
Cyber Incident Victim: Polish Ministry of National Defense

Date:

Jan 2022

Location:

Poland

Summary

Multiple Ukrainian government websites, including defense and foreign affairs portals, were compromised and defaced, and Poland reported breaches of military databases that were potentially linked to the same activity through exploitation of a critical authentication vulnerability in outdated content management software. The attackers posted multilingual messages falsely claiming extensive data theft; Ukrainian authorities confirmed that no personal data was actually compromised. The incident disrupted public services and required restoration work. Grammatical errors in the defacement messages and the suspected involvement of Belarus-linked threat actors prompted investigations into possible geopolitical motivations amid regional tensions.

CIA Posture:

Available to members

Motives:

4 motives

Tactics, Techniques & Procedures:

1 technique

Threat Actor:

1 actor

Type:

Available to members

Location:

Available to members

Description

On January 14, 2022, at least 15 Ukrainian government websites were compromised and defaced, including those of the Ministry of Foreign Affairs, Ministry of Agriculture, Ministry of Education and Science, Ministry of Security and Defense, and the Cabinet of Ministers' online portal. Attackers replaced website content with messages in Ukrainian, Russian, and Polish falsely claiming that all citizen data uploaded to public networks had been compromised. The defacements prompted Ukrainian authorities to take affected sites offline for restoration, and some remained inaccessible during recovery efforts. Technical analysis revealed exploitation of CVE-2021-32648, a critical authentication bypass vulnerability in outdated October CMS software that enabled unauthorized password resets. Concurrently, Poland's Ministry of National Defense reported compromises of military databases potentially linked to the same incident. Linguistic analysis of the defacement messages identified grammatical inconsistencies suggesting that machine translation tools such as Yandex may have been used. Despite the attackers' claims, Ukrainian cyber-police confirmed that no actual data breaches occurred.


Ukrainian cyber authorities immediately initiated incident response, publicly clarifying that the data compromise claims were false while IT specialists worked to restore services. The State Service of Special Communication and Information Protection attributed the intrusions directly to the October CMS vulnerability. In a separate action around the same time, Ukrainian cyber-police arrested members of a ransomware operation unrelated to the website defacements. Investigators did not formally attribute responsibility but noted potential connections to heightened Ukraine-Russia geopolitical tensions. Cybersecurity researchers suggested possible involvement of the GhostWriter advanced persistent threat group, which has historical links to Belarusian interests. Restoration efforts continued for multiple days as authorities conducted forensic examinations. The Polish Ministry of National Defense's parallel disclosure of military database compromises remained under joint investigation with Ukrainian counterparts at the time of reporting.

Sources:

1 source (available to members)