Cyber Incident Victim: KP in Ukraine
Date: Mar 2022
Location: Ukraine
Summary
A deepfake video impersonating Ukraine's president to spread false surrender orders was disseminated through compromised news sites and social media platforms, part of a broader Russian cyber campaign involving destructive malware attacks on critical infrastructure, government, and media sectors. This included wiper malware like WhisperGate and FoxBlade, phishing targeting military personnel, and influence operations aimed at sowing panic, disrupting services, and undermining public trust. Russian APT groups conducted these coordinated cyber activities alongside kinetic military operations to degrade national functions and morale during the conflict.
Description
On March 16, 2022, Facebook removed a deepfake video depicting Ukrainian President Volodymyr Zelenskyy falsely urging Ukrainian troops to surrender; the video had spread across its platform and through compromised Ukrainian news websites, including Ukraine 24 and Segodnya. Meta’s security policy head Nathaniel Gleicher confirmed the video’s removal for violating manipulated media policies, noting it originated from a breached website before proliferating online. The Ukrainian Stratcom Centre had warned two weeks prior about Russia’s potential use of highly realistic deepfakes to sow panic, undermine troop morale, and erode public trust in leadership. President Zelenskyy responded by releasing an authentic video countering the disinformation, directing his message at Russian forces: "If I can offer someone to lay down their arms, it’s the Russian military. Go home." Concurrently, Facebook dismantled accounts linked to the Belarusian-aligned Ghostwriter hacking group, which had targeted Ukrainian officials with spear-phishing campaigns aimed at spreading fabricated surrender narratives. Ukraine’s CERT-UA documented additional phishing attacks targeting military personnel’s private emails, aligning with pre-invasion warnings from the Security Service of Ukraine (SSU) about hybrid warfare tactics.

Russian cyber operations against Ukraine intensified significantly before and during the February 2022 invasion, involving at least six advanced persistent threat (APT) groups conducting destructive attacks, espionage, and influence campaigns. Microsoft observed GRU-linked actors like IRIDIUM deploying wiper malware—including WhisperGate, FoxBlade (HermeticWiper), and Industroyer2—against hundreds of government, IT, energy, and financial sector systems, with nearly 40 destructive incidents between February 23 and April 8. These attacks often coincided with kinetic military strikes, such as FoxBlade deployments preceding the invasion and DesertBlade targeting a Kyiv broadcaster alongside missile strikes on TV towers. Russian threat actors compromised critical infrastructure entities like nuclear safety organizations, logistics providers, and energy companies, with Industroyer2 specifically targeting industrial control systems to cause physical disruption. Cyber-physical convergence extended to psychological operations, exemplified by DEV-0586’s anti-government emails impersonating Mariupol residents to erode public trust. Microsoft collaborated with Ukrainian cyber authorities to implement defensive measures like controlled folder access and real-time threat intelligence sharing, mitigating some wiper malware impacts while acknowledging persistent Russian efforts to degrade Ukraine’s institutional resilience through coordinated cyber-kinetic actions.
