Cyber Incident Victim: Ministry of Foreign Affairs of Ukraine
Date: Jan 2022
Location: Ukraine
Summary
Multiple Ukrainian government websites, including the Ministry of Foreign Affairs, were compromised and defaced with messages falsely claiming citizen data had been stolen, prompting authorities to take affected sites offline for restoration. The attackers exploited a critical vulnerability in an outdated content management system (CVE-2021-32648) to gain unauthorized access, though Ukrainian cyber-police confirmed no actual data breach occurred. Defacement warnings appeared in Ukrainian, Russian, and Polish, with linguistic errors suggesting potential foreign involvement, while researchers noted possible links to a Belarus-associated threat group. Ukrainian officials emphasized ongoing investigations into the incident amid heightened regional tensions.
Description
On January 14, 2022, multiple Ukrainian government websites were compromised and defaced, including those of the Ministry of Foreign Affairs, the ministries of agriculture, education and science, security and defense, and the cabinet of ministers’ online portal. At least 15 public institution websites displayed unauthorized messages in Ukrainian, Russian, and Polish, falsely claiming that all citizen data uploaded to the public network had been compromised. The defacements prompted Ukrainian authorities to take affected websites offline for restoration, with some remaining inaccessible during recovery efforts. Ukrainian cyber-police swiftly refuted the data breach claims, confirming no personal data was compromised. Initial analysis indicated attackers exploited CVE-2021-32648, a critical authentication bypass vulnerability in outdated versions of October CMS, which enabled unauthorized password resets and system access.

The incident coincided with heightened Ukraine-Russia geopolitical tensions, though no definitive attribution was established. Investigators noted grammatical errors in defacement messages, suggesting potential use of automated translation tools like Yandex or possible Russian involvement. Concurrently, Poland’s Ministry of National Defense reported breaches of military databases, potentially linked to the same campaign. Ukrainian authorities emphasized ongoing forensic work to identify perpetrators, with researchers speculating about ties to the Belarus-aligned GhostWriter APT group. In a separate but temporally proximate action, Ukrainian cyber-police arrested a ransomware gang unrelated to the website defacements. Restoration efforts prioritized returning services to operational status while maintaining public assurances regarding data integrity. No further technical specifics or actor identities were disclosed by Ukrainian officials at the time.
