Cyber Incident Victim: Coordination Headquarters for the Treatment of Prisoners of War
Date: Jan 2024
Location: Ukraine
Summary
Ukraine’s prisoners of war agency experienced a distributed denial-of-service (DDoS) attack disrupting its website, which was subsequently restored. The agency linked the incident to Russian actors, suggesting it was retaliation for discussions around a prisoner exchange and the downing of a Russian military transport plane near the border, though attribution remains unconfirmed. This aligns with broader Russian cyber operations targeting Ukrainian military and government entities, including recent phishing campaigns by groups like Fancy Bear aimed at stealing military credentials and disrupting command systems. Such attacks frequently coincide with critical military events, reflecting ongoing cyber warfare tactics amid the conflict.
Description
On January 28, 2024, Ukraine’s Coordination Headquarters for the Treatment of Prisoners of War announced it had restored access to its website following a distributed denial-of-service (DDoS) attack over the preceding weekend. The agency, responsible for coordinating prisoner exchanges, communicating with families of captured or missing military personnel, and facilitating the repatriation of deceased soldiers’ remains, experienced temporary disruption to its online services. While the specific hacker group responsible was not identified, the agency attributed the attack to Russian actors, linking it to heightened tensions following the January 24 crash of a Russian Il-76 transport plane near Belgorod. Russian authorities claimed the aircraft carried 65 Ukrainian prisoners of war destined for an exchange, alongside nine Russian personnel, and accused Ukraine of downing the plane. Ukraine neither confirmed nor denied involvement but demanded an international investigation, which Russia opposed. The POW agency stated the cyberattack likely aimed to suppress information about prisoner exchanges and the Il-76 incident, which it characterized as part of a broader Russian "information operation" to destabilize Ukrainian society. The agency declined further comment on the plane crash pending investigation completion, emphasizing its focus on countering disinformation campaigns.

The incident occurred amid an escalation in cyber-espionage and disruptive activities targeting Ukrainian defense and government entities. Ukraine’s National Cybersecurity Coordination Center (NCSCC) reported on January 26—two days prior to the POW agency’s disclosure—that Russian state-sponsored group Fancy Bear (APT28) had launched phishing campaigns against Ukrainian military personnel to steal credentials and gain access to command systems. This aligned with a documented pattern of Russian cyber operations intensifying during critical military phases, such as Gamaredon’s attacks on Ukrainian government agencies during Kyiv’s 2023 counteroffensive. Historical incidents included September 2023 breaches of law enforcement systems to exfiltrate data on Russian war crimes investigations. The NCSCC assessed that Russia’s increased cyber-espionage reflected battlefield setbacks, with hackers persistently targeting military situational awareness and communication infrastructure. The POW agency attack followed this established tactic of synchronizing cyber operations with high-profile geopolitical events to amplify disruption, though technical specifics regarding attack vectors, mitigation steps beyond restoration, or collateral impacts beyond website accessibility were not disclosed.
