Russia-linked cyberattacks on Ukraine: A timeline

Cyber incidents are playing a central role in the Russia-Ukraine conflict. Here's how events are unfolding along with unanswered questions.

It’s been almost six weeks since Russian troops entered Ukraine and the large-scale “cyberwar” expected to accompany the invasion has not yet materialized. Observers and experts have offered many theories about why Russia hasn’t launched a destructive cyberattack on Ukraine yet despite its full capability to do so.

The reasons range from Russia saving its most dangerous cyberattack until the bitter end to the Kremlin’s fear of a devastating Western response. The most intriguing explanation for why Russia hasn’t seemingly unleashed its cyber arsenal is because we’re already in the middle of what Thomas Rid, professor of strategic studies at Johns Hopkins University’s School of Advanced International Studies, calls a secret cyberwar.

The digital cyberwar is playing out in the shadows, Rid argues, with the more apparent cyberattacks taking place to divert attention from the incidents that we’re not supposed to see. Cyberwar has been playing tricks on us, he argues, emerging in the form of seemingly random attacks and then slipping away into the future.

Adding to the haziness of this digital war is the emergence of shadowy hacktivists egged on by the resource-strapped Ukrainian government, which is encouraging amateurs to do their part in helping to defeat Russia. Potentially devastating leaks of unknown origins make black-and-white delineations of digital malfeasance impossible.

Given the growing volume of varied cyber-related incidents in Ukraine, we’ve updated and expanded the scope of what we previously called our timeline of Russia-linked cyberattacks on Ukraine. The updated timeline that follows includes not only incidents that can properly be called cyberattacks, but also hacktivist campaigns and destructive digital incidents spurred by the situation in Ukraine that defy easy categorization.

Timeline on Russia-linked cyber incidents

Given the rapid pace of events surrounding Ukraine, we have updated our timeline of Russia-linked attacks in the country, originally published January 19. The following is a chronological timeline of this year’s developments related to the cyberattacks in Ukraine:

January 11: U.S. releases cybersecurity advisory

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) released a joint Cybersecurity Advisory (CSA) providing an overview of Russian state-sponsored cyber operations, including commonly observed tactics, techniques, and procedures. The advisory also provided detection actions, incident response guidance, and mitigations.

CISA also recommended that network defenders review CISA's Russia Cyber Threat Overview and Advisories page for more information on Russian state-sponsored malicious cyber activity. The agencies seemingly released the CSA as part of an occasional series of joint cybersecurity advisories.

January 13 to 14: Ukrainian websites defaced

Following a breakdown of diplomatic talks between Russia and the West intended to forestall a threatened Russian invasion of Ukraine, hackers launched defacement attacks that brought down dozens of Ukrainian government websites, including those of the Ministry of Foreign Affairs, the Ministry of Education, and others. The hackers posted a message that said, “Be afraid and expect the worst.”

The message also warned Ukrainians that “All your personal data has been sent to a public network. All data on your computer is destroyed and cannot be recovered,” and raised historical grievances between Poland and Ukraine. Ukraine’s State Bureau of Investigations (SBI) press service said that no data were stolen in the attack.

Although Ukraine did not attribute the attacks to Russia definitively, the European Union's chief diplomat Josep Borrell hinted that Russia was the culprit. Serhiy Demedyuk, deputy secretary of Ukraine’s national security and defense council, preliminarily pinned the attacks on a hacker group linked to Belarusian intelligence known as UNC1151. Belarus is a close ally of Russia.

The European Union condemned the attacks and said it stands “ready to provide additional, direct, technical assistance to Ukraine to remediate this attack and further support Ukraine against any destabilizing actions, including by further building up its resilience against hybrid and cyber threats.” NATO Secretary-General Jens Stoltenberg said that his cyber experts in Brussels were exchanging information with their Ukrainian counterparts on the malicious cyber activities and would sign an agreement on enhanced cyber cooperation.

January 14: Russia takes down REvil ransomware group

In what appeared to be a surprise demonstration of U.S.-Russian collaboration, Russia’s FSB domestic intelligence service said that it dismantled the ransomware crime group REvil at the request of the United States in an operation that resulted in the arrest of the group's members. The announcement was made even as the attacks on the Ukrainian websites were underway.

A senior administration official notably stopped short of confirming that the arrests were made at the administration’s request. The official did say they were the product of the “President’s commitment to diplomacy and the channel that he established and the work that has been underway in sharing information and in discussing the need for Russia to take action.”

January 15: Microsoft reveals discovery of malware on Ukrainian websites

Microsoft observed destructive malware disguised as ransomware in systems belonging to dozens of Ukrainian government agencies and organizations that work closely with the Ukrainian government. Microsoft didn’t specify which agencies and organizations were targeted but said they “provide critical executive branch or emergency response functions,” as well as an IT firm that manages websites for public and private sector clients, including government agencies whose websites were recently defaced.

If activated by the attacker, the wiper malware would render the infected computer system inoperable. Microsoft’s Threat Intelligence Center (MSTIC) issued a technical post outlining the malware, saying that while designed to look like ransomware, it lacked a ransom recovery mechanism, was intended to be destructive, and was built to render targeted devices inoperable rather than to obtain a ransom.

MSTIC found no notable associations between the observed activity, tracked as DEV-0586, and other known activity groups. Microsoft has implemented protections to detect this malware family, known as WhisperGate, via Microsoft Defender Antivirus and Microsoft Defender for Endpoint.

January 16: Ukraine blames Russia for attack on Ukrainian websites

Ukraine’s Ministry of Digital Transformation said that all the evidence pointed to Russia being behind the defacement attacks on Ukraine’s government websites. “The latest cyberattack is one of the manifestations of Russia's hybrid war against Ukraine, which has been going on since 2014,” the ministry said.

January 18: Data wiped at Ukrainian government agencies

According to the Ukrainian government and other individuals familiar with the incident, several Ukrainian government agencies had their data wiped in a cyberattack coordinated with the defacement attacks against government agency websites. The Ukrainian government said that it believed Russia was responsible.

January 23: DHS issues bulletin for critical infrastructure operators

The Department of Homeland Security sent an intelligence bulletin to critical infrastructure operators and state and local governments warning that Russia would consider conducting a cyberattack on the U.S. homeland if Moscow perceived that a U.S. or NATO response to a potential Russian invasion of Ukraine "threatened [Russia's] long-term national security.”

February 15: Ukraine's defense ministry hit by DDoS attack

The State Service of Special Communications and Information Protection of Ukraine (SSSCIP) confirmed that a distributed denial of service (DDoS) attack hit the websites of Ukraine's defense ministry and armed forces, as well as the websites of two Ukrainian banks.

February 15: Declassified intelligence reveals Russian presence in critical Ukrainian networks

Newly declassified intelligence showed that Russian government hackers had likely penetrated Ukrainian military, energy, and other critical computer networks to collect intelligence and to position themselves to potentially disrupt those systems should Russia launch a military assault on Ukraine.

February 16: U.S. agencies issue joint Cybersecurity Advisory

CISA, along with the FBI and the NSA, issued a joint Cybersecurity Advisory titled, “Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology.” CISA said that compromised entities have included cleared defense contractors (CDCs) supporting the U.S. Army, U.S. Air Force, U.S. Navy, U.S. Space Force, and Intelligence Community programs over the last two years.

February 18: CISA releases guidance regarding the Russia-Ukraine conflict

In the face of ongoing Russia-Ukraine geopolitical tensions, CISA released a new CISA Insight, Preparing for and Mitigating Foreign Influence Operations Targeting Critical Infrastructure, which provides critical infrastructure owners and operators with guidance on how to identify and mitigate the risks of influence operations that use mis-, dis-, and malinformation (MDM) narratives. 

February 18: U.S. attributes February DDoS attack to Russia's GRU

In an unprecedented development, the U.S. publicly attributed the February DDoS attacks against Ukraine’s defense ministry and major banks to Russian GRU military intelligence officers. The attribution came only a few days after the attacks, whereas the process usually takes months or even years. The Biden administration’s deputy national security adviser for cyber and emerging technologies, Anne Neuberger, announced the attribution at a White House press briefing, saying that the U.S. moved swiftly to “call out the behavior” in the hope of averting an invasion of Ukraine.

February 22: FBI warns U.S. businesses of potential for ransomware attacks

In a phone call with private executives and state and local officials, senior FBI cyber official David Ring asked U.S. businesses and local governments to be mindful of the potential for ransomware attacks as the crisis between the Kremlin and Ukraine deepened.

February 23: New form of destructive malware discovered in Ukrainian networks

Researchers from ESET and Symantec reported that a new form of destructive malware called HermeticWiper, which can delete or corrupt data on a targeted computer or network, had been seen spreading in Ukraine. Symantec also said that the wiper had been detected in Latvia, Lithuania and Ukraine, and that targets included financial organizations and government contractors.

February 23: Ukrainian banking and government websites hit by DDoS attack

A second round of DDoS attacks took down Ukrainian government and banking websites. Mykhailo Fedorov, Ukraine’s digital transformation minister, confirmed that a sizeable DDoS attack affected the stability of several government websites, some Ukrainian banks, and websites related to Ukraine’s parliament.

February 24: President Biden warns of risks to U.S. businesses, critical infrastructure

President Biden said during remarks on Russia’s invasion of Ukraine that "If Russia pursues cyberattacks against our companies, our critical infrastructure, we are prepared to respond.” Biden added that “For months, we've been working closely with the private sector to harden our cyber defenses, sharpen our ability to respond to Russian cyberattacks as well.”

February 24: Russian websites, critical information infrastructure hit by cyberattacks

The Russian government’s National Computer Incident Response and Coordination Center warned of “the threat of an increase in the intensity of computer attacks on Russian information resources, including critical information infrastructure (CII).” The warning follows numerous reports of outages on official Russian government websites, including the website of the Kremlin itself.

February 24: Viasat cyberattack impacts broadband service in Ukraine, across Europe

Viasat, one of the world’s largest commercial satellite companies, was hit with a multifaceted and deliberate cyberattack against its KA-SAT network that resulted in a partial interruption of KA-SAT’s consumer-oriented satellite broadband service. The attack impacted several thousand customers located in Ukraine and tens of thousands of other fixed broadband customers across Europe.

February 26: Ukrainian officials urge civilians to join the Ukraine IT Army

Ukrainian officials supported a campaign to attract civilian developers and hackers into what they called the IT Army of Ukraine. The “army” almost immediately signed up 184,000 users on its main Telegram channel.

March 2: Microsoft warns of continued wiper attacks

In a blog update, Microsoft warned that the group behind the HermeticWiper attacks in February was still active, implying that it had observed other attacks that were not disclosed.

March 2: Russian government posts lists of IP addresses and domains allegedly involved in DDoS attacks against Russian targets
