Digital attacks in Ukraine: A Timeline

Microsoft issued a report containing details about Russian cyberattacks observed during the war between Russia and Ukraine. Since the Russian invasion, Microsoft has observed over 200 cyberattacks against Ukrainian organisations and individuals. A number of these attacks appeared to be coordinated with kinetic military operations, according to Microsoft. The report, which includes a detailed timeline of the Russian cyberattacks, was released in order to help boost the resilience of organisations including critical providers and central government.

After introducing a new postage stamp, Ukraine’s national postal service, Ukrposhta, was hit by a DDoS attack. The stamp shows a Ukrainian soldier making an offensive gesture to the Russian warship Moskva, which has since sunk.

On the CISA website, the United States, Australia, New Zealand, Canada and the United Kingdom posted a joint warning regarding cyber activity by Russian criminal and state actors aimed at critical infrastructure. This activity may be a form of retaliation for the sanctions imposed on Russia and the material support provided to Ukraine by the Western allies and partners.

Shuckworm (aka Gamaredon and Armageddon), a malicious actor linked to Russia, continues to target organisations in Ukraine. For this purpose it uses various versions of the malware Backdoor.Pterodo. The frequency of the attacks means that it remains one of the main cyber threats facing organisations in the region.

CERT-UA issued a warning about phishing emails that claim to originate from them, with the subject heading ‘Srochno!’ (urgent). The emails, which target Ukrainian organisations, include an .xls attachment which contains a macro. When the macro is activated, it downloads and runs a file that infects the computer with Cobalt Strike Beacon malware.

The activist hacker group KillNet carried out DDoS attacks on various websites belonging to airports, government bodies and transport organisations in Europe. These attacks rendered the sites of some organisations temporarily unavailable.

Analysing an attack on a Ukrainian energy company, cybersecurity firm ESET and the Ukrainian CERT-UA discover new malware, Industroyer2, which targets industrial control systems (ICS). Other pieces of malware, including various wipers, were also used in the attack. For more details about this malware, you can visit the ESET and CERT-UA websites. According to ESET and CERT-UA, the attack was successfully averted.

A denial-of-service attack rendered the websites of the Finnish ministries of Defence and Foreign Affairs temporarily unavailable. The attack started around noon, as Ukraine’s President Zelenskyy was addressing the Finnish parliament.

Microsoft announces that it has been able to disrupt cyberattacks targeting Ukraine. These attacks were launched by Strontium, a Russian state actor with ties to the intelligence service GRU. Strontium was attempting to compromise Ukrainian government institutions and media organisations and was also targeting EU and US government agencies and foreign policy think tanks. In order to gain access to the victims, Strontium used seven malicious internet domains.

CERT-UA reports the discovery of various malicious files that could be used in a spear-phishing attack. The files had English names and were targeting a government organisation in Latvia. CERT-UA has attributed this attack to UAC-0010 (Armageddon).

The same day, CERT-UA also reports that Ukrainian government organisations have been targeted by Armageddon, once again via a spear-phishing attack. Targets received malicious files that purported to contain personal details of suspected war criminals.

Google publishes a blog post about the Russian-based threat actor COLDRIVER, alleged to have launched phishing campaigns against various targets, including a NATO department. Google has no evidence that these attempts were successful. The group has been active since 2015 and has in the past attacked various targets such as ministries, NGOs and journalists.  

Due to a major distributed denial-of-service (DDoS) attack on the Ukrainian internet service provider Ukrtelecom, services are temporarily unavailable to its clients.

A Russian internet provider launches a brief BGP hijack of Twitter’s address space. The BGP announcement had little effect in the end because Twitter’s BGP announcements are RPKI-protected.

Three Russian spies spent five years targeting energy infrastructure in 135 countries, in an effort to enable the Russian government to gain remote control of power plants, the US Department of Justice alleged in an indictment unsealed on Thursday.

On Twitter hacking group Anonymous calls upon businesses to withdraw from Russia, giving them 48 hours to do so, otherwise they will be targeted by Anonymous. The group has previously published details of Russian companies.

CERT-UA reports new wiper malware known as Double Zero, which is spread through .zip files.

American president Joe Biden warns businesses in his country about potential Russian cyberattacks, including as a response to sanctions imposed by the West against Russia.

CERT-UA warns of attacks by InvisiMole, a hacking group with ties to the Russian advanced persistent threat (APT) group Gamaredon.

Hacking group Anonymous warns Western companies to sever ties with Russia and threatens targeted actions.

Security Affairs posts about a destructive Node-IPC package (malware attack) targeting organisations in Russia and Belarus.

Ukraine’s Computer Emergency Response Team (CERT-UA) reports a phishing campaign in which mass mailings are sent out in the name of the Ukrainian government. The attacks are being launched with the use of Cobalt Strike, GrimPlant and GraphSteel.

ESET researchers in Ukraine have also discovered new wiper malware with the name Caddywiper. Wiper malware presents itself as ransomware, but the affected systems or files cannot be recovered.

Anonymous leaks 20 terabytes of data following a cyberattack on the German subsidiary of the Russian oil company, Rosneft. In response, the German intelligence service, BSI, has issued a warning to vital sectors.

Der Spiegel reports that Germany’s Federal Office for Information Security (BSI), a division of the German Federal Ministry of the Interior and Community, is warning of a cyberattack, which is expected to target critical infrastructure. This is in retaliation for the help offered to Ukraine by Germany since the beginning of the war.

The Security Service of Ukraine, SSU, reports that hackers have posted messages of surrender on local government websites. The SSU announces on Twitter that this is disinformation and urges people to ignore the messages. The Ukrainian ambassador to the United Kingdom also tweets that the official website and email were not working because of cyberattacks.

The Ukrainian government urges tech companies to sever their business ties to Russia. Various tech companies stop providing some or all services to Russia. Cybersecurity firm Proofpoint reports a spear-phishing campaign by various state actors targeting European government organisations. The campaign appears to be an attempt by threat actors to obtain information regarding the reception and migration of Ukrainian refugees.

Wordfence researchers report hacks of numerous Ukrainian university websites coinciding with the start of the invasion. Wordfence attributes the attacks to a group known as ‘theMxOnday’. The group has openly expressed support Russia in its conflict with Ukraine.

The Belarussian Cyber-Partisans claimed that they conducted a cyber attack on the railways in Belarus, to obstruct the Russian transfer of troops. A recent overview of cyber groups that have mingled in the war, including state actors such as Sandworm, can be found here.

Taking the latest developments into consideration, the NCSC has published a perspective for action and threat-specific measures.

At this moment, there have been no observations of digital attacks on the Netherlands or its interests.

Ransomware rival Lockbit, in contrast,reported that it remains neutral in the war and is exclusively motivated by financial purposes.

The Ukrainian minister of Digital Transformation called for hackers worldwide to align with an “Ukrainian IT army”.

Ransomware-group Conti declared in a public statement to align itself with Russia. To support Russia, Conti threatens with attacks on critical infrastructure of countries opposing Russia.

After the invasion of Russian troops in Ukraine various non-state actors have mingled in the conflict. Already on the same evening, hackers-collective Anonymous declared the war on Russia. Volunteers connected to this collective then claimed to have taken down various Russian government- and media websites through DDoS-attacks. It was also claimed that sensitive data from the Russian Ministry of Defense was obtained. These claims cannot always be verified, which could cause uncertainty and confusion.

Various parties reported a new wiper malware that they had observed in Ukrainian systems. Among others, ESET, Symantec and SentielOne published their analyses. The malware has been called HermeticWiper. There are functional similarities with the earlier observed WhisperGate wiper campaign of January 13th and 14th. The goal of the new wiper is to corrupt new documents and to prevent the startup of computer systems. This new malware seems to operate more thoroughly than the wiper malware used in the previous campaign. Thus far, there have been no indications that this new wiper has any functionality that could lead to a worm through which the network-coupled systems could be infected.

The Ukrainian CERT-UA published a website report on malicious activities that they related to the actor Buhtrap. The malware campaigns would have been intended to acquire a position in the computer network of the victim. On February 23rd, severe DDoS-attacks were carried out on Ukrainian targets. Various government websites have been temporarily limited or fully unavailable. Among others, the websites of various ministries targeted. Simultaneously, multiple phishing campaigns were reported.

Various cyber-attacks were conducted on different targets in Ukraine. Among others, DDoS-attacks (Distributed Denial of Service) were reported that target the capacity of online services or the supporting servers and network equipment. The Ministry of Defense and two national banks in Ukraine were hit.

Another texting-campaign took place, that reported that ATMs were having a technical malfunction. Official authorities in Ukraine reported that this was disinformation. There would have been no existence of such malfunctions. At this moment, the NSCS has no concrete clues that targeted attacks on organizations in the Netherlands are related to the current situation in Ukraine.

CERT Ukraine (CERT UA) published part of the research on both the defacements as well as the attack with malware. In this research, large similarities were detected between the Whispergate-malware and WhiteBlackCrypt ransomware. These similarities would indicate that it was the intention of the attacker to prevent that Ukraine itself was behind the cyber-attacks.

Microsoft published a blog on the Whisptergate-malware (also called Whisperkill) that had been deployed against various (governmental)organizations in Ukraine. Whispergate is a wiperware that pretends to be ransomware, but lacks any possibility to recover affected systems or documents, which means that documents are effectively erased or that the operating system becomes out of commission. In contrast to the NotPetya-wiper, that had a worldwide impact in 2017, the Whispergate-malware does not consist of the possibility to spread itself without a human intermediary. As a result, the observed Whispergate-malware forms a significantly lower risk for the Netherlands.

The Ukrainian security service SSU published a statement about an attack on the websites of various governmental actors. The messages that were published on the websites reported in threatening language in Polish, Ukrainian and Russian that personal data of Ukrainian citizens had been stolen and that citizens should “prepare for the worst”. These kind of attacks where a website is being daubed are also called ‘defacements’. In a subsequent statement by the SSU, it became evident that there had most likely been a supply chain attack on the supplier who maintained the websites, possibly in combination with a vulnerability in OctoberrCMS (CVE-2021-32648) and Log4j. The supplier had elevated permissions in the environment so that websites could be modified.

After the large attacks the national CERT of Ukraine issued multiple warnings for other campaigns that target governmental agencies. Moreover, several cybersecurity companies published a research following the cyber-attacks in Ukraine. For instance, Palo Alto Networks Unit42, Symantec and Microsoft conducted a research on the activities of Gamaredon, also known as ACTINIUM. Thus far, the activities of Gamaredon have not been related to the cyber-attacks of January the 14th. Gamaredon is a well-known actor that thus far has focused on Ukrainian targets.