Cyber Incident Victim: System of Electronic Interaction of Executive Bodies
Date:
Feb 2021
Location:
Ukraine
Summary
Ukrainian government websites, particularly in the defense and security sectors, were hit by large-scale DDoS attacks whose traffic originated from networks in Russia. The threat actors also compromised vulnerable government web servers with previously unseen malware and folded them into a botnet that was then used to attack other targets. Automated security systems at internet service providers could additionally blacklist the targeted sites' IP addresses, prolonging outages beyond the attacks themselves.
Description
Beginning on February 18, 2021, Ukrainian government websites, particularly those in the defense and security sectors, experienced sustained distributed denial-of-service (DDoS) attacks. The National Coordination Center for Cybersecurity (NCCC), operating under Ukraine's National Security and Defense Council (NSDC), identified the source of the attacks as threat actors operating from networks within Russia. While Ukrainian authorities did not formally attribute the attacks to the Russian state, they confirmed that the malicious traffic originated from Russian IP addresses. Investigations revealed that the attackers exploited vulnerabilities in government web servers to deploy previously unseen malware. This malware covertly conscripted the infected servers into a botnet controlled by the attackers, repurposing compromised infrastructure to launch additional DDoS strikes against other Ukrainian targets. The NSDC emphasized this chaining of compromises, noting that infected servers were weaponized against domestic resources after the initial compromise.

The attacks rendered multiple government websites intermittently or fully inaccessible, including the site of the Security Service of Ukraine (SBU), which went offline one day after the SBU publicized arrests linked to the Egregor ransomware operation. The NCCC warned that automated security systems at internet service providers might erroneously blacklist the targeted websites' IP addresses, prolonging disruption beyond the active attack periods. Although some security researchers speculated that the DDoS campaign was retaliation for Ukraine's law enforcement action against Egregor, conducted with U.S. and French assistance, this motive remained unconfirmed. Technical analysis focused on the novel malware's role in turning compromised servers into attack infrastructure, while Ukrainian cyber authorities prioritized documenting network forensic evidence and remediating the exploited server vulnerabilities to disrupt the botnet's operation.
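The mechanism described above, a compromised web server being turned into a DDoS source against other targets, has a defender-side check: a host that should only accept connections suddenly starts originating a flood of tiny outbound flows. The following is an added example, not code from the original page nor from the NCCC/NSDC; it runs that check over constructed flow records. The server addresses, the victim addresses (documentation ranges), the record format and the thresholds are all assumptions.

```python
"""
Flag a web server that has been conscripted into a DDoS botnet by looking
at its OUTBOUND traffic profile in flow records.

A host that only serves HTTP(S) initiates very few outbound connections.
One recruited as a DDoS source suddenly originates many short-lived flows
(SYN floods or HTTP floods) toward a small set of external targets.

All addresses and records below are CONSTRUCTED for this example and are
not data from the incident.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float       # seconds since epoch
    src: str
    dst: str
    dport: int
    packets: int
    nbytes: int


# Assumed asset inventory: hosts that should only ACCEPT connections.
SERVERS = {"10.0.5.10", "10.0.5.11"}


def parse_flows(lines):
    """Parse 'ts src dst dport packets bytes' lines into Flow objects."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, pk, by = line.split()
        flows.append(Flow(float(ts), src, dst, int(dport), int(pk), int(by)))
    return flows


def score_outbound(flows, servers, window=60.0):
    """
    For each server, summarise only the flows it ORIGINATED (src == server)
    inside a window of `window` seconds: flow rate, distinct destinations,
    and mean packets per flow. Inbound client traffic is ignored.
    """
    stats = defaultdict(lambda: {"flows": 0, "dsts": set(), "packets": 0})
    for f in flows:
        if f.src in servers:
            s = stats[f.src]
            s["flows"] += 1
            s["dsts"].add(f.dst)
            s["packets"] += f.packets
    return {
        host: {
            "flows_per_min": s["flows"] / (window / 60.0),
            "distinct_dsts": len(s["dsts"]),
            "mean_pkts": s["packets"] / s["flows"],
        }
        for host, s in stats.items()
    }


def flag_bots(summary, max_flows_per_min=300, max_mean_pkts=3):
    """Hosts with flood-like outbound behaviour: high rate of tiny flows."""
    return sorted(
        host for host, s in summary.items()
        if s["flows_per_min"] > max_flows_per_min and s["mean_pkts"] <= max_mean_pkts
    )


def build_sample():
    """Constructed flow records: one healthy server, one recruited into a botnet."""
    lines = ["# ts src dst dport packets bytes (constructed)"]
    # Inbound client traffic to 10.0.5.10; the server is the destination,
    # so these must NOT count against it.
    for i in range(20):
        lines.append(f"{1613600000 + i} 198.51.100.{i + 1} 10.0.5.10 443 12 9000")
    # Benign outbound from 10.0.5.10: a handful of DNS lookups.
    for i in range(5):
        lines.append(f"{1613600000 + i * 10} 10.0.5.10 10.0.0.53 53 2 180")
    # Flood from compromised 10.0.5.11: 500 one-packet flows to two victims.
    for i in range(500):
        victim = "203.0.113.5" if i % 2 == 0 else "203.0.113.9"
        lines.append(f"{1613600000 + i * 0.1:.1f} 10.0.5.11 {victim} 80 1 60")
    return lines


if __name__ == "__main__":
    summary = score_outbound(parse_flows(build_sample()), SERVERS)
    for host, s in summary.items():
        print(host, s)
    print("likely DDoS bots:", flag_bots(summary))
```

The thresholds are deliberately simple; in production the baseline for each server's outbound rate would come from its own history, and the same summary would be fed into a ticketing or blocking workflow rather than printed.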
