, civilian objects and infrastructure which are ensuring the delivery of essential services in line with commitments, norms and international humanitarian law.
Parties to the armed conflict in Ukraine have a responsibility under international humanitarian law to respect the civilian population and other protected persons, civilian objects and infrastructure essential to survival. (This means parties to the armed conflict must respect the four Geneva Conventions of 1949 and the first Additional Protocol of 1977.)
The important legal principles of distinction (distinguish at all times between military objectives and civilian objects) and proportionality (prohibit attacks expected to cause excessive civilian harm) must be respected. These principles also have a direct bearing on cyber operations during armed conflicts in order to protect the civilian population against the effects of such operations.
In addition, the CyberPeace Institute is calling for restraint in the use of cyber operations, as in all other forms of attack.
Harm to civilians from military cyber operations during armed conflict must be avoided. The particular challenge with cyber operations is that, because infrastructure is interconnected and inherently dual-use, and because the impact and unintended consequences of an attack using cyber tools are hard to assess in advance, it is extremely difficult to estimate the potential harm to civilians, and hence to judge whether that harm would be proportionate or excessive in relation to the military objective.