Today is Ukraine Independence day. It's also the six-month anniversary of the official launch of Russia's invasion into Ukraine, with no clear end to the aggression in sight. Despite the widespread fears of cyber war at the outset of the invasion, no highly damaging incidents such as crippling attacks on Ukraine's power grid have yet occurred.
As our updated timeline shows, however, the invasion did begin on February 24 with a disturbing assault on Ukraine's communications capabilities via an attack on satellite provider Viasat, attributed to Russia's GRU intelligence arm. Since then, a spate of digital disruptions by Russia, and digital defenses by Ukraine and its allies, point to a steady drumbeat of mostly low-level but persistent and robust cyber assaults.
Once the kinetic war against Ukraine ends, an accurate picture of cyber damage in Ukraine and surrounding areas will no doubt emerge. Victor Zhora, the deputy head of Ukraine's State Service of Special Communications and Information Protection (SSSCIP), has already declared Russia to be the perpetrator of "cyber war crimes" and is calling for prosecutions in the International Criminal Court (ICC).
[Editor’s note: This article, originally published on January 19, 2022, has been updated to reflect recent events.]
Timeline on Russia-linked cyber incidents
The following is a chronological timeline of this year's developments related to the cyberattacks in Ukraine:
January 11: U.S. releases cybersecurity advisory
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) released a joint Cybersecurity Advisory (CSA) providing an overview of Russian state-sponsored cyber operations including commonly observed tactics, techniques, and procedures. The advisory also provided detection actions, incident response guidance, and mitigations.
CISA also recommended that network defenders review CISA's Russia Cyber Threat Overview and Advisories page for more information on Russian state-sponsored malicious cyber activity. The agencies seemingly released the CSA as part of an occasional series of joint cybersecurity advisories.
January 13 to 14: Ukrainian websites defaced
Following a breakdown of diplomatic talks between Russia and the West intended to forestall a threatened Russian invasion of Ukraine, hackers launched defacement attacks that brought down dozens of Ukrainian government websites, including the Ministry of Foreign Affairs, the Ministry of Education, and others. The hackers posted a message that said, "Be afraid and expect the worst."
The message also warned Ukrainians, "All your personal data has been sent to a public network. All data on your computer is destroyed and cannot be recovered," and raised historical grievances between Poland and Ukraine. Ukraine's State Bureau of Investigations (SBI) press service said that no data were stolen in the attack.
Although Ukraine did not attribute the attacks to Russia definitively, the European Union's chief diplomat Josep Borrell hinted that Russia was the culprit. Serhiy Demedyuk, deputy secretary of Ukraine's national security and defense council, preliminarily pinned the attacks on a hacker group linked to Belarusian intelligence known as UNC1151. Belarus is a close ally of Russia.
The European Union condemned the attacks and said it stands "ready to provide additional, direct, technical assistance to Ukraine to remediate this attack and further support Ukraine against any destabilizing actions, including by further building up its resilience against hybrid and cyber threats." NATO Secretary-General Jens Stoltenberg said that his cyber experts in Brussels were exchanging information with their Ukrainian counterparts on the malicious cyber activities and would sign an agreement on enhanced cyber cooperation.
January 14: Russia takes down REvil ransomware group
In what appeared to be a surprise demonstration of U.S.-Russian collaboration, Russia's FSB domestic intelligence service said that it dismantled ransomware crime group REvil at the request of the United States in an operation that resulted in the arrest of the group's members. The announcement was made even as the attacks on the Ukraine websites were underway.
A senior administration official stopped short of confirming that the arrests were made at the administration's request. Instead, the official said they were the product of the "President's commitment to diplomacy and the channel that he established and the work that has been underway in sharing information and discussing the need for Russia to take action."
January 15: Microsoft reveals the discovery of malware on Ukrainian websites
Microsoft observed destructive malware disguised as ransomware in systems belonging to dozens of Ukrainian government agencies and organizations that work closely with the Ukrainian government. Microsoft didn't specify which agencies and organizations were targeted but said they "provide critical executive branch or emergency response functions," as well as an IT firm that manages websites for public and private sector clients, including government agencies whose websites were recently defaced.
If activated by the attacker, the wiper malware would render the infected computer system inoperable. Microsoft's Threat Intelligence Center (MSTIC) issued a technical post outlining the malware, saying that while designed to look like ransomware, it lacked a ransom recovery mechanism, was intended to be destructive, and was built to render targeted devices inoperable rather than to obtain a ransom.
MSTIC found no notable associations between the observed activity, tracked as DEV-0586, and other known activity groups. Microsoft has implemented protections to detect this malware family, known as WhisperGate, via Microsoft Defender Antivirus and Microsoft Defender for Endpoint.
January 16: Ukraine blames Russia for attack on Ukrainian websites
Ukraine's Ministry of Digital Transformation said that all the evidence pointed to the fact that Russia is behind the defacement attacks on Ukraine's government websites. "The latest cyberattack is one of the manifestations of Russia's hybrid war against Ukraine, which has been going on since 2014," the ministry said.
January 18: Data wiped at Ukrainian government agencies
According to the Ukrainian government and other individuals familiar with the incident, several Ukrainian government agencies had their data wiped in a cyberattack coordinated with defacement attacks against government agency websites. The Ukrainian government said that it believed Russia was responsible.
January 23: DHS issues bulletin for critical infrastructure operators
The U.S. Department of Homeland Security (DHS) sent an intelligence bulletin to critical infrastructure operators and state and local governments warning that Russia would consider conducting a cyberattack on the U.S. homeland if Moscow perceived that a U.S. or NATO response to a potential Russian invasion of Ukraine "threatened [Russia's] long-term national security."
February 14: Critical infrastructure in Odesa compromised
In its first special report on cyber activity in Ukraine, published on April 27, Microsoft said that Odesa-based critical infrastructure was compromised by likely Russian actors.
February 15: Ukraine's defense ministry hit by DDoS attack
Ukraine's State Service of Special Communications and Information Protection (SSSCIP) confirmed that a distributed denial of service (DDoS) attack hit the websites of Ukraine's defense ministry and armed forces and the websites of two Ukrainian banks.
February 15: Declassified intelligence reveals Russian presence in critical Ukrainian networks
Newly declassified intelligence showed that Russian government hackers likely penetrated Ukrainian military, energy, and other critical computer networks to collect intelligence and position themselves potentially to disrupt those systems should Russia launch a military assault on Ukraine.
February 16: U.S. agencies issue joint Cybersecurity Advisory
CISA, the FBI, and the NSA issued a joint Cybersecurity Advisory titled, "Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology." CISA said compromised entities have included cleared defense contractors (CDCs) supporting the U.S. Army, U.S. Air Force, U.S. Navy, U.S. Space Force, and Intelligence Community programs over the last two years.
February 17: Russian actors found present on critical infrastructure in Sumy
In its first special report on cyber activity in Ukraine, published on April 27, Microsoft said that suspected Russian actors were present on critical infrastructure networks in Sumy.
February 18: CISA releases guidance regarding the Russia-Ukraine conflict
In the face of ongoing Russia-Ukraine geopolitical tensions, CISA released a new CISA Insight, Preparing for and Mitigating Foreign Influence Operations Targeting Critical Infrastructure, which provides critical infrastructure owners and operators with guidance on how to identify and mitigate the risks of influence operations that use mis-, dis-, and mal-information (MDM) narratives.
February 18: U.S. attributes February DDoS attack to Russia's GRU
In an unprecedented development, the U.S. publicly attributed the February DDoS attacks against Ukraine's defense ministry and significant banks to Russian GRU military intelligence officers. This attribution came only a few days after the attacks, whereas public attribution usually takes months or even years. The Biden administration's deputy national security adviser for cyber and emerging technologies, Anne Neuberger, announced the attribution at a White House press briefing, saying that the U.S. moved swiftly to "call out the behavior" in the hopes of averting an invasion of Ukraine.
February 22: FBI warns U.S. businesses of potential for ransomware attacks
In a phone call with private executives and state and local officials, senior FBI cyber official David Ring asked U.S. businesses and local governments to be mindful of the potential for ransomware attacks as the crisis between the Kremlin and Ukraine deepened.
February 23: New form of destructive malware discovered in Ukrainian networks
Researchers from ESET and Symantec reported that a new form of destructive malware called HermeticWiper, which can delete or corrupt data on a targeted computer or network, had been seen spreading in Ukraine. Symantec also said that the wiper had been detected in Latvia, Lithuania, and Ukraine and that targets included financial organizations and government contractors.
February 23: Ukrainian banking and government websites hit by DDoS attack
A second round of DDoS attacks took down Ukrainian government and banking websites. Mykhailo Fedorov, Ukraine's digital transformation minister, confirmed that a sizeable DDoS attack affected the stability of several government websites, some Ukrainian banks, and websites related to Ukraine's parliament.
February 24: President Biden warns of risks to U.S. businesses, critical infrastructure
President Biden said during remarks on Russia's invasion of Ukraine that "If Russia pursues cyberattacks against our companies, our critical infrastructure, we are prepared to respond." Biden added that "For months, we've been working closely with the private sector to harden our cyber defenses, sharpen our ability to respond to Russian cyberattacks as well."
February 24: Russian websites, critical information infrastructure hit by cyberattacks
The Russian government's National Computer Incident Response and Coordination Center warned of "the threat of an increase in the intensity of computer attacks on Russian information resources, including critical information infrastructure (CII)." The warning follows numerous reports of outages on official Russian government websites, including the website of the Kremlin itself.
February 24: Viasat cyberattack impacts broadband service in Ukraine, across Europe
One of the world's largest commercial satellite companies, Viasat, was hit with a multifaceted and deliberate cyberattack against its KA-SAT network that partially interrupted KA-SAT's consumer-oriented satellite broadband service. The attack impacted several thousand customers in Ukraine and tens of thousands of other fixed broadband customers across Europe.
February 26: Ukrainian officials urge civilians to join the Ukraine IT Army
Ukrainian officials supported a campaign to attract civilian developers and hackers into what they called the IT Army of Ukraine. The "army" almost immediately signed up 184,000 users on its main Telegram channel.
February 28: Kyiv-based media company compromised
In its first special report on cyber activity in Ukraine, published on April 27, Microsoft said that a threat actor compromised a Kyiv-based media company.
March 1: Kyiv media companies faced destructive attacks and data exfiltration
In its first special report on cyber activity in Ukraine, published on April 27, Microsoft said that Kyiv-based media companies faced destructive attacks and data exfiltration.
March 2: Microsoft warns of continued wiper attacks
In a blog update, Microsoft warned that the group behind the HermeticWiper attacks in February was still active, implying that it had observed other attacks that were not disclosed.