Cyber Incident Victim: Cabinet of Ministers of Ukraine

Date: Jan 2022

Location: Ukraine

Summary

Multiple Ukrainian government websites, including the Cabinet of Ministers portal, were compromised and defaced, forcing temporary takedowns. The attackers exploited CVE-2021-32648, a critical password-reset vulnerability in outdated October CMS software, to post messages in Ukrainian, Russian and Polish falsely claiming that citizen data had been breached; authorities confirmed that no personal information was compromised. The incident may also have been connected to reported breaches of Polish military databases. Linguistic errors in the messages pointed to machine translation and foreign authorship, and researchers linked the activity to the Belarus-aligned GhostWriter group against a backdrop of regional tensions. Ukrainian cyber-police and IT teams restored services while investigating the attack's origins and broader implications.

Description

On January 14, 2022, multiple Ukrainian government websites were compromised and defaced, including those of the Ministry of Foreign Affairs, Ministry of Agriculture, Ministry of Education and Science, Ministry of Security and Defense, and the Cabinet of Ministers' online portal; at least 15 public-institution websites were affected. The attackers replaced site content with messages in Ukrainian, Russian, and Polish falsely claiming that all citizen data uploaded to Ukraine's public networks had been compromised. Ukrainian cyber-police quickly confirmed that no personal data had actually been breached and denounced the warnings as disinformation. The intrusion vector identified by Ukrainian authorities was CVE-2021-32648, a critical vulnerability in outdated October CMS software that let an attacker reset account passwords without authorization; a patched release was already available at the time, and taking over an administrative CMS account in this way is sufficient to replace published page content. IT teams took the affected websites offline for restoration, and some remained inaccessible during the initial recovery effort.
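As an added triage example for this page (not code from the page, from October CMS, or an analysis of CVE-2021-32648's internals), the Python below does the two checks an incident responder would run first on a site described this way: whether the installed october/system package predates the fixed releases, and which source addresses submitted a backend password reset without first requesting a reset link. The fixed version numbers, the /backend auth route paths and the combined access-log format are assumptions marked in the code; the lockfile and log lines are constructed, not real data.

```python
"""Triage helpers for an October CMS install after suspected password-reset abuse.

Added example: not code from the page, from October CMS, or an analysis of
CVE-2021-32648 itself. External details it relies on are marked ASSUMPTION;
the sample inputs are constructed.
"""
import json
import re
from collections import Counter

# ASSUMPTION: october/system versions carrying the fix for CVE-2021-32648,
# as recalled from the upstream advisory (1.0 branch fixed in 1.0.472,
# 1.1 branch in 1.1.5). Confirm against the advisory before acting on this.
FIXED_BY_BRANCH = {(1, 0): (1, 0, 472), (1, 1): (1, 1, 5)}


def parse_version(text):
    """'v1.1.4' -> (1, 1, 4). Expects the numeric dotted form composer.lock uses."""
    return tuple(int(p) for p in text.lstrip("v").split(".")[:3])


def october_system_vulnerable(composer_lock_text):
    """Look up october/system in composer.lock text.

    Returns (version, True) when the version predates the fixed release for
    its branch, (version, False) when it is at or past it, (version, None)
    when the branch is not in the table, and (None, None) if the package is absent.
    """
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "october/system":
            version = pkg["version"]
            parsed = parse_version(version)
            fixed = FIXED_BY_BRANCH.get(parsed[:2])
            return version, (None if fixed is None else parsed < fixed)
    return None, None


# Apache/nginx combined log format; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# ASSUMPTION: default backend URI prefix and auth routes of October CMS 1.x.
# A legitimate reset starts with a POST to /backend/auth/restore (ask for a
# reset link) and ends with a POST to /backend/auth/reset/{userId}/{code}.
RESTORE_PATH = "/backend/auth/restore"
RESET_RE = re.compile(r"^/backend/auth/reset/\d+/")


def hunt_reset_activity(log_text):
    """For each source IP that submitted a password reset: how many reset-link
    requests it made, how many other POSTs it sent to the backend, and a
    'suspicious' flag when the reset was submitted without any reset-link
    request from that IP. That is the first pattern to review, since a normal
    admin triggers the restore step before following the reset link."""
    per_ip = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        counts = per_ip.setdefault(m["ip"], Counter())
        path = m["path"].split("?", 1)[0]
        if path == RESTORE_PATH:
            counts["restore"] += 1
        elif RESET_RE.match(path):
            counts["reset"] += 1
        elif path.startswith("/backend"):
            counts["backend_post"] += 1
    findings = []
    for ip, c in sorted(per_ip.items()):
        if c["reset"]:
            findings.append({
                "ip": ip,
                "restore": c["restore"],
                "reset": c["reset"],
                "backend_post": c["backend_post"],
                "suspicious": c["restore"] == 0,
            })
    return findings


# Constructed sample inputs (not a real lockfile or real logs).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "october/rain", "version": "v1.1.3"},
    {"name": "october/system", "version": "v1.1.4"},
]})

SAMPLE_LOG = """\
203.0.113.7 - - [13/Jan/2022:23:58:09 +0200] "POST /backend/auth/reset/1/4f3c9a HTTP/1.1" 302 512 "-" "curl/7.68.0"
203.0.113.7 - - [13/Jan/2022:23:58:15 +0200] "POST /backend/auth/signin HTTP/1.1" 302 0 "-" "curl/7.68.0"
203.0.113.7 - - [13/Jan/2022:23:59:40 +0200] "POST /backend/cms/index HTTP/1.1" 200 3112 "-" "curl/7.68.0"
192.0.2.25 - - [14/Jan/2022:08:10:02 +0200] "POST /backend/auth/restore HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.25 - - [14/Jan/2022:08:12:31 +0200] "POST /backend/auth/reset/2/b7e1d0 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Jan/2022:09:00:00 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    print(october_system_vulnerable(SAMPLE_LOCK))
    for finding in hunt_reset_activity(SAMPLE_LOG):
        print(finding)
```

On the constructed data the version check reports v1.1.4 as predating the fix, and the hunt flags 203.0.113.7 (a reset submission followed by backend activity, with no reset-link request) while leaving 192.0.2.25 (restore, then reset) unflagged. Treat the flag as a lead for the forensic review, not a verdict: a reset link requested from a different network than the one it is redeemed from is also legitimate.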

The defacement messages contained grammatical inconsistencies suggesting machine translation; investigators noted that the text may have been produced with Yandex's translation tools and pointed to potential Russian involvement. Polish defense officials separately reported breaches of military databases potentially linked to the incident. Ukrainian cyber-police made no definitive attribution, though they disclosed an unrelated ransomware-gang arrest in the same timeframe. Cybersecurity researchers publicly suspected GhostWriter, an advanced persistent threat group historically associated with Belarusian interests. The incident took place amid heightened geopolitical tension between Ukraine and Russia, but no explicit motive was established. Ukrainian authorities focused on forensic investigation and full service restoration and did not confirm any operational impact beyond the website disruptions.
