Date: May 2014

Location: Ukraine

Summary

A cyberattack targeting Ukraine's Central Election Commission during presidential elections deployed multiple disruptive methods, including infiltration of central election computers to delete critical files, nearly causing systemic failure. Hackers, identified as the pro-Russia group CyberBerkut, later attempted to covertly install malware designed to falsify results by showing a fringe candidate winning overwhelmingly, which aligned with a coinciding false report broadcast by Russian state media. The attack also involved distributed denial-of-service (DDoS) assaults during vote tallying, temporarily blocking result transmissions. Ukrainian authorities mitigated the incidents by restoring systems from backups, removing the malicious software shortly before results were published, and arresting suspects allegedly linked to Russian internet resources. While the election's integrity was preserved, the attacks aimed to discredit the process by manipulating outcomes to fuel destabilizing narratives, particularly within Russian-aligned regions. Officials attributed the operation to external actors, implying Russian involvement.


Description

The cyber incident targeting Ukraine's Central Election Commission (CEC) unfolded in three distinct phases during the May 2014 presidential election.

Four days prior to the May 25 vote, the pro-Russia hacker group CyberBerkut infiltrated the CEC's computer systems and deleted critical files, rendering the vote-tallying infrastructure inoperable. On May 23 the hackers publicly claimed to have "destroyed the computer network infrastructure," leaking stolen emails and documents as evidence. Ukrainian officials restored the system from backups within 24 hours.

At 7:20 PM on election night, 40 minutes before the scheduled televised results, cybersecurity personnel discovered and removed malware covertly installed on CEC computers. The malware was programmed to falsify results by showing ultranationalist candidate Dmytro Yarosh winning 37% of votes (versus his actual 1%) while reducing eventual winner Petro Poroshenko's tally to 29%. Russian state television Channel One broadcast these fabricated figures that evening.

After polls closed, between 1:00 and 3:00 AM on May 26, distributed denial-of-service (DDoS) attacks flooded CEC internet connections with fake data packets, temporarily blocking result transmissions. Security firm Arbor Networks later attributed this DDoS campaign to CyberBerkut. Ukrainian authorities arrested unidentified individuals in connection with the attacks, alleging Russian involvement in malware development and hosting.

The attacks sought to undermine electoral credibility through multiple vectors. The initial system deletion aimed to disrupt election administration, while the pre-programmed malware attempted to generate fraudulent outcomes matching Russian media narratives about ultranationalist influence. Had the virus succeeded, officials warned, it could have provoked unrest in eastern Ukraine's Russian-speaking regions and justified potential military intervention. The DDoS attacks delayed final tallies but did not alter results. International observers ultimately validated the election's legitimacy, crediting Ukraine's paper ballot backups and rapid incident response. U.S. officials including Assistant Secretary of State Victoria Nuland acknowledged "cyber-attacks requiring outside support," while former Congressman Mark Green cited intelligence about a "failed Russian cyber-attack." Ukrainian cybersecurity chief Volodymyr Zverev publicly attributed the malware to Russian internet resources. Despite these allegations, some experts, such as security researcher Joseph Kiniry, noted that there was insufficient evidence to conclusively prove state sponsorship of the results-manipulation attempt. The incident demonstrated sophisticated coordination across intrusion, data destruction, disinformation, and disruption tactics against electoral infrastructure.
